Summary | ZeroBOX

hghghgfhgfh.EXE

Generic Malware UPX Malicious Library PE64 PE File
Category FILE
Machine s1_win7_x6403_us
Started April 1, 2024, 7:36 a.m.
Completed April 1, 2024, 7:52 a.m.
Size 414.0KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 93b2a56dbc2bb2a4ee1b4c6f2873b50b
SHA256 875a2f8b2193bd50ea6c835859aaa348f0168cd10235b632d7dd95913b6ffba7
CRC32 78BE27C5
ssdeep 6144:66kMYlOIa6VkctankhTl2DGl8HjZRw9w0UUCH:62X8anauZqd
Yara
  • IsPE64 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
94.156.8.44 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1880
region_size: 1740800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002600000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1880
region_size: 1740800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002600000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0xffffffffffffffff
1 0 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 94.156.8.44
Time & API Arguments Status Return Repeated

RegSetValueExW

key_handle: 0x0000000000000144
regkey_r: {FC9E1266-2D24-4101-8525-F2667785694D}
reg_type: 3 (REG_BINARY)
value: MZ ... This program cannot be run in DOS mode. ... Rich ... PE ... .text .rdata .data .pdata .rsrc .reloc ... (REG_BINARY payload is a PE image; the remaining bytes are non-printable and omitted here)
regkey: HKEY_CURRENT_USER\Software\{E538C857-73DC-4EB2-A0D7-419BC04ABDAB}\{FC9E1266-2D24-4101-8525-F2667785694D}
1 0 0
Process injection Process 1880 manipulating memory of non-child process 2052
Time & API Arguments Status Return Repeated

NtUnmapViewOfSection

base_address: 0x0000000000090000
region_size: 4096
process_identifier: 2052
process_handle: 0x0000000000000150
1 0 0

NtUnmapViewOfSection

base_address: 0x00000000000a0000
region_size: 4096
process_identifier: 2052
process_handle: 0x0000000000000150
1 0 0

NtUnmapViewOfSection

base_address: 0x00000000000b0000
region_size: 425984
process_identifier: 2052
process_handle: 0x0000000000000150
1 0 0
Time & API Arguments Status Return Repeated

RegSetValueExW

key_handle: 0x0000000000000144
regkey_r: {FC9E1266-2D24-4101-8525-F2667785694D}
reg_type: 3 (REG_BINARY)
value: MZ ... This program cannot be run in DOS mode. ... Rich ... PE ... .text .rdata .data .pdata .rsrc .reloc ... (REG_BINARY payload is a PE image; the remaining bytes are non-printable and omitted here)
regkey: HKEY_CURRENT_USER\Software\{E538C857-73DC-4EB2-A0D7-419BC04ABDAB}\{FC9E1266-2D24-4101-8525-F2667785694D}
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2056
thread_handle: 0x0000000000000148
process_identifier: 2052
current_directory: C:\Windows
filepath: C:\Windows\explorer.exe
track: 1
command_line:
filepath_r: C:\Windows\explorer.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000000000000150
1 1 0
dead_host 94.156.8.44:4787