Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 16, 2024, 9:01 a.m.	May 16, 2024, 9:04 a.m.

Size	1.1MB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {BC0C0C81-1540-48CB-95EE-8C61C10B8886}, Number of Words: 10, Author: Copyright 2001, Name of Creating Application: Advanced Installer 12.3 build 64631, Template: ;1033, Comments: .
MD5	`cbd6f6f7682366b65948238e0d1f03e5`
SHA256	`9ca27397f4732fe9cf062a4bd5df736adde12f27cecd1497c609005e71f3daa7`
CRC32	`734F8AEF`
ssdeep	`24576:aMi8sY5Amp4b5wgbXbrGrm1lJxf6TaevGrk1DJx:vi8sY5AVbigbXbCa1nwTaeOI19`
Yara	Microsoft_Office_File_Zero - Microsoft Office File CAB_file_format - CAB archive file Generic_Malware_Zero - Generic Malware

msiexec.exe "C:\Windows\System32\msiexec.exe" /I C:\Users\test22\AppData\Local\Temp\br.msi
2004
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
ec2-3-21-233-33.us-east-2.compute.amazonaws.com	A 3.21.233.33	3.21.233.33

IP Address	Status	Action
164.124.101.2	Active	Moloch
3.21.233.33	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 16, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 16, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 16, 2024, 9:01 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 16, 2024, 9:01 a.m.		1	1	0

Performs some HTTP requests (1 event)

request

GET http://ec2-3-21-233-33.us-east-2.compute.amazonaws.com/5806460-36.2024.7.10.7643/bobluz

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 16, 2024, 9:01 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2024, 9:01 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73de1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2024, 9:01 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2024, 9:01 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73481000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2024, 9:01 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2024, 9:01 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2024, 9:01 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2024, 9:01 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73431000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 9:01 a.m.	process_identifier: 2004 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 9:01 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ec0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2024, 9:01 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73422000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 9:01 a.m.	process_identifier: 2004 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03bb0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 9:01 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 16, 2024, 9:01 a.m.	total_number_of_free_bytes: 9933553664 free_bytes_available: 9933553664 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceW May 16, 2024, 9:01 a.m.	number_of_free_clusters: 2425184 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 16, 2024, 9:01 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 16, 2024, 9:01 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW May 16, 2024, 9:01 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 16, 2024, 9:01 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW May 16, 2024, 9:01 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW May 16, 2024, 9:01 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW May 16, 2024, 9:01 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW May 16, 2024, 9:01 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW May 16, 2024, 9:01 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW May 16, 2024, 9:01 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW May 16, 2024, 9:01 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 16, 2024, 9:01 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 16, 2024, 9:01 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW May 16, 2024, 9:01 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW May 16, 2024, 9:01 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW May 16, 2024, 9:01 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Lionic	Trojan.Win32.Agent.Y!c
Skyhigh	Artemis!Trojan
ALYac	Exploit.HTML-Downloader.Gen
VIPRE	Trojan.GenericKD.72752041
Arcabit	Trojan.Generic.D4561BA9
TrendMicro-HouseCall	Possible_MSAIHASMD
Kaspersky	HEUR:Trojan-Downloader.Script.Agent.gen
BitDefender	Trojan.GenericKD.72752041
MicroWorld-eScan	Trojan.GenericKD.72752041
Emsisoft	Trojan.GenericKD.72752041 (B)
TrendMicro	Possible_MSAIHASMD
FireEye	Trojan.GenericKD.72752041
Ikarus	Trojan-Downloader.JS.Agent
Google	Detected
Kingsoft	Script.Trojan-Downloader.Agent.gen
ZoneAlarm	HEUR:Trojan-Downloader.Script.Agent.gen
GData	Trojan.GenericKD.72752041
Varist	ABRisk.CGSN-1
MAX	malware (ai score=85)
Fortinet	PossibleThreat

br.msi

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All