Summary | ZeroBOX

changezuhaolnk.exe

MPRESS UPX PE64 PE File
Category Machine Started Completed
FILE s1_win7_x6403_us June 21, 2024, 3:47 p.m. June 21, 2024, 3:51 p.m.
Size 401.5KB
Type MS-DOS executable, MZ for MS-DOS
MD5 90f9973120104179d008e06cde39670c
SHA256 88c32d5d4132b4d58d1b02b9d183fd954f87f449f3d51ea3eaec8f9d12f913f2
CRC32 BF6F5113
ssdeep 6144:rGdCAohu2CHYuZXL4HURkKd6Sq4Tk6XlC9RukP5vBH0vwr5LtOztaOaZIm09Pkfy:SuT3u5eU3kFRDHvLCa8ea
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • MPRESS_Zero - MPRESS packed file
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .MPRESS1
section .MPRESS2
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77710895
stacktrace+0x84 memdup-0x1af @ 0x749a0470
hook_in_monitor+0x45 lde-0x133 @ 0x749942ea
New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x749b3603
VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefdc03243
VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefdc031fb
changezuhaolnk+0xa7bec @ 0x1400a7bec
GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76fc2ef0

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x77710895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 4388408
registers.rsi: 5369741312
registers.r10: 0
registers.rbx: 1996238576
registers.rsp: 4390664
registers.r11: 514
registers.r8: 64
registers.r9: 4
registers.rdx: 4389752
registers.r12: 0
registers.rbp: 0
registers.rdi: 5368709487
registers.rax: 4388088
registers.r13: 0
section .MPRESS1 (size_of_data 0x0005cc00, virtual_address 0x00001000, virtual_size 0x000fc000, entropy 7.999504563317703) description A section with a high entropy has been found
entropy 0.925187032419 description Overall entropy of this PE file is high
Elastic malicious (moderate confidence)
Cylance Unsafe
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
McAfeeD ti!88C32D5D4132
Trapmine malicious.high.ml.score
Ikarus Trojan.MSIL.Bladabindi
Antiy-AVL Trojan/Win32.SGeneric
ZoneAlarm UDS:DangerousObject.Multi.Generic
DeepInstinct MALICIOUS
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.1728101.susgen
Fortinet W32/PossibleThreat
CrowdStrike win/malicious_confidence_70% (W)