Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 16, 2024, 2:08 p.m.	July 16, 2024, 2:10 p.m.

Size	13.2MB
Type	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`e6743e380f2418b616dca113dbbc93cb`
SHA256	`eb7183f807b13b4524393b8da4cc242d96283a13ecd7331db1fcefd43986d0c9`
CRC32	`0130EC67`
ssdeep	`196608:DDErb7pO6pV9Mqhdq3PusYB8NggX4WR+2EZ1hggBMY+gj7LWWtYH4c3nUOTBDAaX:DmUSDBYSBIoM5Shgg+dW64cXUoBDAaX`
Yara	PE_Header_Zero - PE File Signature IsDLL - (no description) IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mi.dll,MainFunc
884
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mi.dll,_cgo_dummy_export
2056
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mi.dll,
2152

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 16, 2024, 2:08 p.m.			0	0
IsDebuggerPresent July 16, 2024, 2:08 p.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.rdata0
section	.rdata1
section	.rdata2

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ July 16, 2024, 2:08 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 9762784 registers.edi: 1906208992 registers.eax: 0 registers.ebp: 9762788 registers.edx: 4294967295 registers.ebx: 9762800 registers.esi: 9762936 registers.ecx: 0	1
__exception__ July 16, 2024, 2:08 p.m.	stacktrace: rundll32+0x1326 @ 0xc1326 rundll32+0x1901 @ 0xc1901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.instruction: add byte ptr [eax], al exception.exception_code: 0xc0000005 exception.symbol: MainFunc+0x3191ec mi+0x7ff64c exception.address: 0x721af64c registers.esp: 3341624 registers.edi: 0 registers.eax: 65890 registers.ebp: 3341740 registers.edx: 9 registers.ebx: 0 registers.esi: 65890 registers.ecx: 0	1
__exception__ July 16, 2024, 2:08 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 10222784 registers.edi: 1906208992 registers.eax: 0 registers.ebp: 10222788 registers.edx: 4294967295 registers.ebx: 10222800 registers.esi: 10222936 registers.ecx: 0	1

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 16, 2024, 2:08 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 16, 2024, 2:08 p.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 16, 2024, 2:08 p.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 16, 2024, 2:08 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 16, 2024, 2:08 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 16, 2024, 2:08 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00d32a00', u'virtual_address': u'0x00e91000', u'entropy': 7.9027636653173, u'name': u'.rdata2', u'virtual_size': u'0x00d32970'}

entropy

7.90276366532

description

A section with a high entropy has been found

entropy

0.999852032701

description

Overall entropy of this PE file is high

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (moderate confidence)
Cynet	Malicious (score: 100)
Cylance	Unsafe
ESET-NOD32	a variant of Win32/Packed.VMProtect.BC suspicious
Rising	Trojan.Kryptik!8.8 (TFE:6:GYKdcmG8yzF)
Gridinsoft	Trojan.Heur!.002121B0
VBA32	Malware-Cryptor.Inject.gen
SentinelOne	Static AI - Suspicious PE
CrowdStrike	win/malicious_confidence_70% (D)

mi.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All