Summary | ZeroBOX

SS.exe

PE32 PE File
Category: FILE
Machine: s1_win7_x6401
Started: Aug. 5, 2024, 10:36 a.m.
Completed: Aug. 5, 2024, 11:11 a.m.

Size: 475.5KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 1f0754128f1fd32781886c3d9e7dc138
SHA256: e5bcef72212f77a5390675d5fc24433af0e682db535969894f967a409eefb8aa
CRC32: B73A230B
ssdeep: 12288:EfqiJSvtZDd4YQp7T8BPZ0T9XG1rVBbtpIwaDoS8:GqiWfvQpX8T0h2r/b/IDK
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

DNS (Name / Response / Post-Analysis Lookup)
No hosts contacted.

Hosts (IP Address / Status / Action)
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API calls (Time & API / Arguments / Status / Return / Repeated)

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
API calls (Time & API / Arguments / Status / Return / Repeated)

WriteConsoleW (13 calls; every call has console_handle: 0x00000007, status: 1, return: 1, repeated: 0), buffers in call order:
  • [SC] ChangeServiceConfig SUCCESS
  • The Desktop Window Manager Session Manager service is stopping
  • The Desktop Window Manager Session Manager service could not be stopped.
  • The Desktop Window Manager Session Manager service is starting
  • The Desktop Window Manager Session Manager service was started successfully.
  • The Desktop Window Manager Session Manager service is stopping
  • The Desktop Window Manager Session Manager service could not be stopped.
  • The Desktop Window Manager Session Manager service is starting
  • The Desktop Window Manager Session Manager service was started successfully.
  • The Desktop Window Manager Session Manager service is stopping
  • The Desktop Window Manager Session Manager service could not be stopped.
  • The Desktop Window Manager Session Manager service is starting
  • The Desktop Window Manager Session Manager service was started successfully.
API calls (Time & API / Arguments / Status / Return / Repeated)

GlobalMemoryStatusEx
status: 1, return: 1, repeated: 0
API calls (Time & API / Arguments / Status / Return / Repeated)

__exception__

stacktrace:
ss+0xbf80 @ 0x40bf80
ss+0xbaf1 @ 0x40baf1
ss+0x19c88 @ 0x419c88
ss+0x3385c @ 0x43385c
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 43 3c 0f b7 c9 8b 44 18 78 2b 4c 18 10 8b 44
exception.symbol: ss+0xcff1
exception.instruction: mov eax, dword ptr [ebx + 0x3c]
exception.module: SS.exe
exception.exception_code: 0xc0000005
exception.offset: 53233
exception.address: 0x40cff1
registers.esp: 1637984
registers.edi: 45470296
registers.eax: 0
registers.ebp: 1638028
registers.edx: 45088768
registers.ebx: 0
registers.esi: 45676312
registers.ecx: 2147483650
status: 1, return: 0, repeated: 0
API calls (Time & API / Arguments / Status / Return / Repeated)

NtAllocateVirtualMemory
process_identifier: 2556
region_size: 634880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b00000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory (18 calls; every call has stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), process_handle: 0xffffffff, status: 1, return: 0, repeated: 0), in call order:

process_identifier  base_address
2076                0x73660000
2076                0x72d61000
2076                0x74191000
2076                0x72d24000
2076                0x72d62000
2076                0x74171000
2076                0x72de1000
2076                0x72e31000
2076                0x73501000
3068                0x73660000
3068                0x71951000
3068                0x74191000
3068                0x71914000
3068                0x71952000
3068                0x74171000
3068                0x71881000
3068                0x73bc1000
3068                0x73501000
Resource
name: RT_VERSION
language: LANG_CHINESE
sublanguage: SUBLANG_CHINESE_SIMPLIFIED
filetype: data
offset: 0x000c3058
size: 0x00000248
API calls (Time & API / Arguments / Status / Return / Repeated)

ShellExecuteExW (2 identical calls)
show_type: 0
filepath_r: C:\Windows\Resources\Themes\aero.theme
parameters:
filepath: C:\Windows\Resources\Themes\aero.theme
status: 1, return: 1, repeated: 0
section UPX1 (size_of_data: 0x00076200, virtual_address: 0x0004b000, virtual_size: 0x00077000, entropy: 7.999083070325363) description A section with a high entropy has been found
entropy 0.995785036881 description Overall entropy of this PE file is high
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
section UPX2 description Section name indicates UPX
Command lines observed:
  • sc config "UxSms" start= demand
  • cmd /c sc config "UxSms" start= demand
  • cmd /c net start "Desktop Window Manager Session Manager"
  • net stop "Desktop Window Manager Session Manager"
  • net start "Desktop Window Manager Session Manager"
  • cmd /c net stop "Desktop Window Manager Session Manager"
API calls (Time & API / Arguments / Status / Return / Repeated)

ControlService
service_handle: 0x0055d5a0
service_name: UxSms
control_code: 1
status: 1, return: 1, repeated: 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.BlackMoon.4!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.Generic.gc
ALYac Gen:Variant.Zusy.554925
Cylance Unsafe
VIPRE Gen:Variant.Zusy.554925
Sangfor Trojan.Win32.Blackmoon.V90u
BitDefender Gen:Variant.Zusy.554925
Cybereason malicious.28f1fd
Arcabit Trojan.Zusy.D877AD
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Packed.BlackMoon.A suspicious
APEX Malicious
McAfee Artemis!1F0754128F1F
Avast Win32:MalwareX-gen [Trj]
Kaspersky UDS:DangerousObject.Multi.Generic
MicroWorld-eScan Gen:Variant.Zusy.554925
Rising Worm.Convagent!8.12386 (CLOUD)
Emsisoft Gen:Variant.Zusy.554925 (B)
F-Secure Trojan.TR/ATRAPS.Gen
TrendMicro TrojanSpy.Win32.BLACKMOON.YXEHDZ
McAfeeD Real Protect-LS!1F0754128F1F
Trapmine malicious.high.ml.score
FireEye Generic.mg.1f0754128f1fd327
Sophos Mal/Generic-S
Ikarus Trojan.Win32.FakeAV
Google Detected
Avira TR/ATRAPS.Gen
Antiy-AVL Trojan[Packed]/Win32.Blackmoon
Kingsoft malware.kb.b.992
Gridinsoft Ransom.Win32.Wacatac.sa
Xcitium TrojWare.Win32.TrojanSpy.Banker.OV@6e1pyh
Microsoft Trojan:Win32/Wacatac.B!ml
ViRobot Trojan.Win.Z.Zusy.486912
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Gen:Variant.Zusy.554925
Varist W32/ABTrojan.UYES-3843
AhnLab-V3 Trojan/Win.Generic.R658019
BitDefenderTheta Gen:NN.ZexaF.36810.DqKfaiVvFLpb
DeepInstinct MALICIOUS
Malwarebytes MachineLearning/Anomalous.100%
TrendMicro-HouseCall TrojanSpy.Win32.BLACKMOON.YXEHDZ
MAX malware (ai score=84)
Fortinet Riskware/Application
AVG Win32:MalwareX-gen [Trj]
Paloalto generic.ml
CrowdStrike win/malicious_confidence_90% (W)
alibabacloud VirTool:Win/Packed.BlackMoon.A