popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis
UPX Malicious Library Malicious Packer Downloader HTTP ScreenShot Create Service KeyLogger Internet API P2P DGA Hijack Network Http API persistence FTP Socket Escalate priviledges DNS Code injection PWS Sniff Audio Steal credential AntiDebug AntiVM
  1. Resubmit sample
Category Machine Started Completed
ARCHIVE s1_win7_x6401 Aug. 18, 2024, 9:56 a.m. Aug. 18, 2024, 9:58 a.m.

Archive SSD-Z.exe @ SSD-Z_16.09.09wip.zip

Summary

Size 1022.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 dc6e1b46c89572020133463ec43ca414
SHA1 f35b51f193c40570df9d5cef0d52637c6dd38898
SHA256 74a0850369ba9ffcbdeeb6bd087a4de1105055d2338378b83e79a91b3e2a5db0
SHA512
58161946051e94af4afba2f12ffadd3c3ec60f2f329a48f20970e31b17c4b358e6ccd87bb39f68b41c3159e99b9e16b395b53e18b39b734adbaccc5c5b9fc2a2
CRC32 289129A0
ssdeep 12288:D71gfd+H6mAn3HMHQKOfmv4SBZaRtkuyQrioUaDBfLSpQOhygGyBjPVP+PVPXP04:X1gfdIAiHOfgDaRt/HeoUaDBfLoxcjy
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • mzp_file_format - MZP(Delphi) file format

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section CODE
section DATA
section BSS
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00560000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc2000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

DeviceIoControl

 input_buffer:
control_code: 475228 (IOCTL_DISK_GET_LENGTH_INFO)
device_handle: 0x00000180
output_buffer: ð÷(‹>G0ú%@G(úHê
0 0

GetDiskFreeSpaceExW

 total_number_of_free_bytes: 0
free_bytes_available: 13320941568
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

 total_number_of_free_bytes: 0
free_bytes_available: 0
root_path: D:\
total_number_of_bytes: 0
0 0
url http://crl.comodo.net/TrustedCertificateServices.crl0
url http://users.ocsp.d-trust.net03
url http://crl.ssc.lt/root-b/cacrl.crl0
url http://crl.securetrust.com/STCA.crl0
url http://crl.securetrust.com/SGCA.crl0
url http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url http://www.ssc.lt/cps03
url http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url http://www.pkioverheid.nl/policies/root-policy0
url http://cps.chambersign.org/cps/chambersroot.html0
url http://www.disig.sk/ca/crl/ca_disig.crl0
url http://www.entrust.net/CRL/Client1.crl0
url http://crl.chambersign.org/publicnotaryroot.crl0
url http://crl.comodo.net/AAACertificateServices.crl0
url http://www.certplus.com/CRL/class3.crl0
url http://logo.verisign.com/vslogo.gif0
url http://www.acabogacia.org/doc0
url http://www.e-szigno.hu/SZSZ/0
url https://www.catcert.net/verarrel
url http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url http://www.sk.ee/cps/0
url http://www.quovadis.bm0
url https://www.catcert.net/verarrel05
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url http://crl.chambersign.org/chambersroot.crl0
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url http://crl.globalsign.net/root-r2.crl0
url http://certificates.starfieldtech.com/repository/1604
url http://www.d-trust.net0
url http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url http://crl.ssc.lt/root-a/cacrl.crl0
url http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url http://aezay.dk
url http://www.certicamara.com/certicamaraca.crl0
url http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url http://www.post.trust.ie/reposit/cps.html0
url http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0
url http://www2.public-trust.com/crl/ct/ctroot.crl0
url http://www.certicamara.com0
url http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url http://www.comsign.co.il/cps0
url http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
url http://www.microsoft.com/pki/crl/products/TrustListPCA.crl
url http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Hijack network configuration rule Hijack_Network
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Possibly employs anti-virtualization techniques rule vmdetect
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Install itself for autorun at Windows startup rule Persistence
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 1 (FILE_OPEN)
file_handle: 0x00000180
filepath: \??\PhysicalDrive0
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
filepath_r: \??\PhysicalDrive0
create_options: 104 (FILE_NON_DIRECTORY_FILE|FILE_NO_INTERMEDIATE_BUFFERING|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 1 (FILE_OPENED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
1 0 0

DeviceIoControl

 input_buffer:
control_code: 2954240 ()
device_handle: 0x00000180
output_buffer: (§Lu~ $ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42566234393262373030372d6533656331322036
1 1 0