popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

66c371744eb05_crt2.exe

Emotet Gen1 Generic Malware Malicious Library UPX Word 2007 file format(docx) PE64 MSOffice File MZP Format PE File OS Processor Check PE32 ZIP Format dll DLL DllRegisterServer
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Aug. 20, 2024, 9:36 a.m. Aug. 20, 2024, 9:49 a.m.
Size 3.3MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 34631daee5d4765989d302a86210dd64
SHA256 fb117e0fba94e34e785bb3f4cc3702c4af98d9e56ce5a04b155e17275a3fc5e9
CRC32 4C0F6D53
ssdeep 98304:NdqUVl+urnFNiW9lsY8FtdzMJxTLv1MKNlLwd0m:jTbELYOzonT1MKN5wGm
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • mzp_file_format - MZP(Delphi) file format

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section CODE
section DATA
section BSS
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
66c371744eb05_crt2+0x413be @ 0x4413be
66c371744eb05_crt2+0x43203 @ 0x443203
66c371744eb05_crt2+0x488cc @ 0x4488cc
66c371744eb05_crt2+0x3e7d1 @ 0x43e7d1
66c371744eb05_crt2+0x3d707 @ 0x43d707
66c371744eb05_crt2+0x947e6 @ 0x4947e6
66c371744eb05_crt2+0x80769 @ 0x480769
66c371744eb05_crt2+0x986ab @ 0x4986ab
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 06 c7 45 fc fe ff ff ff 85 db 0f 85 97 34 00
exception.symbol: WNetCloseEnum+0x14 WNetOpenEnumW-0x11c mpr+0x2dea
exception.instruction: mov eax, dword ptr [esi]
exception.module: mpr.dll
exception.exception_code: 0xc0000005
exception.offset: 11754
exception.address: 0x74162dea
registers.esp: 1637604
registers.edi: 30974068
registers.eax: 1637632
registers.ebp: 1637648
registers.edx: 819
registers.ebx: 0
registers.esi: 819
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
66c371744eb05_crt2+0x413be @ 0x4413be
66c371744eb05_crt2+0x43203 @ 0x443203
66c371744eb05_crt2+0x488cc @ 0x4488cc
66c371744eb05_crt2+0x3e7d1 @ 0x43e7d1
66c371744eb05_crt2+0x3d707 @ 0x43d707
66c371744eb05_crt2+0x947e6 @ 0x4947e6
66c371744eb05_crt2+0x80769 @ 0x480769
66c371744eb05_crt2+0x986ab @ 0x4986ab
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 06 c7 45 fc fe ff ff ff 85 db 0f 85 97 34 00
exception.symbol: WNetCloseEnum+0x14 WNetOpenEnumW-0x11c mpr+0x2dea
exception.instruction: mov eax, dword ptr [esi]
exception.module: mpr.dll
exception.exception_code: 0xc0000005
exception.offset: 11754
exception.address: 0x74162dea
registers.esp: 1637604
registers.edi: 30974260
registers.eax: 1637632
registers.ebp: 1637648
registers.edx: 44
registers.ebx: 0
registers.esi: 44
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
66c371744eb05_crt2+0x3e2f6 @ 0x43e2f6
66c371744eb05_crt2+0x3d707 @ 0x43d707
66c371744eb05_crt2+0x947e6 @ 0x4947e6
66c371744eb05_crt2+0x80769 @ 0x480769
66c371744eb05_crt2+0x986ab @ 0x4986ab
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: f7 37 89 06 e9 dd 07 00 00 8b 06 33 d2 8a 17 8b
exception.symbol: 66c371744eb05_crt2+0x3b5eb
exception.instruction: div dword ptr [edi]
exception.module: 66c371744eb05_crt2.tmp
exception.exception_code: 0xc0000094
exception.offset: 243179
exception.address: 0x43b5eb
registers.esp: 1637776
registers.edi: 30970044
registers.eax: 27652618
registers.ebp: 1637856
registers.edx: 0
registers.ebx: 1
registers.esi: 30970036
registers.ecx: 30970044
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 20480
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2600
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2600
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc2000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\is-ECC9P.tmp\_isetup\_iscrypt.dll
file C:\Users\test22\AppData\Local\Temp\is-ECC9P.tmp\_isetup\_shfoldr.dll
file C:\Users\test22\AppData\Local\AudioBook\audiobook32_64.exe
file C:\Users\test22\AppData\Local\Temp\is-ECC9P.tmp\_isetup\_shfoldr.dll
file C:\Users\test22\AppData\Local\Temp\is-ECC9P.tmp\_isetup\_iscrypt.dll
file C:\Users\test22\AppData\Local\Temp\is-LQFJJ.tmp\66c371744eb05_crt2.tmp
file C:\Users\test22\AppData\Local\Temp\is-ECC9P.tmp\_isetup\_RegDLL.tmp
Time & API Arguments Status Return Repeated

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\AudioBook_is1
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00000001
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\AudioBook_is1
2 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\AudioBook_is1
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AudioBook_is1
2 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\AudioBook_is1
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00000008
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\AudioBook_is1
2 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\AudioBook_is1
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00000008
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AudioBook_is1
2 0
Cynet Malicious (score: 99)
VIPRE Gen:Heur.Munp.1
BitDefender Gen:Heur.Munp.1
Cybereason malicious.ee5d47
Arcabit Trojan.Munp.1
ESET-NOD32 a variant of Win32/TrojanDropper.Agent.SLC
MicroWorld-eScan Gen:Heur.Munp.1
Emsisoft Gen:Heur.Munp.1 (B)
F-Secure Heuristic.HEUR/AGEN.1372994
FireEye Gen:Heur.Munp.1
Avira HEUR/AGEN.1372994
MAX malware (ai score=87)
Kingsoft malware.kb.a.858
Microsoft Trojan:Win32/Wacatac.B!ml
GData Gen:Heur.Munp.1
Ikarus Trojan.Win32.Crypt
huorong HEUR:TrojanDropper/Agent.p