popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

qq-1950222243-x%e2%80%aexcod.exe

Generic Malware Malicious Library UPX MSOffice File AntiDebug PE64 PE File OS Processor Check PE32 AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 22, 2024, 3:10 p.m. Sept. 22, 2024, 3:12 p.m.
Size 522.7KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 06a0c92c691e980875b3345ce72fe78b
SHA256 136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de
CRC32 07AFB990
ssdeep 12288:JzxzTDWikLSb4NS7QX+tjUXZkzF4Lyqe185h9pp3bQ/FO:zDWHSb4NkJ4S6hE/s
PDB Path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
8.130.82.167 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Registration\{90120000-0030-0000-0000-0000000FF1CE}\DigitalProductID
pdb_path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .didat
resource name PNG
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
EnterCriticalSection+0x1e ExitThread-0x19 kernel32+0xaa404 @ 0x76cba404
0x1d841fe
0x7fffffdd250
0x237f248
0x237f280
0x1d841fe
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac
0xac

exception.instruction_r: 4e 54 44 4c 4c 2e 52 74 6c 45 78 69 74 55 73 65
exception.symbol: EnterCriticalSection+0x1e ExitThread-0x19 kernel32+0xaa404
exception.instruction: push rsp
exception.module: kernel32.dll
exception.exception_code: 0xc0000005
exception.offset: 697348
exception.address: 0x76cba404
registers.r14: 0
registers.r15: 0
registers.rcx: 0
registers.rsi: 0
registers.r10: 30949886
registers.rbx: 0
registers.rsp: 37222200
registers.r11: 514
registers.r8: 37220936
registers.r9: 37220992
registers.rdx: 8796092879440
registers.r12: 37222624
registers.rbp: 30949386
registers.rdi: 172
registers.rax: 1993057284
registers.r13: 37222632
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2676
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d62000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000005d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001ea0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001f30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001d80000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x2fad1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x713b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70631000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7074e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x715fe000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f611000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fb7a000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755c8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f461000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f461000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x733a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d62000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e3a1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2836
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b50000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02d40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e392000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2836
region_size: 1310720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b50000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74211000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ac0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ac0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e2c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e111000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e16f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e16f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e0f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73111000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72741000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05120000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05120000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05130000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05140000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
name PNG language LANG_CHINESE filetype PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000641ec size 0x000015a9
name PNG language LANG_CHINESE filetype PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000641ec size 0x000015a9
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0006fa3c size 0x000001e6
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0006fa3c size 0x000001e6
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0006fa3c size 0x000001e6
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0006fa3c size 0x000001e6
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0006fa3c size 0x000001e6
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0006fa3c size 0x000001e6
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00070354 size 0x00000078
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00070354 size 0x00000078
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00070354 size 0x00000078
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00070354 size 0x00000078
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00070354 size 0x00000078
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00070354 size 0x00000078
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00070354 size 0x00000078
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00070354 size 0x00000078
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00070354 size 0x00000078
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00070354 size 0x00000078
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000703e0 size 0x00000068
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000703e0 size 0x00000068
name RT_MANIFEST language LANG_CHINESE filetype XML 1.0 document, ASCII text, with CRLF line terminators sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00070448 size 0x00000753
file C:\Users\test22\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
file C:\Windows\Temp\3950.docx
file C:\Windows\Temp\i0C.exe
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000002d0
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
file C:\Windows\Temp\i0C.exe
file C:\Windows\Temp\3950.docx
section {u'size_of_data': u'0x0000dc00', u'virtual_address': u'0x00063000', u'entropy': 6.812479323913837, u'name': u'.rsrc', u'virtual_size': u'0x0000e000'} entropy 6.81247932391 description A section with a high entropy has been found
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
host 8.130.82.167
Process injection Process 2676 resumed a thread in remote process 2836
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000002b4
suspend_count: 1
process_identifier: 2836
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.ShellcodeRunner.4!c
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.Triusor.hc
ALYac Trojan.GenericKD.71006470
Cylance Unsafe
VIPRE Trojan.GenericKD.71006470
Sangfor Trojan.Win64.Shellcoderunner.Vois
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Trojan.GenericKD.71006470
K7GW Trojan ( 005a0e851 )
K7AntiVirus Trojan ( 005a0e851 )
Arcabit Trojan.Generic.D43B7906
Symantec Trojan.Gen.MBT
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win64/ShellcodeRunner.JQ
APEX Malicious
Avast Win64:Evo-gen [Trj]
Kaspersky Trojan.Win64.Donut.xof
Alibaba Trojan:Win64/Donut.27622dab
NANO-Antivirus Trojan.Win32.ShellcodeRunner.kgibfx
MicroWorld-eScan Trojan.GenericKD.71006470
Rising Trojan.ShellCodeRunner!1.F13B (CLASSIC)
Emsisoft Trojan.GenericKD.71006470 (B)
F-Secure Trojan.TR/AD.Nekark.dkbit
DrWeb BackDoor.Shell.244
McAfeeD ti!136E03127B12
CTX exe.trojan.generic
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious SFX
FireEye Generic.mg.06a0c92c691e9808
Google Detected
Avira TR/AD.Nekark.fqhtw
Antiy-AVL Trojan/Win64.Rozena.lf
Kingsoft Win32.Troj.Unknown.a
Xcitium Malware@#3t8knqxt4ze7l
Microsoft Trojan:Win64/Rozena.EN!MTB
ZoneAlarm Trojan.Win64.Donut.xof
GData Trojan.GenericKD.71006470
Varist W64/ABRisk.LXAV-5640
AhnLab-V3 Trojan/Win.Rozena.C5568326
McAfee RDN/Generic.dx
DeepInstinct MALICIOUS
Malwarebytes Trojan.ShellCode
Ikarus Trojan.Win64.Rozena
Panda Trj/CI.A
Tencent Win64.Trojan.Shellcode.Jjgl
Yandex Trojan.Donut!TOABRX18Qi0
huorong Backdoor/CobaltStrike.fw
MaxSecure Trojan.Malware.222052458.susgen
dead_host 8.130.82.167:5544
dead_host 192.168.56.101:49166