Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 15, 2024, 2:18 p.m.	Oct. 15, 2024, 2:40 p.m.

Size	4.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b00c9bc606824dc90058f5ce00313ff6`
SHA256	`90998a60d134ec92e788f0c2c79fe00cf27dd440a794d683bc01656db76e145a`
CRC32	`511263EC`
ssdeep	`98304:xdWViMCe6YMUGOf0dJx1t9bhwGcyD6xzKEi2aLFo1fSQQz4dObpmB9:DWh2OMdJDt133sKEwLG1SQQzvbpmB9`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature ConfuserEx_Zero - Confuser .NET Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

stories.exe "C:\Users\test22\AppData\Local\Temp\stories.exe"
2548
- is-EFN0Q.tmp "C:\Users\test22\AppData\Local\Temp\is-CE6J6.tmp\is-EFN0Q.tmp" /SL4 $80178 "C:\Users\test22\AppData\Local\Temp\stories.exe" 3909930 52224
  2600
  - glassvideoconverter.exe "C:\Users\test22\AppData\Local\Glass Video Converter\glassvideoconverter.exe" -i
    2716

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Oct. 15, 2024, 2:18 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 15, 2024, 2:18 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 15, 2024, 2:18 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Oct. 15, 2024, 2:18 p.m.	stacktrace: is-efn0q+0x40722 @ 0x440722 is-efn0q+0x42567 @ 0x442567 is-efn0q+0x47bd4 @ 0x447bd4 is-efn0q+0x3db35 @ 0x43db35 is-efn0q+0x3ca6b @ 0x43ca6b is-efn0q+0x884b0 @ 0x4884b0 is-efn0q+0x75f02 @ 0x475f02 is-efn0q+0x8c071 @ 0x48c071 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 06 c7 45 fc fe ff ff ff 85 db 0f 85 97 34 00 exception.symbol: WNetCloseEnum+0x14 WNetOpenEnumW-0x11c mpr+0x2dea exception.instruction: mov eax, dword ptr [esi] exception.module: mpr.dll exception.exception_code: 0xc0000005 exception.offset: 11754 exception.address: 0x74162dea registers.esp: 1637616 registers.edi: 30948856 registers.eax: 1637644 registers.ebp: 1637660 registers.edx: 1014 registers.ebx: 0 registers.esi: 1014 registers.ecx: 0	1
__exception__ Oct. 15, 2024, 2:18 p.m.	stacktrace: is-efn0q+0x40722 @ 0x440722 is-efn0q+0x42567 @ 0x442567 is-efn0q+0x47bd4 @ 0x447bd4 is-efn0q+0x3db35 @ 0x43db35 is-efn0q+0x3ca6b @ 0x43ca6b is-efn0q+0x884b0 @ 0x4884b0 is-efn0q+0x75f02 @ 0x475f02 is-efn0q+0x8c071 @ 0x48c071 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 06 c7 45 fc fe ff ff ff 85 db 0f 85 97 34 00 exception.symbol: WNetCloseEnum+0x14 WNetOpenEnumW-0x11c mpr+0x2dea exception.instruction: mov eax, dword ptr [esi] exception.module: mpr.dll exception.exception_code: 0xc0000005 exception.offset: 11754 exception.address: 0x74162dea registers.esp: 1637616 registers.edi: 30949336 registers.eax: 1637644 registers.ebp: 1637660 registers.edx: 44 registers.ebx: 0 registers.esi: 44 registers.ecx: 0	1
__exception__ Oct. 15, 2024, 2:18 p.m.	stacktrace: is-efn0q+0x3d65a @ 0x43d65a is-efn0q+0x3ca6b @ 0x43ca6b is-efn0q+0x884b0 @ 0x4884b0 is-efn0q+0x75f02 @ 0x475f02 is-efn0q+0x8c071 @ 0x48c071 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: f7 37 89 06 e9 dd 07 00 00 8b 06 33 d2 8a 17 8b exception.symbol: is-efn0q+0x3a94f exception.instruction: div dword ptr [edi] exception.module: is-EFN0Q.tmp exception.exception_code: 0xc0000094 exception.offset: 239951 exception.address: 0x43a94f registers.esp: 1637788 registers.edi: 30809412 registers.eax: 25250857 registers.ebp: 1637868 registers.edx: 0 registers.ebx: 1 registers.esi: 30809404 registers.ecx: 30809412	1

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 15, 2024, 2:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 36864 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2024, 2:18 p.m.	process_identifier: 2600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:18 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\is-38B8V.tmp\_isetup\_iscrypt.dll
file	C:\Users\test22\AppData\Local\Temp\is-38B8V.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Glass Video Converter\glassvideoconverter.exe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\is-38B8V.tmp\_isetup\_RegDLL.tmp
file	C:\Users\test22\AppData\Local\Temp\is-CE6J6.tmp\is-EFN0Q.tmp
file	C:\Users\test22\AppData\Local\Temp\is-38B8V.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-38B8V.tmp\_isetup\_iscrypt.dll

Queries for potentially installed applications (4 events)

Time & API	Arguments	Return
RegOpenKeyExA Oct. 15, 2024, 2:18 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Glass Video Converter_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Glass Video Converter_is1	2
RegOpenKeyExA Oct. 15, 2024, 2:18 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Glass Video Converter_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Glass Video Converter_is1	2
RegOpenKeyExA Oct. 15, 2024, 2:18 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Glass Video Converter_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Glass Video Converter_is1	2
RegOpenKeyExA Oct. 15, 2024, 2:18 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Glass Video Converter_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Glass Video Converter_is1	2

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Cynet	Malicious (score: 99)
VIPRE	Gen:Heur.Munp.1
Sangfor	Trojan.Win32.Agent.V07y
BitDefender	Gen:Heur.Munp.1
Arcabit	Trojan.Munp.1
Symantec	Trojan.Gen.MBT
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
Avast	Win32:Malware-gen
Kaspersky	UDS:DangerousObject.Multi.Generic
MicroWorld-eScan	Gen:Heur.Munp.1
Emsisoft	Gen:Heur.Munp.1 (B)
F-Secure	Heuristic.HEUR/AGEN.1372994
DrWeb	Trojan.MulDrop28.30319
TrendMicro	Trojan.Win32.SOCKSSYSTEMZ.YXEJNZ
McAfeeD	ti!90998A60D134
CTX	exe.trojan.agen
Sophos	Generic Reputation PUA (PUA)
FireEye	Gen:Heur.Munp.1
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1372994
Kingsoft	Win32.Troj.Unknown.a
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Win32.Trojan.Kryptik.U3OT72
McAfee	Artemis!B00C9BC60682
DeepInstinct	MALICIOUS
TrendMicro-HouseCall	Trojan.Win32.SOCKSSYSTEMZ.YXEJNZ
Tencent	Win32.Trojan.Agen.Akjl
huorong	HEUR:TrojanDropper/Agent.t
Fortinet	Riskware/NDAoF
AVG	Win32:Malware-gen
Paloalto	generic.ml

stories.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All