Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 20, 2024, 9:11 a.m.	Oct. 20, 2024, 9:43 a.m.

Size	156.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Foobar 1.0, Author: Acme Ltd., Keywords: Installer, Comments: This installer database contains the logic and data required to install Foobar 1.0., Template: Intel;0, Revision Number: {D5B08D6A-DC03-409A-AB72-D6164F95B141}, Create Time/Date: Fri Sep 27 19:02:48 2013, Last Saved Time/Date: Fri Sep 27 19:02:48 2013, Number of Pages: 100, Number of Words: 0, Name of Creating Application: Windows Installer XML (3.8.305.0), Security: 0
MD5	`229dd4025b3cc5374b9c40250023fa76`
SHA256	`b21fe6e102108b27d14d63f793ce92b2985047685e8af340e593605015e50708`
CRC32	`757C21E1`
ssdeep	`1536:Ek7KljKqKuyiTscabfEQw0mgnM7Mb+KR0Nc8QsJq3UDj0D:v7KxK27TJafnM7e0Nc8QsC`
Yara	Microsoft_Office_File_Zero - Microsoft Office File

msiexec.exe "C:\Windows\System32\msiexec.exe" /I C:\Users\test22\AppData\Local\Temp\update.msi
1508
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
86.104.74.31	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 20, 2024, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 20, 2024, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 20, 2024, 9:11 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 20, 2024, 9:11 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 20, 2024, 9:11 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 20, 2024, 9:11 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:11 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73de1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:11 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:11 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73481000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:11 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:11 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:11 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:11 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73431000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2024, 9:11 a.m.	process_identifier: 1508 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03570000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2024, 9:11 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:11 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73422000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2024, 9:11 a.m.	process_identifier: 1508 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03570000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2024, 9:11 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:11 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73351000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:11 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75ab1000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Oct. 20, 2024, 9:11 a.m.	total_number_of_free_bytes: 9933959168 free_bytes_available: 9933959168 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW Oct. 20, 2024, 9:11 a.m.	number_of_free_clusters: 2425283 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW Oct. 20, 2024, 9:11 a.m.	total_number_of_free_bytes: 9933959168 free_bytes_available: 9933959168 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW Oct. 20, 2024, 9:11 a.m.	number_of_free_clusters: 2425283 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 20, 2024, 9:11 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2024, 9:11 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2024, 9:11 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2024, 9:11 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2024, 9:11 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2024, 9:11 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2024, 9:11 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2024, 9:11 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2024, 9:11 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2024, 9:11 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2024, 9:11 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2024, 9:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2024, 9:11 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2024, 9:11 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2024, 9:11 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2024, 9:11 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

Communicates with host for which no DNS query was performed (1 event)

host

86.104.74.31

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

86.104.74.31:1911

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Lionic	Trojan.Win32.Swrort.4!c
ClamAV	Win.Trojan.Swrort-5710536-0
CTX	msi.trojan.cryptz
CAT-QuickHeal	Trojan.Swrort.A
Skyhigh	Swrort.i
ALYac	Trojan.CryptZ.Marte.1.Gen
VIPRE	Trojan.CryptZ.Marte.1.Gen
Sangfor	Trojan.Win32.Save.a
K7GW	Trojan ( 005856601 )
K7AntiVirus	Trojan ( 005856601 )
Arcabit	Trojan.CryptZ.Marte.1.Gen
VirIT	Trojan.MSI.Agent.GNJ
Symantec	Packed.Generic.347
ESET-NOD32	a variant of Win32/Rozena.AA
Avast	Win32:Meterpreter-C [Trj]
Cynet	Malicious (score: 99)
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.CryptZ.Marte.1.Gen
NANO-Antivirus	Virus.Win32.Gen-Crypt.ccnc
MicroWorld-eScan	Trojan.CryptZ.Marte.1.Gen
Rising	HackTool.Swrort!1.6477 (CLASSIC)
Emsisoft	Trojan.CryptZ.Marte.1.Gen (B)
F-Secure	Trojan.TR/Patched.Gen2
DrWeb	Trojan.Swrort.1
Zillya	Trojan.Rozena.Win32.222809
TrendMicro	Trojan.Win32.METERPRETER.SMV
Sophos	ATK/Venom-D
Ikarus	Trojan.Win32.Swrort
FireEye	Trojan.CryptZ.Marte.1.Gen
Google	Detected
Avira	TR/Patched.Gen2
Antiy-AVL	Trojan/Win32.Rozena
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Trojan.Win32.Swrort.zv!s2
Xcitium	TrojWare.Win32.Rozena.A@4jwdqr
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Trojan.CryptZ.Marte.1.Gen
Varist	W32/Swrort.A.gen!Eldorado
AhnLab-V3	Trojan/Win32.Shell.R1283
McAfee	Swrort.i
VBA32	BScope.Trojan.Metasploit
Tencent	Trojan.Win32.Metasploit_heur.16000690
huorong	VirTool/Meterpreter.a
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	W32/Rozena.ABV!tr
AVG	Win32:Meterpreter-C [Trj]
alibabacloud	Backdoor:Win/meterpreter.A

update.msi

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All