Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 10, 2025, 11:54 a.m.	Jan. 10, 2025, 12:01 p.m.

Size	5.3MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`67b35433e066311e95419af40384dd92`
SHA256	`ef35b2565f53ea0320bf89a40de1589cf72ee363539da934c921d8b9ebccd7a3`
CRC32	`3175E6E1`
ssdeep	`49152:EZ56i1Ees+IdVGHMq40r5QrKiENtuJOmdMZlFXEmK4SacLrbzJy+EDKHy6k1Koy:Ej6i15wdVGHM9Q5tN2h/Fy+H9`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer DllRegisterServer_Zero - execute regsvr32.exe IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

DyM4yXX.exe "C:\Users\test22\AppData\Local\Temp\DyM4yXX.exe"
2572

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.symtab

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Potentially malicious URLs were found in the process memory dump (2 events)

url	https://steamcommunity.com/profiles/76561199816275252
url	https://t.me/no111p

Yara rule detected in process memory (15 events)

description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 10, 2025, 11:55 a.m.	process_identifier: 2836 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000fc	1	0	0
NtProtectVirtualMemory Jan. 10, 2025, 11:55 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xc324048b process_handle: 0x000000fc		3221225477	0

Manipulates memory of a non-child process indicative of process injection (9 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2572 manipulating memory of non-child process 2836
NtAllocateVirtualMemory Jan. 10, 2025, 11:55 a.m.	process_identifier: 2836 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000fc	1	0	0
NtProtectVirtualMemory Jan. 10, 2025, 11:55 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 2 (PAGE_READONLY) base_address: 0x00905a4d process_handle: 0x000000fc		3221225477	0
NtProtectVirtualMemory Jan. 10, 2025, 11:55 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xc324048b process_handle: 0x000000fc		3221225477	0
NtProtectVirtualMemory Jan. 10, 2025, 11:55 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 2 (PAGE_READONLY) base_address: 0x707401f9 process_handle: 0x000000fc		3221225477	0
NtProtectVirtualMemory Jan. 10, 2025, 11:55 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 4 (PAGE_READWRITE) base_address: 0x89006e1c process_handle: 0x000000fc		3221225477	0
NtProtectVirtualMemory Jan. 10, 2025, 11:55 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 2 (PAGE_READONLY) base_address: 0xfffe3be9 process_handle: 0x000000fc		3221225477	0
NtProtectVirtualMemory Jan. 10, 2025, 11:55 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 2 (PAGE_READONLY) base_address: 0xbaf18900 process_handle: 0x000000fc		3221225477	0
NtProtectVirtualMemory Jan. 10, 2025, 11:55 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 2 (PAGE_READONLY) base_address: 0x1824948b process_handle: 0x000000fc		3221225477	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2572 called NtSetContextThread to modify thread in remote process 2836
NtSetContextThread Jan. 10, 2025, 11:55 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4381067 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000120 process_identifier: 2836	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2572 resumed a thread in remote process 2836
NtResumeThread Jan. 10, 2025, 11:55 a.m.	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2836	1	0	0

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Jan. 10, 2025, 11:54 a.m.	ordinal: 0 function_address: 0x0018fe29 function_name: wine_get_version module: ntdll module_address: 0x76f10000		3221225785	0

Executed a process and injected code into it, probably while unpacking (47 events)

Time & API	Arguments	Status	Return
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000fc	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000fc suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000fc	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000fc suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000f8	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000f8 suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000fc	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000fc suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000fc	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000fc suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000fc	1	0
NtSetContextThread Jan. 10, 2025, 11:54 a.m.	registers.eip: 4606576 registers.esp: 182606176 registers.edi: 0 registers.eax: 0 registers.ebp: 67584 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000fc process_identifier: 2572	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000fc suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000fc	1	0
NtSetContextThread Jan. 10, 2025, 11:54 a.m.	registers.eip: 4606576 registers.esp: 182606176 registers.edi: 0 registers.eax: 0 registers.ebp: 134850 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000fc process_identifier: 2572	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000fc suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000fc	1	0
NtSetContextThread Jan. 10, 2025, 11:54 a.m.	registers.eip: 4606576 registers.esp: 182606176 registers.edi: 0 registers.eax: 0 registers.ebp: 213553 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000fc process_identifier: 2572	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x000000fc suspend_count: 1 process_identifier: 2572	1	0
CreateProcessInternalW Jan. 10, 2025, 11:54 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: C:\Windows\Boot\PCAT\memtest.exe track: 0 command_line: filepath_r: C:\Windows\Boot\PCAT\memtest.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000		0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x0000011c	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x0000011c suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x0000011c	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x0000011c suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x0000011c	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x0000011c suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x0000011c	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x0000011c suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x00000118	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x00000118	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x00000118	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x00000118	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x00000120	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x00000120	1	0
NtResumeThread Jan. 10, 2025, 11:54 a.m.	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2572	1	0
CreateProcessInternalW Jan. 10, 2025, 11:54 a.m.	thread_identifier: 2840 thread_handle: 0x00000120 process_identifier: 2836 current_directory: filepath: C:\Windows\Installer\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\ARPPRODUCTICON.exe track: 1 command_line: filepath_r: C:\Windows\Installer\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\ARPPRODUCTICON.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000fc	1	1
NtGetContextThread Jan. 10, 2025, 11:55 a.m.	thread_handle: 0x00000120	1	0
NtAllocateVirtualMemory Jan. 10, 2025, 11:55 a.m.	process_identifier: 2836 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000fc	1	0
NtSetContextThread Jan. 10, 2025, 11:55 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4381067 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000120 process_identifier: 2836	1	0
NtResumeThread Jan. 10, 2025, 11:55 a.m.	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2836	1	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Encoder.tsd0
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Trojan.th
Cylance	Unsafe
Sangfor	Dropper.Win32.Agent.V1pe
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.75314783
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of WinGo/TrojanDropper.Agent.EK
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	Trojan.Win32.Inject.aqhtx
MicroWorld-eScan	Trojan.GenericKD.75314783
Emsisoft	Trojan.GenericKD.75314783 (B)
F-Secure	Trojan.TR/AVI.Agent.cpelz
DrWeb	Trojan.PWS.Steam.37882
TrendMicro	TrojanSpy.Win32.VIDAR.YXFAIZ
McAfeeD	ti!EF35B2565F53
CTX	exe.trojan.generic
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.67b35433e066311e
Google	Detected
Avira	TR/AVI.Agent.cpelz
Kingsoft	Win32.Trojan.Inject.aqhtx
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Win32.Trojan.Agent.Y9SDL0
Varist	W32/ABRisk.AOGJ-4544
VBA32	BScope.TrojanPSW.Agent
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.3999957528
Ikarus	Trojan-Dropper.WinGo.Agent
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TrojanSpy.Win32.VIDAR.YXFAIZ
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Dropper.ES!tr
AVG	Win32:Malware-gen
Paloalto	generic.ml
alibabacloud	Trojan[dropper]:Multi/Sabsik.FE

DyM4yXX.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All