popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

The%20Foundry.exe

Generic Malware Malicious Library UPX Malicious Packer PE File dll OS Processor Check PE32 DllRegisterServer
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Jan. 13, 2025, 2:59 p.m. Jan. 13, 2025, 3:34 p.m.
Size 4.9MB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 65d24fbde2ce4007a7ff42c831a96702
SHA256 5ef7c2444825d6fe6161fe927a9bd02c1e9a37f4a2f76c8330a53a960d8c9c3d
CRC32 E1A49FBA
ssdeep 49152:VqUXp2k/AcGB1/qPzeQPk2wNo/MAx5Sh1kP47v9yAH+8VsCRMRI05gbVytJkwCrW:VtX9/Ge3fwNo0aEh+c+WgtVCrGOkS8q
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • DllRegisterServer_Zero - execute regsvr32.exe
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .symtab
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2840
region_size: 356352
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000100
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 2840
region_size: 356352
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000100
1 0 0
Process injection Process 2560 manipulating memory of non-child process 2840
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2840
region_size: 356352
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000100
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 2840
region_size: 356352
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000100
1 0 0

NtProtectVirtualMemory

 process_identifier: 2840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 2 (PAGE_READONLY)
base_address: 0x00000000
process_handle: 0x00000100
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00000000
process_handle: 0x00000100
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 2 (PAGE_READONLY)
base_address: 0x00000000
process_handle: 0x00000100
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 4 (PAGE_READWRITE)
base_address: 0x00000000
process_handle: 0x00000100
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 2 (PAGE_READONLY)
base_address: 0x00000000
process_handle: 0x00000100
3221225477 0
Process injection Process 2560 called NtSetContextThread to modify thread in remote process 2840
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 755264
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000110
process_identifier: 2840
1 0 0
Time & API Arguments Status Return Repeated

LdrGetProcedureAddress

 ordinal: 0
function_address: 0x0018fe29
function_name: wine_get_version
module: ntdll
module_address: 0x76f10000
3221225785 0
Time & API Arguments Status Return Repeated

NtGetContextThread

 thread_handle: 0x000000f4
1 0 0

NtSetContextThread

 registers.eip: 4605808
registers.esp: 182141780
registers.edi: 0
registers.eax: 0
registers.ebp: 14336
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000f4
process_identifier: 2560
1 0 0

NtResumeThread

 thread_handle: 0x000000f4
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x00000108
1 0 0

NtResumeThread

 thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x00000108
1 0 0

NtResumeThread

 thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x00000108
1 0 0

NtResumeThread

 thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x00000108
1 0 0

NtResumeThread

 thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2560
1 0 0

CreateProcessInternalW

 thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath: C:\Windows\Boot\PCAT\memtest.exe
track: 0
command_line:
filepath_r: C:\Windows\Boot\PCAT\memtest.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000000
0 0

NtGetContextThread

 thread_handle: 0x0000010c
1 0 0

NtResumeThread

 thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x0000010c
1 0 0

NtResumeThread

 thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x0000010c
1 0 0

NtResumeThread

 thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x0000010c
1 0 0

NtResumeThread

 thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x0000010c
1 0 0

NtResumeThread

 thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x0000010c
1 0 0

NtResumeThread

 thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x0000010c
1 0 0

NtSetContextThread

 registers.eip: 4605808
registers.esp: 182141988
registers.edi: 0
registers.eax: 0
registers.ebp: 55902
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000010c
process_identifier: 2560
1 0 0

NtResumeThread

 thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x0000010c
1 0 0

NtSetContextThread

 registers.eip: 4605808
registers.esp: 182141988
registers.edi: 0
registers.eax: 0
registers.ebp: 1
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000010c
process_identifier: 2560
1 0 0

NtResumeThread

 thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x0000010c
1 0 0

NtSetContextThread

 registers.eip: 4605808
registers.esp: 182141988
registers.edi: 0
registers.eax: 0
registers.ebp: 4
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000010c
process_identifier: 2560
1 0 0

NtResumeThread

 thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x00000108
1 0 0

NtSetContextThread

 registers.eip: 4605808
registers.esp: 182142032
registers.edi: 0
registers.eax: 0
registers.ebp: 48917
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000108
process_identifier: 2560
1 0 0

NtResumeThread

 thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x00000108
1 0 0

NtResumeThread

 thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x00000108
1 0 0

NtSetContextThread

 registers.eip: 4605808
registers.esp: 182142032
registers.edi: 0
registers.eax: 0
registers.ebp: 93296
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000108
process_identifier: 2560
1 0 0

NtResumeThread

 thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x00000108
1 0 0

NtSetContextThread

 registers.eip: 4605808
registers.esp: 182142032
registers.edi: 0
registers.eax: 0
registers.ebp: 7
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000108
process_identifier: 2560
1 0 0

NtResumeThread

 thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x00000108
1 0 0

NtSetContextThread

 registers.eip: 4605808
registers.esp: 182142032
registers.edi: 0
registers.eax: 0
registers.ebp: 605499
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000108
process_identifier: 2560
1 0 0

NtResumeThread

 thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x00000108
1 0 0

NtSetContextThread

 registers.eip: 4605808
registers.esp: 182141780
registers.edi: 0
registers.eax: 0
registers.ebp: 133843
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000108
process_identifier: 2560
1 0 0

NtResumeThread

 thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2560
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.ClipBanker.tscz
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.Ghanarava.1736689351a96702
Skyhigh BehavesLike.Win32.Trojan.rh
Cylance Unsafe
CrowdStrike win/malicious_confidence_100% (W)
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of WinGo/TrojanDropper.Agent.EK
APEX Malicious
Avast FileRepMalware [Misc]
Kaspersky Exploit.Win32.Shellcode.bzro
TrendMicro TrojanSpy.Win32.LUMMASTEALER.YXFALZ
McAfeeD ti!5EF7C2444825
CTX exe.trojan.shellcode
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Google Detected
Antiy-AVL Trojan/Win32.Agent
Kingsoft Win32.Exploit.Shellcode.a
Microsoft Trojan:Win32/Wacatac.B!ml
GData Win32.Trojan-Stealer.LummaStealer.U4C0EE
Varist W32/ABRisk.SAZR-5967
McAfee Artemis!65D24FBDE2CE
DeepInstinct MALICIOUS
VBA32 BScope.TrojanPSW.Agent
Malwarebytes Malware.AI.3999957528
Ikarus Trojan-Dropper.WinGo.Agent
TrendMicro-HouseCall TrojanSpy.Win32.LUMMASTEALER.YXFALZ
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Dropper.ES!tr
AVG FileRepMalware [Misc]
alibabacloud Trojan[dropper]:Multi/Wacatac.B9nj