Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 2, 2025, 9:53 a.m.	April 2, 2025, 10:03 a.m.

Size	344.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MyProduct, Author: MyCompany, Keywords: Installer, Comments: This installer database contains the logic and data required to install MyProduct., Template: Intel;1033, Revision Number: {A2E9CDC2-0714-4580-A887-2EE4D0EFD60C}, Create Time/Date: Tue Mar 18 09:10:42 2025, Last Saved Time/Date: Tue Mar 18 09:10:42 2025, Number of Pages: 500, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
MD5	`36458266f31dc9867c144bf20bd9ca05`
SHA256	`887fa91190d0f0bfa150b7b887fa8407c273d70767b9912a6a29456a5bb39cc8`
CRC32	`F4CF1377`
ssdeep	`6144:Ft/hTzVPdL2Hw1SM4nBnkPjx/PgdYwaWWIuWtRV6+9BFK7QZLHL4+BZ3Y/:T/FzVPcQxcRE9PiYw8Ibk+ZK7QLHU`
Yara	CAB_file_format - CAB archive file Microsoft_Office_File_Zero - Microsoft Office File

msiexec.exe "C:\Windows\System32\msiexec.exe" /I C:\Users\test22\AppData\Local\Temp\r.msi
2544

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 2, 2025, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 2, 2025, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 2, 2025, 9:53 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 2, 2025, 9:53 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 2, 2025, 9:53 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 2, 2025, 9:53 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2025, 9:53 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2025, 9:53 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2025, 9:53 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ac4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2025, 9:53 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b02000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2025, 9:53 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72781000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2025, 9:53 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72761000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2025, 9:53 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2025, 9:53 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2025, 9:53 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726f1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2025, 9:53 a.m.	process_identifier: 2544 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03b90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2025, 9:53 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2025, 9:53 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2025, 9:53 a.m.	process_identifier: 2544 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03780000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 2, 2025, 9:53 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2025, 9:53 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72611000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2025, 9:53 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75511000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW April 2, 2025, 9:53 a.m.	total_number_of_free_bytes: 13322448896 free_bytes_available: 13322448896 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceW April 2, 2025, 9:53 a.m.	number_of_free_clusters: 3252551 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 2, 2025, 9:53 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 2, 2025, 9:53 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW April 2, 2025, 9:53 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW April 2, 2025, 9:53 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW April 2, 2025, 9:53 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW April 2, 2025, 9:53 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW April 2, 2025, 9:53 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW April 2, 2025, 9:53 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW April 2, 2025, 9:53 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW April 2, 2025, 9:53 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW April 2, 2025, 9:53 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 2, 2025, 9:53 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 2, 2025, 9:53 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW April 2, 2025, 9:53 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW April 2, 2025, 9:53 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW April 2, 2025, 9:53 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Lionic	Trojan.Win32.Crysan.m!c
CTX	msi.trojan.msil
CAT-QuickHeal	Trojan.Ghanarava.1743457533665a40
Skyhigh	Artemis!Trojan
ALYac	Gen:Trojan.Mardom.IN.9
VIPRE	Gen:Trojan.Mardom.IN.9
Sangfor	Suspicious.Win32.Save.a
K7GW	Trojan ( 005b9f041 )
K7AntiVirus	Trojan ( 005b9f041 )
Arcabit	Trojan.Mardom.IN.9
VirIT	Trojan.MSI.Agent.HXB
Symantec	Trojan Horse
ESET-NOD32	a variant of MSIL/Kryptik.AMFY
Avast	Win32:BackdoorX-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Backdoor.MSIL.Crysan.gen
BitDefender	Gen:Trojan.Mardom.IN.9
NANO-Antivirus	Trojan.Win32.Crysan.kwkowi
MicroWorld-eScan	Gen:Trojan.Mardom.IN.9
Rising	Malware.Obfus/MSIL@AI.98 (RDM.MSIL2:oAxWfEtBgsE4heFau3k41g)
Emsisoft	Gen:Trojan.Mardom.IN.9 (B)
F-Secure	Trojan.TR/Dropper.Gen
Sophos	Mal/Generic-S
FireEye	Gen:Trojan.Mardom.IN.9
Google	Detected
Avira	TR/Dropper.Gen
GData	Gen:Trojan.Mardom.IN.9
Varist	W32/MSIL_Kryptik.MBK.gen!Eldorado
McAfee	Artemis!7A8BE2EA6B03
VBA32	Malware-Cryptor.MSIL.Alpha.Heur
Ikarus	Trojan-Spy.MSIL.AgentTesla
Tencent	Malware.Win32.Gencirc.1459c94f
huorong	Backdoor/MSIL.AsyncRAT.p
Fortinet	MSIL/Kryptik.AMFY!tr
AVG	Win32:BackdoorX-gen [Trj]
alibabacloud	Backdoor:MSIL/Jalapeno.AJ8PHU

r.msi

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All