Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 8, 2025, 5:16 a.m.	April 8, 2025, 5:18 a.m.

Size	80.0KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`e59a1f8f4039ee8470009ef03a5cd292`
SHA256	`288da46cbf4aa6e74d650c31a50771afcac499ffc76c349153cceccd317cbb4f`
CRC32	`22227BE5`
ssdeep	`768:Io3pL/sVYzfwoWjIEQFOY+yBoGrAHCFcmlNPdHwvYXzl0MyxbgrxVH:IgLGbHBmlPD+HZgrxJ`
PDB Path	TSSysprep.pdb
Yara	PE_Header_Zero - PE File Signature Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet IsPE64 - (no description) IsDLL - (no description) Malicious_Packer_Zero - Malicious Packer

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,AppsrvSysPrepSpecializeOffline
2632
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,AppsrvSysPrepSpecializeOffline
  2976
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,AppsrvSysPrepGeneralize
2548
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,AppsrvSysPrepGeneralize
  2984
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,AppsrvSysPrepSpecializeOnline
2724
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,AppsrvSysPrepSpecializeOnline
  1120
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,CBrokerSysPrepGeneralize
2812
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,CBrokerSysPrepGeneralize
  1400
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,CBrokerSysPrepSpecializeOffline
2908
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,CBrokerSysPrepSpecializeOffline
  2464
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,CBrokerSysPrepSpecializeOnline
2052
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,CBrokerSysPrepSpecializeOnline
  2504
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,LSMSysPrepBackup
196
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,LSMSysPrepBackup
  2540
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,LSMSysPrepRestoreOffline
2436
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,LSMSysPrepRestoreOffline
  2892
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,LSMSysPrepRestoreOnline
2792
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,LSMSysPrepRestoreOnline
  2088
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,RCMSysPrepGeneralize
2068
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,RCMSysPrepGeneralize
  2720
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,RdpSysPrepGeneralize
2616
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,RdpSysPrepGeneralize
  2232
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,RdpSysPrepRestoreOffline
2836
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,RdpSysPrepRestoreOffline
  2860
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,RdpSysPrepRestoreOnline
3032
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,RdpSysPrepRestoreOnline
  2416
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\tssysprep.dll,
2772

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

TSSysprep.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

fothk

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 8, 2025, 5:10 a.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000074429000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 8, 2025, 5:10 a.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000074337000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 8, 2025, 5:10 a.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000742e9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 8, 2025, 5:09 a.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000074429000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 8, 2025, 5:09 a.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000074337000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 8, 2025, 5:09 a.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000742e9000 process_handle: 0xffffffffffffffff	1

tssysprep.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All