Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 17, 2021, 6:37 p.m.	March 17, 2021, 6:39 p.m.

Size	449.6KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`e4647cc71d27837d5cb8a9a0b0707dab`
SHA256	`161464a54fb29e8c1f46bd11a514f26c10edccc258af5a38a1e6ae10db859ac7`
CRC32	`2C6B9F82`
ssdeep	`6144:QTqjFhWfTXx1ETE+woZQ7zjUs+RhLxj2mbxAH/ryuuy:IKW7B1cE6kjUTRhFS0Mr1`
Yara	PE_Header_Zero - PE File Signature Zero escalate_priv - Escalade priviledges screenshot - Take screenshot win_registry - Affect system registries win_token - Affect system token win_private_profile - Affect private profile win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check HasRichSignature - Rich Signature Check

winlog.exe "C:\Users\test22\AppData\Local\Temp\winlog.exe"
2548
- winlog.exe "C:\Users\test22\AppData\Local\Temp\winlog.exe"
  2208

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA March 17, 2021, 6:37 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW March 17, 2021, 6:37 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 17, 2021, 6:37 p.m.			0	0
IsDebuggerPresent March 17, 2021, 6:37 p.m.			0	0
IsDebuggerPresent March 17, 2021, 6:37 p.m.			0	0
IsDebuggerPresent March 17, 2021, 6:37 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 17, 2021, 6:37 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 17, 2021, 6:37 p.m.	stacktrace: SafeArrayDestroy+0xf SafeArrayUnlock-0x1d6 oleaut32+0x1defa @ 0x767bdefa winlog+0x12d5 @ 0x4012d5 winlog+0x14e5 @ 0x4014e5 winlog+0x1819 @ 0x401819 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 5e 08 0f 87 e6 9e 01 00 57 0f b7 7e 02 f7 c7 exception.symbol: SafeArrayDestroy+0x2c SafeArrayUnlock-0x1b9 oleaut32+0x1df17 exception.instruction: cmp dword ptr [esi + 8], ebx exception.module: OLEAUT32.dll exception.exception_code: 0xc0000005 exception.offset: 122647 exception.address: 0x767bdf17 registers.esp: 1637996 registers.edi: 2147942411 registers.eax: 0 registers.ebp: 1638004 registers.edx: 93 registers.ebx: 0 registers.esi: 164864 registers.ecx: 5281424	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 17, 2021, 6:37 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 6:37 p.m.	process_identifier: 2208 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 6:37 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 17, 2021, 6:37 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72101000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 17, 2021, 6:37 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72102000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 6:37 p.m.	process_identifier: 2208 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 6:37 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 6:37 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00472000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 6:37 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02011000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 6:37 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 6:37 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 6:37 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 6:37 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 6:37 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 6:37 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsn62EB.tmp\wu24vyl5r9wvo3.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsn62EB.tmp\wu24vyl5r9wvo3.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (10 events)

Time & API	Arguments	Status	Return
Process32NextW March 17, 2021, 6:37 p.m.	snapshot_handle: 0x00000210 process_name: audiodg.exe process_identifier: 892	1	1
Process32NextW March 17, 2021, 6:37 p.m.	snapshot_handle: 0x00000210 process_name: WmiPrvSE.exe process_identifier: 1916	1	1
Process32NextW March 17, 2021, 6:37 p.m.	snapshot_handle: 0x00000210 process_name: pw.exe process_identifier: 2816	1	1
Process32NextW March 17, 2021, 6:37 p.m.	snapshot_handle: 0x00000210 process_name: SearchIndexer.exe process_identifier: 2940	1	1
Process32NextW March 17, 2021, 6:37 p.m.	snapshot_handle: 0x00000210 process_name: SearchProtocolHost.exe process_identifier: 1480	1	1
Process32NextW March 17, 2021, 6:37 p.m.	snapshot_handle: 0x00000210 process_name: SearchFilterHost.exe process_identifier: 3040	1	1
Process32NextW March 17, 2021, 6:37 p.m.	snapshot_handle: 0x00000210 process_name: SearchProtocolHost.exe process_identifier: 2120	1	1
Process32NextW March 17, 2021, 6:37 p.m.	snapshot_handle: 0x00000210 process_name: mobsync.exe process_identifier: 2064	1	1
Process32NextW March 17, 2021, 6:37 p.m.	snapshot_handle: 0x00000210 process_name: pw.exe process_identifier: 3064	1	1
Process32NextW March 17, 2021, 6:37 p.m.	snapshot_handle: 0x00000210 process_name: taskhost.exe process_identifier: 2576	1	1

Potentially malicious URLs were found in the process memory dump (12 events)

url	http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
url	http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0
url	http://microsoft.com0
url	http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
url	http://www.microsoft.com/pkiops/docs/primarycps.htm0
url	http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
url	http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
url	http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
url	http://www.microsoft.com/PKI/docs/CPS/default.htm0
url	http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
url	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a
url	http://nsis.sf.net/NSIS_Error

Yara rule detected in process memory (50 out of 86 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west file	rule	spreading_file
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 called NtSetContextThread to modify thread in remote process 2208
NtSetContextThread March 17, 2021, 6:37 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4200587 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000220 process_identifier: 2208	1	0	0

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
FireEye	Generic.mg.e4647cc71d27837d
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.f7adfd
Cyren	W32/Injector.AFV.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Rising	Trojan.Injector!8.C4 (CLOUD)
Sophos	Mal/Generic-S (PUA)
McAfee-GW-Edition	BehavesLike.Win32.Dropper.gh
SentinelOne	Static AI - Suspicious PE
Avira	HEUR/AGEN.1134255
Gridinsoft	Risk.Win32.CoinMiner.sd!s1
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:Win32/Wacatac.B!ml
Cynet	Malicious (score: 90)
ESET-NOD32	a variant of Win32/Injector.EOWN
McAfee	RDN/Generic.dx
Malwarebytes	Generic.Malware/Suspicious
APEX	Malicious
Fortinet	W32/Injector.EOWC!tr
AVG	Win32:MalwareX-gen [Trj]
CrowdStrike	win/malicious_confidence_60% (W)
Qihoo-360	Win32/Heur.Generic.HxQB8SEA

winlog.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All