Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 28, 2025, 9:03 a.m.	April 28, 2025, 9:05 a.m.

Size	196.5KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`c6dde31a037cbe64c608b053de821d5b`
SHA256	`19c20a75582a9be0b017cb3c208aa5222344e9173216125bae5297cab4c67a84`
CRC32	`D4AA30F5`
ssdeep	`3072:4//0pc30jAF9lmTYZxC1NrH744XYLtFweIwmOO6QWtOYJXOAg0FujpEp7bL:4HvJiYedH7zYLvweIHOO++AOQHL`
Yara	PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsDLL - (no description) Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\WWLIB.dll,DllCanUnloadNow
2552
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\WWLIB.dll,DllGetClassObject
2640
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\WWLIB.dll,DllGetLCID
2732
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\WWLIB.dll,DllMain
2824
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\WWLIB.dll,FMain
2920
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\WWLIB.dll,_GetAllocCounters@0
3068
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\WWLIB.dll,wdCommandDispatch
1356
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\WWLIB.dll,wdGetApplicationObject
2420
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\WWLIB.dll,
2636

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 28, 2025, 9:03 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 28, 2025, 9:03 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25 rundll32+0x135c @ 0xce135c rundll32+0x1901 @ 0xce1901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75ac3ef4 registers.esp: 1047588 registers.edi: 0 registers.eax: 47811216 registers.ebp: 1047616 registers.edx: 1 registers.ebx: 0 registers.esi: 2408784 registers.ecx: 1932342748	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 28, 2025, 9:03 a.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25
rundll32+0x135c @ 0xce135c
rundll32+0x1901 @ 0xce1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75ac3ef4
registers.esp: 1047588
registers.edi: 0
registers.eax: 47811216
registers.ebp: 1047616
registers.edx: 1
registers.ebx: 0
registers.esi: 2408784
registers.ecx: 1932342748

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 28, 2025, 9:03 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 9:03 a.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 9:03 a.m.	process_identifier: 2732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 9:03 a.m.	process_identifier: 2824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73952000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 9:03 a.m.	process_identifier: 2920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73952000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 9:03 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73952000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 9:03 a.m.	process_identifier: 1356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73952000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 9:03 a.m.	process_identifier: 2420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73952000 process_handle: 0xffffffff	1

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Dllhijacker
Skyhigh	BehavesLike.Win32.PUP.ch
ALYac	Gen:Variant.Fragtor.778380
Cylance	Unsafe
VIPRE	Gen:Variant.Fragtor.778380
Sangfor	Trojan.Win32.Shellcoderunner.Vizm
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Fragtor.778380
K7GW	Trojan ( 005c626a1 )
K7AntiVirus	Trojan ( 005c626a1 )
Arcabit	Trojan.Fragtor.DBE08C
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/ShellcodeRunner.UH
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	VHO:Trojan.Win32.DllHijacker.gen
MicroWorld-eScan	Gen:Variant.Fragtor.778380
Rising	Trojan.Kryptik@AI.80 (RDML:B9i4+D8kJDYQC6H/9QK1AA)
Emsisoft	Gen:Variant.Fragtor.778380 (B)
F-Secure	Trojan.TR/Redcap.bmerb
McAfeeD	ti!19C20A75582A
CTX	dll.trojan.shellcoderunner
Sophos	Mal/Generic-S
Jiangmin	Trojan.Fragtor.ag
Google	Detected
Avira	TR/Redcap.bmerb
Antiy-AVL	GrayWare/Win32.Wacapew
Kingsoft	Win32.Trojan.DllHijacker.gen
Xcitium	Malware@#2y0400l2876my
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Gen:Variant.Fragtor.778380
Varist	W32/ABApplication.DTDD-1333
AhnLab-V3	Trojan/Win.Generic.C5689449
McAfee	Artemis!C6DDE31A037C
DeepInstinct	MALICIOUS
Ikarus	Trojan.Win32.Shellcoderunner
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H09DO25
Tencent	Win32.Trojan.Gencirc.Pjgl
huorong	Trojan/Generic!6098E0AD1C6EB1E5
Fortinet	W32/ShellcodeRunner.UH!tr
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan:Win/ShellcodeRunner.UJ

WWLIB.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All