Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 6, 2021, 4:40 p.m.	April 6, 2021, 4:42 p.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`aa2bac3e53d4a670c8728f862f5e2650`
SHA256	`2cf4726e7806ccf6017b5aadfa4f0efd07a419b39b738bfa89aa02d53fbc9213`
CRC32	`1C3FAE47`
ssdeep	`49152:nuuE7AnqIxGrGYyZa/tgrYJUGfZC3wA6EylfwEaFWd:ZE7AqrlyutLxC3sEwwMd`
PDB Path	F:\SogouSoftwareWorkDir\SogouSoftware\Src\MiniDownLoad\Release\MiniDownLoad.pdb
Yara	network_http - Communications over HTTP escalate_priv - Escalade priviledges screenshot - Take screenshot win_mutex - Create or check mutex win_registry - Affect system registries win_token - Affect system token win_private_profile - Affect private profile win_files_operation - Affect private profile Str_Win32_Wininet_Library - Match Windows Inet API library declaration Str_Win32_Internet_API - Match Windows Inet API call Str_Win32_Http_API - Match Windows Http API call PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasDigitalSignature - DigitalSignature Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

sogoufgnm.e "C:\Users\test22\AppData\Local\Temp\sogoufgnm.e"
2388
- minidownload.exe "C:\Users\test22\AppData\Local\Temp\minidownload.exe"
  2228
- SogouSoftware.exe "C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe" /Loader /DownLoad?status=true&softurl=https%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3D0Gd8piB6093518VUa7LBm1yIV6zqZFKj7ZQhfT9UvWntIAHwiQ60LS9VE9K5JGL4ccLmMA35vaynNvDGLImuBKXx_e1nVgQflvXxL3SFyOAD9A2rvYXC5q-OWVXw9TPa%26pcid%3D-7859875430131646001%26w%3D1950%26filename%3DInternet%2BExplorer%2B8.0%2BFor%2BXP%2B%E6%AD%A3%E5%BC%8F%E7%89%88.rar%26extra%3D8_pc6%26source%3Dpc6%26downloadtype%3Dsoftware%26stamp%3D20210406&iconurl=https%3A%2F%2Fimg02.sogoucdn.com%2Fv2%2Fthumb%2Fretype%2Fext%2Fjpg%2Fcls%2Fimagick%3Fappid%3D200504%26url%3Dhttp%3A%2F%2F3.pic.pc6.com%2Fup%2F2015-8%2F2015826153155.jpg&softname=Internet+Explorer+8&softsize=16.0+MB
  1316

Name	Response	Post-Analysis Lookup
yze.t.sogou.com	A 119.206.200.180 CNAME yze.t.sogou.com.wscdns.com	119.206.200.180
ping.t.sogou.com	A 211.159.235.216	211.159.235.216
yz.app.sogou.com	A 118.191.216.57 A 118.191.216.42 A 119.28.109.132	119.28.109.132
img02.sogoucdn.com	A 211.152.132.118 CNAME img02.sogoucdn.com.tweb.sched.ovscdns.com CNAME img02.sogoucdn.com.cdn.dnsv1.com A 211.152.132.122	211.152.132.122
xz.sogou.com	A 118.191.216.57 A 118.191.216.42 A 119.28.109.132	49.51.65.181

IP Address	Status	Action
118.191.216.42	Active	Moloch
118.191.216.57	Active	Moloch
119.206.200.180	Active	Moloch
164.124.101.2	Active	Moloch
211.152.132.118	Active	Moloch
211.159.235.216	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

F:\SogouSoftwareWorkDir\SogouSoftware\Src\MiniDownLoad\Release\MiniDownLoad.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 6, 2021, 2:43 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

EXE

Performs some HTTP requests (6 events)

request	GET http://yz.app.sogou.com/appinfo?num=22236
request	GET http://ping.t.sogou.com/pingd?srctype=sogousoftware&gid=xsCGk!CWs9I2rT9N79KjMx0000o60f--&unc=sogousoftware_normal&t=10&rand=1617697427
request	GET http://xz.sogou.com/handleUserIdDb256?userid=85c9aa53e9ba709b026f72711c9b93c2&downloadtype=bpackage&unc=sogousoftware_normal&pcid=0&mode=recommend
request	GET http://yze.t.sogou.com/externalapp/3.2.2.58/SogouSoftwareExternalApp.exe
request	HEAD https://img02.sogoucdn.com/v2/thumb/retype/ext/jpg/cls/imagick?appid=200504&url=http://3.pic.pc6.com/up/2015-8/2015826153155.jpg
request	GET https://img02.sogoucdn.com/v2/thumb/retype/ext/jpg/cls/imagick?appid=200504&url=http://3.pic.pc6.com/up/2015-8/2015826153155.jpg

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 1316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 1316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736f2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 1316 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 1316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Foreign language identified in PE resource (10 events)

name

EXE

language

LANG_CHINESE

filetype

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0003a310

size

0x001ef578

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00243ce8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00243ce8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00243ce8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00243ce8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00243ce8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00243ce8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00243ce8

size

0x00000468

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00244150

size

0x00000068

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002441b8

size

0x000002f4

Creates executable files on the filesystem (15 events)

file	C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe
file	C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe
file	C:\Program Files (x86)\SogouSoftware\download\download\msvcr71.dll
file	C:\Program Files (x86)\SogouSoftware\crash\ExceptionReport.exe
file	C:\Program Files (x86)\SogouSoftware\download\xldl.dll
file	C:\Program Files (x86)\SogouSoftware\download\download\msvcp71.dll
file	C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe
file	C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
file	C:\Program Files (x86)\SogouSoftware\download\download\download_engine.dll
file	C:\Program Files (x86)\SogouSoftware\download\download\atl71.dll
file	C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe
file	C:\Users\test22\AppData\Local\Temp\minidownload.exe
file	C:\Program Files (x86)\SogouSoftware\download\download\zlib1.dll
file	C:\Program Files (x86)\SogouSoftware\SogouSoftwareLoader.dll
file	C:\Program Files (x86)\SogouSoftware\download\download\dl_peer_id.dll

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\minidownload.exe
file	C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\minidownload.exe

An executable file was downloaded by the process sogousoftware.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv April 6, 2021, 2:43 p.m.	buffer: HTTP/1.1 200 OK Date: Tue, 06 Apr 2021 07:41:01 GMT Content-Type: application/octet-stream Content-Length: 12435040 Connection: keep-alive ETag: "1939545478" Accept-Ranges: bytes Last-Modified: Mon, 12 Dec 2016 13:03:15 GMT Server: WS CDN Server Age: 2332209 X-Via: 1.1 PSfjqzdxsq151:5 (Cdn Cache Server V2.0)[7 200 0], 1.1 PShgseSEL5ps83:3 (Cdn Cache Server V2.0)[0 200 0] X-Ws-Request-Id: 606c108d_PShgseSEL5ps83_65423-15249 MZÿÿ¸@Øº´ Í!¸LÍ!This program cannot be run in DOS mode. $1¸:uÙêiuÙêiuÙêi¶ÖµiwÙêiuÙëiîÙêi¶Ö·idÙêi!úÚiÙêi²ßìitÙêiRichuÙêiPELÁãKàZÔË0p@POS¾¤s´ànH¥½p.textÒXZ `.rdatap^@@.datax¯p@ received: 1024 socket: 1464	1	1024	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0020a800', u'virtual_address': u'0x0003a000', u'entropy': 7.935676122614296, u'name': u'.rsrc', u'virtual_size': u'0x0020a638'}

entropy

7.93567612261

description

A section with a high entropy has been found

entropy

0.900279991385

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://nsis.sf.net/NSIS_Error

Yara rule detected in process memory (14 events)

description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob

Network activity contains more than one unique useragent (3 events)

process	sogoufgnm.e	useragent	HttpDownload
process	sogoufgnm.e	useragent	HttpRequest
process	SogouSoftware.exe	useragent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; {D9D54F49-E51C-445e-92F2-1EE3C2313240})

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2388 resumed a thread in remote process 2228
NtResumeThread April 6, 2021, 2:43 p.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 2228	1	0	0

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.aa2bac3e53d4a670
CAT-QuickHeal	Trojan.MauvaiseRI.S5244821
McAfee	PUP-FTL
Cylance	Unsafe
Zillya	Downloader.SogouCRTD.Win32.237
Sangfor	Malware
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Downloader:Win32/Sogou.6d827b47
K7GW	Riskware ( 0040eff71 )
Invincea	Generic ML PUA (PUA)
Cyren	W32/Sogou.H.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Worm.Chir-2282
Kaspersky	not-a-virus:Downloader.Win32.Sogou.g
NANO-Antivirus	Trojan.Win32.Gbot.fgypno
Emsisoft	Application.Chindo (A)
Comodo	Application.Win32.Sogou.C@6e9656
F-Secure	Adware.ADWARE/Sogou.wqqyp
DrWeb	BackDoor.Gbot.2850
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_FRS.VSN03H18
McAfee-GW-Edition	PUP-FTL
SentinelOne	DFI - Malicious PE
Webroot	Adware.Sogou
Avira	ADWARE/Sogou.wqqyp
Antiy-AVL	RiskWare[Downloader]/Win32.Sogou
Microsoft	PUA:Win32/Sogou
AegisLab	Riskware.Win32.Sogou.1!c
ZoneAlarm	not-a-virus:Downloader.Win32.Sogou.g
GData	Win32.Trojan.Agent.28ICKY
Cynet	Malicious (score: 100)
AhnLab-V3	PUP/Win32.Downloader.R180775
VBA32	Downloader.Sogou
MAX	malware (ai score=100)
Malwarebytes	Adware.Sogou
ESET-NOD32	a variant of Win32/Sogou.H potentially unwanted
TrendMicro-HouseCall	TROJ_FRS.VSN03H18
Yandex	PUA.Downloader!
Ikarus	PUA.Sogou
eGambit	Unsafe.AI_Score_99%
AVG	Win32:Malware-gen
Panda	PUP/Sogou
CrowdStrike	win/malicious_confidence_80% (D)

sogoufgnm.e

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All