Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 28, 2021, 7:39 a.m.	April 28, 2021, 7:42 a.m.

Size	782.0KB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`5b5a730628dc9eba2c12530d225c2f70`
SHA256	`e54f38d06a4f11e1b92bb7454e70c949d3e1a4db83894db1ab76e9d64146ee06`
CRC32	`D3684B27`
ssdeep	`6144:cZluCr7KHcEbEv+fKmwULUV8BoZM3q3Bur1VLcfZ1odtBk5Aum2m3axwRIeWWWWi:8Qb14ULr03Bur1Vgx1CtiyN9KxwRI`
Yara	IsPE64 - (no description) IsWindowsGUI - (no description) PE_Header_Zero - PE File Signature Zero win_registry - Affect system registries win_files_operation - Affect private profile

195145.exe "C:\Users\test22\AppData\Local\Temp\195145.exe"
2288
- cmd.exe cmd.exe /c echo NGAtoDgLpvgJwPLEPFdj>"C:\Users\test22\AppData\Local\Temp\DEMFE9C.tmp"&exit
  232

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch
192.99.178.145	Active	Moloch

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA April 28, 2021, 7:39 a.m.	computer_name: TEST22-PC	1	1	0

suspicious_features

POST method with no referer header

suspicious_request

POST http://dimentos.com/btn_bg

request	GET http://dimentos.com/bg
request	POST http://dimentos.com/btn_bg

request

POST http://dimentos.com/btn_bg

description

195145.exe tried to sleep 209 seconds, actually delayed analysis time by 209 seconds

cmdline

cmd.exe /c echo NGAtoDgLpvgJwPLEPFdj>"C:\Users\test22\AppData\Local\Temp\DEMFE9C.tmp"&exit

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 28, 2021, 7:39 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 262144 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00000000006c0000 process_handle: 0xffffffffffffffff	1	0	0

host	172.217.25.14
host	192.99.178.145

file	C:\Users\test22\AppData\Local\Temp\DEMFE9C.tmp

195145.exe