Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 12, 2021, 9:34 a.m.	May 12, 2021, 9:39 a.m.

Size	438.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`01fbd69aa44b75f2948a817f340d599b`
SHA256	`18b056a1951f2e7c4ab96095d25e015da4e456493d0591c94584a9063c399025`
CRC32	`4B25001F`
ssdeep	`6144:oQoY7z0MVihidNhYkQRKUJTB4a4svREAHGz8xA4XgPwhparyyb49tTFDbEA38i7:kY7xYidNhYjwvsRHo8xnXQ2B28FvEzi`
Yara	IsPE64 - (no description) OS_Processor_Check_Zero - OS Processor Check PE_Header_Zero - PE File Signature

wd10dale.exe "C:\Users\test22\AppData\Local\Temp\wd10dale.exe"
2212
- sethc.exe C:\Windows\system32\sethc.exe
  2264

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.212.47.147	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 12, 2021, 9:27 a.m.	computer_name: TEST22-PC	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 12, 2021, 9:27 a.m.	process_identifier: 2264 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 12, 2021, 9:27 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 262144 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000000090000 process_handle: 0x0000000000000090	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0004bc00', u'virtual_address': u'0x00021000', u'entropy': 7.993204949075783, u'name': u'.data', u'virtual_size': u'0x0004d03c'}

entropy

7.99320494908

description

A section with a high entropy has been found

entropy

0.692571428571

description

Overall entropy of this PE file is high

Yara rule detected in process memory (15 events)

description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: a2780185317f5fe1d52106288a4b2ebe6e767b9b

Communicates with host for which no DNS query was performed (1 event)

host

185.212.47.147

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2212 called NtSetContextThread to modify thread in remote process 2264
NtSetContextThread May 12, 2021, 9:27 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 589824 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 0 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 0 registers.rdx: 8796092887040 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x0000000000000038 process_identifier: 2264	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2212 resumed a thread in remote process 2264
NtResumeThread May 12, 2021, 9:27 a.m.	thread_handle: 0x0000000000000038 suspend_count: 1 process_identifier: 2264	1	0	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

185.212.47.147:559

Executed a process and injected code into it, probably while unpacking (7 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW May 12, 2021, 9:27 a.m.	thread_identifier: 2800 thread_handle: 0x0000000000000038 process_identifier: 2264 current_directory: filepath: track: 1 command_line: C:\Windows\system32\sethc.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 1 process_handle: 0x0000000000000090	1	1
NtAllocateVirtualMemory May 12, 2021, 9:27 a.m.	process_identifier: 2264 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0000000000090000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000090	1	0
WriteProcessMemory May 12, 2021, 9:27 a.m.	buffer: base_address: 0x0000000000090000 process_identifier: 2264 process_handle: 0x0000000000000090	1	1
NtGetContextThread May 12, 2021, 9:27 a.m.	thread_handle: 0x0000000000000038	1	0
NtSetContextThread May 12, 2021, 9:27 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 589824 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 0 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 0 registers.rdx: 8796092887040 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x0000000000000038 process_identifier: 2264	1	0
NtResumeThread May 12, 2021, 9:27 a.m.	thread_handle: 0x0000000000000038 suspend_count: 1 process_identifier: 2264	1	0
NtResumeThread May 12, 2021, 9:27 a.m.	thread_handle: 0x0000000000000118 suspend_count: 1 process_identifier: 2264	1	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

FireEye	Generic.mg.01fbd69aa44b75f2
CAT-QuickHeal	Trojan.Cobalt
McAfee	RDN/Generic BackDoor
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win32/Cobalt.836ab162
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.aa44b7
Cyren	W64/Trojan.LQEW-2166
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of Generik.GPUEYBA
APEX	Malicious
Avast	Win64:Malware-gen
Cynet	Malicious (score: 100)
Kaspersky	Trojan.Win32.Cobalt.ctm
BitDefender	Gen:Variant.Razy.723768
NANO-Antivirus	Trojan.Win64.Cobalt.iugrnq
Paloalto	generic.ml
ViRobot	Trojan.Win32.S.Agent.449024.EG
MicroWorld-eScan	Gen:Variant.Razy.723768
Rising	Backdoor.CobaltStrike!8.11F7B (C64:YzY0Ot1miiwpnqQ9)
Ad-Aware	Gen:Variant.Razy.723768
Emsisoft	Gen:Variant.Razy.723768 (B)
Comodo	Malware@#3fcl3pg6s8cgg
DrWeb	Trojan.DownLoader38.12615
Zillya	Tool.CobaltStrike.Win64.866
TrendMicro	TROJ_GEN.R002C0DCU21
McAfee-GW-Edition	BehavesLike.Win64.Generic.gc
Sophos	Mal/Generic-S
Ikarus	Trojan.SuspectCRC
Jiangmin	Trojan.Cobalt.jy
Avira	TR/AD.CobaltStrike.jrruf
Antiy-AVL	Trojan/Generic.ASMalwS.3225A92
Gridinsoft	Trojan.Win64.Downloader.sa
Microsoft	Backdoor:Win64/CobaltStrike.P!dha
AegisLab	Trojan.Win32.Razy.4!c
GData	Gen:Variant.Razy.723768
AhnLab-V3	Backdoor/Win.CobaltStrike.C4402147
ALYac	Gen:Variant.Razy.723768
MAX	malware (ai score=80)
Malwarebytes	Malware.AI.1144585200
TrendMicro-HouseCall	TROJ_GEN.R002C0DCU21
Yandex	Trojan.Cobalt!LCi3TYmEVxI
Fortinet	W32/PossibleThreat
AVG	Win64:Malware-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_80% (W)

wd10dale.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All