Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 24, 2021, 6:50 p.m.	June 24, 2021, 6:53 p.m.

Size	2.1MB
Type	MS-DOS executable, MZ for MS-DOS
MD5	`2020ddf1aac56d939f7ee5af52903258`
SHA256	`958085c479df4ae7ebbd407dd43f11edcb0fa4677470c819fcaf5df87191b992`
CRC32	`70C4E15B`
ssdeep	`49152:UW3Hyg+e2SV47ojGAUkMI5+e2SV47ojGAUkMI9+e2SV47ojGAUkMIS+e2SV47oj9:t3SyvNxvNFvNkvN5vN`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

4p-desktop.exe "C:\Users\test22\AppData\Local\Temp\4p-desktop.exe"
5776
- 4P-DESKTOP.exe C:\Users\test22\AppData\Roaming\4P-DESKTOP\4P-DESKTOP.exe
  4356
  - 4P-DESKTOP.exe "C:\Users\test22\AppData\Roaming\4P-DESKTOP\4P-DESKTOP.exe" /restart
    4384
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
www.netikus.net	A 216.92.199.161 CNAME netikus.net	216.92.199.161
r3.i.lencr.org	CNAME crl.root-x1.letsencrypt.org.edgekey.net CNAME e8652.dscx.akamaiedge.net A 104.74.168.254	104.74.168.254
community.iw4play.de	A 195.90.200.240	195.90.200.240

IP Address	Status	Action
104.74.168.254	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
195.90.200.240	Active	Moloch
216.92.199.161	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49820 -> 216.92.199.161:80	2030187	ET POLICY External IP Lookup (www. netikus .net)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49816 -> 195.90.200.240:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49828 -> 216.92.199.161:80	2030187	ET POLICY External IP Lookup (www. netikus .net)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49821 -> 195.90.200.240:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49809 -> 195.90.200.240:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49822 -> 195.90.200.240:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49819 -> 216.92.199.161:80	2030187	ET POLICY External IP Lookup (www. netikus .net)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49816 195.90.200.240:443	None	None	None
TLSv1 192.168.56.102:49821 195.90.200.240:443	C=US, O=Let's Encrypt, CN=R3	CN=community.iw4play.de	ee:a8:dd:89:b5:9b:d0:04:00:a8:12:47:e5:15:d2:c4:c4:bf:81:3b
TLSv1 192.168.56.102:49809 195.90.200.240:443	C=US, O=Let's Encrypt, CN=R3	CN=community.iw4play.de	ee:a8:dd:89:b5:9b:d0:04:00:a8:12:47:e5:15:d2:c4:c4:bf:81:3b
TLSv1 192.168.56.102:49822 195.90.200.240:443	C=US, O=Let's Encrypt, CN=R3	CN=community.iw4play.de	ee:a8:dd:89:b5:9b:d0:04:00:a8:12:47:e5:15:d2:c4:c4:bf:81:3b

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 24, 2021, 6:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 6:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 6:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 6:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 6:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 6:50 p.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 24, 2021, 6:50 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (22 events)

request	GET http://r3.i.lencr.org/
request	GET http://www.netikus.net/show_ip.html
request	GET https://community.iw4play.de/4p_games/data/games.ini
request	GET https://community.iw4play.de/4p_games/data/settings.ini
request	GET https://community.iw4play.de/4p_games/sprachen/uk.txt
request	GET https://community.iw4play.de/4p_games/version.txt
request	GET https://community.iw4play.de/4p_games/pictures/bobg.jpg
request	GET https://community.iw4play.de/4p_games/pictures/bgblack.png
request	GET https://community.iw4play.de/4p_games/pictures/logo.png
request	GET https://community.iw4play.de/4p_games/4p-games.md5
request	GET https://community.iw4play.de/4p_games/pictures/anmelden.png
request	GET https://community.iw4play.de/4p_games/pictures/bgblack100.png
request	GET https://community.iw4play.de/4p_games/pictures/drag.png
request	GET https://community.iw4play.de/4p_games/pictures/eingabe.png
request	GET https://community.iw4play.de/4p_games/pictures/freundeauswahl.png
request	GET https://community.iw4play.de/4p_games/pictures/leisteblack.png
request	GET https://community.iw4play.de/4p_games/pictures/liniegrau.png
request	GET https://community.iw4play.de/4p_games/data/connect.dll
request	GET https://community.iw4play.de/4p_games/data/pconnect.dll
request	GET https://community.iw4play.de/4p_games/pictures/verwalten.png
request	GET https://community.iw4play.de/4p_games/werbung/werbung.txt
request	GET https://community.iw4play.de/4p_games/werbung/musterwerbung.jpg

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 24, 2021, 6:50 p.m.	process_identifier: 5776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:50 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:50 p.m.	process_identifier: 4384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW June 24, 2021, 6:50 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13292265472 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0
GetDiskFreeSpaceExW June 24, 2021, 6:50 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13292167168 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\Desktop\4P-DESKTOP.lnk
file	C:\Users\test22\AppData\Roaming\4P-DESKTOP\data\connect.dll
file	C:\Users\test22\AppData\Roaming\4P-DESKTOP\data\pconnect.dll

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\Desktop\4P-DESKTOP.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (12 events)

Time & API	Arguments	Status	Return
Process32NextW June 24, 2021, 6:50 p.m.	snapshot_handle: 0x00000108 process_name: mobsync.exe process_identifier: 9120	1	1
Process32NextW June 24, 2021, 6:50 p.m.	snapshot_handle: 0x00000108 process_name: pw.exe process_identifier: 3516	1	1
Process32NextW June 24, 2021, 6:50 p.m.	snapshot_handle: 0x00000108 process_name: taskhost.exe process_identifier: 2808	1	1
Process32NextW June 24, 2021, 6:50 p.m.	snapshot_handle: 0x00000108 process_name: cmd.exe process_identifier: 5580	1	1
Process32NextW June 24, 2021, 6:50 p.m.	snapshot_handle: 0x00000108 process_name: 4p-desktop.exe process_identifier: 5776	1	1
Process32NextW June 24, 2021, 6:50 p.m.	snapshot_handle: 0x00000108 process_name: pw.exe process_identifier: 2864	1	1
Process32NextW June 24, 2021, 6:50 p.m.	snapshot_handle: 0x00000108 process_name: 4P-DESKTOP.exe process_identifier: 4356	1	1
Process32NextW June 24, 2021, 6:50 p.m.	snapshot_handle: 0x00000108 process_name: inject-x64.exe process_identifier: 7400	1	1
Process32NextW June 24, 2021, 6:50 p.m.	snapshot_handle: 0x00000650 process_name: 4P-DESKTOP.exe process_identifier: 4384	1	1
Process32NextW June 24, 2021, 6:50 p.m.	snapshot_handle: 0x00000128 process_name: cmd.exe process_identifier: 1888	1	1
Process32NextW June 24, 2021, 6:50 p.m.	snapshot_handle: 0x00000128 process_name: conhost.exe process_identifier: 4408	1	1
Process32NextW June 24, 2021, 6:50 p.m.	snapshot_handle: 0x00000128 process_name: pw.exe process_identifier: 4496	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 24, 2021, 6:50 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0004f600', u'virtual_address': u'0x00001000', u'entropy': 7.999429772675123, u'name': u'.', u'virtual_size': u'0x0029e000'}

entropy

7.99942977268

description

A section with a high entropy has been found

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 826f27eea89e7540d4e33515ed5dde67383d96c6

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Creates an executable file in a user folder (1 event)

file	C:\Users\test22\AppData\Roaming\4P-DESKTOP\data\connect.dll

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Bkav	W32.AIDetect.malware2
FireEye	Generic.mg.2020ddf1aac56d93
McAfee	FakeAlert-FJU!2020DDF1AAC5
Cylance	Unsafe
Sangfor	Trojan.Win32.Wacatac.B
CrowdStrike	win/malicious_confidence_70% (W)
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	FileRepMalware
Cynet	Malicious (score: 100)
BitDefender	Gen:Trojan.Heur.JP.fouaai2Rkbdi
Paloalto	generic.ml
MicroWorld-eScan	Gen:Trojan.Heur.JP.fouaai2Rkbdi
Ad-Aware	Gen:Trojan.Heur.JP.fouaai2Rkbdi
Sophos	ML/PE-A
Emsisoft	Gen:Trojan.Heur.JP.fouaai2Rkbdi (B)
MAX	malware (ai score=87)
Gridinsoft	Trojan.Heur!.03012061
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Gen:Trojan.Heur.JP.fouaai2Rkbdi
AhnLab-V3	Trojan/Win.FJU.C4530095
BitDefenderTheta	AI:Packer.6BED88F21F
ALYac	Gen:Trojan.Heur.JP.fouaai2Rkbdi
VBA32	BScope.TrojanSpy.AutoHK
Malwarebytes	Malware.AI.31658
TrendMicro-HouseCall	TROJ_GEN.R002H06FO21
Rising	Malware.Heuristic!ET#79% (RDMK:cmRtazpb+R4haCvBUFMfk1caOmUG)
SentinelOne	Static AI - Suspicious PE
eGambit	Unsafe.AI_Score_89%
Fortinet	W32/FakeAlert.FJU!tr
MaxSecure	Trojan.Malware.300983.susgen
AVG	FileRepMalware

4p-desktop.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All