Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 24, 2021, 10:52 p.m.	June 24, 2021, 11:08 p.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`431777bcaef03bd8480bf1b7305e3b90`
SHA256	`69858f544bafcbb3e3f32f1584fa4d162cdc44cd9fd05c129044ff081a8becae`
CRC32	`D2DB79EB`
ssdeep	`24576:yIRYuSvyAW+na84mVDyuuHpLrWWbrpu7AxwLMgvWKnipBJCAvvHNpID/v:FYuSKAypID4peCgExwLMgvWKipHHHHIj`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

doc.exe "C:\Users\test22\AppData\Local\Temp\doc.exe"
6240
- doc.exe "C:\Users\test22\AppData\Local\Temp\doc.exe"
  7528

Name	Response	Post-Analysis Lookup
docuserver1.com	A 66.45.232.203	66.45.232.203
8.tcp.ngrok.io	A 3.142.167.4	13.58.157.220

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
3.142.167.4	Active	Moloch
66.45.232.203	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:61459 -> 164.124.101.2:53	2022642	ET POLICY DNS Query to a *.ngrok domain (ngrok.io)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49810 -> 66.45.232.203:80	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 24, 2021, 10:52 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 24, 2021, 10:52 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 24, 2021, 10:52 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 24, 2021, 10:52 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Performs some HTTP requests (1 event)

request

GET http://docuserver1.com/ng.txt

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory June 24, 2021, 10:52 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745e4000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 24, 2021, 10:52 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745d4000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 24, 2021, 10:52 p.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 58641 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00594e60 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory June 24, 2021, 10:52 p.m.	process_identifier: 7528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

doc.exe tried to sleep 131 seconds, actually delayed analysis time by 131 seconds

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\Temp\word.exe
file	C:\Users\test22\AppData\Local\Temp\nsdFEBD.tmp\System.dll

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\nsdFEBD.tmp\System.dll
file	C:\Users\test22\AppData\Roaming\Temp\word.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW June 24, 2021, 10:52 p.m.	snapshot_handle: 0x000001dc process_name: mobsync.exe process_identifier: 1276	1	1
Process32NextW June 24, 2021, 10:52 p.m.	snapshot_handle: 0x000001dc process_name: doc.exe process_identifier: 6240	1	1
Process32NextW June 24, 2021, 10:52 p.m.	snapshot_handle: 0x000001dc process_name: slui.exe process_identifier: 232	1	1
Process32NextW June 24, 2021, 10:52 p.m.	snapshot_handle: 0x000002c8 process_name: doc.exe process_identifier: 7528	1	1
Process32NextW June 24, 2021, 10:54 p.m.	snapshot_handle: 0x000002c4 process_name: rundll32.exe process_identifier: 4232	1	1

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (6 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 24, 2021, 10:52 p.m.	snapshot_handle: 0x000001d8 process_name: slui.exe process_identifier: 232		0	0
Process32NextW June 24, 2021, 10:52 p.m.	snapshot_handle: 0x000001e4 process_name: slui.exe process_identifier: 232		0	0
Process32NextW June 24, 2021, 10:52 p.m.	snapshot_handle: 0x000001e8 process_name: slui.exe process_identifier: 232		0	0
Process32NextW June 24, 2021, 10:52 p.m.	snapshot_handle: 0x000002c8 process_name: doc.exe process_identifier: 7528		0	0
Process32NextW June 24, 2021, 10:54 p.m.	snapshot_handle: 0x000002c4 process_name: rundll32.exe process_identifier: 4232		0	0
Process32NextW June 24, 2021, 10:54 p.m.	snapshot_handle: 0x000002c4 process_name: rundll32.exe process_identifier: 4232		0	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe

reg_value

C:\Users\test22\AppData\Roaming\Temp\word.exe

Executes one or more WMI queries (1 event)

wmi	Select * from AntiVirusProduct

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 6240 called NtSetContextThread to modify thread in remote process 7528
NtSetContextThread June 24, 2021, 10:52 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4353015 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001ec process_identifier: 7528	1	0	0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

DrWeb	Trojan.Loader.839
MicroWorld-eScan	Trojan.GenericKD.46522532
FireEye	Trojan.GenericKD.46522532
CAT-QuickHeal	Trojanpws.Stelega
ALYac	Trojan.GenericKD.46522532
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Infostealer.Win32.Stelega.gen
K7AntiVirus	Trojan ( 0057df1e1 )
Alibaba	TrojanPSW:Win32/FormBook.19d9c7ad
K7GW	Trojan ( 0057df1e1 )
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/Ninjector.J.gen!Camelot
Symantec	Trojan.Gen.MBT
ESET-NOD32	NSIS/Injector.AMA
APEX	Malicious
Avast	Win32:Trojan-gen
Kaspersky	HEUR:Trojan-PSW.Win32.Stelega.gen
BitDefender	Trojan.GenericKD.46522532
Paloalto	generic.ml
Tencent	Win32.Trojan-qqpass.Qqrob.Ozid
Ad-Aware	Trojan.GenericKD.46522532
Emsisoft	Trojan.GenericKD.46522532 (B)
TrendMicro	TROJ_FRS.VSNW10F21
McAfee-GW-Edition	NSIS/Injector.d
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Avira	TR/Injector.ajyqb
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Microsoft	Trojan:Win32/FormBook.AM!MTB
Gridinsoft	Trojan.Win32.Downloader.sa
AegisLab	Trojan.Win32.Stelega.i!c
GData	Trojan.GenericKD.46522532
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.FormBook.C4529366
McAfee	Artemis!431777BCAEF0
MAX	malware (ai score=80)
VBA32	Trojan.Wacatac
Malwarebytes	Malware.AI.4279878886
TrendMicro-HouseCall	TROJ_FRS.VSNW10F21
Rising	Trojan.Injector/NSIS!1.D743 (CLASSIC)
Fortinet	W32/Kryptik.J!tr
AVG	Win32:Trojan-gen
Panda	Trj/CI.A

doc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All