Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 25, 2021, 9:34 a.m.	June 25, 2021, 9:55 a.m.

Size	536.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3f802f6b95addbe6d310b730bc6ff899`
SHA256	`2542e1ac4792217dad4759a34a95e74e4966b6006f378e1a1334f24cfd43012d`
CRC32	`E163A064`
ssdeep	`6144:FCFWYEORRZjpRa6iVEVjzRUR38LUnMVjtd2qSJcKvAvs/ngCeGPbBzDxZiKmKR:FCFWYEgCL8LUnMVjGqScKB/k6FH`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet IsPE32 - (no description)

setup.exe "C:\Users\test22\AppData\Local\Temp\setup.exe"
7960
- regsvr32.exe "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\xjkOcx_180301\xjkUKeyOcx.ocx"
  4980
- Setup.exe "C:\Program Files (x86)\xjkOcx_180301\Setup.exe"
  3908

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 25, 2021, 9:34 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

MYOCX

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 25, 2021, 9:34 a.m.	process_identifier: 7960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 9:34 a.m.	process_identifier: 4980 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 9:34 a.m.	process_identifier: 4980 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 9:34 a.m.	process_identifier: 4980 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74411000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 9:34 a.m.	process_identifier: 4980 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 9:34 a.m.	process_identifier: 3908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (28 events)

name

MYOCX

language

LANG_CHINESE

filetype

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000492a0

size

0x0004b000

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000943d8

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000943d8

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094db0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094db0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094db0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094db0

size

0x00000144

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00048f68

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00048f68

size

0x00000128

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094aa0

size

0x000000e2

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094aa0

size

0x000000e2

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094aa0

size

0x000000e2

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094aa0

size

0x000000e2

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000957c8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000957c8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000957c8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000957c8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000957c8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000957c8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000957c8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000957c8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000957c8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000957c8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000957c8

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094490

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00049090

size

0x00000022

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00048948

size

0x00000338

name

RT_MANIFEST

language

LANG_CHINESE

filetype

XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000490b8

size

0x000001e8

Creates executable files on the filesystem (1 event)

file	C:\Program Files (x86)\xjkOcx_180301\xjkUKeyOcx.ocx

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\xjkOcx_180301\xjkUKeyOcx.ocx"
cmdline	regsvr32.exe /s "C:\Program Files (x86)\xjkOcx_180301\xjkUKeyOcx.ocx"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 25, 2021, 9:34 a.m.	show_type: 0 filepath_r: regsvr32.exe parameters: /s "C:\Program Files (x86)\xjkOcx_180301\xjkUKeyOcx.ocx" filepath: regsvr32.exe	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xjkSetup				reg_value	C:\Program Files (x86)\xjkOcx_180301\Setup.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xjkSetup				reg_value	C:\Program Files (x86)\xjkOcx_180301\Setup.exe

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

MicroWorld-eScan	Trojan.GenericKD.46511185
CAT-QuickHeal	Trojan.Multi
ALYac	Trojan.GenericKD.46511185
Cylance	Unsafe
Sangfor	Riskware.Win32.Agent.ky
Alibaba	Trojan:Win32/Generic.06b47c68
Cybereason	malicious.eac458
Arcabit	Trojan.Generic.D2C5B451
Cyren	W32/Trojan.NDHA-7716
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKD.46511185
AegisLab	Trojan.Multi.Generic.4!c
Avast	Win32:Malware-gen
Ad-Aware	Trojan.GenericKD.46511185
Comodo	TrojWare.Win32.Agent.fopat@0
McAfee-GW-Edition	GenericRXOX-ZE!3F802F6B95AD
MaxSecure	Trojan.Malware.300983.susgen
FireEye	Trojan.GenericKD.46511185
Emsisoft	Trojan.GenericKD.46511185 (B)
Jiangmin	Trojan.Generic.efkkz
Webroot	W32.Malware.Gen
Microsoft	Trojan:Win32/Wacatac.A!ml
GData	Trojan.GenericKD.46511185
AhnLab-V3	Malware/Win32.Generic.C3051624
McAfee	GenericRXOX-ZE!3F802F6B95AD
MAX	malware (ai score=86)
VBA32	Trojan.Wacatac
Malwarebytes	Trojan.Agent
Fortinet	W32/PossibleThreat
BitDefenderTheta	Gen:NN.ZexaCO.34758.Hq0@aGi1TJjb
AVG	Win32:Malware-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_80% (W)

setup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All