Summary | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.19 02:09
66ea645129e6a_jacobs.exe
09.19 11:09
clip64.dll
09.19 11:09
cred64.dll
09.19 10:09
vsfdajg16.exe
09.19 10:09
QuickBooks_Setup.msi
09.19 10:09
QuickBooks_Desktop_Set...
09.19 10:09
game.exe
09.19 10:09
vlsadg.exe
09.19 10:09
lnfsda.exe
09.19 10:09
66eaadab755d2_installs...

Latest News
09.20 03:09
Bridge Detection Gaps ...
09.20 03:09
02 - Performing Basic ...
09.20 03:09
Exploiting Exchange Po...
09.20 03:09
KI in Hollywood: Wie L...
09.20 03:09
Google: PIN-Schutz für...
09.20 03:09
Chrome-Update für Work...
09.20 03:09
Attacker or IT admin? ...
09.20 03:09
EU’s Von der Leyen Ple...
09.20 02:09
Threat Intelligence Sn...
09.20 02:09
Compliance webinar ser...

Summary | ZeroBOX

Malicious Library PE32 PE File

Category	Machine	Started	Completed
ARCHIVE	s1_win7_x6401	June 29, 2021, 8:04 p.m.	June 29, 2021, 8:07 p.m.

Archive waads.bin @ waads.bin.zip

Summary

Size	14.0KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`72e4f355907b6c91e6f8508d102bd896`
SHA1	`ae68bd08cd621b8049d0418bea514d6ddbfb0acf`
SHA256	`232a5fe454c9537ddea265d805d1daa8e016b1ed30cd2ebde7feb12f866f5608`
SHA512	`fe0356f479eac1f6125a909f5b331430bf73f36d8a33170d372dd2c0cd568cf7841316a17986803c900ea1b1ff4afbf6f8264b1c28a7373a4b7c85aae9b7ecd4`
CRC32	`BD395B30`
ssdeep	`192:AlH+DgGK83SxHn2OQ/dmBI4KBfTgir+xzARbqUqV/Qjo7AGa:A9+kGKqbOCdWIVBff+xz6fCXAn`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

waads.bin "C:\Users\test22\AppData\Local\Temp\waads.bin"
2444

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.227.253.66	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA June 29, 2021, 8:04 p.m.	computer_name: TEST22-PC	1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 29, 2021, 8:04 p.m.	process_identifier: 2444 region_size: 4194304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x035d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory June 29, 2021, 8:04 p.m.	process_identifier: 2444 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03210000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

waads.bin tried to sleep 171 seconds, actually delayed analysis time by 171 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 29, 2021, 8:04 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00480000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

45.227.253.66

Network activity contains more than one unique useragent (2 events)

process	waads.bin				useragent
process	waads.bin				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; yie9)