Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 9, 2021, 6:15 p.m.	July 9, 2021, 6:26 p.m.

Size	445.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`f3be390b01c85970deeae124ca36ce2d`
SHA256	`4eef8b6a5bcd808cd0ab0e33efcea2c2f9a36abe556e56556de8550383c9d3ce`
CRC32	`F9565911`
ssdeep	`12288:AmYDWUbdfyU+H93bJ3aBGQIuSR35F5VBpx:yBbdfJsJqBG5VB/`
PDB Path	c:\Reply-quite\Cry_Country\523\Gave\Color\shape.pdb
Yara	Generic_Malware_Zero - Generic Malware IsDLL - (no description) IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check PE_Header_Zero - PE File Signature

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\app.dll,Fatreply
2212
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\app.dll,Periodwait
2208
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\app.dll,Seemprove
2256
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\app.dll,Which
2112
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\app.dll,
2312

Name	Response	Post-Analysis Lookup
gtr.antoinfer.com	A 165.232.183.49	165.232.183.49
app.bighomegl.at	A 165.232.183.49	165.232.183.49

IP Address	Status	Action
164.124.101.2	Active	Moloch
165.232.183.49	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (10 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 9, 2021, 6:15 p.m.	computer_name:		0
GetComputerNameW July 9, 2021, 6:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2021, 6:15 p.m.	computer_name:		0
GetComputerNameW July 9, 2021, 6:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2021, 6:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2021, 6:15 p.m.	computer_name:		0
GetComputerNameW July 9, 2021, 6:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2021, 6:15 p.m.	computer_name:		0
GetComputerNameW July 9, 2021, 6:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2021, 6:15 p.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

This executable has a PDB path (1 event)

pdb_path

c:\Reply-quite\Cry_Country\523\Gave\Color\shape.pdb

Performs some HTTP requests (6 events)

request	GET http://gtr.antoinfer.com/84nY4wtJBmCucm9DepJToo/tGtvaSc2UVcDR/2zHlzO1F/bNkW36xdnhqYoRr7YBQcCNa/y93Q11QS9a/D8M_2ByJBHO9XlQca/n0ujUh20zcI9/JxJawuOL3k9/qfxd1yRLYOgD3c/1_2BR23dLn0o7lTOlQj6I/kUuwdswHQj7W4QHw/RX5E9sxU1Nf_2F_/2FCk0NWnZZALbW1qUN/3laNV7YkW/bzwdg6OC4ss5aY7xDZL0/DepNLT7uvNFMwSTHHfJ/uKwzVAwpPaOOwc9YjByXIP/qHz3wHqzdYAk1/Ks_2B6Hl/6S7a417_2FAxN9VWj_2Fu/i
request	GET http://gtr.antoinfer.com/4mJue7_2FcPXhGPUkX1/rZFMwThbRasJYpzKNyzQzF/PSIg_2FXxk2wK/9Xz5OIly/Azc15kWESgqkvrg0YqgNbAB/ATDYoeq3xM/RBX01ZO_2BmeeEXMF/vj2wmHEa78z0/VHOqBBPXHyd/fS1ggK8erWH8nj/T0IfWVXaWZeufwtSbDUKQ/bMVoueTwDeGQ8L96/P1YqEr_2FPbvkPa/8PoIMYg_2BkG5matIU/Qv4oxHYee/VIrubMVZ3xhpW28NYWRR/nbNkiLj_2Fl7OhdObFa/4jnEr6P7bT_2Bk4uVTVD82/Vzy_2FWij6yj5/PpFiUfS_/2F4mgRqCJ3Tp_2BCJyaydDc/NSCEziz
request	GET http://app.bighomegl.at/6PHRJExJgv9F3f/RKCmZ5SZKe2U6BzdtHmIg/b2mAWCKN8AlBapky/mwvBC3HeM3_2F7H/v9jEttxUzMvPWSf413/oDSl46mjD/GXmTB73zEAxAZybtTx5Q/ujdPaxD7506Nju1VLqn/LkT3ohS0LepSgyWTtS99GU/_2BTVBhdt8fiG/jU9_2FHC/Ya_2FfttFjtqRe0PbxWVe4M/4CuA6rJL_2/BVrvg2P0Bcd3X_2F5/jJ3GBttmpYNT/puVl6lw5ksU/4ltOesholmlw2Z/MQTQhMeDD2FupfpKz_2BP/OTzI7HG86CMXh9M3/Sxfg4ilUgQDTcjQ/sd6dZ5Z6MfaGCm/zMavyA
request	GET http://app.bighomegl.at/k2XsNn4vNtbKN4bxM/cop2C8FLD9PQ/CIZDrhO4KbH/OEKMyhaO98VXTV/PdCUWIyDHFLKp_2BVqhyR/0oMHkaAYJpcU85cO/giOE9rYmV0qAJui/QzEO9VV5_2F5pR29Ko/Duva_2ByL/h3UWNQc1BSOW7Tv0hFEv/ozPQ_2BA8pr_2BwXOBQ/XMxOiuiw0_2BbxTN1C4C7T/U_2FU7vzVRo1y/3Opur3u_/2FD_2BwAWJgFY7JfA0YAmLg/sOto_2BflZ/kmF6_2BPE97VsUc6q/bRIzbX7qJLyG/ViK0hV0cJmx/XH4kEaBelmujO7/9zdTLa_2BuF0RLvgBGZNg/6vkXeVpV9j284H5Fcq3P/l
request	GET http://gtr.antoinfer.com/x0jwbi_2BVmvEJ/YY788UXko9WdP0lwUg9z4/xlr6eiTfr0M5_2F_/2B0hv6DVnmCYhu9/xBeBELJQLY7LGafuS2/z2RiTrGJD/J7ilpXhwqBeUfihrroZj/75PMFlX8LLWp9_2FLuj/VP9Q9nczTM8JpiGHr_2Bsl/C0AUAdOLMj_2B/BOOsuxWQ/sGToIoAjZaqeTO1iS_2FD6Y/0lCNBNK1V2/4B6MXLmQ15_2FCAnG/Hk47_2F5FoI9/rrpFAK_2BSL/7_2FiPuxAedUkd/nhoiovuceGmnNgARH3TBI/udLsB2l1pS1UMDs_/2FFv5W7m_2BNYUS/AxCMP5Q_2FZBzQxvVQ/zgIxA4nIG/1CFhC38
request	GET http://app.bighomegl.at/2xwPNaPWy1ZQiexiLbC6/VZ0GzYn7Pl8FGmoMK_2/F_2BmVt10PLNgWt6lgCkjZ/BQJaGkF5_2Bj2/WQk2vLCU/LVe9CiRaoW7DV4pZVQWpnOZ/v93d3I_2BO/snk70e4PO2P8yI7S3/FDNXnkjMgqfN/ssx_2BpUoFx/oWN5XIxgaRF3g6/7zZVvJTAYy9RIuxxE7_2F/E4_2BUZPu7ZpzK8K/KyosgQGgQ9Og3_2/Fq_2FFI_2BrekPPdWQ/LVGGqVTt6/UUoLX8uAy9wNYRtRVDrU/OdKLgk5lXT0ZTRQ9vBZ/10fuxVuwUS4Tz1WJiMsW6a/GYpAbcM5bYbiT/NLhLy71_2FFPbr5T/VtDd

Allocates read-write-execute memory (usually to unpack itself) (34 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b0c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d40000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b2f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2212 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b0c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d40000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b2f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2208 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b0c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d40000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b2f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2256 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b0c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d40000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b2f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 6:15 p.m.	process_identifier: 2112 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 174 seconds, actually delayed analysis time by 174 seconds

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

Elastic	malicious (high confidence)
ESET-NOD32	Win32/Spy.Ursnif.CG
APEX	Malicious
Paloalto	generic.ml
BitDefender	Trojan.GenericKD.46602191
Avast	Win32:Malware-gen
Webroot	W32.Trojan.Gen
Microsoft	Trojan:Win32/Ursnif
Cynet	Malicious (score: 100)
Ikarus	Win32.Outbreak
Fortinet	PossibleThreat.MU
BitDefenderTheta	Gen:NN.ZedlaF.34790.Bq4@a8prUll
AVG	Win32:Malware-gen
Qihoo-360	Win32/Heur.Generic.Hx4CdcQA

Generates some ICMP traffic

app.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All