Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 19, 2021, 5:23 p.m.	July 19, 2021, 5:25 p.m.

Size	3.2MB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`d37da4af6a94771d51d995d8683afed4`
SHA256	`978459919e8c7879f76889a4237703e4a7e58f5aaa02b4e1135dd940e8879c70`
CRC32	`4D418852`
ssdeep	`49152:vUS1miF0kU3F9A8dg1Qjtz2IAoDJUYxAVdNdfPBGYEXZpug+hnmWnuPB9bdJjmEV:zRF0b3xAxdB9EuVmguXRT`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description) IsDLL - (no description) UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\G402.dll,?DD_chk@@YAHXZ
2232
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\G402.dll,?DD_chk@@YAHXZ
  2040
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\G402.dll,DD_btn
1824
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\G402.dll,DD_btn
  1204
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\G402.dll,DD_key
2744
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\G402.dll,DD_key
  204
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\G402.dll,DD_mov
2664
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\G402.dll,DD_mov
  2044
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\G402.dll,DD_movR
2936
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\G402.dll,DD_movR
  1348
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\G402.dll,DD_str
2564
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\G402.dll,DD_str
  2100
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\G402.dll,DD_todc
1972
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\G402.dll,DD_todc
  1016
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\G402.dll,DD_whl
1808
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\G402.dll,DD_whl
  2112
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\G402.dll,
2384

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
123.57.142.8	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 19, 2021, 5:23 p.m.			0	0
IsDebuggerPresent July 19, 2021, 5:23 p.m.			0	0
IsDebuggerPresent July 19, 2021, 5:23 p.m.			0	0
IsDebuggerPresent July 19, 2021, 5:23 p.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	text
section	data
section	.inidata

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 19, 2021, 5:23 p.m.	process_identifier: 1204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 19, 2021, 5:23 p.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 19, 2021, 5:23 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 19, 2021, 5:23 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1

Foreign language identified in PE resource (50 events)

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021dbec

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021dbec

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021dbec

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021dbec

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021dbec

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021dbec

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021dbec

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021dbec

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021dbec

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021dbec

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021dbec

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021dbec

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021dbec

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021dbec

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021dbec

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021dbec

size

0x00000134

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ddd8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ddd8

size

0x00000144

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021e000

size

0x00000034

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021e000

size

0x00000034

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021e920

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021e920

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021e920

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021e920

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021e920

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021e920

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021e920

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021e920

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021e920

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021e920

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021e920

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021e920

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021e920

size

0x000001a6

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ebf0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ebf0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ebf0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ebf0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ebf0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ebf0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ebf0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ebf0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ebf0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ebf0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ebf0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ebf0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ebf0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ebf0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ebf0

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021ec04

size

0x000002e4

name

RT_HTML

language

LANG_CHINESE

filetype

PE32+ executable (native) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0021eee8

size

0x00097fc0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0009b200', u'virtual_address': u'0x0021c000', u'entropy': 7.949038353567183, u'name': u'.rsrc', u'virtual_size': u'0x0009b108'}

entropy

7.94903835357

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00080800', u'virtual_address': u'0x002b8000', u'entropy': 7.823758239666046, u'name': u'.reloc', u'virtual_size': u'0x0019e000'}

entropy

7.82375823967

description

A section with a high entropy has been found

entropy

0.35151045701

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

123.57.142.8

Created a service where a service was also not started (8 events)

Time & API	Arguments	Status	Return
CreateServiceW July 19, 2021, 5:23 p.m.	service_start_name: start_type: 3 password: display_name: Display_DD94687 filepath: C:\DD94687.sys service_name: DD94687 filepath_r: C:\DD94687.sys desired_access: 983551 service_handle: 0x0000000000000000 error_control: 1 service_type: 1 service_manager_handle: 0x00000000002240f0		0
CreateServiceW July 19, 2021, 5:23 p.m.	service_start_name: start_type: 3 password: display_name: Display_DD94687 filepath: C:\DD94687.sys service_name: DD94687 filepath_r: C:\DD94687.sys desired_access: 983551 service_handle: 0x0000000000000000 error_control: 1 service_type: 1 service_manager_handle: 0x00000000003d40c0		0
CreateServiceW July 19, 2021, 5:23 p.m.	service_start_name: start_type: 3 password: display_name: Display_DD94687 filepath: C:\DD94687.sys service_name: DD94687 filepath_r: C:\DD94687.sys desired_access: 983551 service_handle: 0x0000000000000000 error_control: 1 service_type: 1 service_manager_handle: 0x00000000003340c0		0
CreateServiceW July 19, 2021, 5:23 p.m.	service_start_name: start_type: 3 password: display_name: Display_DD94687 filepath: C:\DD94687.sys service_name: DD94687 filepath_r: C:\DD94687.sys desired_access: 983551 service_handle: 0x0000000000000000 error_control: 1 service_type: 1 service_manager_handle: 0x00000000003540c0		0
CreateServiceW July 19, 2021, 5:23 p.m.	service_start_name: start_type: 3 password: display_name: Display_DD94687 filepath: C:\DD94687.sys service_name: DD94687 filepath_r: C:\DD94687.sys desired_access: 983551 service_handle: 0x00000000003240f0 error_control: 1 service_type: 1 service_manager_handle: 0x00000000003240c0	1	3293424
CreateServiceW July 19, 2021, 5:23 p.m.	service_start_name: start_type: 3 password: display_name: Display_DD94687 filepath: C:\DD94687.sys service_name: DD94687 filepath_r: C:\DD94687.sys desired_access: 983551 service_handle: 0x0000000000000000 error_control: 1 service_type: 1 service_manager_handle: 0x00000000000c40c0		0
CreateServiceW July 19, 2021, 5:23 p.m.	service_start_name: start_type: 3 password: display_name: Display_DD94687 filepath: C:\DD94687.sys service_name: DD94687 filepath_r: C:\DD94687.sys desired_access: 983551 service_handle: 0x0000000000000000 error_control: 1 service_type: 1 service_manager_handle: 0x00000000001d40c0		0
CreateServiceW July 19, 2021, 5:23 p.m.	service_start_name: start_type: 3 password: display_name: Display_DD94687 filepath: C:\DD94687.sys service_name: DD94687 filepath_r: C:\DD94687.sys desired_access: 983551 service_handle: 0x0000000000000000 error_control: 1 service_type: 1 service_manager_handle: 0x00000000004040c0		0

G402.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All