Summary | ZeroBOX

lovemetertok.exe

Emotet Gen1 UPX PE File OS Processor Check PE32 DLL
Category FILE
Machine s1_win7_x6401
Started July 22, 2021, 1:57 p.m.
Completed July 22, 2021, 1:59 p.m.
Size 544.0KB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 ea252a83f501a1fd293d4a649cce274a
SHA256 7bc0a27df5b8420ca23081fb973bb68729bab7b6229513c81019f7be76deb8e1
CRC32 8481E6DC
ssdeep 6144:6nhWubOStZ6AbgmgwLp3gUhWeGthOPc/woVPHma1MXohuPATdTpNSTrbkYW412ph:6nTltgBNwxgUXy/DGaXhu45pI3rep
Yara
  • IsPE32 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check
  • IsDLL - (no description)
  • UPX_Zero - UPX packed file
  • Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet
  • PE_Header_Zero - PE File Signature
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
138.34.28.219 Active Moloch
154.58.23.192 Active Moloch
164.124.101.2 Active Moloch
184.74.99.214 Active Moloch
185.56.76.108 Active Moloch
185.56.76.94 Active Moloch
204.138.26.60 Active Moloch
217.115.240.248 Active Moloch
38.110.100.142 Active Moloch
38.110.103.113 Active Moloch
38.110.103.124 Active Moloch
68.69.26.182 Active Moloch
74.85.157.139 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49203 -> 138.34.28.219:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49207 -> 38.110.103.124:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49205 -> 38.110.103.113:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49215 -> 38.110.100.142:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49211 -> 204.138.26.60:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49209 -> 74.85.157.139:443 2404321 ET CNC Feodo Tracker Reported CnC Server group 22 A Network Trojan was detected
TCP 192.168.56.101:49216 -> 184.74.99.214:443 2404309 ET CNC Feodo Tracker Reported CnC Server group 10 A Network Trojan was detected
TCP 192.168.56.101:49216 -> 184.74.99.214:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49210 -> 217.115.240.248:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 184.74.99.214:443 -> 192.168.56.101:49216 2011540 ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) Not Suspicious Traffic

Suricata TLS

Flow TLSv1 192.168.56.101:49203 -> 138.34.28.219:443
Issuer: C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-F4:92:BF:D6:1C:49/emailAddress=support@ubnt.com
Subject: identical to Issuer
Fingerprint: 0f:6c:9c:c8:a9:10:1e:c8:98:3f:01:df:32:ad:f1:7f:5d:d0:4c:54

Flow TLSv1 192.168.56.101:49207 -> 38.110.103.124:443
Issuer: C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-78:8A:20:EC:48:A1/emailAddress=support@ubnt.com
Subject: identical to Issuer
Fingerprint: e6:60:4a:40:4a:b9:63:85:da:e8:fc:ec:75:e2:1a:7e:85:1f:49:1e

Flow TLSv1 192.168.56.101:49205 -> 38.110.103.113:443
Issuer: C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-78:8A:20:10:C4:5A/emailAddress=support@ubnt.com
Subject: identical to Issuer
Fingerprint: f8:a6:1d:83:c7:74:cb:aa:74:13:1b:31:74:93:a5:b4:a4:1b:bd:c5

Flow TLSv1 192.168.56.101:49215 -> 38.110.100.142:443
Issuer: C=US, ST=NY, L=New York, O=Ubiquiti Inc., OU=Technical Support, CN=UBNT-18:E8:29:1F:F2:01/emailAddress=support@ui.com
Subject: identical to Issuer
Fingerprint: f1:bf:98:64:45:62:e6:de:5f:a4:b5:d9:2a:11:e4:6f:21:99:7b:61

Flow TLSv1 192.168.56.101:49211 -> 204.138.26.60:443
Issuer: C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-80:2A:A8:FE:3F:A4/emailAddress=support@ubnt.com
Subject: identical to Issuer
Fingerprint: bd:6e:61:62:17:19:85:a8:d5:cd:95:e9:df:f4:e6:cf:e0:a6:2a:b6

Flow TLSv1 192.168.56.101:49216 -> 184.74.99.214:443
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
Subject: identical to Issuer
Fingerprint: b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02

Flow TLSv1 192.168.56.101:49210 -> 217.115.240.248:443
Issuer: C=US, ST=GA, L=Canton, O=LigoWave LLC, OU=R&D, CN=LigoWave SSL CA
Subject: identical to Issuer
Fingerprint: d3:39:ab:71:76:bb:9c:d2:1c:3e:b1:17:92:c7:3f:25:1f:25:f8:88

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
packer Armadillo v1.xx - v2.xx
resource name None
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
hook_in_monitor+0x45 lde-0x133 @ 0x744142ea
New_kernel32_GetSystemTimeAsFileTime+0x1d New_kernel32_GetSystemWindowsDirectoryA-0x8d @ 0x7442bdb5
0xa2f03
0x1bdfd8
0x94ce8
0x1be030

exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x771d9a5a
registers.r14: 613160
registers.r15: 1829504
registers.rcx: 0
registers.rsi: 1826776
registers.r10: 0
registers.rbx: 851841832
registers.rsp: 1826768
registers.r11: 0
registers.r8: 5
registers.r9: 1951129344
registers.rdx: 2
registers.r12: 1829472
registers.rbp: 0
registers.rdi: 1829496
registers.rax: 1
registers.r13: 1994795888
1 0 0
suspicious_features Connection to IP address suspicious_request GET https://138.34.28.219/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/
suspicious_features Connection to IP address suspicious_request GET https://138.34.28.219/cookiechecker?uri=/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/
suspicious_features Connection to IP address suspicious_request GET https://138.34.28.219/index.html
suspicious_features Connection to IP address suspicious_request GET https://138.34.28.219/login.cgi?uri=/index.html
suspicious_features Connection to IP address suspicious_request GET https://38.110.103.113/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/
suspicious_features Connection to IP address suspicious_request GET https://38.110.103.124/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/
suspicious_features Connection to IP address suspicious_request GET https://217.115.240.248/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/
suspicious_features Connection to IP address suspicious_request GET https://204.138.26.60/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/
suspicious_features Connection to IP address suspicious_request GET https://38.110.100.142/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/
suspicious_features Connection to IP address suspicious_request GET https://38.110.100.142/cookiechecker?uri=/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/
suspicious_features Connection to IP address suspicious_request GET https://38.110.100.142/index.html
suspicious_features Connection to IP address suspicious_request GET https://184.74.99.214/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10035000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x756a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d21000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73cb0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73701000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b94000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73702000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c81000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2088
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00970000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x737c1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2088
region_size: 278528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00bc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2088
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2088
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10000000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2088
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c10000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2088
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c11000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2088
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2088
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2088
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c50000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2256
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000490000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
description wermgr.exe tried to sleep 142 seconds, actually delayed analysis time by 142 seconds
cmdline C:\Windows\system32\cmd.exe
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00b41000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
section .rsrc (virtual_address 0x00048000, virtual_size 0x0003dab0, size_of_data 0x0003e000) entropy 7.8517490707 description A section with a high entropy has been found
entropy 0.459259259259 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2264
process_handle: 0x00000118
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2264
process_handle: 0x00000118
1 0 0
Lionic Trojan.Win32.Trickpak.4!c
MicroWorld-eScan Trojan.Agent.FKRT
Alibaba Trojan:Win32/Trickpak.1ef37caf
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Agent.FKRT
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Win32/TrickBot.DX
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Trickpak.gen
BitDefender Trojan.Agent.FKRT
Avast Win32:BankerX-gen [Trj]
Ad-Aware Trojan.Agent.FKRT
Emsisoft Trojan.Agent.FKRT (B)
McAfee-GW-Edition Artemis!Trojan
FireEye Generic.mg.ea252a83f501a1fd
Sophos Mal/Generic-S
Ikarus Win32.Outbreak
Webroot W32.Trojan.Agent.Gen
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/Trickbot.TB!MTB
GData Trojan.Agent.FKRT
Cynet Malicious (score: 100)
McAfee Trickbot-FTKT!EA252A83F501
MAX malware (ai score=82)
Fortinet W32/Kryptik.L!tr
MaxSecure Trojan.Malware.300983.susgen
AVG Win32:BankerX-gen [Trj]
Panda Trj/GdSda.A
dead_host 74.85.157.139:443
dead_host 185.56.76.108:443
dead_host 68.69.26.182:443
dead_host 154.58.23.192:443
dead_host 192.168.56.101:49209
dead_host 192.168.56.101:49204
dead_host 185.56.76.94:443