Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 26, 2021, 7:03 a.m.	July 26, 2021, 7:05 a.m.

Size	76.9KB
Type	ASCII text, with very long lines
MD5	`6cebf8dcf4b5fa9f41913cd6e518d113`
SHA256	`8738b7ed60dea1c57c49f560b6d11ac9398b753b821d743d2098158121f6fa45`
CRC32	`D41C134D`
ssdeep	`1536:VXqvhOTMae1/fMKmIx0jHHPPEVIOxxY6+TmwljASEISnBWygn0+YUt:VXq5tfMJrjnEOOxRoygn0+YUt`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "NHsqoFDzq" C:\Users\test22\AppData\Local\Temp\searchd-2021-07-19-104555.ips
768
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\test22\AppData\Local\Temp\searchd-2021-07-19-104555.ips
  1632
  - AcroRd32.exe "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\test22\AppData\Local\Temp\searchd-2021-07-19-104555.ips"
    1104
    - Adobe_Updater.exe "C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -doActionAppID=reader9rdr-en_US
      292
    - Adobe_Updater.exe "C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -AU_LAUNCH_MODE=1 -AU_DISPLAY_LANG=en_US -AU_LAUNCH_APPID=reader9rdr-en_US
      932
explorer.exe C:\Windows\Explorer.EXE
1180

Name	Response	Post-Analysis Lookup
swupmf.adobe.com	CNAME ssl.adobe.com.edgekey.net CNAME e4578.dscb.akamaiedge.net A 23.35.221.25	23.50.1.229

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.35.221.25	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 26, 2021, 6:56 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 26, 2021, 6:56 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 26, 2021, 7:03 a.m.			0	0
IsDebuggerPresent July 26, 2021, 7:03 a.m.			0	0
IsDebuggerPresent July 26, 2021, 7:03 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 26, 2021, 7:03 a.m.		1	1	0

Performs some HTTP requests (2 events)

request	GET http://swupmf.adobe.com/manifest/60/win/reader9rdr-en_US.upd
request	GET http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 26, 2021, 7:03 a.m.	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74260000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:03 a.m.	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:03 a.m.	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:03 a.m.	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:03 a.m.	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:03 a.m.	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74121000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:03 a.m.	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75051000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:03 a.m.	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x724c1000 process_handle: 0xffffffff	1

Creates a shortcut to an executable file (13 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\Word 2013.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk

Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 26, 2021, 6:56 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 26, 2021, 6:56 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 26, 2021, 6:56 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 26, 2021, 6:56 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 26, 2021, 6:56 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 26, 2021, 6:56 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 26, 2021, 6:56 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 26, 2021, 6:56 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden

One or more non-whitelisted processes were created (2 events)

parent_process	acrord32.exe				martian_process	"C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -AU_LAUNCH_MODE=1 -AU_DISPLAY_LANG=en_US -AU_LAUNCH_APPID=reader9rdr-en_US
parent_process	acrord32.exe				martian_process	"C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -doActionAppID=reader9rdr-en_US

searchd-2021-07-19-104555.ips

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All