Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 6, 2021, 8:04 a.m.	Aug. 6, 2021, 8:06 a.m.

Size	656.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`7c44e0a43e508476eda5f699d39a0c7f`
SHA256	`bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942`
CRC32	`3DA5DA7D`
ssdeep	`12288:5bjfhtlWxycV80o3xKA3cHfnoEQOuG/ENYIm8MxxO9qrcOJz8:5bj9ZcG0CxKA3cHPoEQRjNXNYxtnF`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet IsPE32 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dHAfdxR.img.dll,StartW
1908
- wermgr.exe C:\Windows\system32\wermgr.exe
  1332
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dHAfdxR.img.dll,
2208

Name	Response	Post-Analysis Lookup
150.134.208.175.b.barracudacentral.org	A 127.0.0.2	127.0.0.2
150.134.208.175.zen.spamhaus.org
wtfismyip.com	A 95.217.228.176	95.217.228.176
150.134.208.175.cbl.abuseat.org

IP Address	Status	Action
164.124.101.2	Active	Moloch
46.99.175.217	Active	Moloch
95.217.228.176	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49203 -> 46.99.175.217:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 46.99.175.217:443 -> 192.168.56.101:49203	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.101:49204 -> 95.217.228.176:80	2019737	ET POLICY IP Check wtfismyip.com	Potential Corporate Privacy Violation
TCP 192.168.56.101:49204 -> 95.217.228.176:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49203 46.99.175.217:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 6, 2021, 8:04 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 6, 2021, 8:04 a.m.			0	0

The executable uses a known packer (1 event)

packer

Armadillo v1.xx - v2.xx

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.7FE1BBFB3D97947F3041B3C9EB33D5D9/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.7FE1BBFB3D97947F3041B3C9EB33D5D9/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/fhTbf7JhRDRVtj5VTdXtfPPzNxH/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.7FE1BBFB3D97947F3041B3C9EB33D5D9/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.7FE1BBFB3D97947F3041B3C9EB33D5D9/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5Cwise-tools5HD5PH%5CnxdHAfdxRxl.grf/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.7FE1BBFB3D97947F3041B3C9EB33D5D9/23/100019/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.7FE1BBFB3D97947F3041B3C9EB33D5D9/14/DNSBL/listed/0/

Performs some HTTP requests (7 events)

request	GET http://wtfismyip.com/text
request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.7FE1BBFB3D97947F3041B3C9EB33D5D9/5/file/
request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.7FE1BBFB3D97947F3041B3C9EB33D5D9/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/fhTbf7JhRDRVtj5VTdXtfPPzNxH/
request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.7FE1BBFB3D97947F3041B3C9EB33D5D9/14/user/test22/0/
request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.7FE1BBFB3D97947F3041B3C9EB33D5D9/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5Cwise-tools5HD5PH%5CnxdHAfdxRxl.grf/0/
request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.7FE1BBFB3D97947F3041B3C9EB33D5D9/23/100019/
request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.7FE1BBFB3D97947F3041B3C9EB33D5D9/14/DNSBL/listed/0/

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1004b000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d21000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cb0000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73701000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b94000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c81000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 region_size: 233472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02040000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c61000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737c1000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02280000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0

A process attempted to delay the analysis task. (1 event)

description

wermgr.exe tried to sleep 203 seconds, actually delayed analysis time by 203 seconds

Looks up the external IP address (1 event)

domain

wtfismyip.com

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

FireEye	Generic.mg.7c44e0a43e508476
McAfee	Artemis!7C44E0A43E50
CrowdStrike	win/malicious_confidence_60% (D)
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
McAfee-GW-Edition	BehavesLike.Win32.BadFile.jc
Microsoft	Trojan:Win32/TrickBotCrypt.DX!MTB
Cynet	Malicious (score: 100)
Rising	Trojan.Kryptik!1.D78B (CLASSIC)

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 6, 2021, 8:04 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x02201000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 6, 2021, 8:04 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00042000', u'virtual_address': u'0x0005f000', u'entropy': 7.775395827982044, u'name': u'.rsrc', u'virtual_size': u'0x00041310'}

entropy

7.77539582798

description

A section with a high entropy has been found

entropy

0.40490797546

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 6, 2021, 8:04 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Aug. 6, 2021, 8:04 a.m.	status_code: 0x00000000 process_identifier: 2800 process_handle: 0x00000118		0	0
NtTerminateProcess Aug. 6, 2021, 8:04 a.m.	status_code: 0x00000000 process_identifier: 2800 process_handle: 0x00000118	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

46.99.175.217

dHAfdxR.img

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All