Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 7, 2021, 1:51 p.m.	Aug. 7, 2021, 1:57 p.m.

Size	14.0KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`c47ad106639801ac97d4d676dbc700ec`
SHA256	`7f8f6685f7a93e134ea22dfc002505e12e68f37ca9dce13e0ecee894aab15bb2`
CRC32	`347CBD06`
ssdeep	`384:AH+kGKqbOCdWIVBff+xzbIMPPPyfCXAn:AH+kqRVpfUPPafiA`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

waads.exe "C:\Users\test22\AppData\Local\Temp\waads.exe"
2056
- rundll32.exe C:\Windows\syswow64\rundll32.exe
  2852

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
45.227.253.62	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49214 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49186 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49183 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49166 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49186 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.102:49183 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.102:49166 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.102:49175 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49175 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.102:49180 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49180 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.102:49214 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.102:49220 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49220 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.102:49217 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49217 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.102:49227 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49227 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.102:49208 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49235 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49235 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.102:49254 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49254 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.102:49177 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49177 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.102:49211 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49202 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49202 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.102:49248 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49248 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.102:49208 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.102:49211 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.102:49224 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49224 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.102:49230 -> 45.227.253.62:443	2013926	ET POLICY HTTP traffic on port 443 (POST)	Potentially Bad Traffic
TCP 192.168.56.102:49230 -> 45.227.253.62:443	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Aug. 7, 2021, 1:51 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA Aug. 7, 2021, 1:52 p.m.	computer_name: TEST22-PC	1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (3 events)

Time & API	Arguments	Status	Return
bind Aug. 7, 2021, 1:52 p.m.	ip_address: 127.0.0.1 socket: 252 port: 9577	1	0
listen Aug. 7, 2021, 1:52 p.m.	socket: 252 backlog: 0	1	0
accept Aug. 7, 2021, 1:52 p.m.	ip_address: socket: 252 port: 0	1	256

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 7, 2021, 1:51 p.m.	process_identifier: 2056 region_size: 4194304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2021, 1:51 p.m.	process_identifier: 2056 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x034d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2021, 1:52 p.m.	process_identifier: 2852 region_size: 303104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2021, 1:52 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2021, 1:52 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2021, 1:52 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2021, 1:52 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2021, 1:52 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2021, 1:52 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a92000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2021, 1:52 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b51000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

waads.exe tried to sleep 174 seconds, actually delayed analysis time by 174 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 7, 2021, 1:51 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x004f0000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (11 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 439ca2dd8f6ed34d6a7bedb8101361e29f9aad1f

Communicates with host for which no DNS query was performed (1 event)

host

45.227.253.62

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 7, 2021, 1:52 p.m.	process_identifier: 2852 region_size: 290816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00150000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c0	1	0	0

Network activity contains more than one unique useragent (2 events)

process	waads.exe				useragent
process	waads.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) LBBROWSER

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2056 called NtSetContextThread to modify thread in remote process 2852
NtSetContextThread Aug. 7, 2021, 1:52 p.m.	registers.eip: 1955258581 registers.esp: 55399175 registers.edi: 0 registers.eax: 1376256 registers.ebp: 1948269416 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000013c process_identifier: 2852	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2056 resumed a thread in remote process 2852
NtResumeThread Aug. 7, 2021, 1:52 p.m.	thread_handle: 0x0000013c suspend_count: 1 process_identifier: 2852	1	0	0

Executed a process and injected code into it, probably while unpacking (8 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 7, 2021, 1:52 p.m.	thread_identifier: 2856 thread_handle: 0x0000013c process_identifier: 2852 current_directory: filepath: track: 1 command_line: C:\Windows\syswow64\rundll32.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 1 process_handle: 0x000002c0	1	1
NtAllocateVirtualMemory Aug. 7, 2021, 1:52 p.m.	process_identifier: 2852 region_size: 290816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00150000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c0	1	0
WriteProcessMemory Aug. 7, 2021, 1:52 p.m.	buffer: base_address: 0x00150000 process_identifier: 2852 process_handle: 0x000002c0	1	1
NtGetContextThread Aug. 7, 2021, 1:52 p.m.	thread_handle: 0x0000013c	1	0
NtSetContextThread Aug. 7, 2021, 1:52 p.m.	registers.eip: 1955258581 registers.esp: 55399175 registers.edi: 0 registers.eax: 1376256 registers.ebp: 1948269416 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000013c process_identifier: 2852	1	0
NtResumeThread Aug. 7, 2021, 1:52 p.m.	thread_handle: 0x0000013c suspend_count: 1 process_identifier: 2852	1	0
NtResumeThread Aug. 7, 2021, 1:52 p.m.	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2852	1	0
NtResumeThread Aug. 7, 2021, 1:52 p.m.	thread_handle: 0x00000138 suspend_count: 1 process_identifier: 2852	1	0

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Lionic	Trojan.Win32.Sheljector.trJD
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Fugrafa.858
FireEye	Generic.mg.c47ad106639801ac
CAT-QuickHeal	Trojan.Cobaltstrike
McAfee	Cobalt-EVTS!C47AD1066398
Cylance	Unsafe
Zillya	Trojan.Rozena.Win32.99309
K7AntiVirus	Trojan ( 005622831 )
Alibaba	Trojan:Win32/Rozena.8a4dddf1
K7GW	Trojan ( 005622831 )
Cybereason	malicious.663980
Cyren	W32/Diple.G.gen!Eldorado
Symantec	Backdoor.Cobalt
ESET-NOD32	a variant of Win32/Rozena.AMZ
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Trojan.CobaltStrike-7899872-1
Kaspersky	HEUR:Trojan.Win32.CobaltStrike.gen
BitDefender	Gen:Variant.Fugrafa.858
NANO-Antivirus	Trojan.Win32.Inject3.horsiq
Avast	Win32:Trojan-gen
Tencent	Hacktool.Win32.CobaltStrike.za
Ad-Aware	Gen:Variant.Fugrafa.858
TACHYON	Trojan/W32.Agent.14336.WO
Sophos	ML/PE-A + ATK/Cobalt-A
DrWeb	Trojan.Inject3.2700
TrendMicro	Trojan.Win32.COBALT.SM
McAfee-GW-Edition	Cobalt-EVTS!C47AD1066398
Emsisoft	Trojan.Rozena (A)
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.Generic.ftawl
Avira	TR/Crypt.XPACK.Gen7
Antiy-AVL	Trojan/Generic.ASMalwS.30BBA6D
Gridinsoft	Trojan.Win32.Heur.oa!s1
Microsoft	Trojan:Win32/Cobaltstrike.MK!MTB
ViRobot	Trojan.Win32.Cobalt.14336.J
ZoneAlarm	HEUR:Trojan.Win32.CobaltStrike.gen
GData	Gen:Variant.Fugrafa.858
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.CobaltStrike.R329694
VBA32	TScope.Malware-Cryptor.SB
ALYac	Gen:Variant.Fugrafa.858
MAX	malware (ai score=100)
Malwarebytes	Trojan.CobaltStrike
TrendMicro-HouseCall	Trojan.Win32.COBALT.SM
Rising	Backdoor.CobaltStrike!1.D049 (CLASSIC)
Yandex	Trojan.GenAsa!/C5jzoNrl5s
Ikarus	Trojan.Win32.Rozena
Fortinet	W32/Generic.AP.118EACE!tr

waads.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All