Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 10, 2021, 10:33 a.m.	Aug. 10, 2021, 10:41 a.m.

Size	299.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0b97f7e640adbb46c56fb1229d97a894`
SHA256	`164ba76af931f4378edd9fac284a9d5fbb82f7fa6aba3610a93acad54cf01606`
CRC32	`2AAE2976`
ssdeep	`6144:/okJIphhn9BvuC/bnlKVpTAW+kdl9cJuUaHs36pbFxx/GazNS3vg1/:AkJCHWELyl9wu/H/plzcfg1/`
PDB Path	C:\xampp\htdocs\Loct\039668b2aa66435db4f36c45b4462c9a\Loader\Project1\Release\Project1.pdb
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

myn.exe "C:\Users\test22\AppData\Local\Temp\myn.exe"
2444
- myn.exe "C:\Users\test22\AppData\Local\Temp\myn.exe"
  1756
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
desireblex.ddns.net	A 2.56.59.13	2.56.59.13

IP Address	Status	Action
164.124.101.2	Active	Moloch
2.56.59.13	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

C:\xampp\htdocs\Loct\039668b2aa66435db4f36c45b4462c9a\Loader\Project1\Release\Project1.pdb

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 10, 2021, 10:33 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 10, 2021, 10:33 a.m.	stacktrace: myn+0x3626 @ 0x403626 myn+0x1145b @ 0x41145b myn+0x13649 @ 0x413649 myn+0x5d61 @ 0x405d61 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 0f b7 01 66 89 02 41 41 42 42 66 85 c0 75 f1 c7 exception.symbol: lstrcpyW+0x16 IsBadStringPtrA-0x5b kernel32+0x33118 exception.instruction: movzx eax, word ptr [ecx] exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 209176 exception.address: 0x75753118 registers.esp: 1636416 registers.edi: 1636556 registers.eax: 1636440 registers.ebp: 1636456 registers.edx: 46399488 registers.ebx: 1636696 registers.esi: 1636712 registers.ecx: 0	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

desireblex.ddns.net

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 2444 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0018f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 2444 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 2444 region_size: 217088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 1756 region_size: 540672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 1756 region_size: 540672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03d30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Aug. 10, 2021, 10:33 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 10, 2021, 10:33 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW Aug. 10, 2021, 10:27 a.m.	total_number_of_free_bytes: 13726965760 free_bytes_available: 13726965760 root_path: C:\ total_number_of_bytes: 34252779520	1	1

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data

Executes one or more WMI queries (1 event)

wmi

Harvests credentials from local email clients (3 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2444 called NtSetContextThread to modify thread in remote process 1756
NtSetContextThread Aug. 10, 2021, 10:33 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4218082 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000bc process_identifier: 1756	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\:Zone.Identifier

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Noon.l!c
Elastic	malicious (high confidence)
FireEye	Generic.mg.0b97f7e640adbb46
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	TrojanSpy:Win32/Kryptik.df48a3cf
CrowdStrike	win/malicious_confidence_90% (W)
Cyren	W32/Injector.AKK.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HMAB
APEX	Malicious
Kaspersky	HEUR:Trojan-Spy.Win32.Noon.gen
Avast	Win32:Trojan-gen
Tencent	Win32.Trojan.Inject.Auto
Sophos	Mal/Generic-S
DrWeb	Trojan.PWS.Siggen3.1955
VIPRE	LooksLike.Win32.Crowti.b (v)
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Emsisoft	Trojan.Crypt (A)
Ikarus	Win32.Outbreak
eGambit	Unsafe.AI_Score_99%
Gridinsoft	Trojan.Win32.Kryptik.oa
Microsoft	Trojan:Win32/AgentTesla.BKP!MTB
GData	Win32.Backdoor.AMRat.13MAZD
Cynet	Malicious (score: 100)
McAfee	RDN/Generic.dx
MAX	malware (ai score=99)
VBA32	BScope.Trojan-Dropper.Injector
Malwarebytes	Spyware.PasswordStealer.Generic
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/GenKryptik.FIBB!tr
BitDefenderTheta	Gen:NN.ZexaF.34058.suZ@aWUIUSbi
AVG	Win32:Trojan-gen
Qihoo-360	Win32/TrojanSpy.Noon.HwoCJ58A

myn.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All