Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 28, 2021, 5:43 p.m.	Aug. 28, 2021, 5:47 p.m.

Size	435.0KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`6a124d95c5c5038daf38b7d0d8719996`
SHA256	`8a47b898b7c8aa16abef0d692c9c7bc123cee04c37027ac109df1c6d1fbd6f00`
CRC32	`6D969CD3`
ssdeep	`12288:BpmGo6NcFaOrWsrTrABM5iSFV5GfJLYNDBqkpg8D:BAGo6NcBtXrABM5imGfJLYpBqL8D`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description) IsDLL - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44.dll,CvvuibpxxnejxroDsqhgxyzcujno
2504
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44.dll,CvvuibpxxnejxroDsqhgxyzcujno
  932
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44.dll,JfvrwqpngZxcdineOxnuutznn
896
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44.dll,JfvrwqpngZxcdineOxnuutznn
  2176
  - cmd.exe cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\44.dll", StartW mscp ahis & exit
    2480
    - PING.EXE ping 127.0.0.1 -n 8
      572
    - rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\44.dll", StartW mscp ahis
      2316
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44.dll,MzqvvwcgmfEvubknxjygklx
2880
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44.dll,MzqvvwcgmfEvubknxjygklx
  2808
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44.dll,StartW
2332
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44.dll,StartW
  2664
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44.dll,fgrererere
2400
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44.dll,fgrererere
  2488
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44.dll,qwwwwww
2948
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44.dll,qwwwwww
  360
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44.dll,
1768

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 28, 2021, 5:47 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 28, 2021, 5:36 p.m.	process_identifier: 2176 region_size: 2387968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001da0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2021, 5:36 p.m.	process_identifier: 932 region_size: 2387968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001e40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2021, 5:36 p.m.	process_identifier: 2808 region_size: 2387968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001e40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2021, 5:36 p.m.	process_identifier: 2664 region_size: 2387968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001ca0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2021, 5:36 p.m.	process_identifier: 2488 region_size: 2387968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001cc0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2021, 5:36 p.m.	process_identifier: 360 region_size: 2387968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2021, 5:47 p.m.	process_identifier: 2316 region_size: 2387968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 495 seconds, actually delayed analysis time by 495 seconds

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	ping 127.0.0.1 -n 8
cmdline	cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\44.dll", StartW mscp ahis & exit

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Razy.913977
Cylance	Unsafe
ESET-NOD32	a variant of Win64/BazarLoader.AZ
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Razy.913977
Avast	FileRepMalware
Ad-Aware	Gen:Variant.Razy.913977
Emsisoft	Gen:Variant.Razy.913977 (B)
FireEye	Generic.mg.6a124d95c5c5038d
MAX	malware (ai score=81)
Arcabit	Trojan.Razy.DDF239
GData	Gen:Variant.Razy.913977
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.IcedID.C4608701
ALYac	Gen:Variant.Razy.913977
Fortinet	W64/BazarLoader.AZ!tr
AVG	FileRepMalware

44.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All