Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 4, 2021, 3:15 p.m.	Sept. 4, 2021, 3:17 p.m.

Size	6.3MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`d43db563bc6efb1c6cbb86f4d21349d9`
SHA256	`be9e07dff4dd0d93825aadbda9174e107bc3de3223e4e8be6c15bef71dc92701`
CRC32	`1515E4D6`
ssdeep	`98304:IWeHPHev2chbU02i5V5gm2hVgB0ezO94ngxY/xxL29Kcu44aoww2TpMKEvc:IP+v9b28V5gjCBXs4nYYZxaKcu42Hc`
Yara	PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

Zenare.exe "C:\Users\test22\AppData\Local\Temp\Zenare.exe"
2480
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
bitbucket.org	A 104.192.141.1	104.192.141.1
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
104.192.141.1	Active	Moloch
164.124.101.2	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 104.192.141.1:443 -> 192.168.56.102:49173	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49165 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.102:49168	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.102:49166	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49168 -> 104.192.141.1:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49166 -> 104.192.141.1:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.102:49172	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.102:49169	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49172 -> 104.192.141.1:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.102:49171	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49171 -> 104.192.141.1:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49165 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Sept. 4, 2021, 3:15 p.m.	buffer: failed to open: C:\ProgramData\Data\GPU.zip console_handle: 0x00000007	1	1	0
WriteConsoleA Sept. 4, 2021, 3:15 p.m.	buffer: failed to open: C:\ProgramData\Systemd\CPU.zip console_handle: 0x00000007	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

Candy Sm

Performs some HTTP requests (2 events)

request	GET http://iplogger.org/1mxPf7
request	GET https://iplogger.org/1mxPf7

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 4, 2021, 3:15 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

Zenare.exe tried to sleep 176 seconds, actually delayed analysis time by 176 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 4, 2021, 3:16 p.m.	total_number_of_free_bytes: 10919608320 free_bytes_available: 10919608320 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (30 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005d8 process_name: mobsync.exe process_identifier: 812	1	1
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 2672	1	1
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005d8 process_name: taskhost.exe process_identifier: 2660	1	1
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005d8 process_name: cmd.exe process_identifier: 2328	1	1
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 1092	1	1
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005d8 process_name: Zenare.exe process_identifier: 2480	1	1
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005d8 process_name: conhost.exe process_identifier: 2088	1	1
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: cmd.exe process_identifier: 2880	1	1
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2208	1	1
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2792	1	1
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: cmd.exe process_identifier: 688	1	1
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 1988	1	1
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2200	1	1
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x00000584 process_name: cmd.exe process_identifier: 2544	1	1
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x00000584 process_name: conhost.exe process_identifier: 1792	1	1
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x00000584 process_name: pw.exe process_identifier: 532	1	1
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x00000584 process_name: cmd.exe process_identifier: 2264	1	1
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x00000584 process_name: conhost.exe process_identifier: 1784	1	1
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x00000584 process_name: pw.exe process_identifier: 2240	1	1
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x00000254 process_name: cmd.exe process_identifier: 2292	1	1
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x00000254 process_name: conhost.exe process_identifier: 424	1	1
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x00000254 process_name: pw.exe process_identifier: 1580	1	1
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x0000023c process_name: cmd.exe process_identifier: 2452	1	1
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x0000023c process_name: conhost.exe process_identifier: 2448	1	1
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x0000023c process_name: pw.exe process_identifier: 1464	1	1
Process32NextW Sept. 4, 2021, 3:17 p.m.	snapshot_handle: 0x0000023c process_name: cmd.exe process_identifier: 2980	1	1
Process32NextW Sept. 4, 2021, 3:17 p.m.	snapshot_handle: 0x0000023c process_name: conhost.exe process_identifier: 2840	1	1
Process32NextW Sept. 4, 2021, 3:17 p.m.	snapshot_handle: 0x0000023c process_name: pw.exe process_identifier: 1180	1	1
Process32NextW Sept. 4, 2021, 3:17 p.m.	snapshot_handle: 0x00000524 process_name: cmd.exe process_identifier: 2560	1	1
Process32NextW Sept. 4, 2021, 3:17 p.m.	snapshot_handle: 0x00000524 process_name: cmd.exe process_identifier: 2612	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 4, 2021, 3:15 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x004e0000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0057f600', u'virtual_address': u'0x00390000', u'entropy': 7.959654652830455, u'name': u'Candy Sm', u'virtual_size': u'0x0057f420'}

entropy

7.95965465283

description

A section with a high entropy has been found

entropy

0.878305640066

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 233 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005d8 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005fc process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005fc process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005fc process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005fc process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2792		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2792		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2792		0	0
Process32NextW Sept. 4, 2021, 3:15 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2792		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2792		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2792		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2792		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2792		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2792		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2792		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: conhost.exe process_identifier: 2088		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2200		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2200		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2200		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2200		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2200		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2200		0	0
Process32NextW Sept. 4, 2021, 3:16 p.m.	snapshot_handle: 0x000005f4 process_name: pw.exe process_identifier: 2200		0	0

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

FireEye	Generic.mg.d43db563bc6efb1c
Cylance	Unsafe
BitDefenderTheta	Gen:NN.ZexaE.34126.@F1@a0VcOXpi
APEX	Malicious
Kaspersky	UDS:Trojan-Downloader.Win32.Miner
NANO-Antivirus	Virus.Win32.Gen.ccmw
Gridinsoft	Trojan.Heur!.00214021
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Cynet	Malicious (score: 100)
Acronis	suspicious

Zenare.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All