Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 14, 2021, 10:44 a.m.	Sept. 14, 2021, 10:46 a.m.

Size	10.9MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`82d526a3173aca4b9c9c978cb3281e4e`
SHA256	`201c726448b89ad7ea68ae90b4c8fbb16262736bfabfb476b434d1ed6c3e60b3`
CRC32	`40BABDDB`
ssdeep	`196608:e2mQb8h1vVa7KSMEjSURy2Vg2Exdk7MG670uF+0ip1+OkLVDcdjO/R6KbhdPRgC:b41NSMEOURPHExSM0n1+OkLIjO/Rp9kC`
Yara	Malicious_Packer_Zero - Malicious Packer UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check Is_DotNET_EXE - (no description) Malicious_Library_Zero - Malicious_Library Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

schtasks.exe "schtasks.exe" /create /tn OneDriveStandalone-API-Method-Update-8-7736888177-3994777-719430009-19199 /tr "C:\Users\test22\AppData\Roaming\Audio API MMS\C4E07DBC61\OneDriveStandaloneAPIMethod.exe" /st 16:10 /du 23:59 /sc daily /ri 1 /f
2764
cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmp2C53.tmp.bat""
1032
- timeout.exe timeout 4
  2080

Name	Response	Post-Analysis Lookup
api.telegram.org	A 149.154.167.220	149.154.167.220

IP Address	Status	Action
149.154.167.220	Active	Moloch
164.124.101.2	Active	Moloch
185.92.150.213	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 149.154.167.220:443 -> 192.168.56.101:49201	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49201 -> 149.154.167.220:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 14, 2021, 10:45 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 14, 2021, 10:45 a.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1	0

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\Audio API MMS\C4E07DBC61\OneDriveStandaloneAPIMethod.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\qYnjfKljhYhAhBx.exe
file	C:\Users\test22\AppData\Roaming\Audio API MMS\C4E07DBC61\OneDriveStandaloneAPIMethod.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00aedc00', u'virtual_address': u'0x00002000', u'entropy': 7.6641047915507805, u'name': u'.text', u'virtual_size': u'0x00aedb94'}

entropy

7.66410479155

description

A section with a high entropy has been found

entropy

0.999821316894

description

Overall entropy of this PE file is high

Yara rule detected in process memory (31 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Communicates with host for which no DNS query was performed (1 event)

host

185.92.150.213

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1032 resumed a thread in remote process 1296
NtResumeThread Sept. 14, 2021, 10:45 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 1296	1	0	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 events)

dead_host	185.92.150.213:6606
dead_host	192.168.56.101:49217
dead_host	192.168.56.101:49211
dead_host	185.92.150.213:7707

qYnjfKljhYhAhBx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All