Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 22, 2021, 9:44 a.m.	Sept. 22, 2021, 10:12 a.m.

Size	733.0KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`9f3d6ad1891e088e16f93a17da7e338e`
SHA256	`2f6392ed7bf24a4618ff1709a6c8ecc9c5b77aee3714a4770bf5c11cb7bbe4ec`
CRC32	`AB8C8C6B`
ssdeep	`12288:yzfwpdjxfrpIt1hz+mCLeSefQZhelLv26Xxg7McGFgBfwN/GAcIHdJ3EjVneM/Ed:yzfwPjxfrpIt1R+mCLeSefQZhelLv26v`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature IsDLL - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ntcm.dll,DllGetClassObject
2648
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ntcm.dll,DllGetClassObject
  1296
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ntcm.dll,DllRegisterServer
2428
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ntcm.dll,DllRegisterServer
  3056
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ntcm.dll,PluginInit
2624
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ntcm.dll,PluginInit
  2944
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ntcm.dll,
2672

Name	Response	Post-Analysis Lookup
gigamerolini.top
aws.amazon.com	CNAME tp.8e49140c2-frontier.amazon.com CNAME dr49lng3n1n2s.cloudfront.net A 54.230.166.71	99.86.203.74

IP Address	Status	Action
164.124.101.2	Active	Moloch
54.230.166.71	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49205 -> 54.230.166.71:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:54056 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49207 -> 54.230.166.71:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49208 -> 54.230.166.71:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49205 54.230.166.71:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=aws.amazon.com	78:64:7a:bc:b1:44:57:70:a0:58:3a:5d:4f:e2:c4:f7:1f:83:d5:22
TLSv1 192.168.56.101:49207 54.230.166.71:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=aws.amazon.com	78:64:7a:bc:b1:44:57:70:a0:58:3a:5d:4f:e2:c4:f7:1f:83:d5:22
TLSv1 192.168.56.101:49208 54.230.166.71:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=aws.amazon.com	78:64:7a:bc:b1:44:57:70:a0:58:3a:5d:4f:e2:c4:f7:1f:83:d5:22

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 22, 2021, 9:44 a.m.			0	0
IsDebuggerPresent Sept. 22, 2021, 9:44 a.m.			0	0
IsDebuggerPresent Sept. 22, 2021, 9:44 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 22, 2021, 9:44 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://aws.amazon.com/

Performs some HTTP requests (1 event)

request

GET https://aws.amazon.com/

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

gigamerolini.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1296 region_size: 405504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 3056 region_size: 405504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 3056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 2944 region_size: 405504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000530000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 2944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 534 seconds, actually delayed analysis time by 534 seconds

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Lionic	Trojan.Multi.Generic.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
ALYac	Trojan.GenericKD.46982868
Malwarebytes	Trojan.IcedID
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.46982868
K7GW	Trojan-Downloader ( 00580ce61 )
K7AntiVirus	Trojan-Downloader ( 00580ce61 )
Arcabit	Trojan.Generic.D2CCE6D4
Symantec	Trojan.Gen.2
ESET-NOD32	Win64/TrojanDownloader.IcedId.F
Paloalto	generic.ml
Kaspersky	Trojan-Banker.Win32.IcedID.txva
Alibaba	TrojanBanker:Win32/IcedID.7aa65050
MicroWorld-eScan	Trojan.GenericKD.46982868
Avast	Win64:BankerX-gen [Trj]
Ad-Aware	Trojan.GenericKD.46982868
McAfee-GW-Edition	BehavesLike.Win64.Drixed.bh
FireEye	Generic.mg.9f3d6ad1891e088e
Emsisoft	Trojan.GenericKD.46982868 (B)
Ikarus	Trojan.SuspectCRC
Avira	TR/AD.Bazar.kuqsp
MAX	malware (ai score=89)
Kingsoft	Win32.Troj.Banker.(kcloud)
Microsoft	Trojan:Win32/Tnega!ml
ZoneAlarm	Trojan-Banker.Win32.IcedID.txva
GData	Win32.Trojan-Downloader.IcedID.6JCWMN
McAfee	Artemis!9F3D6AD1891E
Cylance	Unsafe
SentinelOne	Static AI - Malicious PE
Fortinet	Malicious_Behavior.SB
AVG	Win64:BankerX-gen [Trj]
Panda	Trj/CI.A

ntcm.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All