Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 24, 2021, 9:07 a.m.	Sept. 24, 2021, 9:16 a.m.

Size	350.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`78f2458cc24af9604d6963087bf385bf`
SHA256	`0c1d347f614bcd43d9628debcc924b3c3276e5fb2ff9307aeeeef2a7920ace25`
CRC32	`B08D4CB6`
ssdeep	`6144:QGsKQRiAXtMXvUztJJjAeNa98ZrOaf4/OzuXWNTRczG8PWGw57Bp54U/0:9sfRpuXMztXdA+ZrOS4yuXk8OGC5Z/0`
PDB Path	c:\Our\Bone\Month-color\585_nation\581\sugar.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\xcvzn6sgATucn.cms.dll,Ledbad
2260
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\xcvzn6sgATucn.cms.dll,Saidwind
1304
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\xcvzn6sgATucn.cms.dll,
2408
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\xcvzn6sgATucn.cms.dll,Successwork
492

Name	Response	Post-Analysis Lookup
apt.updateffboruse.com	A 94.142.143.142	94.142.143.142

IP Address	Status	Action
164.124.101.2	Active	Moloch
94.142.143.142	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49211 -> 94.142.143.142:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 94.142.143.142:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 24, 2021, 9:07 a.m.	computer_name:		0
GetComputerNameW Sept. 24, 2021, 9:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 24, 2021, 9:07 a.m.	computer_name:		0
GetComputerNameW Sept. 24, 2021, 9:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 24, 2021, 9:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 24, 2021, 9:07 a.m.	computer_name:		0
GetComputerNameW Sept. 24, 2021, 9:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 24, 2021, 9:07 a.m.	computer_name:		0
GetComputerNameW Sept. 24, 2021, 9:07 a.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

This executable has a PDB path (1 event)

pdb_path

c:\Our\Bone\Month-color\585_nation\581\sugar.pdb

Performs some HTTP requests (1 event)

request

GET http://apt.updateffboruse.com/WdSON6naJhd7NZw9Nfb_/2B6jJVjZ_2FxoalKYRW/Izq4eflqjjmGJwDwCqANlh/_2FmlhZ3tVBBq/qACG27Iz/MDSqQF0lfIIt35xnvThfkp0/wgNsv_2BY7/mxLTBEHWWV1xe3RTA/4MMMVFPrWkY7/TZ26YdTeHY_/2Bk37dK5mbwXHQ/9VitTIvySFW56aqYjOTFq/pSGhAYKxwLHgg2dC/_2B1_2FK_2FtvOJ/A0u_2F8qAsm1af5sDN/5_2FoTFWY/abRTUPuqNV_2FWCeStb7/7wYkbOF5EA_2FCctL8Q/4CmDudB2PVSgAM29EkPjun/p4UMugd6oYAMD/Y

Allocates read-write-execute memory (usually to unpack itself) (30 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73751000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d29000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 2260 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72871000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72821000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 1304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 1304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73751000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 1304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 1304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d29000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 1304 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 1304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72871000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 1304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72821000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73751000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d29000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 492 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72871000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 9:07 a.m.	process_identifier: 492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72821000 process_handle: 0xffffffff	1

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

McAfee	Artemis!78F2458CC24A
ESET-NOD32	a variant of Win32/Kryptik.HMOT
APEX	Malicious
Kaspersky	UDS:Trojan-Banker.Win32.Cridex.gen
SentinelOne	Static AI - Malicious PE
Webroot	W32.Malware.Gen
Ikarus	Win32.Outbreak

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 24, 2021, 9:07 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

xcvzn6sgATucn.cms

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All