Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 29, 2021, 11:32 a.m.	Sept. 29, 2021, 11:34 a.m.

Size	3.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d0efa396aec4477851bb35136c716732`
SHA256	`268525c7023d25f141e7b756092d7566a1d1ce9407d3d31325dd4bf231208d6c`
CRC32	`CEDE8506`
ssdeep	`49152:tqe3f6aXdXWOfI7wgBVJYWBX/Ac4cxaMsm1wezopmJedSffPMWrQ0Zke:8SiaXEOfI51CMsmuIJNnPcM5`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

daiparl.exe "C:\Users\test22\AppData\Local\Temp\daiparl.exe"
2500
- daiparl.tmp "C:\Users\test22\AppData\Local\Temp\is-J2HJJ.tmp\daiparl.tmp" /SL5="$501AE,2564405,831488,C:\Users\test22\AppData\Local\Temp\daiparl.exe"
  2580
  - cmd.exe "cmd.exe" /C bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi
    2196
  - cmd.exe "cmd.exe" /C mountvol P: /D
    2116
    - mountvol.exe mountvol P: /D
      2060
  - cmd.exe "cmd.exe" /C setx /m PATH "%PATH%C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp"
    2140
    - setx.exe setx /m PATH "C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\util\cmd;C:\Python27;C:\util\cmd;C:\Python27C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp"
      2776
  - cmd.exe "cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\devcon.exe" remove "ROOT\bareflank""
    2840
  - cmd.exe "cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\devcon.exe" install "C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\bareflank.inf" "ROOT\bareflank""
    2304
  - cmd.exe "cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\devcon.exe" remove "ROOT\bfbuilder""
    2548
  - cmd.exe "cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\devcon.exe" install "C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\bfbuilder.inf" "ROOT\bfbuilder""
    2612
explorer.exe C:\Windows\Explorer.EXE
1924

Name	Response	Post-Analysis Lookup
imagizer.imageshack.com	A 151.139.128.11 CNAME h9i4k4c8.stackpathcdn.com	151.139.128.11

IP Address	Status	Action
151.139.128.11	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 151.139.128.11:443 -> 192.168.56.103:49187	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 151.139.128.11:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49186 -> 151.139.128.11:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 151.139.128.11:443 -> 192.168.56.103:49184	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49185 -> 151.139.128.11:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 29, 2021, 11:32 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 29, 2021, 11:32 a.m.			0	0

Command line console output was observed (7 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 29, 2021, 11:32 a.m.	buffer: 'bcdedit' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 29, 2021, 11:32 a.m.	buffer: The system cannot find the file specified. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 29, 2021, 11:32 a.m.	buffer: SUCCESS: Specified value was saved. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 29, 2021, 11:32 a.m.	buffer: '"C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\devcon.exe"' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 29, 2021, 11:32 a.m.	buffer: '"C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\devcon.exe"' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 29, 2021, 11:32 a.m.	buffer: '"C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\devcon.exe"' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 29, 2021, 11:32 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 29, 2021, 11:32 a.m.	stacktrace: TMethodImplementationIntercept+0x1fbb2e dbkFCallWrapperAddr-0x20cb2 daiparl+0x2b198e @ 0x6b198e TMethodImplementationIntercept+0x1fbb2e dbkFCallWrapperAddr-0x20cb2 daiparl+0x2b198e @ 0x6b198e TMethodImplementationIntercept+0x20e90c dbkFCallWrapperAddr-0xded4 daiparl+0x2c476c @ 0x6c476c BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7677b727 registers.esp: 1637804 registers.edi: 0 registers.eax: 1637804 registers.ebp: 1637884 registers.edx: 0 registers.ebx: 3 registers.esi: 2 registers.ecx: 7	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 29, 2021, 11:32 a.m.

stacktrace:

TMethodImplementationIntercept+0x1fbb2e dbkFCallWrapperAddr-0x20cb2 daiparl+0x2b198e @ 0x6b198e
TMethodImplementationIntercept+0x1fbb2e dbkFCallWrapperAddr-0x20cb2 daiparl+0x2b198e @ 0x6b198e
TMethodImplementationIntercept+0x20e90c dbkFCallWrapperAddr-0xded4 daiparl+0x2c476c @ 0x6c476c
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 1637804
registers.edi: 0
registers.eax: 1637804
registers.ebp: 1637884
registers.edx: 0
registers.ebx: 3
registers.esi: 2
registers.ecx: 7

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 29, 2021, 11:32 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 11:32 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 11:32 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 11:32 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 29, 2021, 11:32 a.m.	process_identifier: 2580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\googlesystem.exe
file	C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\express.dll

Creates a suspicious process (8 events)

cmdline	"cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\devcon.exe" install "C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\bfbuilder.inf" "ROOT\bfbuilder""
cmdline	"cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\devcon.exe" remove "ROOT\bfbuilder""
cmdline	"cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\devcon.exe" install "C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\bareflank.inf" "ROOT\bareflank""
cmdline	"cmd.exe" /C mountvol P: /D
cmdline	setx /m PATH "C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\util\cmd;C:\Python27;C:\util\cmd;C:\Python27C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp"
cmdline	"cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\devcon.exe" remove "ROOT\bareflank""
cmdline	"cmd.exe" /C setx /m PATH "%PATH%C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp"
cmdline	"cmd.exe" /C bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\googlesystem.exe
file	C:\Users\test22\AppData\Local\Temp\is-J2HJJ.tmp\daiparl.tmp
file	C:\Users\test22\AppData\Local\Temp\is-CV4N9.tmp\express.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 29, 2021, 11:32 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0
LookupPrivilegeValueW Sept. 29, 2021, 11:32 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0

Modifies boot configuration settings (1 event)

command

"cmd.exe" /c bcdedit /set {bootmgr} path \efi\boot\bareflank.efi

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Lionic	Trojan.Win32.Penguish.a!c
MicroWorld-eScan	Trojan.GenericKD.37675674
FireEye	Trojan.GenericKD.37675674
K7AntiVirus	Trojan ( 005882651 )
Alibaba	TrojanDownloader:Win32/Penguish.2c815146
K7GW	Trojan ( 005882651 )
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of Win32/GenKryptik.FKVU
Paloalto	generic.ml
Kaspersky	Trojan-Downloader.Win32.Penguish.wc
BitDefender	Trojan.GenericKD.37675674
Avast	FileRepMalware
Tencent	Win32.Trojan-downloader.Penguish.Wrql
Ad-Aware	Trojan.GenericKD.37675674
Emsisoft	Trojan.GenericKD.37675674 (B)
McAfee-GW-Edition	BehavesLike.Win32.Dropper.wc
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Krypt
Webroot	W32.Malware.Gen
Avira	TR/Kryptik.wzzar
MAX	malware (ai score=83)
Kingsoft	Win32.TrojDownloader.Penguish.wc.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Win32.Trojan.Kryptik.7W7IH5
Cynet	Malicious (score: 100)
McAfee	Artemis!D0EFA396AEC4
TrendMicro-HouseCall	TROJ_FRS.VSNW1CI21
Fortinet	W32/GenKryptik.FKVU!tr
AVG	FileRepMalware

daiparl.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All