Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 29, 2021, 5:13 p.m.	Sept. 29, 2021, 5:15 p.m.

Size	96.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8993ca9025df7cdfee64edc454377def`
SHA256	`07f726f72e8ce44a69de17da2822ad4cba08e29e64c644f3f62954cfeb8b96d1`
CRC32	`10C10F44`
ssdeep	`1536:fDT8vLrQ9Y2YBrAGTBGhLJk2/fBAMIOafDoD+:rA4YBAgGh3BAMIOq`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description)

Shipping Documents-BL#SE20100068001.exe "C:\Users\test22\AppData\Local\Temp\Shipping Documents-BL#SE20100068001.exe"
2648
- RegAsm.exe "C:\Users\test22\AppData\Local\Temp\Shipping Documents-BL#SE20100068001.exe"
  2988
  - schtasks.exe "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp3145.tmp"
    1348
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
7tgopa.am.files.1drv.com	A 13.107.42.12 CNAME odc-am-files-geo.onedrive.akadns.net CNAME am-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net CNAME odc-am-files-brs.onedrive.akadns.net CNAME am-files.fe.1drv.com CNAME l-0003.l-msedge.net	13.107.42.12
darkeye.hopto.org	A 160.152.6.54	160.152.6.54
onedrive.live.com	CNAME odc-web-geo.onedrive.akadns.net CNAME l-0004.l-msedge.net A 13.107.42.13 CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net CNAME odc-web-brs.onedrive.akadns.net	13.107.42.13

IP Address	Status	Action
13.107.42.12	Active	Moloch
13.107.42.13	Active	Moloch
160.152.6.54	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:54056 -> 8.8.8.8:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic
UDP 192.168.56.101:55450 -> 8.8.8.8:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic
UDP 192.168.56.101:56977 -> 8.8.8.8:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49202 -> 13.107.42.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:65329 -> 8.8.8.8:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49204 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e
TLSv1 192.168.56.101:49202 13.107.42.13:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=onedrive.com	50:2f:33:10:92:ac:27:7b:17:be:82:68:3b:e2:29:ad:97:41:b7:bb

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 29, 2021, 5:14 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 29, 2021, 5:14 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 29, 2021, 5:14 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 29, 2021, 5:14 p.m.	buffer: SUCCESS: The scheduled task "SMTP Host" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 29, 2021, 5:14 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

darkeye.hopto.org

Performs some HTTP requests (2 events)

request	GET https://onedrive.live.com/download?cid=6BC744122027ACE8&resid=6BC744122027ACE8%21137&authkey=AHDc8B9P60uuA9c
request	GET https://7tgopa.am.files.1drv.com/y4mgxpWp6MuASym9689Gu9OG8JBEZdImPuWF8Jt3g9nSjLfECHCRL9ygUaWQdsoG1GX0-oc9EDP1KXA0U4UdMMnZ8kM8ogtP2jsnNr1wzR6tdejAJLZCL5AiCF5ZZL_P57JUsM_YPvJWRlHFbJb3lM5Ylmk9lcGLwSt3VvC6t138iQKIUjqgUVF1kjo191ujlXuc_A7R_tpWhoCYDTb1KQ5tw/LIGHT.bin?download&psid=1

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 29, 2021, 5:13 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 29, 2021, 5:13 p.m.	process_identifier: 2648 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 5:13 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 5:14 p.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773b0000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 29, 2021, 5:07 p.m.	total_number_of_free_bytes: 13725904896 free_bytes_available: 13725904896 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates a suspicious process (1 event)

cmdline

"schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp3145.tmp"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 29, 2021, 5:14 p.m.	thread_identifier: 2660 thread_handle: 0x0000061c process_identifier: 1348 current_directory: C:\Windows\Microsoft.NET\Framework\v2.0.50727 filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp3145.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000620	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 29, 2021, 5:13 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00480000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 29, 2021, 5:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp3145.tmp"
cmdline	"C:\Users\test22\AppData\Local\Temp\Shipping Documents-BL#SE20100068001.exe"

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer	Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251

Enumerates services, possibly for anti-virtualization (1 event)

Time & API	Arguments	Status	Return	Repeated
EnumServicesStatusA Sept. 29, 2021, 5:13 p.m.	service_handle: 0x005119a0 service_type: 48 service_status: 3		0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

160.152.6.54:1942

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.MSIL.NanoBot.m!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37494443
FireEye	Generic.mg.8993ca9025df7cdf
ALYac	Trojan.GenericKD.37494443
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005818811 )
K7GW	Trojan ( 005818811 )
CrowdStrike	win/malicious_confidence_100% (W)
BitDefenderTheta	Gen:NN.ZevbaF.34110.gm0@aOJ7r4g
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/GenKryptik.FJMX
Paloalto	generic.ml
Kaspersky	Backdoor.MSIL.NanoBot.besg
BitDefender	Trojan.GenericKD.37494443
APEX	Malicious
Ad-Aware	Trojan.GenericKD.37494443
Emsisoft	Trojan.GenericKD.37494443 (B)
DrWeb	Trojan.Inject4.15886
McAfee-GW-Edition	BehavesLike.Win32.VBObfus.nh
Sophos	Mal/Generic-S
Ikarus	Trojan.VB.Crypt
Jiangmin	Backdoor.MSIL.eysw
Avira	TR/Kryptik.orgtl
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Trojan.GenericKD.37494443
Cynet	Malicious (score: 100)
McAfee	GuLoader-FDCP!8993CA9025DF
MAX	malware (ai score=88)
VBA32	BScope.Trojan.Mucc
Malwarebytes	Trojan.GuLoader
Avast	Win32:Trojan-gen
Yandex	Trojan.AvsArher.bTx33N
SentinelOne	Static AI - Suspicious PE
eGambit	Unsafe.AI_Score_74%
Fortinet	W32/GenKryptik.FJMX!tr
AVG	Win32:Trojan-gen
Panda	Trj/GdSda.A
MaxSecure	Trojan.Malware.300983.susgen

Shipping Documents-BL#SE20100068001.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All