Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 13, 2021, 10:51 a.m.	Oct. 13, 2021, 10:53 a.m.

Size	439.5KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`a3dfaa6badd480c93af825510e7cd1d2`
SHA256	`97be7d572ed4a9720561ae03829477ef20ae0a7977499b230962eb234b14d73a`
CRC32	`562EF0BF`
ssdeep	`6144:1GLKdwISTscw67YvbSg1nNrGB48sEDyrSAO5oJYPGEL3DdyvO2TBCohKVIMdCTT9:QK7rROZ3BcO2T8oDhTT9`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) Malicious_Library_Zero - Malicious_Library

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\1.dll,EnterDll
2132
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\1.dll,EnterDll
  688
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\1.dll,
2828

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 13, 2021, 10:44 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

Allocates read-write-execute memory (usually to unpack itself) (50 out of 57 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb037000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007720a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077295000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077212000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077209000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007721a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077289000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007725b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007721e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077216000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077202000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077216000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007721c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077204000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077204000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077219000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077219000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007720e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007720d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077211000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077209000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077222000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007720b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077217000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077261000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077221000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077262000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077270000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077210000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007725c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007720f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007728f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077201000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077202000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077219000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007720a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007725b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2021, 10:44 a.m.	process_identifier: 688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077219000 process_handle: 0xffffffffffffffff	1

File has been identified by 8 AntiVirus engines on VirusTotal as malicious (8 events)

FireEye	Generic.mg.a3dfaa6badd480c9
CrowdStrike	win/malicious_confidence_60% (W)
ESET-NOD32	a variant of Win64/Agent_AGen.J
APEX	Malicious
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Cynet	Malicious (score: 100)
Fortinet	W64/BazarLoader.AS!tr
Webroot	W32.Trojan.Gen

Attempts to identify installed AV products by registry key (1 event)

registry

HKEY_CURRENT_USER\SOFTWARE\Doctor Web

1.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All