Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 29, 2021, 10 a.m.	Oct. 29, 2021, 10:02 a.m.

Size	133.5KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`cd3e23cddeb92b7397eaf960da34c237`
SHA256	`b2a4b60dd0c7e9dfa6d88e9badad810ff74c5f42054b7af22e95fb5553d67331`
CRC32	`07A64CB4`
ssdeep	`3072:bKfk4isEZeMyM0BsEkxyzPZzihfXSO5vNFYVtZakBLj8fMTcE1B:mfk4isfNM+XOyzP1ihff3FYVT3JzTV`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature IsDLL - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,cxzasada
2564
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,cxzasada
  2816
  - cmd.exe cmd /c ping 192.0.2.82 -n 6 -w 1000 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", cxzasada wdtbkqfe koorgsfd & exit
    2228
    - PING.EXE ping 192.0.2.82 -n 6 -w 1000
      2312
    - rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", cxzasada wdtbkqfe koorgsfd
      1128
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,ddsdfwe
2712
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,ddsdfwe
  2532
  - cmd.exe cmd /c ping 127.0.0.1 -n 6 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", ddsdfwe wdtbkqfe koorgsfd & exit
    2184
    - PING.EXE ping 127.0.0.1 -n 6
      2548
    - rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", ddsdfwe wdtbkqfe koorgsfd
      2672
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,htrhrr
2356
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,htrhrr
  2516
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,nvqqws
3000
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,nvqqws
  2728
  - cmd.exe cmd /c ping 127.0.0.1 -n 6 -4 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", nvqqws wdtbkqfe koorgsfd & exit
    2668
    - PING.EXE ping 127.0.0.1 -n 6 -4
      1892
    - rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", nvqqws wdtbkqfe koorgsfd
      2804
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,ClearNode
2464
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,ClearNode
  2160
  - cmd.exe cmd /c timeout /t 8 /nobreak & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", ClearNode wdtbkqfe koorgsfd & exit
    1700
    - timeout.exe timeout /t 8 /nobreak
      1728
    - rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", ClearNode wdtbkqfe koorgsfd
      3044
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,pogfhgf
2824
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,pogfhgf
  2180
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,
2684

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 29, 2021, 9:54 a.m.	buffer: Waiting for 8 console_handle: 0x0000000000000007	1	1	0
WriteConsoleW Oct. 29, 2021, 9:54 a.m.	buffer: seconds, press CTRL+C to quit ... console_handle: 0x0000000000000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 29, 2021, 9:54 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 29, 2021, 10 a.m.	process_identifier: 2816 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001f60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 10 a.m.	process_identifier: 2516 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 10 a.m.	process_identifier: 2532 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001f60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 10 a.m.	process_identifier: 2160 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 10 a.m.	process_identifier: 2728 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 10 a.m.	process_identifier: 2180 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:54 a.m.	process_identifier: 2672 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:54 a.m.	process_identifier: 2804 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:55 a.m.	process_identifier: 3044 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001f60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:55 a.m.	process_identifier: 1128 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 401 seconds, actually delayed analysis time by 401 seconds

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001ba00', u'virtual_address': u'0x00006000', u'entropy': 7.728152878306273, u'name': u'.rdata', u'virtual_size': u'0x0001b91c'}

entropy

7.72815287831

description

A section with a high entropy has been found

entropy

0.833962264151

description

Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	cmd /c ping 127.0.0.1 -n 6 -4 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", nvqqws wdtbkqfe koorgsfd & exit
cmdline	cmd /c ping 192.0.2.82 -n 6 -w 1000 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", cxzasada wdtbkqfe koorgsfd & exit
cmdline	cmd /c ping 127.0.0.1 -n 6 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", ddsdfwe wdtbkqfe koorgsfd & exit
cmdline	ping 192.0.2.82 -n 6 -w 1000
cmdline	ping 127.0.0.1 -n 6 -4
cmdline	ping 127.0.0.1 -n 6

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

Cynet	Malicious (score: 100)
McAfee	Artemis!CD3E23CDDEB9
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_60% (D)
Avast	Win64:MalwareX-gen [Trj]
McAfee-GW-Edition	BehavesLike.Win64.BadFile.cc
FireEye	Generic.mg.cd3e23cddeb92b73
Sophos	Generic ML PUA (PUA)
MaxSecure	Trojan.Malware.300983.susgen
Microsoft	Trojan:Win64/BazarLoader.MZK!MTB
Fortinet	W64/Kryptik.CQV!tr
AVG	Win64:MalwareX-gen [Trj]

Generates some ICMP traffic

temp.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All