Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 1, 2021, 10:25 a.m.	Nov. 1, 2021, 10:51 a.m.

Size	99.0KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`022bc73fb9791a575e7799c81158b70a`
SHA256	`f520f97e3aa065efc4b7633735530a7ea341f3b332122921cb9257bf55147fb7`
CRC32	`E965FB5A`
ssdeep	`3072:TWK939CyKO0NZThiKlNkZRmiXmAe/lY1lzBRjn9vOw:P0vhXsZBmEltRjh`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature IsDLL - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat.dll,DllGetClassObject
2300
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat.dll,DllGetClassObject
  3056
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat.dll,DllRegisterServer
2532
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat.dll,DllRegisterServer
  2716
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat.dll,DllUnregisterServer
2676
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat.dll,DllUnregisterServer
  2500
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat.dll,DllMain
2504
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat.dll,DllMain
  2420
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat.dll,StartW
352
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat.dll,StartW
  2600
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat.dll,
2800

Name	Response	Post-Analysis Lookup
oldmystat.com

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 1, 2021, 10:25 a.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 10:25 a.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 10:25 a.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 10:25 a.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 10:25 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 1, 2021, 10:25 a.m.	stacktrace: 0x1e50030 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c exception.instruction_r: ac 3c 61 7c 02 2c 20 41 c1 c9 0d 41 01 c1 e2 ed exception.instruction: lodsb al, byte ptr [rsi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1e50030 registers.r14: 1453503984 registers.r15: 0 registers.rcx: 110 registers.rsi: 110 registers.r10: 0 registers.rbx: 31785465 registers.rsp: 35649256 registers.r11: 514 registers.r8: 8791747600644 registers.r9: 0 registers.rdx: 2001282656 registers.r12: 0 registers.rbp: 31784970 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 3056 region_size: 585728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 2716 region_size: 585728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 2420 region_size: 585728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 2600 region_size: 585728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001cc0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 2500 region_size: 585728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000001e50000 process_handle: 0xffffffffffffffff	1	0	0

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Lionic	Trojan.Win32.Encoder.j!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37906585
FireEye	Generic.mg.022bc73fb9791a57
McAfee	RDN/Ransom
Cylance	Unsafe
Sangfor	Trojan.Win64.Ogneglazka.hq
K7AntiVirus	Trojan ( 0058996c1 )
K7GW	Trojan ( 0058996c1 )
CrowdStrike	win/malicious_confidence_80% (W)
Symantec	Trojan.Gen.2
ESET-NOD32	Win64/CobaltStrike.Artifact.A
Paloalto	generic.ml
Kaspersky	Trojan.Win64.Ogneglazka.hq
BitDefender	Trojan.GenericKD.37906585
Avast	Win64:BankerX-gen [Trj]
Ad-Aware	Trojan.GenericKD.37906585
Sophos	Mal/Generic-S
TrendMicro	Trojan.Win64.BAZARLOADER.SMYXBIMZ
McAfee-GW-Edition	RDN/Ransom
Emsisoft	Trojan.GenericKD.37906585 (B)
Ikarus	Trojan.Win64.Krypt
Webroot	W32.Malware.Gen
Avira	TR/Crypt.Agent.xgtxb
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Trojan.GenericKD.37906585
Cynet	Malicious (score: 100)
ALYac	Trojan.GenericKD.47278610
MAX	malware (ai score=82)
Malwarebytes	Trojan.CobaltStrike
Yandex	Trojan.GenAsa!5MwrDO7BOgQ
Fortinet	W64/GenKryptik.FKYP!tr
AVG	Win64:BankerX-gen [Trj]
Panda	Trj/CI.A

oldmystat.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All