Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 4, 2021, 2:41 p.m.	Nov. 4, 2021, 2:52 p.m.

Size	403.0KB
Type	PE32+ executable (DLL) (native) x86-64, for MS Windows
MD5	`628b068ebb6c34efd8b4d21d4f4c7723`
SHA256	`04d14e3e9c577b0fd56c1c63a6c9bdc5220db0b6af8d373831da2a3a79c45881`
CRC32	`7B67B9A4`
ssdeep	`12288:FJJl5XrG1wZ0OWt1J9JYPlEldxAaCActqm9bAfqb0PvrlwRF2UDLL2:bvaQc`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature IsDLL - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\7576_1635862012_3623.dll,DllRegisterServer
2400
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\7576_1635862012_3623.dll,DllRegisterServer
  2648
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\7576_1635862012_3623.dll,PluginInit
2488
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\7576_1635862012_3623.dll,PluginInit
  2688
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\7576_1635862012_3623.dll,
2580
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\7576_1635862012_3623.dll,DllGetClassObject
2296
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\7576_1635862012_3623.dll,DllGetClassObject
  2744

Name	Response	Post-Analysis Lookup
actuallyobligat.info	A 172.105.27.36	172.105.27.36
aws.amazon.com	CNAME tp.8e49140c2-frontier.amazon.com CNAME dr49lng3n1n2s.cloudfront.net A 99.86.203.74	54.230.166.71

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 99.86.203.74:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 99.86.203.74:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 172.105.27.36:80	2032086	ET MALWARE Win32/IcedID Request Cookie	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 99.86.203.74:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 172.105.27.36:80	2032086	ET MALWARE Win32/IcedID Request Cookie	A Network Trojan was detected
TCP 192.168.56.103:49173 -> 172.105.27.36:80	2032086	ET MALWARE Win32/IcedID Request Cookie	A Network Trojan was detected
TCP 192.168.56.103:49174 -> 172.105.27.36:80	2032086	ET MALWARE Win32/IcedID Request Cookie	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 172.105.27.36:80	2032086	ET MALWARE Win32/IcedID Request Cookie	A Network Trojan was detected
TCP 192.168.56.103:49176 -> 172.105.27.36:80	2032086	ET MALWARE Win32/IcedID Request Cookie	A Network Trojan was detected

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49168 99.86.203.74:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=aws.amazon.com	78:64:7a:bc:b1:44:57:70:a0:58:3a:5d:4f:e2:c4:f7:1f:83:d5:22
TLSv1 192.168.56.103:49167 99.86.203.74:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=aws.amazon.com	78:64:7a:bc:b1:44:57:70:a0:58:3a:5d:4f:e2:c4:f7:1f:83:d5:22
TLSv1 192.168.56.103:49170 99.86.203.74:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=aws.amazon.com	78:64:7a:bc:b1:44:57:70:a0:58:3a:5d:4f:e2:c4:f7:1f:83:d5:22

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 4, 2021, 2:34 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 2:34 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 2:34 p.m.			0	0

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 4, 2021, 2:34 p.m.		1	1	0

section

.ndata

suspicious_features	GET method with no useragent header				suspicious_request	GET http://actuallyobligat.info/
suspicious_features	GET method with no useragent header				suspicious_request	GET https://aws.amazon.com/

request	GET http://actuallyobligat.info/
request	GET https://aws.amazon.com/

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 4, 2021, 2:34 p.m.	process_identifier: 2648 region_size: 405504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:34 p.m.	process_identifier: 2688 region_size: 405504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:34 p.m.	process_identifier: 2744 region_size: 405504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

description

rundll32.exe tried to sleep 534 seconds, actually delayed analysis time by 534 seconds

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.47323928
Sangfor	Trojan.Win32.IcedID.739U9R
CrowdStrike	win/malicious_confidence_90% (W)
Avast	Win64:Malware-gen
Ad-Aware	Trojan.GenericKD.47323928
McAfee-GW-Edition	Artemis!Trojan
FireEye	Trojan.GenericKD.47323928
Ikarus	Win32.Outbreak
GData	Win32.Trojan-Downloader.IcedID.739U9R
Cynet	Malicious (score: 100)
McAfee	Artemis!628B068EBB6C
MAX	malware (ai score=83)
AVG	Win64:Malware-gen
Paloalto	generic.ml

7576_1635862012_3623.dll