Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 5, 2021, 9:11 a.m.	Nov. 5, 2021, 9:38 a.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ab47f89cf986d9e52822873e0052e7d4`
SHA256	`f4097221e19342e5b91103161eb7aaec277ff47ea694a86b92f7574be7959cc7`
CRC32	`8EEFF470`
ssdeep	`12288:JmF8ukZ1BjH652L9a3ZV6ImC/KGaIEfrcSjzMYIO3pxhOtFuhe3CL+NdJydmf:JywJjf9QVOg6zZ3nheu8swJ`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2780

Name	Response	Post-Analysis Lookup
login.live.com	CNAME www.tm.lg.prod.aadmsa.trafficmanager.net A 40.126.35.128 A 20.190.163.21 A 40.126.35.129 A 40.126.35.80 A 40.126.35.144 CNAME www.tm.a.prd.aadg.trafficmanager.net CNAME login.msa.msidentity.com A 20.190.163.19 A 40.126.35.86 CNAME prda.aadg.msidentity.com A 40.126.35.87	40.126.35.128
onedrive.live.com	CNAME odc-web-geo.onedrive.akadns.net CNAME l-0004.l-msedge.net A 13.107.42.13 CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net CNAME odc-web-brs.onedrive.akadns.net	13.107.42.13

IP Address	Status	Action
13.107.42.13	Active	Moloch
164.124.101.2	Active	Moloch
20.190.163.21	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49163 -> 13.107.42.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 20.190.163.21:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 20.190.163.21:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 13.107.42.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49163 13.107.42.13:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=onedrive.com	50:2f:33:10:92:ac:27:7b:17:be:82:68:3b:e2:29:ad:97:41:b7:bb
TLSv1 192.168.56.101:49164 20.190.163.21:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=graph.windows.net	b7:2c:02:a2:bb:df:8d:60:0d:c5:98:1a:c8:13:1f:31:26:4a:9d:83
TLSv1 192.168.56.101:49166 20.190.163.21:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=graph.windows.net	b7:2c:02:a2:bb:df:8d:60:0d:c5:98:1a:c8:13:1f:31:26:4a:9d:83
TLSv1 192.168.56.101:49165 13.107.42.13:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=onedrive.com	50:2f:33:10:92:ac:27:7b:17:be:82:68:3b:e2:29:ad:97:41:b7:bb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 5, 2021, 9:11 a.m.	stacktrace: 0x1ed3ee2 0x1ed3f70 DriverCallback+0x4e waveOutOpen-0xa2e winmm+0x3af0 @ 0x748a3af0 timeEndPeriod+0x54a timeKillEvent-0x57 winmm+0xa535 @ 0x748aa535 timeEndPeriod+0x449 timeKillEvent-0x158 winmm+0xa434 @ 0x748aa434 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 50 50 6a 00 e8 c4 30 ff ff 89 45 f0 8b 45 exception.instruction: mov eax, dword ptr [eax + 0x50] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1ed3509 registers.esp: 43253240 registers.edi: 32325480 registers.eax: 422227802 registers.ebp: 43253320 registers.edx: 0 registers.ebx: 0 registers.esi: 16 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 5, 2021, 9:11 a.m.

stacktrace:

0x1ed3ee2
0x1ed3f70
DriverCallback+0x4e waveOutOpen-0xa2e winmm+0x3af0 @ 0x748a3af0
timeEndPeriod+0x54a timeKillEvent-0x57 winmm+0xa535 @ 0x748aa535
timeEndPeriod+0x449 timeKillEvent-0x158 winmm+0xa434 @ 0x748aa434
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: 8b 40 50 50 6a 00 e8 c4 30 ff ff 89 45 f0 8b 45
exception.instruction: mov eax, dword ptr [eax + 0x50]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x1ed3509
registers.esp: 43253240
registers.edi: 32325480
registers.eax: 422227802
registers.ebp: 43253320
registers.edx: 0
registers.ebx: 0
registers.esi: 16
registers.ecx: 0

Performs some HTTP requests (3 events)

request	GET https://onedrive.live.com/download?cid=92B2EF722ED2FA89&resid=92B2EF722ED2FA89%21117&authkey=AL8-gdX92sl2g5g
request	GET https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1636072606&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D92B2EF722ED2FA89%26resid%3D92B2EF722ED2FA89%2521117%26authkey%3DAL8-gdX92sl2g5g&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
request	GET https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1636072608&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D92B2EF722ED2FA89%26resid%3D92B2EF722ED2FA89%2521117%26authkey%3DAL8-gdX92sl2g5g&lc=1033&id=250206&cbcxt=sky&cbcxt=sky

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b92000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00494000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c31a58 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 5 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c31a58 process_handle: 0xffffffff		3221225477

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 81920 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x01ec1000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00064c00', u'virtual_address': u'0x000a8000', u'entropy': 6.92283744654433, u'name': u'.rsrc', u'virtual_size': u'0x00064c00'}

entropy

6.92283744654

description

A section with a high entropy has been found

entropy

0.381809568925

description

Overall entropy of this PE file is high

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

Cyren	W32/Delf.AABX-3115
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMalware
Sophos	Mal/Generic-S
Comodo	TrojWare.Win32.Agent.orqex@0
MaxSecure	Trojan.Malware.300983.susgen
Microsoft	Trojan:Script/Phonzy.C!ml
McAfee	Artemis!AB47F89CF986
VBA32	BScope.TrojanSpy.Noon
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/Injector.EPWN!tr
AVG	FileRepMalware

Network activity contains more than one unique useragent (2 events)

process	vbc.exe				useragent	lVali
process	vbc.exe				useragent	aswe

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All