Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 18, 2021, 10:40 a.m.	Nov. 18, 2021, 10:43 a.m.

Size	252.5KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`722f898d814e4d04ed7c41bde6760eff`
SHA256	`00cbff7f8d6a37b7814319fa06cef30ac93088834ead5b485f562198a0f292bd`
CRC32	`5BCF4DE5`
ssdeep	`6144:M1QMyNKCAdudRtiVNC+aFMTu90Y7TCWTBqSXC:M1OsrPNyFMTQuWT+`
Yara	Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Win32_Trojan_Emotet_RL_1_Zero - Win32 Trojan Emotet IsDLL - (no description) Win32_Trojan_Emotet_RL_2_Zero - Win32 Trojan Emotet Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\y76gkOkGrbYHjh.dll,
812
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\y76gkOkGrbYHjh.dll,Control_RunDLL
1860

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
142.4.219.173	Active	Moloch
164.124.101.2	Active	Moloch
168.197.250.14	Active	Moloch
177.72.80.14	Active	Moloch
185.148.169.10	Active	Moloch
191.252.103.16	Active	Moloch
195.154.146.35	Active	Moloch
195.77.239.39	Active	Moloch
196.44.98.190	Active	Moloch
207.148.81.119	Active	Moloch
37.44.244.177	Active	Moloch
37.59.209.141	Active	Moloch
45.79.33.48	Active	Moloch
51.178.61.60	Active	Moloch
51.210.242.234	Active	Moloch
54.37.228.122	Active	Moloch
54.38.242.185	Active	Moloch
66.42.57.149	Active	Moloch
78.46.73.125	Active	Moloch
78.47.204.80	Active	Moloch
85.214.67.203	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49165 -> 51.178.61.60:443	2404317	ET CNC Feodo Tracker Reported CnC Server group 18	A Network Trojan was detected
TCP 51.178.61.60:443 -> 192.168.56.102:49165	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49164 -> 51.178.61.60:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 168.197.250.14:80 -> 192.168.56.102:49169	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49167 -> 168.197.250.14:80	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 177.72.80.14:7080 -> 192.168.56.102:49181	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 196.44.98.190:8080 -> 192.168.56.102:49177	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49183 -> 51.210.242.234:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49172 -> 45.79.33.48:8080	2404316	ET CNC Feodo Tracker Reported CnC Server group 17	A Network Trojan was detected
TCP 192.168.56.102:49179 -> 177.72.80.14:7080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49190 -> 142.4.219.173:8080	2404304	ET CNC Feodo Tracker Reported CnC Server group 5	A Network Trojan was detected
TCP 192.168.56.102:49184 -> 51.210.242.234:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 142.4.219.173:8080 -> 192.168.56.102:49190	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49172 -> 45.79.33.48:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49188 -> 142.4.219.173:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49189 -> 142.4.219.173:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49175 -> 196.44.98.190:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49220 -> 177.72.80.14:7080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 51.210.242.234:8080 -> 192.168.56.102:49185	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 177.72.80.14:7080 -> 192.168.56.102:49222	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49200 -> 207.148.81.119:8080	2404312	ET CNC Feodo Tracker Reported CnC Server group 13	A Network Trojan was detected
TCP 168.197.250.14:80 -> 192.168.56.102:49210	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49209 -> 168.197.250.14:80	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49168 -> 168.197.250.14:80	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49163 -> 51.178.61.60:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49224 -> 51.210.242.234:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49176 -> 196.44.98.190:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49230 -> 142.4.219.173:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49171 -> 45.79.33.48:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49180 -> 177.72.80.14:7080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 45.79.33.48:8080 -> 192.168.56.102:49173	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49204 -> 51.178.61.60:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49205 -> 51.178.61.60:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49212 -> 45.79.33.48:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 51.178.61.60:443 -> 192.168.56.102:49206	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49216 -> 196.44.98.190:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49208 -> 168.197.250.14:80	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49221 -> 177.72.80.14:7080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49213 -> 45.79.33.48:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49225 -> 51.210.242.234:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 45.79.33.48:8080 -> 192.168.56.102:49214	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 51.210.242.234:8080 -> 192.168.56.102:49226	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49217 -> 196.44.98.190:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 142.4.219.173:8080 -> 192.168.56.102:49231	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 196.44.98.190:8080 -> 192.168.56.102:49218	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49229 -> 142.4.219.173:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Nov. 18, 2021, 10:40 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 18, 2021, 10:40 a.m.			0	0

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (5 events)

ip	142.4.219.173
ip	177.72.80.14
ip	196.44.98.190
ip	45.79.33.48
ip	51.210.242.234

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 18, 2021, 10:40 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746d4000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 10:40 a.m.	process_identifier: 1860 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 10:40 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74630000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 10:40 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74541000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 10:40 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 10:40 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 10:40 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74542000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 10:40 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74721000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 10:40 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74701000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 10:40 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 10:40 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x753b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 10:40 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76041000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 10:40 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75a61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 10:40 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 10:40 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745e1000 process_handle: 0xffffffff	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (33 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: smss.exe process_identifier: 228	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: csrss.exe process_identifier: 308	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: csrss.exe process_identifier: 372	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: winlogon.exe process_identifier: 412	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: services.exe process_identifier: 448	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: lsm.exe process_identifier: 472	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: svchost.exe process_identifier: 584	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: svchost.exe process_identifier: 664	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: svchost.exe process_identifier: 788	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: svchost.exe process_identifier: 840	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: svchost.exe process_identifier: 1000	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: spoolsv.exe process_identifier: 320	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: svchost.exe process_identifier: 1056	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: svchost.exe process_identifier: 1180	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: IMEDICTUPDATE.EXE process_identifier: 1240	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: taskhost.exe process_identifier: 1260	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: dwm.exe process_identifier: 1364	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: explorer.exe process_identifier: 1388	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: svchost.exe process_identifier: 1872	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: pw.exe process_identifier: 2040	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: SearchIndexer.exe process_identifier: 928	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: SearchProtocolHost.exe process_identifier: 1168	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: SearchFilterHost.exe process_identifier: 2064	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: mobsync.exe process_identifier: 2476	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: tvnserver.exe process_identifier: 2616	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: tvnserver.exe process_identifier: 2696	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: pw.exe process_identifier: 2724	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: wsqmcons.exe process_identifier: 2784	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: sdclt.exe process_identifier: 2800	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: taskhost.exe process_identifier: 2900	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: cmd.exe process_identifier: 2984	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: conhost.exe process_identifier: 2992	1	1
Process32NextW Nov. 18, 2021, 10:40 a.m.	snapshot_handle: 0x00000160 process_name: SearchProtocolHost.exe process_identifier: 3004	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00033000', u'virtual_address': u'0x00001000', u'entropy': 7.497196257790259, u'name': u'.text', u'virtual_size': u'0x00032f04'}

entropy

7.49719625779

description

A section with a high entropy has been found

entropy

0.811133200795

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

rundll32.exe

Communicates with host for which no DNS query was performed (20 events)

host	142.4.219.173
host	168.197.250.14
host	177.72.80.14
host	185.148.169.10
host	191.252.103.16
host	195.154.146.35
host	195.77.239.39
host	196.44.98.190
host	207.148.81.119
host	37.44.244.177
host	37.59.209.141
host	45.79.33.48
host	51.178.61.60
host	51.210.242.234
host	54.37.228.122
host	54.38.242.185
host	66.42.57.149
host	78.46.73.125
host	78.47.204.80
host	85.214.67.203

Generates some ICMP traffic

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (35 events)

dead_host	192.168.56.102:49187
dead_host	192.168.56.102:49242
dead_host	191.252.103.16:80
dead_host	192.168.56.102:49233
dead_host	192.168.56.102:49195
dead_host	78.47.204.80:443
dead_host	195.154.146.35:443
dead_host	192.168.56.102:49237
dead_host	192.168.56.102:49199
dead_host	192.168.56.102:49228
dead_host	192.168.56.102:49196
dead_host	192.168.56.102:49241
dead_host	192.168.56.102:49203
dead_host	207.148.81.119:8080
dead_host	195.77.239.39:8080
dead_host	192.168.56.102:49236
dead_host	192.168.56.102:49198
dead_host	66.42.57.149:443
dead_host	54.37.228.122:443
dead_host	192.168.56.102:49240
dead_host	185.148.169.10:8080
dead_host	192.168.56.102:49202
dead_host	85.214.67.203:8080
dead_host	78.46.73.125:443
dead_host	192.168.56.102:49239
dead_host	192.168.56.102:49193
dead_host	37.44.244.177:8080
dead_host	192.168.56.102:49197
dead_host	192.168.56.102:49234
dead_host	54.38.242.185:443
dead_host	192.168.56.102:49201
dead_host	192.168.56.102:49200
dead_host	192.168.56.102:49238
dead_host	192.168.56.102:49192
dead_host	37.59.209.141:8080

y76gkOkGrbYHjh.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All