Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 18, 2022, 10:24 a.m.	Jan. 18, 2022, 10:26 a.m.

Size	479.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`10f5439bf6c4a72a845ba8945620bdc3`
SHA256	`57a3e0219ded358bbe3e8722d4c8806fd0b0ad844b6b3f3c1898e3abb616fa9a`
CRC32	`6D1B4F64`
ssdeep	`6144:FjjHl52ek2r4vRnFAbN7ZmNWXpdJlc+kq5Ulcb8/cKzLiag1/kO9IHSCgzUzA:1k2M+BZmNWZdHc+FNb8DzLiag1/knyC`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library IsDLL - (no description) UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\JcDnYBSKpyfU.dll,DllRegisterServer
2320
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\JcDnYBSKpyfU.dll,
2432

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
104.131.62.48	Active	Moloch
142.4.219.173	Active	Moloch
168.197.250.14	Active	Moloch
185.148.168.220	Active	Moloch
191.252.103.16	Active	Moloch
217.182.143.207	Active	Moloch
37.44.244.177	Active	Moloch
45.138.98.34	Active	Moloch
51.210.242.234	Active	Moloch
54.38.242.185	Active	Moloch
62.171.178.147	Active	Moloch
66.42.57.149	Active	Moloch
69.16.218.101	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Jan. 18, 2022, 10:24 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 18, 2022, 10:24 a.m.			0	0

Allocates read-write-execute memory (usually to unpack itself) (21 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10038000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x753d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e71000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74271000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d71000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c70000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b40000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 18, 2022, 10:25 a.m.	process_identifier: 2320 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bf0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Foreign language identified in PE resource (50 out of 52 events)

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072cf4

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072cf4

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072cf4

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072cf4

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072cf4

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072cf4

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072cf4

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072cf4

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072cf4

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072cf4

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072cf4

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072cf4

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072cf4

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072cf4

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072cf4

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072cf4

size

0x00000134

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072ee0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00072ee0

size

0x00000144

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000736b0

size

0x00000034

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000736b0

size

0x00000034

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000736b0

size

0x00000034

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000736b0

size

0x00000034

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00074068

size

0x00000030

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00074068

size

0x00000030

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00074068

size

0x00000030

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00074068

size

0x00000030

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00074068

size

0x00000030

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00074068

size

0x00000030

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00074068

size

0x00000030

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00074068

size

0x00000030

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00074068

size

0x00000030

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00074068

size

0x00000030

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00074068

size

0x00000030

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00074068

size

0x00000030

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00074068

size

0x00000030

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00074068

size

0x00000030

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000741c0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000741c0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000741c0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000741c0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000741c0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000741c0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000741c0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000741c0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000741c0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000741c0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000741c0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000741c0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000741c0

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000741c0

size

0x00000014

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW Jan. 18, 2022, 10:24 a.m.	snapshot_handle: 0x00000178 process_name: mobsync.exe process_identifier: 1584	1	1
Process32NextW Jan. 18, 2022, 10:24 a.m.	snapshot_handle: 0x00000178 process_name: taskhost.exe process_identifier: 2124	1	1
Process32NextW Jan. 18, 2022, 10:24 a.m.	snapshot_handle: 0x00000178 process_name: sdclt.exe process_identifier: 2140	1	1
Process32NextW Jan. 18, 2022, 10:24 a.m.	snapshot_handle: 0x00000178 process_name: cmd.exe process_identifier: 2248	1	1
Process32NextW Jan. 18, 2022, 10:24 a.m.	snapshot_handle: 0x00000178 process_name: rundll32.exe process_identifier: 2320	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 18, 2022, 10:24 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 147456 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003a1000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00027800', u'virtual_address': u'0x00045000', u'entropy': 7.819307069573394, u'name': u'.data', u'virtual_size': u'0x0002b31c'}

entropy

7.81930706957

description

A section with a high entropy has been found

entropy

0.330543933054

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

rundll32.exe

Communicates with host for which no DNS query was performed (13 events)

host	104.131.62.48
host	142.4.219.173
host	168.197.250.14
host	185.148.168.220
host	191.252.103.16
host	217.182.143.207
host	37.44.244.177
host	45.138.98.34
host	51.210.242.234
host	54.38.242.185
host	62.171.178.147
host	66.42.57.149
host	69.16.218.101

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
Cyren	W32/Emotet.EEJ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HOAD
APEX	Malicious
Kaspersky	VHO:Trojan-Banker.Win32.Emotet.gen
FireEye	Generic.mg.10f5439bf6c4a72a
SentinelOne	Static AI - Suspicious PE
Cynet	Malicious (score: 100)

Generates some ICMP traffic

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (15 events)

dead_host	62.171.178.147:8080
dead_host	51.210.242.234:8080
dead_host	66.42.57.149:443
dead_host	37.44.244.177:8080
dead_host	104.131.62.48:8080
dead_host	54.38.242.185:443
dead_host	45.138.98.34:80
dead_host	192.168.56.103:49177
dead_host	185.148.168.220:8080
dead_host	192.168.56.103:49176
dead_host	192.168.56.103:49175
dead_host	191.252.103.16:80
dead_host	192.168.56.103:49169
dead_host	192.168.56.103:49178
dead_host	217.182.143.207:443

JcDnYBSKpyfU

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All