Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 20, 2022, 7:51 a.m.	Jan. 20, 2022, 7:53 a.m.

Size	408.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`81e77ccebc0c638812cd75368710b856`
SHA256	`d2b83bfffbaabef77800d6fec843d91fd0ca9f12109b8c2149b41b8fe5143691`
CRC32	`D8624A3C`
ssdeep	`6144:+14kZNuAXp3htAsH9dSKSKrjkPIMGCbkOQDb3hfm/U0DjeNqfnkEPJ:pmp3ht7H9dSK/rZz9xSUacqcEP`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library IsDLL - (no description) UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\AxVZTvof0xPasb9nP.dll,
2848
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\AxVZTvof0xPasb9nP.dll,DllRegisterServer
2764

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
104.131.62.48	Active	Moloch
142.4.219.173	Active	Moloch
168.197.250.14	Active	Moloch
185.148.168.220	Active	Moloch
191.252.103.16	Active	Moloch
217.182.143.207	Active	Moloch
37.44.244.177	Active	Moloch
45.138.98.34	Active	Moloch
51.210.242.234	Active	Moloch
54.38.242.185	Active	Moloch
62.171.178.147	Active	Moloch
66.42.57.149	Active	Moloch
69.16.218.101	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Jan. 20, 2022, 7:51 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 20, 2022, 7:51 a.m.			0	0

Allocates read-write-execute memory (usually to unpack itself) (25 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10026000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cf1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c80000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ac4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b92000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x750c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76451000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c21000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02080000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b50000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c40000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 7:52 a.m.	process_identifier: 2764 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ea0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 7:52 a.m.	process_identifier: 2764 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f80000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Foreign language identified in PE resource (50 out of 60 events)

name

RT_CURSOR

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cde4

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cde4

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cde4

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cde4

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cde4

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cde4

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cde4

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cde4

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cde4

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cde4

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cde4

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cde4

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cde4

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cde4

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cde4

size

0x00000134

name

RT_CURSOR

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cde4

size

0x00000134

name

RT_BITMAP

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cfd0

size

0x00000144

name

RT_BITMAP

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0005cfd0

size

0x00000144

name

RT_ICON

language

LANG_KOREAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_KOREAN

offset

0x00062194

size

0x00000368

name

RT_ICON

language

LANG_KOREAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_KOREAN

offset

0x00062194

size

0x00000368

name

RT_ICON

language

LANG_KOREAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_KOREAN

offset

0x00062194

size

0x00000368

name

RT_ICON

language

LANG_KOREAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_KOREAN

offset

0x00062194

size

0x00000368

name

RT_ICON

language

LANG_KOREAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_KOREAN

offset

0x00062194

size

0x00000368

name

RT_ICON

language

LANG_KOREAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_KOREAN

offset

0x00062194

size

0x00000368

name

RT_ICON

language

LANG_KOREAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_KOREAN

offset

0x00062194

size

0x00000368

name

RT_ICON

language

LANG_KOREAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_KOREAN

offset

0x00062194

size

0x00000368

name

RT_ICON

language

LANG_KOREAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_KOREAN

offset

0x00062194

size

0x00000368

name

RT_DIALOG

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x00062694

size

0x00000034

name

RT_DIALOG

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x00062694

size

0x00000034

name

RT_DIALOG

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x00062694

size

0x00000034

name

RT_STRING

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x000634f4

size

0x00000040

name

RT_STRING

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x000634f4

size

0x00000040

name

RT_STRING

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x000634f4

size

0x00000040

name

RT_STRING

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x000634f4

size

0x00000040

name

RT_STRING

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x000634f4

size

0x00000040

name

RT_STRING

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x000634f4

size

0x00000040

name

RT_STRING

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x000634f4

size

0x00000040

name

RT_STRING

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x000634f4

size

0x00000040

name

RT_STRING

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x000634f4

size

0x00000040

name

RT_STRING

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x000634f4

size

0x00000040

name

RT_STRING

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x000634f4

size

0x00000040

name

RT_STRING

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x000634f4

size

0x00000040

name

RT_STRING

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x000634f4

size

0x00000040

name

RT_GROUP_CURSOR

language

LANG_KOREAN

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_KOREAN

offset

0x0006365c

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_KOREAN

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_KOREAN

offset

0x0006365c

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_KOREAN

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_KOREAN

offset

0x0006365c

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_KOREAN

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_KOREAN

offset

0x0006365c

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_KOREAN

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_KOREAN

offset

0x0006365c

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_KOREAN

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_KOREAN

offset

0x0006365c

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_KOREAN

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_KOREAN

offset

0x0006365c

size

0x00000014

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Jan. 20, 2022, 7:51 a.m.	snapshot_handle: 0x0000016c process_name: taskhost.exe process_identifier: 2548	1	1	0
Process32NextW Jan. 20, 2022, 7:51 a.m.	snapshot_handle: 0x0000016c process_name: SearchProtocolHost.exe process_identifier: 2664	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 20, 2022, 7:51 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 147456 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00861000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00027200', u'virtual_address': u'0x00030000', u'entropy': 7.929129724243074, u'name': u'.data', u'virtual_size': u'0x0002ad60'}

entropy

7.92912972424

description

A section with a high entropy has been found

entropy

0.384520884521

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

rundll32.exe

Communicates with host for which no DNS query was performed (13 events)

host	104.131.62.48
host	142.4.219.173
host	168.197.250.14
host	185.148.168.220
host	191.252.103.16
host	217.182.143.207
host	37.44.244.177
host	45.138.98.34
host	51.210.242.234
host	54.38.242.185
host	62.171.178.147
host	66.42.57.149
host	69.16.218.101

Generates some ICMP traffic

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
DrWeb	Trojan.Emotet.1141
FireEye	Generic.mg.81e77ccebc0c6388
McAfee	Emotet-FSY!81E77CCEBC0C
CrowdStrike	win/malicious_confidence_60% (D)
Cyren	W32/Emotet.EEK.gen!Eldorado
ESET-NOD32	a variant of Win32/GenKryptik.FPYD
Kaspersky	HEUR:Trojan-Banker.Win32.Emotet.gen
Avast	Win32:BankerX-gen [Trj]
Sophos	ML/PE-A
McAfee-GW-Edition	Emotet-FSY!81E77CCEBC0C
SentinelOne	Static AI - Malicious PE
Microsoft	Trojan:Win32/Wacatac.B!ml
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win.FSY.R466003
VBA32	BScope.Trojan-Banker.Emotet
Malwarebytes	Trojan.Emotet
APEX	Malicious
Fortinet	W32/Emotet.CJAM!tr
AVG	Win32:BankerX-gen [Trj]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (15 events)

dead_host	192.168.56.101:49181
dead_host	51.210.242.234:8080
dead_host	66.42.57.149:443
dead_host	192.168.56.101:49178
dead_host	104.131.62.48:8080
dead_host	54.38.242.185:443
dead_host	37.44.244.177:8080
dead_host	45.138.98.34:80
dead_host	192.168.56.101:49179
dead_host	192.168.56.101:49180
dead_host	62.171.178.147:8080
dead_host	185.148.168.220:8080
dead_host	217.182.143.207:443
dead_host	191.252.103.16:80
dead_host	192.168.56.101:49172

AxVZTvof0xPasb9nP

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All