Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Jan. 20, 2022, 10:04 a.m.	Jan. 20, 2022, 10:07 a.m.

Size	794.5KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`4925a10905e4df9d65e87afed2d77c45`
SHA256	`c4ee1c01c69af8c987dfc5f7790b3c8d2474ae1fe1771d4f2fef9720d54fd3ff`
CRC32	`9EDF9553`
ssdeep	`12288:hMKk6ZKaLa6pxm7aOO4mKkP8UurFpRlG/34facNQB6+tiEMGZOnEP:hMA26pKaOyKFUurF3kQCcNyX`
Yara	Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsDLL - (no description) UPX_Zero - UPX packed file Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\image.png.dll,EproyAklW
2248
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\image.png.dll,EproyAklW
  1088
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\image.png.dll,K766MrG4
2372
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\image.png.dll,K766MrG4
  2528
  - cmd.exe cmd /c choice /c y /d y /t 6 & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\image.png.dll", K766MrG4 wD6bUqfE kO5rG7fD & exit
    2036
    - choice.exe choice /c y /d y /t 6
      2788
    - rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\image.png.dll", K766MrG4 wD6bUqfE kO5rG7fD
      2288
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\image.png.dll,CarefullyAbout
2192
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\image.png.dll,CarefullyAbout
  2908
  - cmd.exe cmd /c ping 127.0.0.1 -n 10 -i 44 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\image.png.dll", CarefullyAbout wD6bUqfE kO5rG7fD & exit
    968
    - PING.EXE ping 127.0.0.1 -n 10 -i 44
      1692
    - rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\image.png.dll", CarefullyAbout wD6bUqfE kO5rG7fD
      2244
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\image.png.dll,OlPy2
2508
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\image.png.dll,OlPy2
  2808
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\image.png.dll,PeopleAcross
2572
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\image.png.dll,PeopleAcross
  2260
  - cmd.exe cmd /c ping 192.0.2.47 -n 6 -i 53 -w 1000 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\image.png.dll", PeopleAcross wD6bUqfE kO5rG7fD & exit
    2024
    - PING.EXE ping 192.0.2.47 -n 6 -i 53 -w 1000
      2624
    - rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\image.png.dll", PeopleAcross wD6bUqfE kO5rG7fD
      1308
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\image.png.dll,ProgrammeSome
2972
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\image.png.dll,ProgrammeSome
  2232
  - cmd.exe cmd /c ping 192.0.2.35 -n 10 -w 1000 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\image.png.dll", ProgrammeSome wD6bUqfE kO5rG7fD & exit
    2500
    - PING.EXE ping 192.0.2.35 -n 10 -w 1000
      1732
    - rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\image.png.dll", ProgrammeSome wD6bUqfE kO5rG7fD
      2492
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\image.png.dll,Yn6xc
2240
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\image.png.dll,Yn6xc
  2652
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\image.png.dll,n2E5g
2712
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\image.png.dll,n2E5g
  2420
  - cmd.exe cmd /c ping 192.0.2.28 -n 10 -4 -w 1000 & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\image.png.dll", n2E5g wD6bUqfE kO5rG7fD & exit
    2032
    - PING.EXE ping 192.0.2.28 -n 10 -4 -w 1000
      2740
    - rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\image.png.dll", n2E5g wD6bUqfE kO5rG7fD
      1600
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\image.png.dll,
612

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Jan. 20, 2022, 9:59 a.m.	buffer: [Y]? console_handle: 0x0000000000000007	1	1	0
WriteConsoleW Jan. 20, 2022, 9:59 a.m.	buffer: Y console_handle: 0x0000000000000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 20, 2022, 9:59 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 20, 2022, 9:57 a.m.	process_identifier: 1088 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c20000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 9:57 a.m.	process_identifier: 2528 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001ca0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 9:57 a.m.	process_identifier: 2908 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c20000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 9:57 a.m.	process_identifier: 2808 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c30000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 9:57 a.m.	process_identifier: 2260 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001db0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 9:57 a.m.	process_identifier: 2232 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c20000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 9:57 a.m.	process_identifier: 2652 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c20000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 9:57 a.m.	process_identifier: 2420 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000300000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 9:59 a.m.	process_identifier: 1308 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c20000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 9:59 a.m.	process_identifier: 2492 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c20000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 10:06 a.m.	process_identifier: 2288 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001db0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 10:07 a.m.	process_identifier: 2244 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d40000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 20, 2022, 10:07 a.m.	process_identifier: 1600 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c20000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 644 seconds, actually delayed analysis time by 644 seconds

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

Elastic	malicious (high confidence)
Webroot	W32.Trojan.Trickbot

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 20, 2022, 9:57 a.m.	process_identifier: 1088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 110592 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000001c41000 process_handle: 0xffffffffffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00020000', u'virtual_address': u'0x00092000', u'entropy': 7.800114792958684, u'name': u'.data', u'virtual_size': u'0x000260f0'}

entropy

7.80011479296

description

A section with a high entropy has been found

Uses Windows utilities for basic Windows functionality (8 events)

cmdline	cmd /c ping 192.0.2.35 -n 10 -w 1000 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\image.png.dll", ProgrammeSome wD6bUqfE kO5rG7fD & exit
cmdline	cmd /c ping 192.0.2.28 -n 10 -4 -w 1000 & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\image.png.dll", n2E5g wD6bUqfE kO5rG7fD & exit
cmdline	cmd /c ping 127.0.0.1 -n 10 -i 44 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\image.png.dll", CarefullyAbout wD6bUqfE kO5rG7fD & exit
cmdline	ping 127.0.0.1 -n 10 -i 44
cmdline	ping 192.0.2.35 -n 10 -w 1000
cmdline	cmd /c ping 192.0.2.47 -n 6 -i 53 -w 1000 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\image.png.dll", PeopleAcross wD6bUqfE kO5rG7fD & exit
cmdline	ping 192.0.2.47 -n 6 -i 53 -w 1000
cmdline	ping 192.0.2.28 -n 10 -4 -w 1000

Generates some ICMP traffic

image.png

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All