Summary | ZeroBOX

Gnwpizngkfaxnrdperkromddykwmeaazkg.exe

Admin Tool (Sysinternals etc ...) Malicious Library UPX PE32 PE File
Category Machine Started Completed
FILE s1_win7_x6401 May 15, 2022, 5:07 a.m. May 15, 2022, 5:08 a.m.
Size 614.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6331736d5de348e92aa8ac377de8275d
SHA256 4846f21cf2c561b1885e52c29c1cae87863fb6b1a02b57980c5860bb4f5f9150
CRC32 6D32C0BC
ssdeep 12288:JV0wOEyuOv3iii4DMXqsYLbRSsq7/Ssdpk6dz:JyFuOt3WOLNSv764z
Yara
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
Note: read the UPX_Zero and Admin_Tool_IN_Zero hits against the static data further down before acting on them. The section table lists the Delphi defaults CODE/DATA/BSS (no UPX0/UPX1) and the packer signature is BobSoft Mini Delphi, so the file is not in the usual UPX layout, and no vendor in the antivirus results treats it as an admin tool.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49164 -> 20.190.163.18:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) (category undefined)
TCP 192.168.56.101:49165 -> 20.190.163.18:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) (category undefined)
TCP 192.168.56.101:49163 -> 13.107.42.13:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) (category undefined)
Note: SID 906200054 matches the JA3 hash of the sample's ClientHello against the abuse.ch SSL Blacklist, where that hash is listed under Tofsee. All three flows terminate at Microsoft services (the certificates in the Suricata TLS table are for graph.windows.net and onedrive.com), so the hit identifies a TLS client fingerprint that Tofsee also produces, not contact with Tofsee infrastructure. Treat it as corroborating, not attributing.
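To check a JA3 alert like the one above against your own capture, compute the fingerprint yourself: JA3 is the MD5 of "version,ciphers,extensions,groups,point_formats" taken from the ClientHello only, with GREASE values dropped, which is why any program built on the same TLS stack yields the same hash. The following is an added example, not code from ZeroBOX or from the sample; the ClientHello it parses is constructed inline (the server name and cipher list are assumptions, not the bytes the sample sent).

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from every JA3 field.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def parse_client_hello(record: bytes) -> dict:
    """Extract the JA3-relevant fields from a raw TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + struct.unpack_from(">H", record, 3)[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack_from(">H", body, 0)[0]       # JA3 uses the hello version, not the record version
    pos = 2 + 32                                          # skip client random
    pos += 1 + body[pos]                                  # session id
    n = struct.unpack_from(">H", body, pos)[0]; pos += 2
    ciphers = [struct.unpack_from(">H", body, pos + i)[0] for i in range(0, n, 2)]
    pos += n
    pos += 1 + body[pos]                                  # compression methods
    exts, groups, formats = [], [], []
    if pos < len(body):                                   # extensions block is optional
        n = struct.unpack_from(">H", body, pos)[0]; pos += 2
        end = pos + n
        while pos + 4 <= end:
            etype, elen = struct.unpack_from(">HH", body, pos)
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            exts.append(etype)
            if etype == 10:                               # supported_groups
                gl = struct.unpack_from(">H", data, 0)[0]
                groups = [struct.unpack_from(">H", data, 2 + i)[0] for i in range(0, gl, 2)]
            elif etype == 11:                             # ec_point_formats
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": exts,
            "groups": groups, "formats": formats}


def ja3(fields: dict) -> tuple:
    """Return (ja3_string, ja3_md5) for parsed ClientHello fields."""
    keep = lambda xs: "-".join(str(x) for x in xs if x not in GREASE)
    s = ",".join([str(fields["version"]), keep(fields["ciphers"]),
                  keep(fields["extensions"]), keep(fields["groups"]),
                  "-".join(str(x) for x in fields["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def build_client_hello(version=0x0303, ciphers=(), exts=()) -> bytes:
    """Build a TLS record containing a ClientHello (constructed test input)."""
    ext_blob = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in exts)
    body = struct.pack(">H", version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                            # one compression method: null
    body += struct.pack(">H", len(ext_blob)) + ext_blob
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def example_hello() -> bytes:
    """Constructed ClientHello with GREASE in the cipher, extension and group lists (assumed values)."""
    sni = b"graph.windows.net"
    sni_data = struct.pack(">HBH", len(sni) + 3, 0, len(sni)) + sni
    groups = struct.pack(">H", 8) + struct.pack(">HHHH", 0x0A0A, 29, 23, 24)
    return build_client_hello(
        ciphers=(0x0A0A, 0xC02B, 0xC02F, 0x009C, 0x002F, 0x0035),
        exts=((0x0A0A, b""), (0, sni_data), (10, groups), (11, b"\x01\x00"),
              (13, struct.pack(">HHH", 4, 0x0403, 0x0804))),
    )


if __name__ == "__main__":
    print(ja3(parse_client_hello(example_hello())))
```

Feed the first record of each flow from the pcap to parse_client_hello and compare the MD5 with the SSLBL entry; if the hash matches but the destination certificate belongs to a known service, as here, the fingerprint is shared by benign software on the same TLS stack and the alert needs a second indicator before it means anything.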

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49164 -> 20.190.163.18:443
  issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
  subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=graph.windows.net
  fingerprint: 01:06:32:7f:27:0e:90:0d:d5:f4:c9:79:4a:16:3a:9c:4d:e8:59:d0
TLSv1 192.168.56.101:49165 -> 20.190.163.18:443
  issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
  subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=graph.windows.net
  fingerprint: 01:06:32:7f:27:0e:90:0d:d5:f4:c9:79:4a:16:3a:9c:4d:e8:59:d0
TLSv1 192.168.56.101:49163 -> 13.107.42.13:443
  issuer: C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02
  subject: CN=onedrive.com
  fingerprint: 77:7f:f2:95:29:a7:e3:cc:0f:bf:2f:ba:2e:6f:2a:38:62:8b:48:4d

section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x1f43c23
0x1f43cb0
DriverCallback+0x4e waveOutOpen-0xa2e winmm+0x3af0 @ 0x746d3af0
timeEndPeriod+0x54a timeKillEvent-0x57 winmm+0xa535 @ 0x746da535
timeEndPeriod+0x449 timeKillEvent-0x158 winmm+0xa434 @ 0x746da434
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: 8b 40 50 50 6a 00 e8 b8 2d ff ff a3 94 58 f4 01
exception.instruction: mov eax, dword ptr [eax + 0x50]
exception.exception_code: 0xc0000005 (STATUS_ACCESS_VIOLATION)
exception.symbol:
exception.address: 0x1f431e5
registers.esp: 57081360
registers.edi: 32790696
registers.eax: 1448117203 (0x565083d3)
registers.ebp: 57081412
registers.edx: 0
registers.ebx: 1799990542
registers.esi: 32790692
registers.ecx: 0
status 1, return 0, repeated 0
Note: with eax = 0x565083d3 the faulting read targets 0x56508423, and the crash site 0x01f431e5 plus the two unnamed return addresses (0x01f43c23, 0x01f43cb0) resolve to no loaded module. Below them the stack runs through winmm.dll into BaseThreadInitThunk, so the sample's code was entered on a thread created by winmm, not on the main thread. The winmm and ntdll frame names are nearest-export labels with offsets, not the actual function names.
request GET https://onedrive.live.com/download?cid=DCD4F5588DB45110&resid=DCD4F5588DB45110%21117&authkey=ABNcDCFEJJwt5GE
request GET https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1652558890&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3DDCD4F5588DB45110%26resid%3DDCD4F5588DB45110%2521117%26authkey%3DABNcDCFEJJwt5GE&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
request GET https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1652558891&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3DDCD4F5588DB45110%26resid%3DDCD4F5588DB45110%2521117%26authkey%3DABNcDCFEJJwt5GE&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
Note: the OneDrive download link (cid/resid/authkey identify the shared file) was answered with a redirect to the Live sign-in page, whose wreply parameter carries the original download URL. That is consistent with the second-stage payload no longer being served anonymously at analysis time, which also explains why no dropped file or child process appears in this report.
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status 1, return 0, repeated 0

NtProtectVirtualMemory

process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73da2000
process_handle: 0xffffffff
status 1, return 0, repeated 0
section .rsrc: virtual_address 0x0005f000, virtual_size 0x00040160, size_of_data 0x00040200, entropy 6.97 description A section with a high entropy has been found
entropy 0.418092909535 description Overall entropy of this PE file is high
Note: the 0.418 figure is the sandbox's ratio of high-entropy section data to the file's section data, not a per-byte Shannon entropy (which would be close to 0 at that value). The .rsrc section alone is 0x40200 bytes, about 257 KB of the 614.5 KB file, which accounts for the ratio and points at a packed or encrypted payload stored as a resource.
User-Agent strings sent by Gnwpizngkfaxnrdperkromddykwmeaazkg.exe: zipo, aswe (short, non-browser values; both are usable as network indicators)
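To reproduce the two entropy findings above on a file, walk the section table and compute Shannon entropy per section, then the fraction of section data sitting above a threshold. This is an added example, not ZeroBOX's signature code: the 6.8 threshold is an assumption chosen so that a value like the report's 6.97 clears it, the sandbox's exact ratio formula is not stated on this page, and the PE it analyses is a minimal image built inline for the test rather than the sample.

```python
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 for empty input up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes):
    """Yield (name, virtual_address, virtual_size, raw_bytes) by walking
    DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        yield name, vaddr, vsize, pe[rawptr:rawptr + rawsize]


def entropy_report(pe: bytes, threshold: float = 6.8):
    """Per-section rows (name, vaddr, vsize, rawsize, entropy) and the ratio of raw
    section bytes that live in sections above `threshold` (assumed cut-off)."""
    rows, high, total = [], 0, 0
    for name, vaddr, vsize, raw in pe_sections(pe):
        e = shannon_entropy(raw)
        rows.append((name, vaddr, vsize, len(raw), e))
        total += len(raw)
        if e > threshold:
            high += len(raw)
    return rows, (high / total if total else 0.0)


def build_test_pe() -> bytes:
    """Constructed minimal PE32: a low-entropy CODE section (repeating NOP/RET)
    and a high-entropy .rsrc section (seeded random bytes). Test data only."""
    rnd = random.Random(1)
    code = bytes([0x90, 0xC3] * 2048)
    rsrc = bytes(rnd.getrandbits(8) for _ in range(8192))
    size_opt, e_lfanew = 0xE0, 0x40
    table = e_lfanew + 4 + 20 + size_opt
    headers_len = (table + 40 * 2 + 0x1FF) & ~0x1FF           # round up to 0x200 file alignment

    def sec(name, vaddr, raw, rawptr):
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), vaddr, len(raw), rawptr, 0, 0, 0, 0, 0x60000020)

    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(size_opt, b"\0")      # PE32 magic, rest zeroed
    sects = sec(b"CODE", 0x1000, code, headers_len) + sec(b".rsrc", 0x3000, rsrc, headers_len + len(code))
    return (dos + coff + opt + sects).ljust(headers_len, b"\0") + code + rsrc


if __name__ == "__main__":
    rows, ratio = entropy_report(build_test_pe())
    for name, vaddr, vsize, rawsize, e in rows:
        print(f"{name:8} va={vaddr:#010x} vsize={vsize:#x} raw={rawsize:#x} entropy={e:.3f}")
    print(f"high-entropy ratio: {ratio:.3f}")
```

Run entropy_report over the real sample and the .rsrc row should come out near 6.97 with a ratio near 0.42, matching the two signature lines above; anything in the 7.9 range means the resource is effectively random (encrypted or compressed) rather than ordinary icon and dialog data.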
Antivirus

Vendor Detection
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
DrWeb Trojan.Inject4.14525
Cynet Malicious (score: 100)
FireEye Generic.mg.6331736d5de348e9
ALYac Spyware.LokiBot
Cylance Unsafe
Zillya Trojan.Noon.Win32.17648
Sangfor Virus.Win32.Save.a
K7AntiVirus Trojan ( 0057f9831 )
Alibaba TrojanSpy:Win32/DelfInject.e46e09e0
K7GW Trojan ( 0057f9831 )
Cybereason malicious.15e6e4
Arcabit Trojan.Generic.D23890BA
BitDefenderTheta Gen:NN.ZelphiF.34236.MGW@aaWp9Xni
Cyren W32/Delf.TXVA-4276
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Win32/TrojanDownloader.Delf.DGG
Zoner Trojan.Win32.119168
TrendMicro-HouseCall TROJ_GEN.R01FC0DGM21
Kaspersky HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender Trojan.GenericKD.37261498
NANO-Antivirus Trojan.Win32.Noon.ixsjfd
MicroWorld-eScan Trojan.GenericKD.37261498
Avast Win32:InjectorX-gen [Trj]
Tencent Malware.Win32.Gencirc.10ce7e27
Ad-Aware Trojan.GenericKD.37261498
Emsisoft Trojan.Injector (A)
F-Secure Trojan.TR/Dldr.Delphi.oilby
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R01FC0DGM21
McAfee-GW-Edition BehavesLike.Win32.Backdoor.jc
Sophos Mal/Generic-R + Troj/Fareit-LVA
Ikarus Trojan.Inject
MaxSecure Trojan.Malware.300983.susgen
Avira TR/Dldr.Delphi.oilby
Antiy-AVL Trojan[Spy]/Win32.Noon
Gridinsoft Trojan.Win32.Downloader.oa!s1
Microsoft Trojan:Win32/DelfInject.VAM!MTB
ZoneAlarm HEUR:Trojan-Spy.Win32.Noon.gen
GData Trojan.GenericKD.37261498
AhnLab-V3 Malware/Win.Generic.C4559104
McAfee Fareit-FCVN!6331736D5DE3
MAX malware (ai score=89)
VBA32 TScope.Trojan.Delf
Malwarebytes Backdoor.Remcos
APEX Malicious
Rising Trojan.Generic@ML.87 (RDMK:x0zfXrhg9pjBhAiVL0nnzA)
Yandex Trojan.Injector!081ev/18u/k
SentinelOne Static AI - Malicious PE