Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 19, 2022, 9:06 a.m.	May 19, 2022, 9:08 a.m.

Size	846.5KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`7193012cca53b96f116c07fb4a89e6fe`
SHA256	`ddad679c3a8ab9bb470db7958e1f35b6de619ff8b67b67c3e5e4e487ad94b52c`
CRC32	`402E558F`
ssdeep	`24576:sPMTg9U3G0ISDKvSeqfZaePWAy7SmpE3:BTg9UXRD2SeqfZZiOm`
Yara	OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file IsDLL - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\himv0rbBofmABf3ewN.dll,DllRegisterServer
2316
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\himv0rbBofmABf3ewN.dll,DllRegisterServer
  2752
  - regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OvMFfAXw\FMRaaflDj.dll"
    2772
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\himv0rbBofmABf3ewN.dll,fmFkmnQYB5TC2Sq5NGFkK
2504
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\himv0rbBofmABf3ewN.dll,fmFkmnQYB5TC2Sq5NGFkK
  2792
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\himv0rbBofmABf3ewN.dll,nrDjhnkd9nedaQwcCY
2600
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\himv0rbBofmABf3ewN.dll,nrDjhnkd9nedaQwcCY
  2836
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\himv0rbBofmABf3ewN.dll,
2688
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\himv0rbBofmABf3ewN.dll,YAeJyEAYL7F4eDck6YUaf
2420
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\himv0rbBofmABf3ewN.dll,YAeJyEAYL7F4eDck6YUaf
  2884
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 19, 2022, 9:08 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 19, 2022, 9:07 a.m.			0	0
IsDebuggerPresent May 19, 2022, 9:07 a.m.			0	0
IsDebuggerPresent May 19, 2022, 9:07 a.m.			0	0
IsDebuggerPresent May 19, 2022, 9:07 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ May 19, 2022, 9:07 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 6442450944 registers.r15: 0 registers.rcx: 6442642136 registers.rsi: 0 registers.r10: -72340172838076673 registers.rbx: 0 registers.rsp: 1439672 registers.r11: -9187201950435737472 registers.r8: 2337230 registers.r9: 10 registers.rdx: 8785141168736 registers.r12: 10 registers.rbp: 2337072 registers.rdi: 2343192 registers.rax: -1 registers.r13: 0	1
__exception__ May 19, 2022, 9:07 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 6442450944 registers.r15: 0 registers.rcx: 6442642136 registers.rsi: 0 registers.r10: -72340172838076673 registers.rbx: 0 registers.rsp: 2619720 registers.r11: -9187201950435737472 registers.r8: 4827592 registers.r9: 10 registers.rdx: 8785141168712 registers.r12: 10 registers.rbp: 4827440 registers.rdi: 4833560 registers.rax: 1 registers.r13: 0	1
__exception__ May 19, 2022, 9:07 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 6442450944 registers.r15: 0 registers.rcx: 6442642136 registers.rsi: 0 registers.r10: -72340172838076673 registers.rbx: 0 registers.rsp: 1045912 registers.r11: -9187201950435737472 registers.r8: 1944014 registers.r9: 10 registers.rdx: 8785141168792 registers.r12: 10 registers.rbp: 1943856 registers.rdi: 1949976 registers.rax: -1 registers.r13: 0	1

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 19, 2022, 9:06 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002d0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 19, 2022, 9:07 a.m.	process_identifier: 2752 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 19, 2022, 9:06 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c00000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 19, 2022, 9:07 a.m.	process_identifier: 2792 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 19, 2022, 9:06 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 19, 2022, 9:07 a.m.	process_identifier: 2836 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 19, 2022, 9:06 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 19, 2022, 9:07 a.m.	process_identifier: 2884 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 19, 2022, 9:07 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 19, 2022, 9:07 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef33a1000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 19, 2022, 9:07 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003c0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 19, 2022, 9:08 a.m.	process_identifier: 2772 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 19, 2022, 9:08 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefcf27000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 19, 2022, 9:08 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd6af000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 19, 2022, 9:08 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd5d9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 19, 2022, 9:08 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076cf0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 19, 2022, 9:08 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff10d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 19, 2022, 9:08 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076eee000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 19, 2022, 9:08 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bc0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 19, 2022, 9:08 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb6da000 process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 19, 2022, 9:07 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 8898277376 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OvMFfAXw\FMRaaflDj.dll"

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002ec00', u'virtual_address': u'0x000a9000', u'entropy': 7.8141525822926, u'name': u'.rsrc', u'virtual_size': u'0x0002ea20'}

entropy

7.81415258229

description

A section with a high entropy has been found

entropy

0.22117090479

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

regsvr32.exe

Installs itself for autorun at Windows startup (1 event)

service_name

FMRaaflDj.dll

service_path

C:\Windows\System32\regsvr32.exe "C:\Windows\system32\OvMFfAXw\FMRaaflDj.dll"

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW May 19, 2022, 9:07 a.m.	service_start_name: start_type: 2 password: display_name: FMRaaflDj.dll filepath: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\OvMFfAXw\FMRaaflDj.dll" service_name: FMRaaflDj.dll filepath_r: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OvMFfAXw\FMRaaflDj.dll" desired_access: 2 service_handle: 0x0000000000393620 error_control: 0 service_type: 16 service_manager_handle: 0x0000000000393650	1	3749408	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\System32\OvMFfAXw\FMRaaflDj.dll:Zone.Identifier

himv0rbBofmABf3ewN

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All