Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 20, 2022, 9:44 a.m.	May 20, 2022, 9:48 a.m.

Size	736.0KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`814c61968eb47e3b94b880c2e9b2a7d9`
SHA256	`49e6d20429e832a5999c050bbc0436e2e2282afa853de11af1c1f5f9cec836a6`
CRC32	`3C88A80D`
ssdeep	`12288:LJsMwUL89WbZz4di6gy1X+1cxhSntqYuXKw29lTxbkTi+kK:LJsMwULdN8d3gy1X+UhIuXKwIlqTtkK`
Yara	IsDLL - (no description) Malicious_Packer_Zero - Malicious Packer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\3.dll,DllRegisterServer
2848
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\3.dll,DllRegisterServer
  1948
  - regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LHXQyUfpChX\sOIEfoiwTQ.dll"
    2488
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\3.dll,P8KN6Ry3VDViGrYu4GbA8RiNq
2952
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\3.dll,P8KN6Ry3VDViGrYu4GbA8RiNq
  788
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\3.dll,
3044
explorer.exe C:\Windows\Explorer.EXE
1156

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
131.100.24.231	Active	Moloch
149.56.131.28	Active	Moloch
150.95.66.124	Active	Moloch
159.65.88.10	Active	Moloch
164.124.101.2	Active	Moloch
172.105.70.96	Active	Moloch
173.239.37.178	Active	Moloch
201.94.166.162	Active	Moloch
209.97.163.214	Active	Moloch
89.29.244.7	Active	Moloch
94.23.45.86	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49186 -> 131.100.24.231:80	2404304	ET CNC Feodo Tracker Reported CnC Server group 5	A Network Trojan was detected
TCP 192.168.56.101:49186 -> 131.100.24.231:80	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49177 -> 150.95.66.124:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 150.95.66.124:8080 -> 192.168.56.101:49179	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49181 -> 149.56.131.28:8080	2404305	ET CNC Feodo Tracker Reported CnC Server group 6	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 94.23.45.86:4143	2404323	ET CNC Feodo Tracker Reported CnC Server group 24	A Network Trojan was detected
TCP 192.168.56.101:49173 -> 89.29.244.7:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49181 -> 149.56.131.28:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49191 -> 94.23.45.86:4143	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 131.100.24.231:80 -> 192.168.56.101:49188	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49182 -> 149.56.131.28:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49172 -> 89.29.244.7:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 89.29.244.7:443 -> 192.168.56.101:49174	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49190 -> 94.23.45.86:4143	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49178 -> 150.95.66.124:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 149.56.131.28:8080 -> 192.168.56.101:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49187 -> 131.100.24.231:80	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 94.23.45.86:4143 -> 192.168.56.101:49192	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 20, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 20, 2022, 9:37 a.m.			0	0
IsDebuggerPresent May 20, 2022, 9:37 a.m.			0	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 20, 2022, 9:37 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 4294967295 registers.rsi: 0 registers.r10: -5600666554368707728 registers.rbx: 196926 registers.rsp: 1111768 registers.r11: -9151031864016699136 registers.r8: 2342948 registers.r9: -6173819368 registers.rdx: -4610581773392977147 registers.r12: 10 registers.rbp: 2342816 registers.rdi: 2342968 registers.rax: 0 registers.r13: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (24 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 1948 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 788 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000001005b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdcc1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff583000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdfd0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa8d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa8b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff72d000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 2488 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000530000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd2b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdbef000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd969000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077160000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772f0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:37 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbbba000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:38 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef6d86000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 9:38 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef6d31000 process_handle: 0xffffffffffffffff	1

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LHXQyUfpChX\sOIEfoiwTQ.dll"

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00032a00', u'virtual_address': u'0x0008b000', u'entropy': 7.686633073538794, u'name': u'.rsrc', u'virtual_size': u'0x000328ac'}

entropy

7.68663307354

description

A section with a high entropy has been found

entropy

0.275510204082

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

regsvr32.exe

Communicates with host for which no DNS query was performed (10 events)

host	131.100.24.231
host	149.56.131.28
host	150.95.66.124
host	159.65.88.10
host	172.105.70.96
host	173.239.37.178
host	201.94.166.162
host	209.97.163.214
host	89.29.244.7
host	94.23.45.86

Installs itself for autorun at Windows startup (1 event)

service_name

sOIEfoiwTQ.dll

service_path

C:\Windows\System32\regsvr32.exe "C:\Windows\system32\LHXQyUfpChX\sOIEfoiwTQ.dll"

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW May 20, 2022, 9:37 a.m.	service_start_name: start_type: 2 password: display_name: sOIEfoiwTQ.dll filepath: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\LHXQyUfpChX\sOIEfoiwTQ.dll" service_name: sOIEfoiwTQ.dll filepath_r: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LHXQyUfpChX\sOIEfoiwTQ.dll" desired_access: 2 service_handle: 0x00000000003e2f60 error_control: 0 service_type: 16 service_manager_handle: 0x00000000003d5f10	1	4075360	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\System32\LHXQyUfpChX\sOIEfoiwTQ.dll:Zone.Identifier

Generates some ICMP traffic

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (6 events)

dead_host	192.168.56.101:49194
dead_host	209.97.163.214:443
dead_host	192.168.56.101:49185
dead_host	172.105.70.96:443
dead_host	173.239.37.178:8080
dead_host	201.94.166.162:443

3

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All