Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 20, 2022, 1:17 p.m.	May 20, 2022, 1:25 p.m.

Size	736.0KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`a779b4298cfb967f3dad8155e41bb53c`
SHA256	`d5a4ba0b28cf0bbf99e4609d04aa63b141254af2c7b8135e03df467dda016792`
CRC32	`2356CC56`
ssdeep	`12288:LJsMwUL89WbZz4di6gy1X+FcxhSntqYuXKw29lTxbkTi+kK:LJsMwULdN8d3gy1X+khIuXKwIlqTtkK`
Yara	IsDLL - (no description) Malicious_Packer_Zero - Malicious Packer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\7.dll,P8KN6Ry3VDViGrYu4GbA8RiNq
2416
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\7.dll,P8KN6Ry3VDViGrYu4GbA8RiNq
  2568
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\7.dll,DllRegisterServer
2312
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\7.dll,DllRegisterServer
  2616
  - regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZOCCzkxNcNwpnNCF\GuhMRvDAMbKXCa.dll"
    2848
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\7.dll,
2504
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
131.100.24.231	Active	Moloch
149.56.131.28	Active	Moloch
150.95.66.124	Active	Moloch
159.65.88.10	Active	Moloch
172.105.70.96	Active	Moloch
173.239.37.178	Active	Moloch
201.94.166.162	Active	Moloch
209.97.163.214	Active	Moloch
89.29.244.7	Active	Moloch
94.23.45.86	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49187 -> 131.100.24.231:80	2404304	ET CNC Feodo Tracker Reported CnC Server group 5	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 150.95.66.124:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49183 -> 149.56.131.28:8080	2404305	ET CNC Feodo Tracker Reported CnC Server group 6	A Network Trojan was detected
TCP 192.168.56.103:49187 -> 131.100.24.231:80	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 149.56.131.28:8080 -> 192.168.56.103:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49182 -> 149.56.131.28:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49190 -> 94.23.45.86:4143	2404323	ET CNC Feodo Tracker Reported CnC Server group 24	A Network Trojan was detected
TCP 131.100.24.231:80 -> 192.168.56.103:49188	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 150.95.66.124:8080 -> 192.168.56.103:49179	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 89.29.244.7:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49181 -> 149.56.131.28:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 89.29.244.7:443 -> 192.168.56.103:49174	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 89.29.244.7:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49186 -> 131.100.24.231:80	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49177 -> 150.95.66.124:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49190 -> 94.23.45.86:4143	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 94.23.45.86:4143 -> 192.168.56.103:49192	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 94.23.45.86:4143	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 20, 2022, 1:10 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 20, 2022, 1:10 p.m.			0	0
IsDebuggerPresent May 20, 2022, 1:10 p.m.			0	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 20, 2022, 1:10 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 4294967295 registers.rsi: 0 registers.r10: -5600666554368707728 registers.rbx: 393248 registers.rsp: 850344 registers.r11: -9151031864016699136 registers.r8: 1354148 registers.r9: -6173819368 registers.rdx: -7179672547673676983 registers.r12: 10 registers.rbp: 1354016 registers.rdi: 1360136 registers.rax: 0 registers.r13: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (23 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001e10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2568 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001e20000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2616 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001ca0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:12 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000001005b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff051000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff1e3000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefee30000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef7411000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ae7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff10d000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2848 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefcf27000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd6af000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd5d9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076cf0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076eee000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bc0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:10 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb6da000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:11 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb356000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:11 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa951000 process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 20, 2022, 1:11 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 8684396544 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZOCCzkxNcNwpnNCF\GuhMRvDAMbKXCa.dll"

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00032a00', u'virtual_address': u'0x0008b000', u'entropy': 7.686633073538794, u'name': u'.rsrc', u'virtual_size': u'0x000328ac'}

entropy

7.68663307354

description

A section with a high entropy has been found

entropy

0.275510204082

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

regsvr32.exe

Communicates with host for which no DNS query was performed (10 events)

host	131.100.24.231
host	149.56.131.28
host	150.95.66.124
host	159.65.88.10
host	172.105.70.96
host	173.239.37.178
host	201.94.166.162
host	209.97.163.214
host	89.29.244.7
host	94.23.45.86

Installs itself for autorun at Windows startup (1 event)

service_name

GuhMRvDAMbKXCa.dll

service_path

C:\Windows\System32\regsvr32.exe "C:\Windows\system32\ZOCCzkxNcNwpnNCF\GuhMRvDAMbKXCa.dll"

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW May 20, 2022, 1:10 p.m.	service_start_name: start_type: 2 password: display_name: GuhMRvDAMbKXCa.dll filepath: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\ZOCCzkxNcNwpnNCF\GuhMRvDAMbKXCa.dll" service_name: GuhMRvDAMbKXCa.dll filepath_r: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZOCCzkxNcNwpnNCF\GuhMRvDAMbKXCa.dll" desired_access: 2 service_handle: 0x000000000025bd10 error_control: 0 service_type: 16 service_manager_handle: 0x000000000025be30	1	2473232	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\System32\ZOCCzkxNcNwpnNCF\GuhMRvDAMbKXCa.dll:Zone.Identifier

Generates some ICMP traffic

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (6 events)

dead_host	209.97.163.214:443
dead_host	192.168.56.103:49185
dead_host	192.168.56.103:49194
dead_host	172.105.70.96:443
dead_host	173.239.37.178:8080
dead_host	201.94.166.162:443

7

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All