Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 20, 2022, 2:08 p.m.	May 20, 2022, 2:12 p.m.

Size	742.0KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`700777b9d962cc217a202312cef1a9eb`
SHA256	`3102382fdf002c72dd715e17c1da3b0a0846254ffc557ccc3d6e2941a489aa77`
CRC32	`53BEB524`
ssdeep	`12288:ckd4N2A+TyrjNDCaVN+SC1FXWWf3HlTT1LwmBvb:ckdxT2rZDCaVN+ZXWW3HBemBj`
Yara	IsDLL - (no description) Malicious_Packer_Zero - Malicious Packer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\z1CD.dll,DllRegisterServer
2768
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\z1CD.dll,DllRegisterServer
  3008
  - regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SGwClSeNfrYsQRoI\IYxhvVubYSr.dll"
    2432
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\z1CD.dll,P8KN6Ry3VDViGrYu4GbA8RiNq
2856
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\z1CD.dll,P8KN6Ry3VDViGrYu4GbA8RiNq
  3044
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\z1CD.dll,
2948
explorer.exe C:\Windows\Explorer.EXE
1156

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.133.214.242	Active	Moloch
103.8.26.17	Active	Moloch
104.248.225.227	Active	Moloch
116.124.128.206	Active	Moloch
134.122.119.23	Active	Moloch
178.62.112.199	Active	Moloch
188.225.32.231	Active	Moloch
195.154.146.35	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49172 -> 134.122.119.23:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49173 -> 134.122.119.23:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 134.122.119.23:8080 -> 192.168.56.101:49174	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 104.248.225.227:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49177 -> 104.248.225.227:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 104.248.225.227:8080 -> 192.168.56.101:49178	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49180 -> 188.225.32.231:4143	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49181 -> 188.225.32.231:4143	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 188.225.32.231:4143 -> 192.168.56.101:49182	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49186 -> 178.62.112.199:8080	2404307	ET CNC Feodo Tracker Reported CnC Server group 8	A Network Trojan was detected
TCP 192.168.56.101:49185 -> 178.62.112.199:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49186 -> 178.62.112.199:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 178.62.112.199:8080 -> 192.168.56.101:49187	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49189 -> 116.124.128.206:8080	2404302	ET CNC Feodo Tracker Reported CnC Server group 3	A Network Trojan was detected
TCP 192.168.56.101:49189 -> 116.124.128.206:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 116.124.128.206:8080 -> 192.168.56.101:49191	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49190 -> 116.124.128.206:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 20, 2022, 2:01 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 20, 2022, 2:01 p.m.			0	0
IsDebuggerPresent May 20, 2022, 2:01 p.m.			0	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 20, 2022, 2:01 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 4294967295 registers.rsi: 0 registers.r10: -5600666554368707728 registers.rbx: 327982 registers.rsp: 2096184 registers.r11: -9151031864016699136 registers.r8: 2408522 registers.r9: -6173827616 registers.rdx: -6603902040084028592 registers.r12: 10 registers.rbp: 2408384 registers.rdi: 2408552 registers.rax: 0 registers.r13: 0	1	0	0

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (5 events)

ip	104.248.225.227
ip	116.124.128.206
ip	134.122.119.23
ip	178.62.112.199
ip	188.225.32.231

Allocates read-write-execute memory (usually to unpack itself) (24 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 20, 2022, 2 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001cb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 3044 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001cd0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 20, 2022, 2 p.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 3008 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 3008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000001005b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdcc1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff583000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdfd0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa8d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa8b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff72d000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000005f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000600000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd2b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdbef000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd969000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077160000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772f0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbbba000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef6d86000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 20, 2022, 2:01 p.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef6d31000 process_handle: 0xffffffffffffffff	1

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SGwClSeNfrYsQRoI\IYxhvVubYSr.dll"

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00034200', u'virtual_address': u'0x0008b000', u'entropy': 7.642351829081628, u'name': u'.rsrc', u'virtual_size': u'0x000340ac'}

entropy

7.64235182908

description

A section with a high entropy has been found

entropy

0.281376518219

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

regsvr32.exe

Communicates with host for which no DNS query was performed (8 events)

host	103.133.214.242
host	103.8.26.17
host	104.248.225.227
host	116.124.128.206
host	134.122.119.23
host	178.62.112.199
host	188.225.32.231
host	195.154.146.35

Installs itself for autorun at Windows startup (1 event)

service_name

IYxhvVubYSr.dll

service_path

C:\Windows\System32\regsvr32.exe "C:\Windows\system32\SGwClSeNfrYsQRoI\IYxhvVubYSr.dll"

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW May 20, 2022, 2:01 p.m.	service_start_name: start_type: 2 password: display_name: IYxhvVubYSr.dll filepath: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\SGwClSeNfrYsQRoI\IYxhvVubYSr.dll" service_name: IYxhvVubYSr.dll filepath_r: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SGwClSeNfrYsQRoI\IYxhvVubYSr.dll" desired_access: 2 service_handle: 0x0000000000233940 error_control: 0 service_type: 16 service_manager_handle: 0x000000000024e590	1	2308416	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\System32\SGwClSeNfrYsQRoI\IYxhvVubYSr.dll:Zone.Identifier

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	103.8.26.17:8080
dead_host	103.133.214.242:8080
dead_host	195.154.146.35:443

z1CD

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All