Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 23, 2022, 9:32 a.m.	May 23, 2022, 9:41 a.m.

Size	356.5KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`dc718a4e9da03bbc0673313cd6d7715c`
SHA256	`67c21491d013e6dbe6e123530f6686010163e75ef3df41ceebf7601c78692434`
CRC32	`C8FD9A65`
ssdeep	`3072:JI0AM0yQkR9M6lglELtJUNjiWGyWcTD0JUiA2tqZ4IvUlDAj7UOjVifSwHEDQVLK:i5MR9M6y3TeRIvgMSS3AyUrhYu3j`
Yara	IsDLL - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\11hYk3bHJ.dll,AddIn_SystemTime
2412
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\11hYk3bHJ.dll,AddIn_SystemTime
  2664
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\11hYk3bHJ.dll,DllRegisterServer
2504
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\11hYk3bHJ.dll,DllRegisterServer
  2704
  - regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JdePcI\hGUCpK.dll"
    2972
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\11hYk3bHJ.dll,
2596
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\11hYk3bHJ.dll,AddIn_FileTime
2316
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\11hYk3bHJ.dll,AddIn_FileTime
  2748
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.43.75.120	Active	Moloch
103.70.28.102	Active	Moloch
119.193.124.41	Active	Moloch
150.95.66.124	Active	Moloch
159.65.140.115	Active	Moloch
159.89.202.34	Active	Moloch
173.239.37.178	Active	Moloch
173.82.82.196	Active	Moloch
196.218.30.83	Active	Moloch
209.97.163.214	Active	Moloch
51.254.140.238	Active	Moloch
77.81.247.144	Active	Moloch
82.165.152.127	Active	Moloch
89.29.244.7	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49191 -> 119.193.124.41:7080	2404303	ET CNC Feodo Tracker Reported CnC Server group 4	A Network Trojan was detected
TCP 192.168.56.103:49186 -> 150.95.66.124:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49177 -> 159.89.202.34:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49191 -> 119.193.124.41:7080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49199 -> 51.254.140.238:7080	2404317	ET CNC Feodo Tracker Reported CnC Server group 18	A Network Trojan was detected
TCP 192.168.56.103:49196 -> 51.254.140.238:7080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49182 -> 89.29.244.7:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49197 -> 51.254.140.238:7080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 51.254.140.238:7080 -> 192.168.56.103:49198	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49176 -> 159.89.202.34:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 159.89.202.34:443 -> 192.168.56.103:49178	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 89.29.244.7:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 89.29.244.7:443 -> 192.168.56.103:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49185 -> 150.95.66.124:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49192 -> 119.193.124.41:7080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 119.193.124.41:7080 -> 192.168.56.103:49193	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 150.95.66.124:8080 -> 192.168.56.103:49187	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 23, 2022, 9:25 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 23, 2022, 9:25 a.m.			0	0
IsDebuggerPresent May 23, 2022, 9:25 a.m.			0	0
IsDebuggerPresent May 23, 2022, 9:25 a.m.			0	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 23, 2022, 9:25 a.m.	stacktrace: 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xb8 registers.r14: 0 registers.r15: 0 registers.rcx: 4289462272 registers.rsi: 0 registers.r10: 0 registers.rbx: 4289462272 registers.rsp: 1047128 registers.r11: 1046864 registers.r8: 2992514 registers.r9: 10 registers.rdx: 4289462272 registers.r12: 10 registers.rbp: 2992384 registers.rdi: 1047328 registers.rax: 121446316477623 registers.r13: 0	1	0	0
__exception__ May 23, 2022, 9:25 a.m.	stacktrace: 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xb8 registers.r14: 0 registers.r15: 0 registers.rcx: 4289462272 registers.rsi: 0 registers.r10: 0 registers.rbx: 4289462272 registers.rsp: 718232 registers.r11: 717984 registers.r8: 2992510 registers.r9: 10 registers.rdx: 4289462272 registers.r12: 10 registers.rbp: 2992384 registers.rdi: 718448 registers.rax: 121446316692719 registers.r13: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2664 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2704 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2748 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:27 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000044b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3432000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2972 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefcf27000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd6af000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd5d9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076cf0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff10d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076eee000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bc0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb6da000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:25 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb44a000 process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 23, 2022, 9:26 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 8667045888 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JdePcI\hGUCpK.dll"

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
Process32NextW May 23, 2022, 9:25 a.m.	snapshot_handle: 0x0000000000000148 process_name: rundll32.exe process_identifier: 2412	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002d200', u'virtual_address': u'0x00030000', u'entropy': 7.886639889833657, u'name': u'.rsrc', u'virtual_size': u'0x0002d1fc'}

entropy

7.88663988983

description

A section with a high entropy has been found

entropy

0.507735583685

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

regsvr32.exe

Communicates with host for which no DNS query was performed (14 events)

host	103.43.75.120
host	103.70.28.102
host	119.193.124.41
host	150.95.66.124
host	159.65.140.115
host	159.89.202.34
host	173.239.37.178
host	173.82.82.196
host	196.218.30.83
host	209.97.163.214
host	51.254.140.238
host	77.81.247.144
host	82.165.152.127
host	89.29.244.7

Installs itself for autorun at Windows startup (1 event)

service_name

hGUCpK.dll

service_path

C:\Windows\System32\regsvr32.exe "C:\Windows\system32\JdePcI\hGUCpK.dll"

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW May 23, 2022, 9:25 a.m.	service_start_name: start_type: 2 password: display_name: hGUCpK.dll filepath: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\JdePcI\hGUCpK.dll" service_name: hGUCpK.dll filepath_r: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JdePcI\hGUCpK.dll" desired_access: 2 service_handle: 0x000000000031d310 error_control: 0 service_type: 16 service_manager_handle: 0x0000000000337b00	1	3265296	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\System32\JdePcI\hGUCpK.dll:Zone.Identifier

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen17.54657
MicroWorld-eScan	Trojan.Agent.FWJC
McAfee	Emotet-FTN!DC718A4E9DA0
Cylance	Unsafe
Cyren	W64/Emotet.EKC.gen!Eldorado
ESET-NOD32	a variant of Win64/GenKryptik.FUWI
Paloalto	generic.ml
Kaspersky	Trojan-Banker.Win64.Emotet.clts
BitDefender	Trojan.Agent.FWJC
Avast	BankerX-gen [Trj]
McAfee-GW-Edition	BehavesLike.Win64.Generic.fc
FireEye	Generic.mg.dc718a4e9da03bbc
MAX	malware (ai score=85)
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Trojan.Agent.FWJC
APEX	Malicious
Rising	Trojan.Kryptik!8.8 (CLOUD)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W64/Emotet.FUWI!tr
AVG	BankerX-gen [Trj]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (13 events)

dead_host	192.168.56.103:49201
dead_host	209.97.163.214:443
dead_host	159.65.140.115:443
dead_host	192.168.56.103:49190
dead_host	173.82.82.196:8080
dead_host	103.43.75.120:443
dead_host	192.168.56.103:49202
dead_host	196.218.30.83:443
dead_host	82.165.152.127:8080
dead_host	77.81.247.144:8080
dead_host	173.239.37.178:8080
dead_host	192.168.56.103:49200
dead_host	192.168.56.103:49189

11hYk3bHJ

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All