Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 23, 2022, 9:34 a.m.	May 23, 2022, 9:40 a.m.

Size	362.5KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`e651e7c9f3ff0821ac85ac431ca367a3`
SHA256	`179bb93a9eb4acded81ef0a6b4c9f25d0ca6629cfa03cb97809e4acbcb964504`
CRC32	`51E87392`
ssdeep	`6144:hlNuuXQASByX7PxoJcXy16qFHJ7wwD1w3pq6jTK/V9OT0u:hlNu9ASByX7Vy/BJ7rGTK/V3`
Yara	IsDLL - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\OqHwQ8xlWa5Goyo.dll,AddIn_SystemTime
2860
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\OqHwQ8xlWa5Goyo.dll,AddIn_SystemTime
  2052
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\OqHwQ8xlWa5Goyo.dll,AddIn_FileTime
2776
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\OqHwQ8xlWa5Goyo.dll,AddIn_FileTime
  1660
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\OqHwQ8xlWa5Goyo.dll,DllRegisterServer
2952
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\OqHwQ8xlWa5Goyo.dll,DllRegisterServer
  2144
  - regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SXyBjMeyQs\IuEPVdTLfzZeBf.dll"
    2484
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\OqHwQ8xlWa5Goyo.dll,
3040
explorer.exe C:\Windows\Explorer.EXE
1156

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
104.248.225.227	Active	Moloch
110.235.83.107	Active	Moloch
134.122.119.23	Active	Moloch
160.16.143.191	Active	Moloch
165.22.73.229	Active	Moloch
190.90.233.66	Active	Moloch
195.77.239.39	Active	Moloch
196.44.98.190	Active	Moloch
202.28.34.99	Active	Moloch
202.29.239.162	Active	Moloch
210.57.209.142	Active	Moloch
37.44.244.177	Active	Moloch
62.171.178.147	Active	Moloch
87.106.97.83	Active	Moloch
88.217.172.165	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 160.16.143.191:7080 -> 192.168.56.101:49181	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 160.16.143.191:7080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49176 -> 165.22.73.229:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49184 -> 134.122.119.23:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 134.122.119.23:8080 -> 192.168.56.101:49185	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49195 -> 202.29.239.162:443	2404312	ET CNC Feodo Tracker Reported CnC Server group 13	A Network Trojan was detected
TCP 192.168.56.101:49175 -> 165.22.73.229:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49195 -> 202.29.239.162:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 202.29.239.162:443 -> 192.168.56.101:49197	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 165.22.73.229:8080 -> 192.168.56.101:49177	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49196 -> 202.29.239.162:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49180 -> 160.16.143.191:7080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49183 -> 134.122.119.23:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 23, 2022, 9:26 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 23, 2022, 9:26 a.m.			0	0
IsDebuggerPresent May 23, 2022, 9:26 a.m.			0	0
IsDebuggerPresent May 23, 2022, 9:26 a.m.			0	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 23, 2022, 9:26 a.m.	stacktrace: 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xb8 registers.r14: 0 registers.r15: 0 registers.rcx: 4288086016 registers.rsi: 0 registers.r10: 0 registers.rbx: 4288086016 registers.rsp: 1965096 registers.r11: 1964832 registers.r8: 2736206 registers.r9: 10 registers.rdx: 4288086016 registers.r12: 10 registers.rbp: 2736064 registers.rdi: 1965296 registers.rax: 121386842046499 registers.r13: 0	1	0	0
__exception__ May 23, 2022, 9:26 a.m.	stacktrace: 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xb8 registers.r14: 0 registers.r15: 0 registers.rcx: 4288086016 registers.rsi: 0 registers.r10: 0 registers.rbx: 4288086016 registers.rsp: 1832648 registers.r11: 1832400 registers.r8: 2867274 registers.r9: 10 registers.rdx: 4288086016 registers.r12: 10 registers.rbp: 2867136 registers.rdi: 1832864 registers.rax: 121386843895500 registers.r13: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c20000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 2052 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 2052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c20000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 2144 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 1660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001da0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 1660 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001db0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4962000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 2484 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000005e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 2484 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000005f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd2b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdbef000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd969000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077160000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff72d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772f0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:26 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbbba000 process_handle: 0xffffffffffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SXyBjMeyQs\IuEPVdTLfzZeBf.dll"

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
Process32NextW May 23, 2022, 9:26 a.m.	snapshot_handle: 0x0000000000000148 process_name: rundll32.exe process_identifier: 1660	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002ea00', u'virtual_address': u'0x00030000', u'entropy': 7.850495841019569, u'name': u'.rsrc', u'virtual_size': u'0x0002e9fc'}

entropy

7.85049584102

description

A section with a high entropy has been found

entropy

0.515905947441

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

regsvr32.exe

Communicates with host for which no DNS query was performed (15 events)

host	104.248.225.227
host	110.235.83.107
host	134.122.119.23
host	160.16.143.191
host	165.22.73.229
host	190.90.233.66
host	195.77.239.39
host	196.44.98.190
host	202.28.34.99
host	202.29.239.162
host	210.57.209.142
host	37.44.244.177
host	62.171.178.147
host	87.106.97.83
host	88.217.172.165

Installs itself for autorun at Windows startup (1 event)

service_name

IuEPVdTLfzZeBf.dll

service_path

C:\Windows\System32\regsvr32.exe "C:\Windows\system32\SXyBjMeyQs\IuEPVdTLfzZeBf.dll"

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW May 23, 2022, 9:26 a.m.	service_start_name: start_type: 2 password: display_name: IuEPVdTLfzZeBf.dll filepath: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\SXyBjMeyQs\IuEPVdTLfzZeBf.dll" service_name: IuEPVdTLfzZeBf.dll filepath_r: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SXyBjMeyQs\IuEPVdTLfzZeBf.dll" desired_access: 2 service_handle: 0x0000000000438a50 error_control: 0 service_type: 16 service_manager_handle: 0x0000000000420930	1	4426320	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\System32\SXyBjMeyQs\IuEPVdTLfzZeBf.dll:Zone.Identifier

Generates some ICMP traffic

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

DrWeb	Trojan.Siggen17.54643
MicroWorld-eScan	Trojan.GenericKDZ.87939
ALYac	Trojan.GenericKDZ.87939
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Generic.D15783
Cyren	W64/Emotet.EKC.gen!Eldorado
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win64/Kryptik.DBT
Paloalto	generic.ml
Kaspersky	Trojan-Banker.Win64.Emotet.cltr
BitDefender	Trojan.GenericKDZ.87939
Avast	Win64:BankerX-gen [Trj]
Tencent	Win64.Trojan-banker.Emotet.Ajkz
Ad-Aware	Trojan.GenericKDZ.87939
Emsisoft	Trojan.GenericKDZ.87939 (B)
McAfee-GW-Edition	BehavesLike.Win64.Generic.fc
FireEye	Generic.mg.e651e7c9f3ff0821
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Trojan.GenericKDZ.87939
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win.FTN.R493366
McAfee	Emotet-FTN!E651E7C9F3FF
Malwarebytes	Trojan.Emotet
APEX	Malicious
MAX	malware (ai score=80)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W64/Emotet.FUWI!tr
AVG	Win64:BankerX-gen [Trj]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (19 events)

dead_host	192.168.56.101:49191
dead_host	196.44.98.190:8080
dead_host	202.28.34.99:8080
dead_host	192.168.56.101:49192
dead_host	87.106.97.83:7080
dead_host	104.248.225.227:8080
dead_host	192.168.56.101:49193
dead_host	192.168.56.101:49188
dead_host	190.90.233.66:443
dead_host	195.77.239.39:8080
dead_host	192.168.56.101:49194
dead_host	210.57.209.142:8080
dead_host	88.217.172.165:8080
dead_host	192.168.56.101:49190
dead_host	37.44.244.177:8080
dead_host	62.171.178.147:8080
dead_host	192.168.56.101:49199
dead_host	192.168.56.101:49187
dead_host	110.235.83.107:7080

OqHwQ8xlWa5Goyo

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All