Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

Delivery Note DHL AWB NO0023445667 MAY 2022.exe

UPX Malicious Library PE64 .NET DLL PNG Format PE File DLL PE32 JPEG Format

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 23, 2022, 5:37 p.m.	May 23, 2022, 5:39 p.m.

Size	660.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`b5a10e6336b475e0780e809761bf2e54`
SHA256	`22c72b2319f93a02b481a674f4fc9dd32f8b7cef814b888ca880a516ca0ac382`
CRC32	`F61EAA78`
ssdeep	`12288:tYJ7YaMPI+XCB6YrKhDvEgboH+7OtX71t2n:tYSmt6Tty+grOn`
Yara	IsPE32 - (no description) UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

Delivery Note DHL AWB NO0023445667 MAY 2022.exe "C:\Users\test22\AppData\Local\Temp\Delivery Note DHL AWB NO0023445667 MAY 2022.exe"
2136

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 23, 2022, 5:37 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 23, 2022, 5:37 p.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74252000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory May 23, 2022, 5:37 p.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74303000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory May 23, 2022, 5:37 p.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742f5000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory May 23, 2022, 5:37 p.m.	process_identifier: 2136 region_size: 2621440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04080000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory May 23, 2022, 5:37 p.m.	process_identifier: 2136 region_size: 1286144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory May 23, 2022, 5:37 p.m.	process_identifier: 2136 region_size: 1290240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ed0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\nstEF15.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\System.Runtime.Serialization.dll
file	C:\Users\test22\AppData\Local\Temp\ipc.dll

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW May 23, 2022, 5:37 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\frugtbringendes.jpg filepath: C:\Users\test22\AppData\Local\Temp\frugtbringendes.jpg		0	0

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\System.Runtime.Serialization.dll
file	C:\Users\test22\AppData\Local\Temp\nstEF15.tmp\System.dll

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Elastic	malicious (high confidence)
McAfee	Artemis!B5A10E6336B4
Cylance	Unsafe
Avast	FileRepMalware [Misc]
Kaspersky	UDS:Trojan-Downloader.Win32.GuLoader.gen
McAfee-GW-Edition	BehavesLike.Win32.Dropper.jc
Ikarus	Trojan.NSIS.Injector
Microsoft	Trojan:Win32/Guloader.AL!MTB
AVG	FileRepMalware [Misc]

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW May 23, 2022, 5:37 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Nonfeasible176 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Nonfeasible176		2	0