Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 9, 2022, 9:47 a.m.	Dec. 9, 2022, 9:53 a.m.

Size	150.0KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`27dfc5e856a1de1beafddb8efb767016`
SHA256	`343d5c5319bf9d595f9fd4b1f932f2a64430133dfa3691fded92b35020fdea8d`
CRC32	`FDEB4FD6`
ssdeep	`3072:BQoHepM/1kJnf4OedNEhbOttExQ/8PigsT8XnyYU/pkaUJJ:6oj/1kJf4OUeSWVnj`
Yara	OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsDLL - (no description) PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sys_module.dll,DllRegisterServer
2052
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sys_module.dll,DllRegisterServer
  2380
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sys_module.dll,KMYDtl
2140
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sys_module.dll,KMYDtl
  2548
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sys_module.dll,CKQXU
2004
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sys_module.dll,CKQXU
  2512
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sys_module.dll,ZGWrNo7ng
2324
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sys_module.dll,ZGWrNo7ng
  2604
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sys_module.dll,
2456
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sys_module.dll,OLtC11K
2232
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sys_module.dll,OLtC11K
  2648

Name	Response	Post-Analysis Lookup
tektadgame.at

IP Address	Status	Action
164.124.101.2	Active	Moloch
179.43.154.154	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 179.43.154.154:80 -> 192.168.56.103:49174	2035442	ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Dec. 9, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 9, 2022, 9:40 a.m.			0	0
IsDebuggerPresent Dec. 9, 2022, 9:40 a.m.			0	0
IsDebuggerPresent Dec. 9, 2022, 9:40 a.m.			0	0
IsDebuggerPresent Dec. 9, 2022, 9:40 a.m.			0	0
IsDebuggerPresent Dec. 9, 2022, 9:40 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 9, 2022, 9:40 a.m.	stacktrace: CKQXU+0x150 KMYDtl-0x530 sys_module+0x15620 @ 0x7fef3f05620 rundll32+0x2f42 @ 0xff042f42 rundll32+0x3b7a @ 0xff043b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 88 14 01 ff 47 7c 8b 87 9c 00 00 00 35 bf ab 10 exception.instruction: mov byte ptr [rcx + rax], dl exception.exception_code: 0xc0000005 exception.symbol: CKQXU+0x150 KMYDtl-0x530 sys_module+0x15620 exception.address: 0x7fef3f05620 registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 4278456575 registers.rbx: 0 registers.rsp: 2619440 registers.r11: 2619216 registers.r8: 492872360 registers.r9: 4 registers.rdx: 1925282 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0
__exception__ Dec. 9, 2022, 9:40 a.m.	stacktrace: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x777840f2 EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77784736 RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x77785942 RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x777875f4 RtlIsDosDeviceName_U+0x7afb NtdllDialogWndProc_A-0x26c71 ntdll+0x6157b @ 0x7772157b RtlAllocateHeap+0xd9d AlpcGetMessageAttribute-0x8c3 ntdll+0x5413d @ 0x7771413d LocalFree+0x32 LocalAlloc-0x2e kernelbase+0x1582 @ 0x7fefdbf1582 rundll32+0x3023 @ 0xff043023 rundll32+0x3b7a @ 0xff043b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00 exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 exception.instruction: jmp 0x777840f4 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 803058 exception.address: 0x777840f2 registers.r14: 0 registers.r15: 0 registers.rcx: 1962272 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1965744 registers.r11: 646 registers.r8: 6986219595993967764 registers.r9: 1571725354 registers.rdx: 2004857936 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 2003015871 registers.r13: 0	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://179.43.154.154/wDaA

Performs some HTTP requests (1 event)

request

GET http://179.43.154.154/wDaA

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 9, 2022, 9:40 a.m.	process_identifier: 2380 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:40 a.m.	process_identifier: 2380 region_size: 4194304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:40 a.m.	process_identifier: 2380 region_size: 319488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002340000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:40 a.m.	process_identifier: 2548 region_size: 4294963200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000ff050000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

Communicates with host for which no DNS query was performed (1 event)

host

179.43.154.154

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CrowdStrike	win/malicious_confidence_90% (W)
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	TrojanX-gen [Trj]
FireEye	Generic.mg.27dfc5e856a1de1b
Sophos	Mal/Generic-S
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:Win64/BumbleBee.SAN!MTB
Rising	Trojan.BumbleBee!8.15A15 (CLOUD)
MaxSecure	Trojan.Malware.300983.susgen
AVG	TrojanX-gen [Trj]

Network activity contains more than one unique useragent (2 events)

process	rundll32.exe				useragent
process	rundll32.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP06)

sys_module.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All