Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 10, 2022, 3:02 p.m.	Dec. 10, 2022, 3:14 p.m.

Size	7.2MB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`0d079a931e42f554016db36476e55ba7`
SHA256	`ead2c5aaf92fe07db45b99587f586c7a45f92c67220cd8113a5d2e7bcb320798`
CRC32	`D50FB079`
ssdeep	`196608:l3ksPqmzcl+LG314Hujb7KgkYCbGNBmHTER:lUON+2HBb8`
Yara	IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library IsDLL - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\syncfiles.dll,
2052
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\syncfiles.dll,rundll
2040

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
89.22.236.225	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 10, 2022, 3:02 p.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (8 events)

section	*;>%1sXO
section	7rP!Ni:j
section	bkE<E2?8
section	8*7`Joyq
section	0Ys'"rSd
section	nUPwRZiK
section	$u!6XeN&
section	K)'tLNvc

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 10, 2022, 3:02 p.m.	stacktrace: rundll+0x61b975 syncfiles+0x61c981 @ 0x1061c981 0xef618 0x1 exception.instruction_r: 90 53 9c bb 26 47 bd 13 c1 eb 25 0f 84 f2 ff ff exception.instruction: nop exception.exception_code: 0x80000004 exception.symbol: rundll+0xb08a9c syncfiles+0xb09aa8 exception.address: 0x10b09aa8 registers.esp: 978408 registers.edi: 268435456 registers.eax: 2679260630 registers.ebp: 980432 registers.edx: 77 registers.ebx: 0 registers.esi: 0 registers.ecx: 784896	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 10, 2022, 3:02 p.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10433000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 10, 2022, 3:02 p.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 10, 2022, 3:02 p.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74501000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 10, 2022, 3:02 p.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 10, 2022, 3:02 p.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 10, 2022, 3:02 p.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 10, 2022, 3:02 p.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 10, 2022, 3:02 p.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 10, 2022, 3:02 p.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 10, 2022, 3:02 p.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 10, 2022, 3:02 p.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 10, 2022, 3:02 p.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74490000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 10, 2022, 3:02 p.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74461000 process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00734600', u'virtual_address': u'0x00434000', u'entropy': 7.977565871717797, u'name': u'nUPwRZiK', u'virtual_size': u'0x00734590'}

entropy

7.97756587172

description

A section with a high entropy has been found

entropy

0.999322722655

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

89.22.236.225

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.64131877
FireEye	Trojan.GenericKD.64131877
Cylance	Unsafe
Sangfor	Backdoor.Win32.Coroxy.Vnt8
K7AntiVirus	Trojan ( 0059c4401 )
Arcabit	Trojan.Generic.D3D2787F
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/Coroxy.H
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Agent.a
BitDefender	Trojan.GenericKD.64131877
Avast	Win32:BackdoorX-gen [Trj]
Tencent	Win32.Trojan.FalseSign.Bwnw
Ad-Aware	Trojan.GenericKD.64131877
Emsisoft	Trojan.GenericKD.64125055 (B)
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
Webroot	Pua.Gen
Avira	TR/Coroxy.ydcjs
Gridinsoft	Malware.Win32.Gen.bot
Microsoft	Backdoor:Win32/Coroxy.E
GData	Trojan.GenericKD.64131877
McAfee	Artemis!0D079A931E42
Rising	Trojan.Coroxy!8.10E83 (TFE:1:9p42WWiBeJC)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
BitDefenderTheta	Gen:NN.ZedlaF.36106.@J9@aOoi1ncO
AVG	Win32:BackdoorX-gen [Trj]

syncfiles.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All