Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 16, 2023, 7:44 a.m.	March 16, 2023, 7:46 a.m.

Size	309.5KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`bfc060937dc90b273eccb6825145f298`
SHA256	`2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253`
CRC32	`7E1837BF`
ssdeep	`6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) IsPE64 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Ses8712iGR8du.dll,
2140
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Ses8712iGR8du.dll,DllRegisterServer
1664
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Ses8712iGR8du.dll,DllRegisterServer
  2204
  - regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UeRrnFlKTnINpx\DRjJVxuuxNrNF.dll"
    2356
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
104.168.155.143	Active	Moloch
160.16.142.56	Active	Moloch
163.44.196.120	Active	Moloch
164.90.222.65	Active	Moloch
167.172.199.165	Active	Moloch
182.162.143.56	Active	Moloch
187.63.160.88	Active	Moloch
66.228.32.31	Active	Moloch
91.121.146.47	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 91.121.146.47:8080 -> 192.168.56.103:49168	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 66.228.32.31:7080 -> 192.168.56.103:49170	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 104.168.155.143:8080	2404300	ET CNC Feodo Tracker Reported CnC Server group 1	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 182.162.143.56:443	2404306	ET CNC Feodo Tracker Reported CnC Server group 7	A Network Trojan was detected
TCP 182.162.143.56:443 -> 192.168.56.103:49172	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49176 -> 164.90.222.65:443	2404304	ET CNC Feodo Tracker Reported CnC Server group 5	A Network Trojan was detected
TCP 192.168.56.103:49173 -> 187.63.160.88:80	2404307	ET CNC Feodo Tracker Reported CnC Server group 8	A Network Trojan was detected
TCP 187.63.160.88:80 -> 192.168.56.103:49174	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA March 16, 2023, 7:38 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 16, 2023, 7:37 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

LXGUM

Allocates read-write-execute memory (usually to unpack itself) (23 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 16, 2023, 7:37 a.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 16, 2023, 7:37 a.m.	process_identifier: 2204 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 16, 2023, 7:37 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:37 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180016000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 16, 2023, 7:37 a.m.	process_identifier: 2356 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 16, 2023, 7:37 a.m.	process_identifier: 2356 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:37 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd517000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:37 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefddaf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:37 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdbc9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:37 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077400000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:37 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe52d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:37 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774de000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:37 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000771d0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:37 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef915c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:37 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef90db000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:37 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbd0a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:38 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe471000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:38 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff9a3000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:38 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd3b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:38 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefcf81000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:38 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd394000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:38 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd20e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:38 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd183000 process_handle: 0xffffffffffffffff	1

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UeRrnFlKTnINpx\DRjJVxuuxNrNF.dll"

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return
Process32NextW March 16, 2023, 7:37 a.m.	snapshot_handle: 0x0000000000000118 process_name: mobsync.exe process_identifier: 536	1	1
Process32NextW March 16, 2023, 7:37 a.m.	snapshot_handle: 0x0000000000000118 process_name: cmd.exe process_identifier: 1492	1	1
Process32NextW March 16, 2023, 7:37 a.m.	snapshot_handle: 0x0000000000000118 process_name: SearchFilterHost.exe process_identifier: 808	1	1
Process32NextW March 16, 2023, 7:37 a.m.	snapshot_handle: 0x0000000000000118 process_name: rundll32.exe process_identifier: 1664	1	1
Process32NextW March 16, 2023, 7:37 a.m.	snapshot_handle: 0x0000000000000118 process_name: pw.exe process_identifier: 2056	1	1
Process32NextW March 16, 2023, 7:37 a.m.	snapshot_handle: 0x0000000000000118 process_name: rundll32.exe process_identifier: 2204	1	1

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.bfc060937dc90b27
Sangfor	Trojan.Win32.Save.a
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Emsisoft	Trojan.Emotet (A)
McAfee-GW-Edition	BehavesLike.Win64.Generic.fc
MaxSecure	Trojan.Malware.121218.susgen

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002be00', u'virtual_address': u'0x00026000', u'entropy': 7.8414373828183646, u'name': u'.rsrc', u'virtual_size': u'0x0002bd28'}

entropy

7.84143738282

description

A section with a high entropy has been found

entropy

0.568881685575

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (2 events)

process	regsvr32.exe
process	rundll32.exe

Communicates with host for which no DNS query was performed (9 events)

host	104.168.155.143
host	160.16.142.56
host	163.44.196.120
host	164.90.222.65
host	167.172.199.165
host	182.162.143.56
host	187.63.160.88
host	66.228.32.31
host	91.121.146.47

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\System32\UeRrnFlKTnINpx\DRjJVxuuxNrNF.dll:Zone.Identifier

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (5 events)

dead_host	164.90.222.65:443
dead_host	163.44.196.120:8080
dead_host	167.172.199.165:8080
dead_host	192.168.56.103:49178
dead_host	104.168.155.143:8080

Ses8712iGR8du

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All