Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 16, 2023, 7:57 a.m.	March 16, 2023, 7:59 a.m.

Size	300.5KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`27c6e6bc4b46148fb4dcc6a6a9346914`
SHA256	`aa57889a91be96c5b5cae185792f5ad76eb5248abb66344a740266a1c297cfd7`
CRC32	`E946D997`
ssdeep	`6144:+TSJ5KqLXrlG1qTSZLJbgrVfpaHbEMbn9lTej0QjUZ:+aKqjgqTQVgjaHfbnOjZUZ`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) IsPE64 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\PXN5J.dll,DllRegisterServer
1648
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\PXN5J.dll,DllRegisterServer
  2200
  - regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UeRrnFlKTnINpx\DRjJVxuuxNrNF.dll"
    2352
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\PXN5J.dll,
2140
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
115.178.55.22	Active	Moloch
138.197.14.67	Active	Moloch
174.138.33.49	Active	Moloch
186.250.48.5	Active	Moloch
193.194.92.175	Active	Moloch
218.38.121.17	Active	Moloch
93.84.115.205	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49176 -> 174.138.33.49:7080	2404305	ET CNC Feodo Tracker Reported CnC Server group 6	A Network Trojan was detected
TCP 115.178.55.22:80 -> 192.168.56.103:49172	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 218.38.121.17:443	2404310	ET CNC Feodo Tracker Reported CnC Server group 11	A Network Trojan was detected
TCP 218.38.121.17:443 -> 192.168.56.103:49174	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 186.250.48.5:443	2404307	ET CNC Feodo Tracker Reported CnC Server group 8	A Network Trojan was detected
TCP 93.84.115.205:7080 -> 192.168.56.103:49170	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA March 16, 2023, 7:57 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 16, 2023, 7:57 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

ZWCUGR

Allocates read-write-execute memory (usually to unpack itself) (23 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2200 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180015000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001e80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd517000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefddaf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdbc9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077400000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe52d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774de000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000771d0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef915c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef90db000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbd0a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe471000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff9a3000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd3b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefcf81000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd394000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:57 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd20e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 16, 2023, 7:58 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd183000 process_handle: 0xffffffffffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UeRrnFlKTnINpx\DRjJVxuuxNrNF.dll"

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW March 16, 2023, 7:57 a.m.	snapshot_handle: 0x0000000000000118 process_name: mobsync.exe process_identifier: 2032	1	1
Process32NextW March 16, 2023, 7:57 a.m.	snapshot_handle: 0x0000000000000118 process_name: pw.exe process_identifier: 1696	1	1
Process32NextW March 16, 2023, 7:57 a.m.	snapshot_handle: 0x0000000000000118 process_name: taskhost.exe process_identifier: 772	1	1
Process32NextW March 16, 2023, 7:57 a.m.	snapshot_handle: 0x0000000000000118 process_name: pw.exe process_identifier: 2052	1	1
Process32NextW March 16, 2023, 7:57 a.m.	snapshot_handle: 0x0000000000000118 process_name: rundll32.exe process_identifier: 2200	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002ac00', u'virtual_address': u'0x00025000', u'entropy': 7.8309775501142855, u'name': u'.rsrc', u'virtual_size': u'0x0002ab28'}

entropy

7.83097755011

description

A section with a high entropy has been found

entropy

0.570951585977

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (2 events)

process	regsvr32.exe
process	rundll32.exe

Communicates with host for which no DNS query was performed (7 events)

host	115.178.55.22
host	138.197.14.67
host	174.138.33.49
host	186.250.48.5
host	193.194.92.175
host	218.38.121.17
host	93.84.115.205

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CrowdStrike	win/malicious_confidence_100% (D)
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Sophos	Generic ML PUA (PUA)
McAfee-GW-Edition	BehavesLike.Win64.Generic.fc
FireEye	Generic.mg.27c6e6bc4b46148f
Emsisoft	Trojan.Emotet (A)
MaxSecure	Trojan.Malware.300983.susgen

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\System32\UeRrnFlKTnINpx\DRjJVxuuxNrNF.dll:Zone.Identifier

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 events)

dead_host	174.138.33.49:7080
dead_host	186.250.48.5:443
dead_host	138.197.14.67:8080
dead_host	193.194.92.175:443

PXN5J

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All