Summary | ZeroBOX

Bpznb.msi

Malicious Library OS Processor Check CAB MSOffice File
Category Machine Started Completed
FILE s1_win7_x6401 March 17, 2023, 5:29 p.m. March 17, 2023, 5:31 p.m.
Size 3.8MB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: TuneFab Apple Music Converter 0.0.0.0, Subject: TuneFab Apple Music Converter, Author: TuneFab, Inc., Keywords: Installer, Comments: This installation was built with Inno Setup., Template: Intel;1033, Revision Number: {33FE604E-A7EE-48FA-A870-AD20ADC26059}, Create Time/Date: Sat Jul 23 12:01:26 2022, Last Saved Time/Date: Sat Jul 23 12:01:26 2022, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (10.0.51.0), Security: 2
MD5 c39fec313f716b37b80ccf946ef5cc83
SHA256 015151bd2d2bfb88389899bfac44b0e17a28db00abc8e1463058d84de40b1925
CRC32 8641D12A
ssdeep 49152:LpUPlOPlQRNDP9nqI5KKs2p8iYu9ap7QqKHKG+n2H6h1Ug:LpTt4NDVPKB2vinG8n2Hs
Yara
  • Malicious_Library_Zero - Malicious_Library
  • OS_Processor_Check_Zero - OS Processor Check
  • CAB_file_format - CAB archive file
  • Microsoft_Office_File_Zero - Microsoft Office File
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
193.233.20.145 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49163 -> 193.233.20.145:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 193.233.20.145:80 -> 192.168.56.101:49163 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 193.233.20.145:80 -> 192.168.56.101:49163 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 193.233.20.145:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 193.233.20.145:80 -> 192.168.56.101:49165 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 193.233.20.145:80 -> 192.168.56.101:49165 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 193.233.20.145:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 193.233.20.145:80 -> 192.168.56.101:49165 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 193.233.20.145:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 193.233.20.145:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 193.233.20.145:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 193.233.20.145:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://193.233.20.145/d27b1d581e3729a6.php
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://193.233.20.145/5710029e9331c3e2/sqlite3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://193.233.20.145/5710029e9331c3e2/freebl3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://193.233.20.145/5710029e9331c3e2/mozglue.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://193.233.20.145/5710029e9331c3e2/msvcp140.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://193.233.20.145/5710029e9331c3e2/nss3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://193.233.20.145/5710029e9331c3e2/softokn3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://193.233.20.145/5710029e9331c3e2/vcruntime140.dll
request POST http://193.233.20.145/d27b1d581e3729a6.php
request GET http://193.233.20.145/5710029e9331c3e2/sqlite3.dll
request GET http://193.233.20.145/5710029e9331c3e2/freebl3.dll
request GET http://193.233.20.145/5710029e9331c3e2/mozglue.dll
request GET http://193.233.20.145/5710029e9331c3e2/msvcp140.dll
request GET http://193.233.20.145/5710029e9331c3e2/nss3.dll
request GET http://193.233.20.145/5710029e9331c3e2/softokn3.dll
request GET http://193.233.20.145/5710029e9331c3e2/vcruntime140.dll
request POST http://193.233.20.145/d27b1d581e3729a6.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73951000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b01000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72ac4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b02000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72781000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72761000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73921000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x726f1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 917504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x039d0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03a70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x726e2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 917504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03f50000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03ff0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72611000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75511000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13317681152
free_bytes_available: 13317681152
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3251387
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: C:\
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13317681152
free_bytes_available: 13317681152
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3251387
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: C:\
total_number_of_clusters: 8362495
1 1 0
ESET-NOD32 a variant of MSIL/GenKryptik.GHPD
Kaspersky HEUR:Trojan-Spy.MSIL.Stealer.gen
MAX malware (ai score=87)
VBA32 CIL.HeapOverride.Heur
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeCreateTokenPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeMachineAccountPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTcbPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTakeOwnershipPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeLoadDriverPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRemoteShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeEnableDelegationPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeManageVolumePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeCreateGlobalPrivilege
1 1 0
host 193.233.20.145