Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 10, 2023, 9:44 p.m.	April 10, 2023, 9:47 p.m.

Size	312.0KB
Type	PE32+ executable (DLL) (console) x86-64, for MS Windows
MD5	`7ce957f22b7f412ab41de9604aa9c674`
SHA256	`7d0d7e3df2fdf261585d0491c1d4b7d47ae9d6a9562a8ac372d8d37036d8b363`
CRC32	`E39DFC5C`
ssdeep	`6144:MyA+a/5f7IRdAjeR62njOnxsfC9lHoCfdoC2SKC:e+a/5f7IzAjeR6SjS8ClaqK`
PDB Path	fcon.pdb
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet IsDLL - (no description) IsPE64 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\fcon.dll,DllGetActivationFactory
2732
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\fcon.dll,DllGetActivationFactory
  2968
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\fcon.dll,DllGetClassObject
2820
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\fcon.dll,DllGetClassObject
  3040
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\fcon.dll,DllCanUnloadNow
2636
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\fcon.dll,DllCanUnloadNow
  1336
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\fcon.dll,GetCtacPropertyAlloc
2916
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\fcon.dll,GetCtacPropertyAlloc
  2404
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\fcon.dll,ModifyStagingControlVariants
1216
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\fcon.dll,ModifyStagingControlVariants
  2476
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\fcon.dll,ModifyStagingControls
1400
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\fcon.dll,ModifyStagingControls
  2716
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\fcon.dll,SubscribeFeatureReporting
2420
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\fcon.dll,SubscribeFeatureReporting
  2936
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\fcon.dll,UnsubscribeFeatureReporting
2676
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\fcon.dll,UnsubscribeFeatureReporting
  2416
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\fcon.dll,
2880

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

fcon.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 10, 2023, 9:44 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	MUI
resource name	WEVT_TEMPLATE

fcon.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All