Summary | ZeroBOX

update.7z

Tags KeyLogger, Escalate privileges, AntiDebug, AntiVM
Category FILE
Machine s1_win7_x6402
Started May 9, 2023, 6:52 p.m.
Completed May 9, 2023, 6:54 p.m.
Size 7.5MB
Type 7-zip archive data, version 0.3
MD5 c9027a96969b77612260fd952c632a54
SHA256 9788c1614110fa6e1ab957e4563331a8f8bddd926a0c3f8c7b891afa2203cf68
CRC32 1A51B4AA
ssdeep 196608:q3DdX9x2JbiVxxRSu6cmHah4obwnFHeSbuRMAo+Im6dXsU:+HEuxRSu6cgK4HnFys8U
Yara None matched

Domains (Name / Response / Post-Analysis Lookup)
No domain names resolved; the hosts contacted by IP are listed below.
IP Address Status Action
110.253.0.141 Active Moloch
110.253.0.205 Active Moloch
110.253.0.69 Active Moloch
110.253.0.79 Active Moloch
110.253.103.107 Active Moloch
110.253.103.7 Active Moloch
110.253.105.111 Active Moloch
110.253.107.75 Active Moloch
110.253.115.25 Active Moloch
110.253.116.33 Active Moloch
110.253.117.43 Active Moloch
110.253.117.57 Active Moloch
110.253.118.125 Active Moloch
110.253.119.51 Active Moloch
110.253.12.41 Active Moloch
110.253.120.121 Active Moloch
110.253.122.179 Active Moloch
110.253.125.237 Active Moloch
110.253.126.15 Active Moloch
110.253.127.39 Active Moloch
110.253.129.141 Active Moloch
110.253.129.205 Active Moloch
110.253.131.35 Active Moloch
110.253.133.229 Active Moloch
110.253.135.209 Active Moloch
110.253.136.179 Active Moloch
110.253.136.7 Active Moloch
110.253.14.129 Active Moloch
110.253.147.249 Active Moloch
110.253.151.119 Active Moloch
110.253.151.163 Active Moloch
110.253.152.135 Active Moloch
110.253.155.171 Active Moloch
110.253.158.247 Active Moloch
110.253.161.179 Active Moloch
110.253.162.25 Active Moloch
110.253.162.45 Active Moloch
110.253.163.255 Active Moloch
110.253.164.121 Active Moloch
110.253.167.217 Active Moloch
110.253.170.157 Active Moloch
110.253.171.143 Active Moloch
110.253.174.111 Active Moloch
110.253.174.13 Active Moloch
110.253.174.139 Active Moloch
110.253.175.175 Active Moloch
110.253.176.79 Active Moloch
110.253.177.175 Active Moloch
110.253.177.187 Active Moloch
110.253.178.179 Active Moloch
110.253.180.233 Active Moloch
110.253.180.27 Active Moloch
110.253.180.79 Active Moloch
110.253.184.67 Active Moloch
110.253.185.11 Active Moloch
110.253.187.133 Active Moloch
110.253.189.119 Active Moloch
110.253.19.39 Active Moloch
110.253.194.171 Active Moloch
110.253.198.69 Active Moloch
110.253.199.83 Active Moloch
110.253.2.13 Active Moloch
110.253.2.35 Active Moloch
110.253.204.103 Active Moloch
110.253.206.135 Active Moloch
110.253.207.67 Active Moloch
110.253.208.175 Active Moloch
110.253.208.225 Active Moloch
110.253.210.213 Active Moloch
110.253.211.83 Active Moloch
110.253.215.131 Active Moloch
110.253.215.51 Active Moloch
110.253.216.133 Active Moloch
110.253.217.167 Active Moloch
110.253.217.241 Active Moloch
110.253.220.17 Active Moloch
110.253.222.39 Active Moloch
110.253.226.149 Active Moloch
110.253.229.47 Active Moloch
110.253.233.27 Active Moloch
110.253.234.243 Active Moloch
110.253.235.107 Active Moloch
110.253.235.13 Active Moloch
110.253.235.143 Active Moloch
110.253.236.125 Active Moloch
110.253.236.153 Active Moloch
110.253.239.27 Active Moloch
110.253.24.49 Active Moloch
110.253.241.217 Active Moloch
110.253.244.123 Active Moloch
110.253.244.3 Active Moloch
110.253.251.149 Active Moloch
110.253.253.141 Active Moloch
110.253.254.231 Active Moloch
110.253.255.129 Active Moloch
110.253.32.153 Active Moloch
110.253.32.163 Active Moloch
110.253.32.185 Active Moloch
110.253.32.187 Active Moloch
110.253.32.3 Active Moloch
110.253.35.85 Active Moloch
110.253.36.205 Active Moloch
110.253.4.171 Active Moloch
110.253.40.71 Active Moloch
110.253.42.77 Active Moloch
110.253.44.15 Active Moloch
110.253.45.105 Active Moloch
110.253.48.191 Active Moloch
110.253.5.177 Active Moloch
110.253.52.175 Active Moloch
110.253.54.29 Active Moloch
110.253.54.69 Active Moloch
110.253.58.27 Active Moloch
110.253.6.237 Active Moloch
110.253.67.85 Active Moloch
110.253.69.147 Active Moloch
110.253.7.201 Active Moloch
110.253.70.11 Active Moloch
110.253.76.99 Active Moloch
110.253.83.67 Active Moloch
110.253.83.81 Active Moloch
110.253.84.177 Active Moloch
110.253.84.33 Active Moloch
110.253.85.137 Active Moloch
110.253.90.123 Active Moloch
110.253.92.191 Active Moloch
110.253.93.141 Active Moloch
110.253.93.159 Active Moloch
110.253.94.143 Active Moloch
110.253.95.93 Active Moloch
110.253.96.67 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49694 -> 110.253.133.229:445 2001569 ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection Misc activity
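The alert above fires on a single flow, but the host list shows the sample reaching well over a hundred addresses inside 110.253.0.0/16, which is the pattern behind the ET SCAN signature. The following Python is an added example and not part of the ZeroBOX report: it parses the Suricata row into typed fields and then summarises a constructed subset of the contacted hosts per /16 to decide whether the traffic looks like a single-port sweep. The thresholds (min_hosts, min_subnets) and the assumption that the other connections used the same destination port 445 as the alerted flow are mine, not values printed in the report.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed input: a subset of the IP addresses from the host list above
# (the full report lists about 130 hosts in 110.253.0.0/16 plus one outlier).
CONTACTED = [
    "110.253.0.141", "110.253.0.205", "110.253.12.41", "110.253.103.107",
    "110.253.115.25", "110.253.129.141", "110.253.133.229", "110.253.147.249",
    "110.253.162.25", "110.253.180.233", "110.253.204.103", "110.253.215.131",
    "110.253.233.27", "110.253.244.3", "110.253.32.3", "110.253.54.69",
    "110.253.83.67", "110.253.96.67",
    "164.124.101.2",
]

# The one Suricata alert row from the report, copied verbatim.
ALERT = ("TCP 192.168.56.102:49694 -> 110.253.133.229:445 2001569 "
         "ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection "
         "Misc activity")

ALERT_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<sid>\d+)\s+(?P<msg>.+)$")


def parse_suricata_flow(line):
    """Split one 'Flow SID Signature Category' row into typed fields."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised alert row: {line!r}")
    d = m.groupdict()
    for key in ("sport", "dport", "sid"):
        d[key] = int(d[key])
    return d


def group_by_prefix(addrs, prefixlen):
    """Bucket IPv4 addresses by their enclosing /prefixlen network."""
    buckets = defaultdict(set)
    for a in addrs:
        ip = ipaddress.ip_address(a)
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        buckets[net].add(ip)
    return buckets


def describe_sweep(addrs, port, min_hosts=10, min_subnets=5):
    """Summarise contacted hosts per /16 and flag buckets that look like a
    single-port sweep: many distinct hosts spread over many distinct /24s.
    The thresholds are assumed starting points, not values from the report."""
    summary = {}
    for net, ips in group_by_prefix(addrs, 16).items():
        subnets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
        summary[str(net)] = {
            "hosts": len(ips),
            "subnets_24": len(subnets),
            "port": port,
            "sweep": len(ips) >= min_hosts and len(subnets) >= min_subnets,
        }
    return summary


if __name__ == "__main__":
    flow = parse_suricata_flow(ALERT)
    # Assumption: the remaining connections used the same destination port
    # as the alerted flow; the report prints only this one flow.
    for net, info in describe_sweep(CONTACTED, flow["dport"]).items():
        print(net, info)
```

On the full host list the 110.253.0.0/16 bucket is far above both thresholds while 164.124.101.2 stays a one-host bucket, so the outlier is the address worth looking at separately rather than treating as part of the sweep.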

Suricata TLS

No Suricata TLS

API IsDebuggerPresent
Arguments (none)
Status / Return / Repeated 0 0

API GlobalMemoryStatusEx
Arguments (none)
Status / Return / Repeated 1 1 0
API NtProtectVirtualMemory
Arguments
  process_identifier: 2216
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x74002000
  process_handle: 0xffffffff
Status / Return / Repeated 1 0 0

API NtProtectVirtualMemory
Arguments
  process_identifier: 2216
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x737e3000
  process_handle: 0xffffffff
Status / Return / Repeated 1 0 0
file C:\Users\test22\AppData\Local\Temp\7zE8A897124\install.cmd
file C:\Users\test22\AppData\Local\Temp\7zE8A897124\sqhost_new.exe
file C:\Users\test22\AppData\Local\Temp\7zE8A897124\rdpcIip_new.exe
API LookupPrivilegeValueW
Arguments
  system_name: (empty, i.e. the local system)
  privilege_name: SeRestorePrivilege
Status / Return / Repeated 1 1 0

API LookupPrivilegeValueW
Arguments
  system_name: (empty, i.e. the local system)
  privilege_name: SeSecurityPrivilege
Status / Return / Repeated 1 1 0
Matched rules
rule Generic_PWS_Memory_Zero  description: PWS Memory
rule Escalate_priviledges  description: Escalate privileges
rule DebuggerCheck__GlobalFlags  description: (no description)
rule DebuggerCheck__QueryInfo  description: (no description)
rule DebuggerHiding__Thread  description: (no description)
rule DebuggerHiding__Active  description: (no description)
rule ThreadControl__Context  description: (no description)
rule SEH__vectored  description: (no description)
rule anti_dbg  description: Checks if being debugged
rule disable_dep  description: Bypass DEP
rule KeyLogger  description: Run a KeyLogger
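The disable_dep and Escalate_priviledges hits above can be re-derived from the raw API rows, and the dropped-file paths carry a signal the report's rules do not print: sqhost_new.exe is two edits away from svchost, and rdpcIip_new.exe becomes rdpclip once the capital I is read as a lower-case l. The following Python is an added example, not the sandbox's own signature code: it replays the events transcribed from the tables above through three small checks (RWX page protection, sensitive-privilege lookup, system-binary lookalike names). The privilege and system-name watch-lists, the homoglyph map and the edit-distance threshold are assumptions chosen for illustration.

```python
# Constructed events transcribed from the API and file tables above; the
# dictionary keys mirror the report's own field names.
API_EVENTS = [
    {"api": "IsDebuggerPresent", "args": {}, "ret": 0},
    {"api": "GlobalMemoryStatusEx", "args": {}, "ret": 1},
    {"api": "NtProtectVirtualMemory",
     "args": {"process_identifier": 2216, "length": 4096,
              "protection": 64, "base_address": 0x74002000}, "ret": 1},
    {"api": "NtProtectVirtualMemory",
     "args": {"process_identifier": 2216, "length": 4096,
              "protection": 64, "base_address": 0x737e3000}, "ret": 1},
    {"api": "LookupPrivilegeValueW",
     "args": {"privilege_name": "SeRestorePrivilege"}, "ret": 1},
    {"api": "LookupPrivilegeValueW",
     "args": {"privilege_name": "SeSecurityPrivilege"}, "ret": 1},
]
DROPPED_FILES = [
    r"C:\Users\test22\AppData\Local\Temp\7zE8A897124\install.cmd",
    r"C:\Users\test22\AppData\Local\Temp\7zE8A897124\sqhost_new.exe",
    r"C:\Users\test22\AppData\Local\Temp\7zE8A897124\rdpcIip_new.exe",
]

PAGE_EXECUTE_READWRITE = 0x40
# Privileges that bypass DACLs or reach into other processes. Assumed
# watch-list; the report only shows the first two being looked up.
SENSITIVE_PRIVILEGES = {
    "SeRestorePrivilege", "SeSecurityPrivilege", "SeBackupPrivilege",
    "SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
}
# Windows binary names that droppers imitate (assumed watch-list).
SYSTEM_NAMES = ("csrss", "explorer", "lsass", "rdpclip", "svchost", "winlogon")
# Glyphs that pass for a lower-case l or o in common fonts. Applied before
# lower-casing so that a capital I folds to l instead of to i.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def levenshtein(a, b):
    """Edit distance with a two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(path, max_distance=2):
    """Return (stem, imitated_name, distance) when a dropped file's base name
    is within max_distance edits of a system binary after homoglyph folding
    and stripping a '_suffix' (sqhost_new -> sqhost); otherwise None."""
    base = path.rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0].split("_", 1)[0]
    folded = stem.translate(HOMOGLYPHS).lower()
    best = min(SYSTEM_NAMES, key=lambda n: levenshtein(folded, n))
    distance = levenshtein(folded, best)
    return (stem, best, distance) if distance <= max_distance else None


def rule_rwx_protect(ev):
    """The report's disable_dep heuristic: a page made writable and executable."""
    return (ev["api"] == "NtProtectVirtualMemory"
            and ev["args"].get("protection") == PAGE_EXECUTE_READWRITE)


def rule_sensitive_privilege(ev):
    """The report's Escalate_priviledges heuristic: resolving the LUID of a
    privilege that would typically be enabled next via AdjustTokenPrivileges."""
    return (ev["api"] == "LookupPrivilegeValueW"
            and ev["args"].get("privilege_name") in SENSITIVE_PRIVILEGES)


def evaluate(api_events, dropped_files):
    """Run all three checks and return the matching artefacts per check."""
    hits = {"rwx_pages": [], "privileges": [], "lookalike_files": []}
    for ev in api_events:
        if rule_rwx_protect(ev):
            hits["rwx_pages"].append(hex(ev["args"]["base_address"]))
        if rule_sensitive_privilege(ev):
            hits["privileges"].append(ev["args"]["privilege_name"])
    for path in dropped_files:
        match = lookalike(path)
        if match:
            hits["lookalike_files"].append(match)
    return hits


if __name__ == "__main__":
    for name, found in evaluate(API_EVENTS, DROPPED_FILES).items():
        print(f"{name}: {found}")
```

The lookalike check deliberately folds glyphs before lower-casing; lower-casing first would turn rdpcIip into rdpciip and the distance to rdpclip would rise to one, which still passes the threshold here but would not for a shorter name.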
host 110.253.0.141
host 110.253.0.205
host 110.253.0.69
host 110.253.0.79
host 110.253.103.107
host 110.253.103.7
host 110.253.105.111
host 110.253.107.75
host 110.253.115.25
host 110.253.116.33
host 110.253.117.43
host 110.253.117.57
host 110.253.118.125
host 110.253.119.51
host 110.253.12.41
host 110.253.120.121
host 110.253.122.179
host 110.253.125.237
host 110.253.126.15
host 110.253.127.39
host 110.253.129.141
host 110.253.129.205
host 110.253.131.35
host 110.253.133.229
host 110.253.135.209
host 110.253.136.179
host 110.253.136.7
host 110.253.14.129
host 110.253.147.249
host 110.253.151.119
host 110.253.151.163
host 110.253.152.135
host 110.253.155.171
host 110.253.158.247
host 110.253.161.179
host 110.253.162.25
host 110.253.162.45
host 110.253.163.255
host 110.253.164.121
host 110.253.167.217
host 110.253.170.157
host 110.253.171.143
host 110.253.174.111
host 110.253.174.13
host 110.253.174.139
host 110.253.175.175
host 110.253.176.79
host 110.253.177.175
host 110.253.177.187
host 110.253.178.179