Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 12, 2023, 8:36 a.m.	June 12, 2023, 8:38 a.m.

Size	297.5KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`53c2b4ff75b21e128fd6f3314e30fde4`
SHA256	`bddfc195683fa1b460d4637256ce0fcaaaa07cf64217bfc71e72ac80f3563443`
CRC32	`6CC076A1`
ssdeep	`6144:HtEkenhntp+bTjbtyIdi/MJcTBwq4FtwbqNFzJSTBKbybpbublt4uYbP:HqkenZr+bDdIVwq4JzJSTQg`
PDB Path	C:\Users\è°·å \Desktop\2022è¿ç¨ç®¡çgfi\cangku\WinOsClientProject\x64\Release\ä¸çº¿æ¨¡å.pdb
Yara	UPX_Zero - UPX packed file IsDLL - (no description) Malicious_Library_Zero - Malicious_Library IsPE64 - (no description) anti_vm_detect - Possibly employs anti-virtualization techniques Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Antivirus - Contains references to security software Generic_Malware_Zero - Generic Malware

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,GetInstallDetailsPayload
2556
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,GetInstallDetailsPayload
  2928
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,SignalChromeElf
2640
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,SignalChromeElf
  2992
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,SignalChromeElf
    2272
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,Version
2732
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,Version
  1120
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,load
2824
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,load
  1356
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,run
2916
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,run
  148
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,
2072

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
104.76.78.101	Active	Moloch
193.134.208.217	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 12, 2023, 8:29 a.m.			0	0
IsDebuggerPresent June 12, 2023, 8:29 a.m.			0	0
IsDebuggerPresent June 12, 2023, 8:29 a.m.			0	0
IsDebuggerPresent June 12, 2023, 8:29 a.m.			0	0
IsDebuggerPresent June 12, 2023, 8:29 a.m.			0	0
IsDebuggerPresent June 12, 2023, 8:29 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\è°·å \Desktop\2022è¿ç¨ç®¡çgfi\cangku\WinOsClientProject\x64\Release\ä¸çº¿æ¨¡å.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 12, 2023, 8:29 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 12, 2023, 8:29 a.m.	stacktrace: 0x4d1204 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d1204 registers.r14: 1 registers.r15: 6 registers.rcx: 48 registers.rsi: 0 registers.r10: 0 registers.rbx: 32892820 registers.rsp: 43971896 registers.r11: 43972672 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092858960 registers.r12: 1 registers.rbp: 43972016 registers.rdi: 32892896 registers.rax: 5050880 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 12, 2023, 8:29 a.m.

stacktrace:

0x4d1204
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030
0xfffffa8000000030

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4d1204
registers.r14: 1
registers.r15: 6
registers.rcx: 48
registers.rsi: 0
registers.r10: 0
registers.rbx: 32892820
registers.rsp: 43971896
registers.r11: 43972672
registers.r8: 1994752396
registers.r9: 0
registers.rdx: 8796092858960
registers.r12: 1
registers.rbp: 43972016
registers.rdi: 32892896
registers.rax: 5050880
registers.r13: 0

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 12, 2023, 8:29 a.m.	process_identifier: 2992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2023, 8:29 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2023, 8:29 a.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2023, 8:29 a.m.	process_identifier: 1356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2023, 8:29 a.m.	process_identifier: 148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2023, 8:29 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 592 seconds, actually delayed analysis time by 592 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW June 12, 2023, 8:29 a.m.	total_number_of_free_bytes: 13324771328 free_bytes_available: 13324771328 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW June 12, 2023, 8:29 a.m.	total_number_of_free_bytes: 13324771328 free_bytes_available: 13324771328 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW June 12, 2023, 8:29 a.m.	total_number_of_free_bytes: 13324771328 free_bytes_available: 13324771328 root_path: C:\ total_number_of_bytes: 34252779520	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (8 events)

Time & API	Arguments	Status	Return
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: pw.exe process_identifier: 2332	1	1
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: taskhost.exe process_identifier: 2388	1	1
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2556	1	1
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2824	1	1
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2916	1	1
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2928	1	1
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 1356	1	1
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 148	1	1

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 108 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002c8 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a0 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a0 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a0 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a0 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a0 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a0 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a0 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a0 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a0 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a0 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a0 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a0 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a0 process_name: rundll32.exe process_identifier: 2272		0	0
Process32NextW June 12, 2023, 8:29 a.m.	snapshot_handle: 0x00000000000002a0 process_name: rundll32.exe process_identifier: 2272		0	0

Communicates with host for which no DNS query was performed (2 events)

host	104.76.78.101
host	193.134.208.217

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

193.134.208.217:6000

output_64.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All