Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 20, 2023, 7:29 a.m.	June 20, 2023, 7:40 a.m.

Size	212.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`ec77a84dddf6fef090dde4d2ab3a1007`
SHA256	`7e29847ad89b06a94bb9c64898f922688addbe295fad4667546338b3240aeffd`
CRC32	`596CBAFC`
ssdeep	`6144:gYa6HollUqtrdWGmJKJE70a6seVSXRs0TZ/J:gYdollXtaJma6TMRHf`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer PE_Header_Zero - PE File Signature IsPE32 - (no description)

juneowar2.1.exe "C:\Users\test22\AppData\Local\Temp\juneowar2.1.exe"
1700
- juneowar2.1.exe "C:\Users\test22\AppData\Local\Temp\juneowar2.1.exe"
  2132
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
ifedinma.duckdns.org	A 84.54.50.66	84.54.50.66

IP Address	Status	Action
164.124.101.2	Active	Moloch
84.54.50.66	Active	Moloch

Flow	SID	Signature	Category
TCP 84.54.50.66:6060 -> 192.168.56.103:49165	2036735	ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 84.54.50.66:6060	2036734	ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin	Malware Command and Control Activity Detected
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 20, 2023, 7:29 a.m.	computer_name: TEST22-PC	1	1	0

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 20, 2023, 7:29 a.m.		1	1	0

section

.ndata

domain

ifedinma.duckdns.org

Time & API	Arguments	Status
NtAllocateVirtualMemory June 20, 2023, 7:29 a.m.	process_identifier: 1700 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 7:29 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02db0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 7:22 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

file	C:\Users\test22\AppData\Local\Temp\nsxC1B7.tmp\kgthrdsiq.dll
file	C:\Users\test22\AppData\Roaming\rwgclupyien\jscxhqmv.exe

file	C:\Users\test22\AppData\Roaming\rwgclupyien\jscxhqmv.exe
file	C:\Users\test22\AppData\Local\Temp\nsxC1B7.tmp\kgthrdsiq.dll

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\rbkgpytdyir

reg_value

C:\Users\test22\AppData\Roaming\rwgclupyien\jscxhqmv.exe "C:\Users\test22\AppData\Local\Temp\juneowar2.1.exe"

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA June 20, 2023, 7:29 a.m.	thread_identifier: 0 callback_function: 0x004074c0 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	131539	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1700 called NtSetContextThread to modify thread in remote process 2132
NtSetContextThread June 20, 2023, 7:29 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4216632 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000220 process_identifier: 2132	1	0	0

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agent.tshg
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Nemesis.22777
FireEye	Generic.mg.ec77a84dddf6fef0
McAfee	Artemis!EC77A84DDDF6
Cylance	unsafe
VIPRE	Gen:Variant.Nemesis.22777
Sangfor	Trojan.Win32.Agent.Vuoz
Cybereason	malicious.dddf6f
Arcabit	Trojan.Nemesis.D58F9 [many]
Cyren	W32/Injector.BOF.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Injector.ETBA
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Nemesis.22777
Avast	FileRepMalware [Trj]
Emsisoft	Gen:Variant.Nemesis.22777 (B)
F-Secure	Heuristic.HEUR/AGEN.1337959
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Sophos	Mal/Generic-S
Ikarus	Trojan.NSIS.Agent
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1337959
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Zum.Androm.1
Google	Detected
AhnLab-V3	Trojan/Win.NSISInject.R495658
MAX	malware (ai score=86)
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H07FJ23
Rising	Trojan.Avemariarat!8.11CB9 (TFE:6:M0iIpRjbqhI)
Fortinet	NSIS/Agent.DCAC!tr
AVG	FileRepMalware [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

juneowar2.1.exe