Summary | ZeroBOX

TeamsUpdate.dll

Generic Malware PE64 PE File DLL
Category FILE
Machine s1_win7_x6401
Started June 26, 2023, 5:30 p.m.
Completed June 26, 2023, 5:33 p.m.
Size 92.0KB
Type PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 650b84eaa4c3b6538ee4e427acb700da
SHA256 fecacfcbdc54786802588c81b646c55adb16ee83d5989220a2b8c90efcb8d712
CRC32 B6B5BDD4
ssdeep 768:aDHPBFnnp3MrrMBAkX/XX76PCGgvMJ91/W9/M8EK/sjUcnd02bsGLCHRAvPb5Go+:afnnp3OkX/H7x8nd0MCrJObdOBOO7H
Yara
  • IsDLL - (no description)
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
No hosts contacted.

IP Address Status Action
20.115.112.114 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 20.115.112.114:443 -> 192.168.56.101:49168 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49177 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49200 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49189 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49201 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49196 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49204 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49208 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49205 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49212 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49213 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49232 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49241 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49229 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49216 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49225 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49228 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49180 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49181 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49185 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49188 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49197 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49167 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49237 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49240 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49172 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49173 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49176 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49193 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49184 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49209 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49192 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49220 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49217 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49221 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49233 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49224 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49236 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2800
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002810000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2800
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002830000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2828
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2828
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000027c0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2828
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002810000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0

host 20.115.112.114

MicroWorld-eScan Generic.Trojan.Havokiz.Marte.D.BE8128EC
VIPRE Generic.Trojan.Havokiz.Marte.D.BE8128EC
Arcabit Generic.Trojan.Havokiz.Marte.D.BED1FC0EC
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win64/Havoc_AGen.B
Cynet Malicious (score: 100)
Kaspersky VHO:Backdoor.Win64.Havoc.gen
BitDefender Generic.Trojan.Havokiz.Marte.D.BE8128EC
FireEye Generic.Trojan.Havokiz.Marte.D.BE8128EC
Emsisoft Generic.Trojan.Havokiz.Marte.D.BE8128EC (B)
ZoneAlarm VHO:Backdoor.Win64.Havoc.gen
GData Generic.Trojan.Havokiz.Marte.D.BE8128EC
ALYac Generic.Trojan.Havokiz.Marte.D.BE8128EC
MAX malware (ai score=80)
DeepInstinct MALICIOUS