Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 8, 2023, 1:59 p.m.	July 8, 2023, 2:12 p.m.

Size	3.4MB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`b63f57d948b00f885ce27af54503df3a`
SHA256	`22a094a2bdd1c3f865046f54b3cf3c958cf59f57f7a0ed9c0c31aadc8cf49ec4`
CRC32	`0EA6DF6F`
ssdeep	`98304:a830UshgHzyAUUxfystLGUtR/UfBt14SUyDIzC4ODoBZNlhK:arhMyO6aUpac+C4KoBl0`
Yara	IsDLL - (no description) IsPE64 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\new64x.dll,rundll
2548
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\new64x.dll,rundll
  2688
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\new64x.dll,
2632

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.67.75.172	Active	Moloch
5.42.65.67	Active	Moloch

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 8, 2023, 1:52 p.m.			0	0

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 8, 2023, 1:52 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

section

{u'size_of_data': u'0x0036a800', u'virtual_address': u'0x00179000', u'entropy': 7.794869650281678, u'name': u'.rn}', u'virtual_size': u'0x0036a6b8'}

entropy

7.79486965028

description

A section with a high entropy has been found

entropy

0.998572652013

description

Overall entropy of this PE file is high

host	172.67.75.172
host	5.42.65.67

new64x.dll