Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 25, 2023, 7:35 a.m.	July 25, 2023, 7:44 a.m.

Size	8.2MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`2e66189aa1b6fd345a9c13124844ebbc`
SHA256	`bdee4edbe7adf842b519a47d964e64b219700b2ba1d7faf4b899e34bd63006b7`
CRC32	`D8948110`
ssdeep	`98304:4CPL/ezqAMdGUFI6wJ1cak9pnNhtxVHeI30CPFCxfM30pkN7Ij5giDHX:4gL/ezTgA1LkNH+g0zxML7mR`
Yara	UPX_Zero - UPX packed file Network_Downloader - File Downloader Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet IsPE64 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature ASPack_Zero - ASPack packed file

KavachAuthentication%20Updater.exe "C:\Users\test22\AppData\Local\Temp\KavachAuthentication%20Updater.exe"
300
- irsetup.exe "C:\Users\test22\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5626914 "__IRAFN:C:\Users\test22\AppData\Local\Temp\KavachAuthentication%20Updater.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3832866432-4053218753-3017428901-1001"
  2180
  - ApplicPywizable.exe "C:\Program Files\KavachAuthentication\ApplicPywizable.exe"
    2788
    - cmd.exe cmd ver
      2892
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
6jxbmkpe.torontobotdns.com	A 104.238.222.21 A 104.194.8.167 A 104.194.8.112 A 172.96.141.132 CNAME 8tqxpf27.torontobotdns.com A 172.96.140.32 A 172.96.140.157	104.194.8.112

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.96.140.157	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49180 -> 172.96.140.157:44441	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 25, 2023, 7:36 a.m.	computer_name: TEST22-PC	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 25, 2023, 7:35 a.m.		1	1	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW July 25, 2023, 7:35 a.m.	total_number_of_free_bytes: 9921110016 free_bytes_available: 9921110016 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW July 25, 2023, 7:36 a.m.	total_number_of_free_bytes: 9921183744 free_bytes_available: 9921183744 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
file	C:\Program Files\KavachAuthentication\ApplicPywizable.exe
file	C:\Users\test22\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\KavachAuthentication\ApplicPywizable.lnk

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\KavachAuthentication\ApplicPywizable.lnk

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 25, 2023, 7:36 a.m.	flags: 16 family: 0	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 25, 2023, 7:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (4 events)

url	http://www.indigorose.com/route.php?pid=suf9buy
url	http://www.indigorose.com
url	https://github.com/imroc/req)runtime.minit:
url	http://hybull

Yara rule detected in process memory (40 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Disable AntiVirus	rule	disable_antivirus
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Install itself for autorun at Windows startup	rule	Persistence
description	Run a KeyLogger	rule	KeyLogger

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 25, 2023, 7:36 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
file	C:\Program Files\KavachAuthentication\ApplicPywizable.exe

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Elastic	malicious (moderate confidence)
McAfee	Artemis!2E66189AA1B6
Sangfor	Trojan.Win32.Agent.V9fv
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
F-Secure	Heuristic.HEUR/AGEN.1363328
McAfee-GW-Edition	BehavesLike.Win64.Dropper.rc
Sophos	Generic ML PUA (PUA)
Webroot	Pua.Gen
Avira	HEUR/AGEN.1363328
Gridinsoft	Trojan.Win64.CoinMiner.dd!s1
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Google	Detected
Ikarus	Trojan-Dropper.SparkRat
Fortinet	W64/Biodata.GNVQ1TR
DeepInstinct	MALICIOUS

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 300 resumed a thread in remote process 2180
Process injection	Process 2180 resumed a thread in remote process 2788
NtResumeThread July 25, 2023, 7:35 a.m.	thread_handle: 0x0000000000000278 suspend_count: 1 process_identifier: 2180	1	0	0
NtResumeThread July 25, 2023, 7:36 a.m.	thread_handle: 0x0000000000000358 suspend_count: 1 process_identifier: 2788	1	0	0

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress July 25, 2023, 7:36 a.m.	ordinal: 0 function_address: 0x000007fefe467a50 function_name: wine_get_version module: ntdll module_address: 0x00000000776c0000		-1073741511	0

KavachAuthentication%20Updater.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All