Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 14, 2023, 7:36 a.m.	Aug. 14, 2023, 7:39 a.m.

Size	471.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`328064b232879fe34864e9c6d88608ed`
SHA256	`ada3f1fca37b6aa5a1b851c10e9d35fb9fd7d757c6e6bcccba173e933ef30837`
CRC32	`DE31DE6A`
ssdeep	`12288:sl2/13vxcqRQG6KPwy44mYQ6/0hYYVKOOu:DxcqRQGvPD4jYQbYYMOO`
Yara	OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file anti_vm_detect - Possibly employs anti-virtualization techniques Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

build666.exe "C:\Users\test22\AppData\Local\Temp\build666.exe"
2548

Name	Response	Post-Analysis Lookup
t.me	A 149.154.167.99	149.154.167.99
steamcommunity.com	A 104.75.41.21	104.76.78.101

IP Address	Status	Action
104.75.41.21	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
37.27.11.1	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 14, 2023, 7:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 14, 2023, 7:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 14, 2023, 7:36 a.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 14, 2023, 7:36 a.m.	stacktrace: LdrResFindResourceDirectory+0x606 RtlEncodeSystemPointer-0x3d ntdll+0x3e01b @ 0x76f4e01b LdrLoadDll+0x2f5 _strcmpi-0x8a ntdll+0x3c72f @ 0x76f4c72f RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x76f4c389 RtlFlsAlloc+0x993 EtwNotificationRegister-0x13c ntdll+0x3f3f6 @ 0x76f4f3f6 RtlEncodeSystemPointer+0x33d RtlFindClearBits-0x454 ntdll+0x3e395 @ 0x76f4e395 RtlSetBits+0x115 RtlFlsAlloc-0x5e ntdll+0x3ea05 @ 0x76f4ea05 RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52 RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52 RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52 RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52 RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x76f4d69f LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x736ed4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a LoadLibraryExA+0x26 FreeLibrary-0x18 kernelbase+0x11d7a @ 0x75981d7a LoadLibraryA+0x31 HeapCreate-0x25 kernel32+0x14a08 @ 0x755c4a08 build666+0x1deef @ 0x96deef build666+0x1e161 @ 0x96e161 build666+0x25096 @ 0x975096 build666+0x15e1b @ 0x965e1b build666+0x177cf @ 0x9677cf build666+0x3688c @ 0x98688c BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 83 38 48 0f 82 39 ff 01 00 8b 48 40 85 c9 0f 84 exception.symbol: LdrResFindResourceDirectory+0x9f RtlEncodeSystemPointer-0x5a4 ntdll+0x3dab4 exception.instruction: cmp dword ptr [eax], 0x48 exception.module: ntdll.dll exception.exception_code: 0xc0000006 exception.offset: 252596 exception.address: 0x76f4dab4 registers.esp: 3667152 registers.edi: 1 registers.eax: 268468152 registers.ebp: 3667156 registers.edx: 268468152 registers.ebx: 268435456 registers.esi: 1996562944 registers.ecx: 64	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 14, 2023, 7:36 a.m.

stacktrace:

LdrResFindResourceDirectory+0x606 RtlEncodeSystemPointer-0x3d ntdll+0x3e01b @ 0x76f4e01b
LdrLoadDll+0x2f5 _strcmpi-0x8a ntdll+0x3c72f @ 0x76f4c72f
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x76f4c389
RtlFlsAlloc+0x993 EtwNotificationRegister-0x13c ntdll+0x3f3f6 @ 0x76f4f3f6
RtlEncodeSystemPointer+0x33d RtlFindClearBits-0x454 ntdll+0x3e395 @ 0x76f4e395
RtlSetBits+0x115 RtlFlsAlloc-0x5e ntdll+0x3ea05 @ 0x76f4ea05
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x76f4d69f
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x736ed4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a
LoadLibraryExA+0x26 FreeLibrary-0x18 kernelbase+0x11d7a @ 0x75981d7a
LoadLibraryA+0x31 HeapCreate-0x25 kernel32+0x14a08 @ 0x755c4a08
build666+0x1deef @ 0x96deef
build666+0x1e161 @ 0x96e161
build666+0x25096 @ 0x975096
build666+0x15e1b @ 0x965e1b
build666+0x177cf @ 0x9677cf
build666+0x3688c @ 0x98688c
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 83 38 48 0f 82 39 ff 01 00 8b 48 40 85 c9 0f 84
exception.symbol: LdrResFindResourceDirectory+0x9f RtlEncodeSystemPointer-0x5a4 ntdll+0x3dab4
exception.instruction: cmp dword ptr [eax], 0x48
exception.module: ntdll.dll
exception.exception_code: 0xc0000006
exception.offset: 252596
exception.address: 0x76f4dab4
registers.esp: 3667152
registers.edi: 1
registers.eax: 268468152
registers.ebp: 3667156
registers.edx: 268468152
registers.ebx: 268435456
registers.esi: 1996562944
registers.ecx: 64

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://37.27.11.1/6ba937c4f557f3e5e256c94548f72a29
suspicious_features	Connection to IP address				suspicious_request	GET http://37.27.11.1/forum.zip

Performs some HTTP requests (3 events)

request	GET http://37.27.11.1/6ba937c4f557f3e5e256c94548f72a29
request	GET http://37.27.11.1/forum.zip
request	GET https://steamcommunity.com/profiles/76561199536605936

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 14, 2023, 7:36 a.m.	process_identifier: 2548 region_size: 995328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x61e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (6 events)

file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Communicates with host for which no DNS query was performed (1 event)

host

37.27.11.1

Network activity contains more than one unique useragent (2 events)

process	build666.exe				useragent	Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
process	build666.exe				useragent	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.111 YaBrowser/21.2.1.94 (beta) Yowser/2.5 Safari/537.36

build666.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All