Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 18, 2023, 5:53 p.m.	Aug. 18, 2023, 5:56 p.m.

Size	5.7MB
Type	7-zip archive data, version 0.4
MD5	`cd129faa117216c35156304670140b06`
SHA256	`2ed51b16a10c47ea4cfc865e789b9f0a5f99a5f36cca9c15a17106325a03d45c`
CRC32	`CAA92182`
ssdeep	`98304:Y9jhqXahtjjA9ZUpP7ut9TLLfZFKA83tCQ4Cz83aVGGrzcfK1CMhWzXiDLjiK8e2:Y9NqXaLc9ZqatFPRFKA89N4T3KGffiSt`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "XJpFCD" C:\Users\test22\AppData\Local\Temp\pass1234_setup.7z
3008
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\pass1234_setup.7z"
  2204

Name	Response	Post-Analysis Lookup
bitbucket.org	A 104.192.141.1	104.192.141.1
iplogger.org	A 148.251.234.83	148.251.234.83
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.67 A 87.240.137.164 A 93.186.225.194 A 87.240.132.78	87.240.132.78
zzz.fhauiehgha.com	A 103.100.211.218	103.100.211.218
iplis.ru	A 148.251.234.93	148.251.234.93
apps.identrust.com	A 61.111.58.35 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 61.111.58.34 A 23.67.53.17 A 23.67.53.18	23.67.53.18
busell.store	A 172.67.159.178 A 104.21.9.89	172.67.159.178
ipinfo.io	A 34.117.59.81	34.117.59.81
sun6-22.userapi.com	A 95.142.206.2	95.142.206.2
z.nnnaajjjgc.com	A 156.236.72.121	156.236.72.121
learn.microsoft.com	CNAME e13636.dscb.akamaiedge.net A 23.219.70.2 CNAME learn-public.trafficmanager.net CNAME learn.microsoft.com.edgekey.net CNAME learn.microsoft.com.edgekey.net.globalredir.akadns.net	23.200.154.53
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	104.26.9.59
transfer.sh	A 144.76.136.153	144.76.136.153
db-ip.com	A 172.67.75.166 A 104.26.5.15 A 104.26.4.15	172.67.75.166
www.maxmind.com	A 104.17.214.67 A 104.17.215.67	104.17.214.67
sun6-21.userapi.com	A 95.142.206.1	95.142.206.1
sun6-23.userapi.com	A 95.142.206.3	95.142.206.3
api.db-ip.com	A 172.67.75.166 A 104.26.4.15 A 104.26.5.15	172.67.75.166

IP Address	Status	Action
103.100.211.218	Active	Moloch
104.17.214.67	Active	Moloch
104.192.141.1	Active	Moloch
104.21.9.89	Active	Moloch
144.76.136.153	Active	Moloch
149.202.0.242	Active	Moloch
148.251.234.83	Active	Moloch
148.251.234.93	Active	Moloch
156.236.72.121	Active	Moloch
163.123.143.4	Active	Moloch
164.124.101.2	Active	Moloch
172.67.75.163	Active	Moloch
172.67.75.166	Active	Moloch
185.244.181.112	Active	Moloch
193.233.254.61	Active	Moloch
194.169.175.128	Active	Moloch
194.169.175.233	Active	Moloch
194.26.135.162	Active	Moloch
208.67.104.60	Active	Moloch
23.219.70.2	Active	Moloch
23.67.53.17	Active	Moloch
34.117.59.81	Active	Moloch
45.15.156.229	Active	Moloch
61.111.58.34	Active	Moloch
77.91.124.231	Active	Moloch
77.91.124.54	Active	Moloch
87.121.221.58	Active	Moloch
93.186.225.194	Active	Moloch
94.142.138.131	Active	Moloch
95.142.206.1	Active	Moloch
95.142.206.2	Active	Moloch
95.142.206.3	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 18, 2023, 5:53 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 18, 2023, 5:53 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://94.142.138.131/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://94.142.138.131/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://77.91.124.231/info/photo551.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://87.121.221.58/g.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://87.121.221.58/g.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://77.91.124.231/info/photo551.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.15.156.229/api/tracemap.php
suspicious_features	Connection to IP address	suspicious_request	GET http://208.67.104.60/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://193.233.254.61/loghub/master
suspicious_features	GET method with no useragent header	suspicious_request	GET https://transfer.sh/get/Els5w2XD23/1ds3y.exe

Performs some HTTP requests (32 events)

request	GET http://94.142.138.131/api/tracemap.php
request	POST http://94.142.138.131/api/firegate.php
request	HEAD http://77.91.124.231/info/photo551.exe
request	HEAD http://87.121.221.58/g.exe
request	GET http://87.121.221.58/g.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://77.91.124.231/info/photo551.exe
request	HEAD http://zzz.fhauiehgha.com/m/okka25.exe
request	GET http://zzz.fhauiehgha.com/m/okka25.exe
request	GET http://45.15.156.229/api/tracemap.php
request	GET http://208.67.104.60/api/tracemap.php
request	POST http://193.233.254.61/loghub/master
request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	GET http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=GPe3xmuleVDaoOMEldmdr3MP.exe&platform=0009&osver=5&isServer=0
request	GET https://api.myip.com/
request	GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request	GET https://busell.store/setup294.exe
request	GET https://vk.com/doc647736509_665757334?hash=BLle7vdX3iFMB4azpVJZYs9WrN6tEhp1wsHXrbQ6Ufz&dl=vr8PySakhGw7js63wfoBEncgnNsFZVbFO8czAHxd9Bk&api=1&no_preview=1#WW1
request	GET https://sun6-22.userapi.com/c237231/u647736509/docs/d56/ff6bde39d062/WWW1.bmp?extra=s__W1ni87TI6Duoswc_5WTp-ZIO2Qd59SKzhEqRFcQl-k1J4KAcBfVMo-bPsw0dFD9VXVx7H98KchsBhY5pJ34s_2Pecy9ZUMezwbbMr7285OlnifZTf678xl_FtoUV2KZ57GsxX98HPQN8_MQ
request	GET https://vk.com/doc647736509_665757351?hash=xRNMJvtBxeMy9F0ahVhVsVflJbZD3QhaFKB8SVYcH0D&dl=kYv4t3v9Ds2wZeYJd9j0pkiCfCSj0PVEWEjq6i56Xf0&api=1&no_preview=1
request	GET https://transfer.sh/get/S8wmOYi1yh/s28a1f.exe
request	GET https://sun6-21.userapi.com/c909628/u647736509/docs/d12/fd5c7be24aa4/PMmp.bmp?extra=QnkMoPcHh8Pcl9kFUIDvMGE9HrYxZTxMWrVO2SS1Sx4yHP5Q5kT-e7Goat-vWaxmZ-PrrfXp6boVtQQQstdn1i8BSip7NETyr912uQxRlY6BUbMA12qEMoVwuodJKRgPCPb3fkIKpOycnGY0kg
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
request	GET https://vk.com/doc647736509_665757320?hash=dfBBWeSNlNkIvHcK2uMdd2AbZmqfwD2ZZg0vYymBkR0&dl=gjNC6HkPkk10dAOYzHDYqNL4zQsWEaKk2Lm1A39kSP0&api=1&no_preview=1#rise
request	GET https://sun6-23.userapi.com/c909628/u647736509/docs/d6/739bc3acf24e/RisePro.bmp?extra=4CuDyfIZuYP0bK3ZthEhDyIY7JTcPdNDWB-xWugKYKMzm7GYkAaCWBmMPL-CeiDi5CKnAyxfeLzY30Q5g8hsgJz_kOpQ4VpvA10LWfEQdi1KZEwr-PlrVfsWuYLypMmNjbUlSwPqmc2w3ipuOQ
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
request	GET https://vk.com/doc647736509_665789779?hash=apIBNy1YzIlgOTOme2DjZEPMlC8mQMOrnNK6KuFrvTc&dl=KncEUWyJtdzd8EZ0lpauSTMDceKmPJX1qASzGUdtBnw&api=1&no_preview=1#nudik
request	GET https://sun6-21.userapi.com/c235131/u647736509/docs/d12/1252c115442f/nudik.bmp?extra=DGoaqLEDsZ3vggeRfdmskz6ZM5azb77zzwL--59fZ45MDdw0qPOQf4y41LDFhStRPPoi2amvgrWPc6qnVp05BabutIeih26aH5tGiyYUTSF4JVORJU74v-DDmHCRMMAC6I3T2FLrjzABvjQEBQ
request	GET https://db-ip.com/
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
request	GET https://transfer.sh/get/Els5w2XD23/1ds3y.exe

Sends data using the HTTP POST Method (3 events)

request	POST http://94.142.138.131/api/firegate.php
request	POST http://193.233.254.61/loghub/master
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (6 events)

ip	149.202.0.242
ip	185.244.181.112
ip	194.169.175.128
ip	194.169.175.233
ip	194.26.135.162
ip	77.91.124.54

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 18, 2023, 5:53 p.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74002000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 18, 2023, 5:53 p.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73913000 process_handle: 0xffffffff	1	0	0

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\7zEC98DD4AA\File.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 18, 2023, 5:53 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW Aug. 18, 2023, 5:53 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger

Communicates with host for which no DNS query was performed (13 events)

host	149.202.0.242
host	163.123.143.4
host	185.244.181.112
host	193.233.254.61
host	194.169.175.128
host	194.169.175.233
host	194.26.135.162
host	208.67.104.60
host	45.15.156.229
host	77.91.124.231
host	77.91.124.54
host	87.121.221.58
host	94.142.138.131

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 events)

dead_host	192.168.56.102:49185
dead_host	144.76.136.153:80
dead_host	163.123.143.4:80
dead_host	194.169.175.233:80

pass1234_setup.7z

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All