Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 7, 2023, 6:52 a.m.	Dec. 7, 2023, 6:53 a.m.

Size	11.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`054c92c15c2574860d1fe07b9fad1b23`
SHA256	`b4e7c449825bd8f9725ddf61b30a9d7d4238228306e0c2deb40a51ef349afad2`
CRC32	`5ADB2A90`
ssdeep	`196608:/yEhU6i3fzQKpLePzTIgjhrrhELSEjfvS8de:/Z4LQKpLePPIwJEeUv9E`
Yara	Malicious_Library_Zero - Malicious_Library PhysicalDrive_20181001 - (no description) IsPE32 - (no description) HermeticWiper_Zero - HermeticWiper Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals ASPack_Zero - ASPack packed file Antivirus - Contains references to security software anti_vm_detect - Possibly employs anti-virtualization techniques Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

GameCenter.exe "C:\Users\test22\AppData\Local\Temp\GameCenter.exe"
2548

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 23.67.53.27 A 23.67.53.17 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.32.56.80
stat.gc.vkplay.ru	A 95.163.41.136	95.163.41.136

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.67.53.27	Active	Moloch
95.163.41.136	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49164 -> 95.163.41.136:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49164 95.163.41.136:443	C=US, O=Let's Encrypt, CN=R3	CN=gc.vkplay.ru	c0:37:2f:22:7b:07:e2:ed:54:53:3f:35:3f:ab:db:7d:a1:93:14:8d

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (2 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 7, 2023, 6:52 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 7, 2023, 6:52 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25 __dbk_fcall_wrapper-0x686a gamecenter+0x7346 @ 0x1277346 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75ac3ef4 registers.esp: 4323348 registers.edi: 0 registers.eax: 18320048 registers.ebp: 4323376 registers.edx: 1 registers.ebx: 0 registers.esi: 5145552 registers.ecx: 1923954140	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Dec. 7, 2023, 6:52 a.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25
__dbk_fcall_wrapper-0x686a gamecenter+0x7346 @ 0x1277346
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75ac3ef4
registers.esp: 4323348
registers.edi: 0
registers.eax: 18320048
registers.ebp: 4323376
registers.edx: 1
registers.ebx: 0
registers.esi: 5145552
registers.ecx: 1923954140

Performs some HTTP requests (1 event)

request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

stat.gc.vkplay.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 7, 2023, 6:52 a.m.	process_identifier: 2548 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ef30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 7, 2023, 6:52 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f4c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 7, 2023, 6:52 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ef30000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 7, 2023, 6:52 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01277000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Dec. 7, 2023, 6:52 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13311660032 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 7, 2023, 6:52 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x003e6200', u'virtual_address': u'0x00801000', u'entropy': 7.244897612560026, u'name': u'.rsrc', u'virtual_size': u'0x003e61e0'}

entropy

7.24489761256

description

A section with a high entropy has been found

entropy

0.332639033535

description

Overall entropy of this PE file is high

Creates an Alternate Data Stream (ADS) (1 event)

file	C:\Users\test22\AppData\Local\Temp\GameCenter.ini:Tamper

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Dec. 7, 2023, 6:52 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects the presence of Wine emulator (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Dec. 7, 2023, 6:52 a.m.	ordinal: 0 function_address: 0x0127d748 function_name: wine_get_version module: ntdll module_address: 0x76f10000		3221225785	0
LdrGetProcedureAddress Dec. 7, 2023, 6:52 a.m.	ordinal: 0 function_address: 0x019f8020 function_name: wine_get_version module: ntdll module_address: 0x76f10000		3221225785	0

GameCenter.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All