Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 11, 2023, 7:16 p.m.	Dec. 11, 2023, 7:38 p.m.

Size	4.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8b81d38713e8269f1fd5aff7be5a5788`
SHA256	`3d0c0aeaab7bd433d66603c2a1f1d819abf95508b6a4fbcf85dfcf6235d0f292`
CRC32	`CA93DA45`
ssdeep	`98304:rZAcCKGECuX4EwN/6+EKOMHVh3LG4JO/DAn9i00/uzT5:mBECuX4EwN/6+EKOwxt910Wzd`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

fred.exe "C:\Users\test22\AppData\Local\Temp\fred.exe"
1880

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
142.251.220.78	Active	Moloch
142.251.220.97	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 11, 2023, 7:16 p.m.		1	1	0

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\mmf2d3d11.dll
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\mmf2d3d8.dll
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\mmf2d3d9.dll
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\mmfs2.dll

Drops an executable to the user AppData folder (16 events)

file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\RunInConsole.mfx
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\waveflt.sft
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\oggflt.sft
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\kclist.mfx
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\kcwctrl.mfx
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\mmf2d3d9.dll
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\mmf2d3d8.dll
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\PCShutdownOperations.mfx
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\Archive.mfx
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\Web Query Object.mfx
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\mmfs2.dll
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\WndTransp.mfx
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\kcfile.mfx
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\mmf2d3d11.dll
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\KcButton.mfx
file	C:\Users\test22\AppData\Local\Temp\ebe3327c-6b10-48ad-a146-96b61492f2fb.FusionApp\fcKernel.mfx

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 11, 2023, 7:16 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0xfff80000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (2 events)

host	142.251.220.78
host	142.251.220.97

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Bkav	W32.AIDetectMalware
DrWeb	Trojan.DownLoader45.53017
MicroWorld-eScan	Trojan.GenericKD.70657698
FireEye	Trojan.GenericKD.70657698
Skyhigh	BehavesLike.Win32.Generic.rc
Malwarebytes	Malware.AI.2081122683
Zillya	Trojan.Sdum.Win32.10190
Elastic	malicious (high confidence)
ClamAV	Win.Malware.Sdum-10013178-0
BitDefender	Trojan.GenericKD.70657698
NANO-Antivirus	Trojan.Win32.Dwn.jvlqmk
Emsisoft	Trojan.GenericKD.70657698 (B)
VIPRE	Trojan.GenericKD.70657698
MAX	malware (ai score=83)
Jiangmin	Trojan.Sdum.anm
Google	Detected
Gridinsoft	Trojan.Win32.Downloader.oa!s1
Arcabit	Trojan.Generic.D43626A2
GData	Trojan.GenericKD.70657698
Cynet	Malicious (score: 100)
VBA32	Win32.Malware.Dropper.Heur
ALYac	Trojan.GenericKD.70657698
TrendMicro-HouseCall	TROJ_GEN.R002H09L423
Rising	Trojan.Generic@AI.100 (RDML:8CD0Mg3Fym2i9IaI6dT4bA)
Ikarus	Trojan.Win32.Agent
MaxSecure	Trojan.Malware.221200984.susgen
Fortinet	W32/PossibleThreat
DeepInstinct	MALICIOUS

fred.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All