Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 18, 2023, 7:49 a.m.	Dec. 18, 2023, 7:53 a.m.

Size	313.9KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`a458d02487805c29b7e6b7ee09d1bee9`
SHA256	`59ee15056c8ca8f240ba10fe20a523e3dc315cc0304f1f1abcb2913d701d4f23`
CRC32	`9A613EB8`
ssdeep	`6144:2BlL/Zde0zS/srLhMZhCVpH1eboccu3tUksnnL2D78Z:UFeiS0rehC3AMccu9Uky2De`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer UPX_Zero - UPX packed file

Name	Response	Post-Analysis Lookup
akcay.duckdns.org	A 91.92.243.245	91.92.243.245

IP Address	Status	Action
164.124.101.2	Active	Moloch
91.92.243.245	Active	Moloch

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 91.92.243.245:3245 -> 192.168.56.103:49166	2036735	ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 91.92.243.245:3245	2036734	ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Dec. 18, 2023, 7:49 a.m.	computer_name: TEST22-PC	1	1	0

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 18, 2023, 7:49 a.m.		1	1	0

section

.ndata

domain

akcay.duckdns.org

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 18, 2023, 7:49 a.m.	process_identifier: 2164 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 18, 2023, 7:49 a.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 18, 2023, 7:49 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

file	C:\Users\test22\AppData\Local\Temp\drnzy.exe
file	C:\Users\test22\AppData\Roaming\wggclluqaavffo\kttdyyie.exe

file	C:\Users\test22\AppData\Local\Temp\drnzy.exe

file	C:\Users\test22\AppData\Local\Temp\drnzy.exe

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\enwss

reg_value

C:\Users\test22\AppData\Roaming\wggclluqaavffo\kttdyyie.exe "C:\Users\test22\AppData\Local\Temp\drnzy.exe"

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Dec. 18, 2023, 7:49 a.m.	thread_identifier: 0 callback_function: 0x004074c0 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	262593	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2164 called NtSetContextThread to modify thread in remote process 2220
NtSetContextThread Dec. 18, 2023, 7:49 a.m.	registers.eip: 2005598660 registers.esp: 3275524 registers.edi: 0 registers.eax: 4216632 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000ec process_identifier: 2220	1	0	0

konordbox2.1.exe