Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 18, 2023, 7:51 a.m.	Dec. 18, 2023, 7:56 a.m.

Size	313.8KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`f525808e3a1d0040b3c60e5940f250fe`
SHA256	`3c36d574e4005d919706e2945a25f6704d48ea69b5960bdc544e59cc4e3295cc`
CRC32	`908D1EB2`
ssdeep	`6144:2BlL/Zde0zS/srkaLdInw5OFtoLTAzcO78ToYJyeNaXt:UFeiS0rkydboofAgOHReNaXt`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer UPX_Zero - UPX packed file

Name	Response	Post-Analysis Lookup
mcwillis.duckdns.org	A 91.92.251.22	91.92.251.22

Flow	SID	Signature	Category
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 18, 2023, 7:51 a.m.		1	1	0

section

.ndata

domain

mcwillis.duckdns.org

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 18, 2023, 7:51 a.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73272000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 18, 2023, 7:51 a.m.	process_identifier: 2776 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 18, 2023, 7:51 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 18, 2023, 7:45 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

file	C:\Users\test22\AppData\Local\Temp\bficsgotez.exe
file	C:\Users\test22\AppData\Roaming\luqqajjfo\oxttdyiirn.exe

file	C:\Users\test22\AppData\Local\Temp\bficsgotez.exe

file	C:\Users\test22\AppData\Local\Temp\bficsgotez.exe

host

131.153.76.130

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nwggbkggp

reg_value

C:\Users\test22\AppData\Roaming\luqqajjfo\oxttdyiirn.exe "C:\Users\test22\AppData\Local\Temp\bficsgotez.exe"

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2776 called NtSetContextThread to modify thread in remote process 2820
NtSetContextThread Dec. 18, 2023, 7:51 a.m.	registers.eip: 1995571652 registers.esp: 5372440 registers.edi: 0 registers.eax: 4216632 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000ec process_identifier: 2820	1	0	0

dead_host

91.92.251.22:5122

marcopack2.1.exe