Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Feb. 1, 2024, 7:59 a.m.	Feb. 1, 2024, 8:04 a.m.

Size	298.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`5fd7aff48d27771ca0aec6776afefb93`
SHA256	`a9498e18f267a568b57d3a281d14118c70ffd1aae42411ee9a7661092beee97b`
CRC32	`C7ED089A`
ssdeep	`6144:k7F5GxMr+PtCE2kWCZ3j9Z0CINiNRpxyN90vE:4FYxMqAEVBkCIWZy90`
PDB Path	wusa.pdb
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file

rty25.exe "C:\Users\test22\AppData\Local\Temp\rty25.exe"
660

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 182.162.106.33 A 182.162.106.144 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.67.53.27
i.alie3ksgaa.com	A 154.92.15.189	154.92.15.189

IP Address	Status	Action
154.92.15.189	Active	Moloch
164.124.101.2	Active	Moloch
182.162.106.33	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 154.92.15.189:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 154.92.15.189:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 154.92.15.189:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 154.92.15.189:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 154.92.15.189:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 154.92.15.189:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49178 -> 154.92.15.189:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 154.92.15.189:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49176 -> 154.92.15.189:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 154.92.15.189:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 154.92.15.189:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49179 -> 154.92.15.189:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49168 -> 154.92.15.189:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 154.92.15.189:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49166 154.92.15.189:443	None	None	None
TLSv1 192.168.56.103:49163 154.92.15.189:443	C=US, O=Let's Encrypt, CN=R3	CN=i.alie3ksgaa.com	e3:88:72:04:24:5c:12:17:a4:e2:c1:d9:33:f0:d9:60:91:71:d3:dc
TLSv1 192.168.56.103:49165 154.92.15.189:443	None	None	None
TLSv1 192.168.56.103:49172 154.92.15.189:443	None	None	None
TLSv1 192.168.56.103:49173 154.92.15.189:443	None	None	None
TLSv1 192.168.56.103:49167 154.92.15.189:443	None	None	None
TLSv1 192.168.56.103:49178 154.92.15.189:443	None	None	None
TLSv1 192.168.56.103:49169 154.92.15.189:443	None	None	None
TLSv1 192.168.56.103:49176 154.92.15.189:443	None	None	None
TLSv1 192.168.56.103:49182 154.92.15.189:443	None	None	None
TLSv1 192.168.56.103:49175 154.92.15.189:443	None	None	None
TLSv1 192.168.56.103:49179 154.92.15.189:443	None	None	None
TLSv1 192.168.56.103:49168 154.92.15.189:443	None	None	None
TLSv1 192.168.56.103:49181 154.92.15.189:443	None	None	None

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

wusa.pdb

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	MUI
resource name	WEVT_TEMPLATE

Performs some HTTP requests (1 event)

request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Feb. 1, 2024, 7:59 a.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000ff0db000 process_handle: 0xffffffffffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Feb. 1, 2024, 8 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00015000', u'virtual_address': u'0x00038000', u'entropy': 7.3971931278824155, u'name': u'.rsrc', u'virtual_size': u'0x00015000'}

entropy

7.39719312788

description

A section with a high entropy has been found

entropy

0.282352941176

description

Overall entropy of this PE file is high

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

rty25.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All