Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 7, 2024, 7:46 a.m.	March 7, 2024, 7:56 a.m.

Size	3.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`50a4eb1049a2034fbcd87274731aea36`
SHA256	`fe74dee5a9332cd3ed8f7ffa738599caf153956793a426dec6109e56d28258d1`
CRC32	`63CB7DD8`
ssdeep	`98304:ykLoZl/OCGTAB17YpM6opbHqrat+jLnbnX70Nt29s4C1eH9Y:dog8B9Y26opbHqQ+jLbnXMt5o9Y`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format OS_Processor_Check_Zero - OS Processor Check

installer.exe "C:\Users\test22\AppData\Local\Temp\installer.exe"
2208
- installer.tmp "C:\Users\test22\AppData\Local\Temp\is-1B9EH.tmp\installer.tmp" /SL5="$80136,3121405,832512,C:\Users\test22\AppData\Local\Temp\installer.exe"
  1792
  - netcorecheck_x64.exe "C:\Users\test22\AppData\Local\Temp\is-Q87CC.tmp\netcorecheck_x64.exe" Microsoft.NETCore.App 3.1.22
    2516
  - netcorecheck_x64.exe "C:\Users\test22\AppData\Local\Temp\is-Q87CC.tmp\netcorecheck_x64.exe" Microsoft.NETCore.App 5.0.13
    1832
  - netcorecheck_x64.exe "C:\Users\test22\AppData\Local\Temp\is-Q87CC.tmp\netcorecheck_x64.exe" Microsoft.NETCore.App 6.0.11
    1872
  - netcorecheck_x64.exe "C:\Users\test22\AppData\Local\Temp\is-Q87CC.tmp\netcorecheck_x64.exe" Microsoft.NETCore.App 7.0.0
    2416
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49171 -> 23.219.70.120:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49171 23.219.70.120:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 04	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=go.microsoft.com	77:01:70:50:0d:52:1b:1e:66:47:df:09:49:bd:c0:48:06:13:ed:80

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 7, 2024, 7:46 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 7, 2024, 7:47 a.m.	stacktrace: TMethodImplementationIntercept+0x1ba994 dbkFCallWrapperAddr-0x63e34 installer+0x27080c @ 0x67080c TMethodImplementationIntercept+0x1bae94 dbkFCallWrapperAddr-0x63934 installer+0x270d0c @ 0x670d0c TMethodImplementationIntercept+0x1bafb1 dbkFCallWrapperAddr-0x63817 installer+0x270e29 @ 0x670e29 TMethodImplementationIntercept+0x1ba390 dbkFCallWrapperAddr-0x64438 installer+0x270208 @ 0x670208 TMethodImplementationIntercept+0x1baa3a dbkFCallWrapperAddr-0x63d8e installer+0x2708b2 @ 0x6708b2 TMethodImplementationIntercept+0x1bb151 dbkFCallWrapperAddr-0x63677 installer+0x270fc9 @ 0x670fc9 TMethodImplementationIntercept+0x1d3bae dbkFCallWrapperAddr-0x4ac1a installer+0x289a26 @ 0x689a26 TMethodImplementationIntercept+0x1d863c dbkFCallWrapperAddr-0x4618c installer+0x28e4b4 @ 0x68e4b4 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1632160 registers.edi: 1632540 registers.eax: 1632160 registers.ebp: 1632240 registers.edx: 0 registers.ebx: 35482016 registers.esi: 35481840 registers.ecx: 7	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 7, 2024, 7:47 a.m.

stacktrace:

TMethodImplementationIntercept+0x1ba994 dbkFCallWrapperAddr-0x63e34 installer+0x27080c @ 0x67080c
TMethodImplementationIntercept+0x1bae94 dbkFCallWrapperAddr-0x63934 installer+0x270d0c @ 0x670d0c
TMethodImplementationIntercept+0x1bafb1 dbkFCallWrapperAddr-0x63817 installer+0x270e29 @ 0x670e29
TMethodImplementationIntercept+0x1ba390 dbkFCallWrapperAddr-0x64438 installer+0x270208 @ 0x670208
TMethodImplementationIntercept+0x1baa3a dbkFCallWrapperAddr-0x63d8e installer+0x2708b2 @ 0x6708b2
TMethodImplementationIntercept+0x1bb151 dbkFCallWrapperAddr-0x63677 installer+0x270fc9 @ 0x670fc9
TMethodImplementationIntercept+0x1d3bae dbkFCallWrapperAddr-0x4ac1a installer+0x289a26 @ 0x689a26
TMethodImplementationIntercept+0x1d863c dbkFCallWrapperAddr-0x4618c installer+0x28e4b4 @ 0x68e4b4

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 1632160
registers.edi: 1632540
registers.eax: 1632160
registers.ebp: 1632240
registers.edx: 0
registers.ebx: 35482016
registers.esi: 35481840
registers.ecx: 7

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 7, 2024, 7:46 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2024, 7:46 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2024, 7:46 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2024, 7:46 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2024, 7:46 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2024, 7:46 a.m.	process_identifier: 1792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733b2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2024, 7:46 a.m.	process_identifier: 1792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\is-Q87CC.tmp\dxwebsetup.exe
file	C:\Users\test22\AppData\Local\Temp\is-Q87CC.tmp\netcorecheck_x64.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-Q87CC.tmp\netcorecheck_x64.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\is-1B9EH.tmp\installer.tmp
file	C:\Users\test22\AppData\Local\Temp\is-Q87CC.tmp\dxwebsetup.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW March 7, 2024, 7:47 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\is-Q87CC.tmp\netcorecheck_x64.exe parameters: Microsoft.NETCore.App 3.1.22 filepath: C:\Users\test22\AppData\Local\Temp\is-Q87CC.tmp\netcorecheck_x64.exe	1	1
ShellExecuteExW March 7, 2024, 7:47 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\is-Q87CC.tmp\netcorecheck_x64.exe parameters: Microsoft.NETCore.App 5.0.13 filepath: C:\Users\test22\AppData\Local\Temp\is-Q87CC.tmp\netcorecheck_x64.exe	1	1
ShellExecuteExW March 7, 2024, 7:47 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\is-Q87CC.tmp\netcorecheck_x64.exe parameters: Microsoft.NETCore.App 6.0.11 filepath: C:\Users\test22\AppData\Local\Temp\is-Q87CC.tmp\netcorecheck_x64.exe	1	1
ShellExecuteExW March 7, 2024, 7:47 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\is-Q87CC.tmp\netcorecheck_x64.exe parameters: Microsoft.NETCore.App 7.0.0 filepath: C:\Users\test22\AppData\Local\Temp\is-Q87CC.tmp\netcorecheck_x64.exe	1	1

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Bkav	W32.AIDetectMalware
APEX	Malicious
Cynet	Malicious (score: 100)

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 7, 2024, 7:47 a.m.	flags: 15 family: 0		111	0

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW March 7, 2024, 7:47 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Phantomscript_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Phantomscript_is1		2	0

installer.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All