Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 3, 2024, 8:48 a.m.	June 3, 2024, 8:51 a.m.

Size	740.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d65acc2321b1580bc524b991fad0f78a`
SHA256	`1f4c1b7370b3ba6ef950a84589fc458cf5b3a019a9bfe21aab986d0a26785291`
CRC32	`2741B30C`
ssdeep	`12288:YvJZtqNl8GkWnUYFhTJQQI3U3gAd0lpd0nLvwUbvwTjP:jl8GVUUikvd0/d0nbtLOb`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet OS_Processor_Check_Zero - OS Processor Check

mdll.exe "C:\Users\test22\AppData\Local\Temp\mdll.exe"
1000

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
149.88.76.85	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 3, 2024, 8:48 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

GOOGLEUPDATEAPPLICATIONCOMMANDS

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (36 events)

Time & API	Arguments	Status	Return
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000104 process_name: mobsync.exe process_identifier: 1800	1	1
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000104 process_name: taskhost.exe process_identifier: 792	1	1
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000104 process_name: sdclt.exe process_identifier: 1540	1	1
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000104 process_name: cmd.exe process_identifier: 496	1	1
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000104 process_name: SearchProtocolHost.exe process_identifier: 416	1	1
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000104 process_name: conhost.exe process_identifier: 1704	1	1
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000104 process_name: SearchFilterHost.exe process_identifier: 1664	1	1
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000104 process_name: mdll.exe process_identifier: 1000	1	1
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000104 process_name: pw.exe process_identifier: 7602224		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000001ec process_name: pw.exe process_identifier: 7536688		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000001f4 process_name: pw.exe process_identifier: 3014768		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000001f8 process_name: pw.exe process_identifier: 7274573		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000001fc process_name: pw.exe process_identifier: 5046390		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000200 process_name: pw.exe process_identifier: 6815859		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000204 process_name: pw.exe process_identifier: 6881397		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000208 process_name: pw.exe process_identifier: 7602277		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x0000020c process_name: pw.exe process_identifier: 6619235		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000210 process_name: pw.exe process_identifier: 4456552		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000214 process_name: pw.exe process_identifier: 7536758		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000218 process_name: pw.exe process_identifier: 6684769		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x0000021c process_name: pw.exe process_identifier: 4390992		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000220 process_name: process_identifier: 5439572		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000224 process_name: pw.exe process_identifier: 6619182		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000228 process_name: pw.exe process_identifier: 6553715		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x0000022c process_name: pw.exe process_identifier: 5046338		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000230 process_name: pw.exe process_identifier: 6619246		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000234 process_name: pw.exe process_identifier: 6750273		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000238 process_name: pw.exe process_identifier: 7471220		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x0000023c process_name: pw.exe process_identifier: 7733331		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000240 process_name: pw.exe process_identifier: 4980808		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000244 process_name: pw.exe process_identifier: 6619251		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000248 process_name: pw.exe process_identifier: 7864421		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x0000024c process_name: pw.exe process_identifier: 3342387		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000250 process_name: pw.exe process_identifier: 3014722		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000254 process_name: process_identifier: 7733362		0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000258 process_name: pw.exe process_identifier: 6553705		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 20480 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00078000', u'virtual_address': u'0x00046000', u'entropy': 7.3531047080987095, u'name': u'.rsrc', u'virtual_size': u'0x00078000'}

entropy

7.3531047081

description

A section with a high entropy has been found

entropy

0.652173913043

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (28 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000104 process_name: pw.exe process_identifier: 7602224		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000001ec process_name: pw.exe process_identifier: 7536688		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000001f4 process_name: pw.exe process_identifier: 3014768		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000001f8 process_name: pw.exe process_identifier: 7274573		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000001fc process_name: pw.exe process_identifier: 5046390		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000200 process_name: pw.exe process_identifier: 6815859		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000204 process_name: pw.exe process_identifier: 6881397		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000208 process_name: pw.exe process_identifier: 7602277		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x0000020c process_name: pw.exe process_identifier: 6619235		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000210 process_name: pw.exe process_identifier: 4456552		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000214 process_name: pw.exe process_identifier: 7536758		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000218 process_name: pw.exe process_identifier: 6684769		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x0000021c process_name: pw.exe process_identifier: 4390992		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000220 process_name: process_identifier: 5439572		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000224 process_name: pw.exe process_identifier: 6619182		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000228 process_name: pw.exe process_identifier: 6553715		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x0000022c process_name: pw.exe process_identifier: 5046338		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000230 process_name: pw.exe process_identifier: 6619246		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000234 process_name: pw.exe process_identifier: 6750273		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000238 process_name: pw.exe process_identifier: 7471220		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x0000023c process_name: pw.exe process_identifier: 7733331		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000240 process_name: pw.exe process_identifier: 4980808		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000244 process_name: pw.exe process_identifier: 6619251		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000248 process_name: pw.exe process_identifier: 7864421		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x0000024c process_name: pw.exe process_identifier: 3342387		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000250 process_name: pw.exe process_identifier: 3014722		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000254 process_name: process_identifier: 7733362		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000258 process_name: pw.exe process_identifier: 6553705		0	0

Communicates with host for which no DNS query was performed (1 event)

host

149.88.76.85

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

192.168.56.103:49161

File has been identified by 67 AntiVirus engines on VirusTotal as malicious (50 out of 67 events)

Bkav	W32.Common.E6E75C04
Lionic	Trojan.Win32.Zegost.m!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
CAT-QuickHeal	Backdoor.Lotok
Skyhigh	BehavesLike.Win32.Worm.bc
ALYac	Gen:Variant.Mikey.139915
Cylance	Unsafe
VIPRE	Gen:Variant.Mikey.139915
Sangfor	Backdoor.Win32.Zegost.Vgyk
K7AntiVirus	Trojan ( 0057f0631 )
BitDefender	Gen:Variant.Mikey.139915
K7GW	Trojan ( 0057f0631 )
Cybereason	malicious.321b15
Arcabit	Trojan.Mikey.D2228B
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Farfli.CTQ
APEX	Malicious
McAfee	GenericRXAA-AA!D65ACC2321B1
Avast	Win32:Trojan-gen
ClamAV	Win.Dropper.Gh0stRAT-9896744-0
Kaspersky	HEUR:Backdoor.Win32.Lotok.gen
Alibaba	Backdoor:Win32/Zegost.ef402e81
NANO-Antivirus	Trojan.Win32.Farfli.ixtqnh
MicroWorld-eScan	Gen:Variant.Mikey.139915
Rising	Trojan.Agent!1.F7B0 (CLASSIC)
Emsisoft	Gen:Variant.Mikey.139915 (B)
F-Secure	Trojan.TR/AD.Farfli.decyz
DrWeb	Trojan.MulDrop18.34457
Zillya	Trojan.GenKryptik.Win32.101507
TrendMicro	BKDR_ZEGOST.SM51
McAfeeD	ti!1F4C1B7370B3
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.d65acc2321b1580b
Sophos	Troj/Farfli-EV
Ikarus	Trojan.Win32.Farfli
Jiangmin	Trojan.Generic.hredl
Google	Detected
Avira	TR/AD.Farfli.decyz
MAX	malware (ai score=86)
Antiy-AVL	Trojan[Backdoor]/Win32.Zegost
Kingsoft	Win32.Hack.Generic.a
Gridinsoft	Trojan.Win32.Kryptik.oa!s1
Xcitium	TrojWare.Win32.Agent.PDSB@4q3i1w
Microsoft	Backdoor:Win32/Zegost.CQ!bit
ViRobot	Trojan.Win.Z.Zegost.757760
ZoneAlarm	HEUR:Backdoor.Win32.Lotok.gen
GData	Gen:Variant.Mikey.139915
Varist	W32/KillAV.AU.gen!Eldorado

mdll.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All