Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 7, 2024, 9:27 a.m.	June 7, 2024, 9:29 a.m.

Size	475.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3311b8c3707f75831aa443db406c71e0`
SHA256	`364b087a1916c5f13675449a4470763adebd4977fc21ea2169d8d67b11e83ba7`
CRC32	`38ED3D7E`
ssdeep	`6144:tSPB0Gyvn8di2sPXZ/9h2r2D6LfMlh4Egky/96sggH4S9K3iwJywrq/eY762d5UO:MU8A/62WOKkU6sgK0y8YW2k0QnY3ZA`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

xxun.exe "C:\Users\test22\AppData\Local\Temp\xxun.exe"
444
- cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\xxun.exe > nul
  2164
  - PING.EXE ping -n 2 127.0.0.1
    2296

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
82.157.201.41	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 7, 2024, 9:27 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

The executable uses a known packer (1 event)

packer

NsPacK V3.7 -> LiuXingPing

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 7, 2024, 9:27 a.m.	process_identifier: 444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA June 7, 2024, 9:27 a.m.	service_start_name: start_type: 2 password: display_name: Aqiyqi Arjariar Jbsjbrjb Skcs filepath: C:\Windows\System32\Meume.exe -auto service_name: Dtldtl Dumdu filepath_r: C:\Windows\System32\Meume.exe -auto desired_access: 18 service_handle: 0x0066fe70 error_control: 0 service_type: 16 service_manager_handle: 0x0066fe98	1	6749808	0

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\xxun.exe > nul

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\xxun.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 7, 2024, 9:27 a.m.	process_identifier: 444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 606208 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00076a00', u'virtual_address': u'0x00140000', u'entropy': 7.999350239067291, u'name': u'', u'virtual_size': u'0x00077c3c'}

entropy

7.99935023907

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\xxun.exe > nul
cmdline	ping -n 2 127.0.0.1

Communicates with host for which no DNS query was performed (1 event)

host

82.157.201.41

Installs itself for autorun at Windows startup (1 event)

service_name

Dtldtl Dumdu

service_path

C:\Windows\System32\Meume.exe -auto

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 444 resumed a thread in remote process 2164
NtResumeThread June 7, 2024, 9:27 a.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2164	1	0	0

File has been identified by 62 AntiVirus engines on VirusTotal as malicious (50 out of 62 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agent.l7ah
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.FarfliRI.S27524112
Skyhigh	BehavesLike.Win32.Generic.gc
ALYac	Trojan.GenericKD.73025391
Cylance	Unsafe
VIPRE	Trojan.GenericKD.73025391
Sangfor	Backdoor.Win32.Farfli.V8fd
K7AntiVirus	Trojan ( 005257651 )
BitDefender	Trojan.GenericKD.73025391
K7GW	Trojan ( 005257651 )
Cybereason	malicious.3707f7
Arcabit	Trojan.Generic.D45A476F
VirIT	Win32.Kriz.4029
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/GenKryptik.DZUJ
APEX	Malicious
McAfee	Artemis!3311B8C3707F
Avast	Win32:Malware-gen
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Backdoor:Win32/Farfli.d51279f3
NANO-Antivirus	Trojan.Win32.Farfli.jnxxnz
MicroWorld-eScan	Trojan.GenericKD.73025391
Rising	Backdoor.Gh0st!1.DF86 (CLOUD)
Emsisoft	Trojan.GenericKD.73025391 (B)
F-Secure	Heuristic.HEUR/AGEN.1339093
DrWeb	Win32.HLLW.Autoruner.1891
Zillya	Trojan.GenKryptik.Win32.675040
TrendMicro	TROJ_GEN.R002C0DEQ24
McAfeeD	Real Protect-LS!3311B8C3707F
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.3311b8c3707f7583
Sophos	Mal/Packer
Ikarus	Trojan.Win32.Crypt
Jiangmin	Backdoor/Huigezi.ezb
Google	Detected
Avira	HEUR/AGEN.1339093
MAX	malware (ai score=85)
Antiy-AVL	Trojan/Win32.GenKryptik
Kingsoft	malware.kb.b.978
Gridinsoft	Trojan.Win32.Gen.tr
Xcitium	TrojWare.Win32.Trojan.NSPM.~gen@20n73t
Microsoft	Backdoor:Win32/Farfli!pz
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.GenericKD.73025391
AhnLab-V3	Worm/Win32.IRCBot.C6996
BitDefenderTheta	AI:Packer.E67BFE3B1E
DeepInstinct	MALICIOUS

xxun.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All