Summary

Category	Machine	Started	Completed
ARCHIVE	s1_win7_x6403_us	June 7, 2024, 5:49 p.m.	June 7, 2024, 5:50 p.m.

Archive csrs.exe @ sandbox.zip

Size	6.2MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`ed43f6043f51fba6b2a8a4062256154d`
SHA1	`4cf081fde15f702c434b588f0556d28227ae1f1a`
SHA256	`a62c67bb2c90d79ffc64d3862c73ea77255581d224a8736c470dc72a6716c6e3`
SHA512	`7e47c25992a88f4d34fb6ce2ce4469d6d8a5a07682eabc032391a837c15a6bb62d1a7cde219ba59efc134c5d5113e5196077608a3e2623f6a751c56a5b031489`
CRC32	`21CECB4F`
ssdeep	`98304:188SKeTpHfNgRVccndCe+AOSF2lFGzo0qoyYUOzn52bISsD9C775URDNJLN:+ieT7gVccdF+cFYG4gkESsDseBNxN`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

csrs.exe "C:\Users\test22\AppData\Local\Temp\csrs.exe"
2096
- csrs.exe "C:\Users\test22\AppData\Local\Temp\csrs.exe"
  2224

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (39 events)

Time & API	Arguments	Status	Return
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: 024-06-07 20:08:26,780 - DEBUG - console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: Traceback (most recent call last): console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: File "MyExploiter.py", line 464, in <module> console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: File "MyExploiter.py", line 401, in parseOptions console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: IndexError console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: l console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: ist index out of range console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: F console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: a console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: i console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: l console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: e console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: d console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: t console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: o console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: e console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: x console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: e console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: c console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: u console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: t console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: e console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: s console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: c console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: r console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: i console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: p console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: t console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: M console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: y console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: E console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: x console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: p console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: l console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: o console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: i console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: t console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: e console_handle: 0x0000000b	1	1
WriteConsoleA June 7, 2024, 5:48 p.m.	buffer: r console_handle: 0x0000000b	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 7, 2024, 5:48 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI20962\msvcr90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\msvcp90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\python27.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\msvcm90.dll

Drops an executable to the user AppData folder (24 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Util._counter.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Cipher._DES3.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\_hashlib.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\cryptography.hazmat.bindings._constant_time.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\msvcr90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\_socket.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\select.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Hash._MD4.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\python27.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\msvcm90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\msvcp90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\_ssl.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Cipher._DES.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\_cffi_backend.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Random.OSRNG.winrandom.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\pyexpat.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Util.strxor.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\cryptography.hazmat.bindings._openssl.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Cipher._AES.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Hash._SHA256.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Cipher._ARC4.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\bz2.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\_ctypes.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20962\unicodedata.pyd

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0000f000', u'virtual_address': u'0x0003d000', u'entropy': 7.286300316224105, u'name': u'.rsrc', u'virtual_size': u'0x0000efb0'}

entropy

7.28630031622

description

A section with a high entropy has been found

entropy

0.251572327044

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (50 out of 194 events)

url	http://crl.comodo.net/TrustedCertificateServices.crl0
url	http://google.com/
url	http://www.e-szigno.hu/RootCA.crt0
url	http://crl.ssc.lt/root-b/cacrl.crl0
url	http://www.acabogacia.org/doc0
url	http://username
url	https://urllib3.readthedocs.io/en/latest/advanced-usage.html
url	https://github.com/shazow/urllib3/issues/497
url	http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url	http://www.ssc.lt/cps03
url	http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url	http://users.ocsp.d-trust.net03
url	http://curl.haxx.se/rfc/cookie_spec.html
url	http://proxy.example.com/
url	http://www.nightmare.com/squirl/python-ext/misc/syslog.py
url	http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url	http://json.org
url	http://lists.sourceforge.net/lists/listinfo/optik-users).
url	http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url	https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url	http://www.pkioverheid.nl/policies/root-policy0
url	http://google.com/mail/
url	http://www.disig.sk/ca/crl/ca_disig.crl0
url	http://joe
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	http://crl.comodo.net/AAACertificateServices.crl0
url	http://www.certplus.com/CRL/class3.crl0
url	http://www.faqs.org/rfcs/rfc822.html
url	http://logo.verisign.com/vslogo.gif0
url	http://www.sk.ee/cps/0
url	https://cryptography.io/en/latest/hazmat/
url	http://www.crc.bg0
url	http://www.python.org/dev/peps/pep-0205/
url	http://www.e-szigno.hu/SZSZ/0
url	https://www.catcert.net/verarrel
url	https://technotes.googlecode.com/git/nextprotoneg.html
url	http://python.org/dev/peps/pep-0263/
url	http://www.quovadis.bm0
url	http://crl.securetrust.com/STCA.crl0
url	https://www.catcert.net/verarrel05
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url	http://crl.securetrust.com/SGCA.crl0
url	http://crl.chambersign.org/chambersroot.crl0
url	https://httpbin.org/
url	http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py
url	http://crl.globalsign.net/root-r2.crl0
url	http://certificates.starfieldtech.com/repository/1604
url	http://www.d-trust.net0
url	https://en.wikipedia.org/wiki/Server_Name_Indication

Yara rule detected in process memory (50 out of 63 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (2 events)

url	http://185.47.128.124:8124/m17010.txt
url	http://139.5.177.32:9999

Archive csrs.exe @ sandbox.zip

Summary

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All