Summary | ZeroBOX

Build.exe

Tags: Emotet, Gen1, PhysicalDrive, NMap, NSIS, Generic Malware, .NET framework(MSIL), UPX, Downloader, ASPack, Antivirus, Malicious Library, Malicious Packer, Admin Tool (Sysinternals etc ...), Javascript_Blob, Anti_VM, OS Processor Check, PE File, MZP Format, PE32

Category: FILE
Machine: s1_win7_x6403_us
Started: July 3, 2024, 7:51 a.m.
Completed: July 3, 2024, 7:55 a.m.
Size: 821.5KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 2f6f4f9674c6721b5ea8319ed90a8f20
SHA256: 68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f
CRC32: 645C6D47
ssdeep: 12288:UpJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9j9DXMS9:QJ39LyjbJkQFMhmC+6GD9j1n9
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Network_Downloader - File Downloader
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • mzp_file_format - MZP(Delphi) file format

IP Address Status Action
142.251.220.1 Active Moloch
142.251.220.78 Active Moloch
162.125.84.18 Active Moloch
164.124.101.2 Active Moloch
45.141.26.232 Active Moloch
69.42.215.252 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2015633 ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com Misc activity
TCP 192.168.56.103:49176 -> 162.125.84.18:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49177 -> 162.125.84.18:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49175 -> 142.251.220.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49174 -> 142.251.220.78:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

TLSv1 192.168.56.103:49175 -> 142.251.220.1:443 | Issuer: C=US, O=Google Trust Services, CN=WR2 | Subject: CN=*.usercontent.google.com | Fingerprint: 15:4e:0d:a6:4d:d4:a6:dd:fe:74:84:e2:59:43:bc:97:c9:df:4c:82
TLSv1 192.168.56.103:49174 -> 142.251.220.78:443 | Issuer: C=US, O=Google Trust Services, CN=WR2 | Subject: CN=*.google.com | Fingerprint: 5e:16:23:df:7d:42:8e:61:6e:aa:4a:cc:fb:08:1a:b9:8f:fa:e0:a2

API: GetComputerNameA
Arguments:
  computer_name: TEST22-PC
Status: 1  Return: 1  Repeated: 0
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
API: GlobalMemoryStatusEx
Status: 1  Return: 1  Repeated: 0
section CODE
section DATA
section BSS
API: __exception__
Arguments:
  stacktrace:
    synaptics+0x7bda4 @ 0x47bda4
    synaptics+0x7bcf2 @ 0x47bcf2
    synaptics+0x7bcb3 @ 0x47bcb3
    synaptics+0x845fd @ 0x4845fd
    synaptics+0x959fc @ 0x4959fc
    BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
    RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
    RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5
  exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
  exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
  exception.instruction: leave
  exception.module: KERNELBASE.dll
  exception.exception_code: 0xeedfade
  exception.offset: 46887
  exception.address: 0x7559b727
  registers.esp: 53870044
  registers.edi: 53870232
  registers.eax: 53870044
  registers.ebp: 53870124
  registers.edx: 0
  registers.ebx: 4703484
  registers.esi: 11001
  registers.ecx: 7
Status: 1  Return: 0  Repeated: 0

API: __exception__
Arguments:
  stacktrace:
    synaptics+0x7bda4 @ 0x47bda4
    synaptics+0x7bcf2 @ 0x47bcf2
    synaptics+0x7bcb3 @ 0x47bcb3
    synaptics+0x845fd @ 0x4845fd
    synaptics+0x95a83 @ 0x495a83
    BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
    RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
    RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5
  exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
  exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
  exception.instruction: leave
  exception.module: KERNELBASE.dll
  exception.exception_code: 0xeedfade
  exception.offset: 46887
  exception.address: 0x7559b727
  registers.esp: 53867856
  registers.edi: 53868044
  registers.eax: 53867856
  registers.ebp: 53867936
  registers.edx: 0
  registers.ebx: 4703484
  registers.esi: 11004
  registers.ecx: 7
Status: 1  Return: 0  Repeated: 0

API: __exception__
Arguments:
  stacktrace:
    synaptics+0x7bda4 @ 0x47bda4
    synaptics+0x7bcf2 @ 0x47bcf2
    synaptics+0x7bcb3 @ 0x47bcb3
    synaptics+0x845fd @ 0x4845fd
    synaptics+0x95b0a @ 0x495b0a
    BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
    RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
    RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5
  exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
  exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
  exception.instruction: leave
  exception.module: KERNELBASE.dll
  exception.exception_code: 0xeedfade
  exception.offset: 46887
  exception.address: 0x7559b727
  registers.esp: 53865668
  registers.edi: 53865856
  registers.eax: 53865668
  registers.ebp: 53865748
  registers.edx: 0
  registers.ebx: 4703484
  registers.esi: 11001
  registers.ecx: 7
Status: 1  Return: 0  Repeated: 0
domain xred.mooo.com
request GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
request GET https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
request GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
request GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
request GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
API: NtAllocateVirtualMemory
Arguments:
  process_identifier: 2116
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x01f70000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

API: NtAllocateVirtualMemory
Arguments:
  process_identifier: 2280
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x004e0000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0
description AdobeART.exe tried to sleep 215 seconds, actually delayed analysis time by 215 seconds
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe
domain docs.google.com
file C:\Program Files (x86)\Mozilla Thunderbird\pingsender.exe
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\OLicenseHeartbeat.exe
file C:\Program Files (x86)\Hnc\HncUtils\HncUpdate.exe
file C:\Program Files (x86)\Microsoft Office\Office15\ACCICONS.EXE
file C:\Program Files (x86)\Mozilla Thunderbird\plugin-container.exe
file C:\Program Files (x86)\Microsoft Office\Office15\PDFREFLOW.EXE
file C:\util\curl\curl.exe
file C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
file C:\Program Files (x86)\Microsoft Office\Office15\WORDICON.EXE
file C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe
file C:\Program Files (x86)\Google\Update\1.3.36.101\GoogleUpdate.exe
file C:\Program Files (x86)\Microsoft Office\Office15\GROOVE.EXE
file C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
file C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssvagent.exe
file C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
file C:\Program Files (x86)\Google\Update\1.3.36.101\GoogleUpdateBroker.exe
file C:\Windows\svchost.com
file C:\Python27\Scripts\easy_install.exe
file C:\MSOCache\All Users\{91150000-0011-0000-0000-0000000FF1CE}-C\ose.exe
file C:\ProgramData\Oracle\Java\javapath\java.exe
file C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.102\GoogleUpdateSetup.exe
file C:\Program Files (x86)\Microsoft Office\Office15\CNFNOT32.EXE
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\MSOICONS.EXE
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\Office Setup Controller\ODeploy.exe
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\LICLUA.EXE
file C:\Program Files (x86)\Google\Update\1.3.36.101\GoogleCrashHandler64.exe
file C:\Program Files (x86)\Hnc\Common80\HimTrayIcon.exe
file C:\Program Files (x86)\Java\jre1.8.0_131\bin\unpack200.exe
file C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE
file C:\Program Files (x86)\Hnc\Hwp80\HwpFinder.exe
file C:\Program Files (x86)\Hnc\HncUtils\HncInfo.exe
file C:\Program Files (x86)\EditPlus\editplus.exe
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\CSISYNCCLIENT.EXE
file C:\Program Files (x86)\Microsoft Office\Office15\DCF\DATABASECOMPARE.EXE
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\t64.exe
file C:\MSOCache\All Users\{91150000-0011-0000-0000-0000000FF1CE}-C\setup.exe
file C:\Program Files (x86)\Hnc\Hwp80\HwpPrnMng.exe
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe
file C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe
file C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\FLTLDR.EXE
file C:\Program Files (x86)\Common Files\Adobe\__ARM\1.0\AdobeARM.exe
file C:\Program Files (x86)\Mozilla Thunderbird\minidump-analyzer.exe
file C:\Program Files (x86)\Google\Update\Install\{9946EF02-26CF-4F0D-BC28-8677420F30DD}\GoogleUpdateSetup.exe
file C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
file C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
file C:\Program Files (x86)\Mozilla Thunderbird\crashreporter.exe
file C:\Program Files (x86)\Microsoft Office\Office15\OcPubMgr.exe
file C:\Program Files (x86)\Microsoft Office\Office15\misc.exe
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\Office Setup Controller\Setup.exe
cmdline "C:\Windows\svchost.com" "C:\Users\test22\AppData\Roaming\AdobeART.exe"
domain www.dropbox.com
file C:\Users\test22\AppData\Local\Temp\3582-490\Build.exe
file C:\Users\test22\AppData\Local\Temp\._cache_Build.exe
file C:\Windows\svchost.com
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe
API: ShellExecuteExW
Arguments:
  show_type: 0
  filepath_r: C:\Users\test22\AppData\Roaming\AdobeART.exe
  parameters:
  filepath: C:\Users\test22\AppData\Roaming\AdobeART.exe
Status: 1  Return: 1  Repeated: 0
host 45.141.26.232
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default) reg_value C:\Windows\svchost.com "%1" %*
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? reg_value C:\ProgramData\Synaptics\Synaptics.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART reg_value C:\Users\test22\AppData\Roaming\AdobeART.exe
mutex IPKMutex
API: SetWindowsHookExA
Arguments:
  thread_identifier: 0
  callback_function: 0x02233540
  hook_identifier: 2 (WH_KEYBOARD)
  module_address: 0x02230000
Status: 1  Return: 196909  Repeated: 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
process Synaptics.exe useragent MyApp
process Synaptics.exe useragent Synaptics.exe
Bkav W32.HanGu.PE
Lionic Virus.Win32.Neshta.tntj
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
CAT-QuickHeal W32.Neshta.B
Skyhigh BehavesLike.Win32.HLLP.ch
ALYac Win32.Nestha.C
Cylance Unsafe
VIPRE Win32.Nestha.C
Sangfor Virus.Win32.Neshta.a
K7AntiVirus Virus ( 00556e571 )
BitDefender Win32.Nestha.C
K7GW Virus ( 00556e571 )
Cybereason malicious.674c67
Arcabit Win32.Nestha.C
Baidu Win32.Virus.Neshta.a
Symantec W32.Neshuta
tehtris Generic.Malware
ESET-NOD32 Win32/Neshta.B
APEX Malicious
McAfee W32/HLLP.41472
Avast Other:Malware-gen [Trj]
ClamAV Win.Trojan.Emotet-9850453-0
Kaspersky Virus.Win32.Neshta.b
Alibaba Virus:Win32/Neshta.3bb
NANO-Antivirus Virus.Win32.Neshta.fnxshx
MicroWorld-eScan Win32.Nestha.C
Rising Virus.Synaptics!1.E51C (CLASSIC)
Emsisoft Win32.Nestha.C (B)
F-Secure Trojan:W97M/MaliciousMacro.GEN
DrWeb Win32.HLLP.Neshta
Zillya Virus.Neshta.Win32.2
TrendMicro PE_NESHTA.A
McAfeeD Real Protect-LS!2F6F4F9674C6
Trapmine malicious.high.ml.score
FireEye Generic.mg.2f6f4f9674c6721b
Sophos W32/Neshta-D
Ikarus Virus.Win32.Neshta
Jiangmin Virus.Neshta.b
Webroot W32.Virus.B
Google Detected
Avira W32/Delf.I
MAX malware (ai score=86)
Antiy-AVL Virus/Win32.Neshta.b
Kingsoft Win32.Neshta.a.41472
Gridinsoft Trojan.Win32.Gen.tr
Xcitium Win32.Neshta.B@3z07
Microsoft Virus:Win32/Neshta.B
ViRobot Win32.Neshta.Gen.A
ZoneAlarm Virus.Win32.Neshta.b
dead_host 192.168.56.103:49193
dead_host 192.168.56.103:49181
dead_host 192.168.56.103:49190
dead_host 192.168.56.103:49167
dead_host 45.141.26.232:1337
dead_host 192.168.56.103:49191
dead_host 192.168.56.103:49194
dead_host 192.168.56.103:49182
dead_host 192.168.56.103:49187
dead_host 192.168.56.103:49188
dead_host 192.168.56.103:49195
dead_host 192.168.56.103:49183
dead_host 192.168.56.103:49184
dead_host 192.168.56.103:49172
dead_host 192.168.56.103:49196
dead_host 192.168.56.103:49189
dead_host 192.168.56.103:49192
dead_host 192.168.56.103:49180
dead_host 192.168.56.103:49185
dead_host 192.168.56.103:49173