Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 17, 2024, 11:15 p.m.	Aug. 17, 2024, 11:18 p.m.

Size	4.7MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`933612be98b1de1b5fb119a6b30e84db`
SHA256	`c94da0cc33cdaa8e70642330bfaa32ab0ec4b800f2b4cd30316dfff41ef45df2`
CRC32	`41A66955`
ssdeep	`49152:2HIMs0/tVdTQrAtbY++2h+sTRuT0U0pItLc8a2n7s+TTCP0VXbpX5Sl35mjAYRGo:2D/PxQh44P7hTbM`
PDB Path	D:\cpuid2\cpu_z\cpu_z_en_vc2008\x64\Release\cpuz_x64.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer ASPack_Zero - ASPack packed file IsPE64 - (no description) Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

cpuz.exe "C:\Users\test22\AppData\Local\Temp\cpuz.exe"
2652

Name	Response	Post-Analysis Lookup
download.cpuid.com	CNAME cpuz01.cpuid.com A 195.154.81.43	195.154.81.43

IP Address	Status	Action
164.124.101.2	Active	Moloch
195.154.81.43	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49162 -> 195.154.81.43:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 195.154.81.43:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 195.154.81.43:443 -> 192.168.56.101:49166	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 17, 2024, 11:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 17, 2024, 11:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 11:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 11:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 11:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 11:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 11:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 11:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 11:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 11:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 11:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 11:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 11:09 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 17, 2024, 11:08 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

D:\cpuid2\cpu_z\cpu_z_en_vc2008\x64\Release\cpuz_x64.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 17, 2024, 11:08 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

text

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 17, 2024, 11:08 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 11:09 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000054c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 11:09 p.m.	process_identifier: 2652 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000005a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

cpuz.exe tried to sleep 609 seconds, actually delayed analysis time by 609 seconds

Creates a shortcut to an executable file (3 events)

file	C:\Users\test22\Links\Desktop.lnk
file	C:\Users\test22\Links\RecentPlaces.lnk
file	C:\Users\test22\Links\Downloads.lnk

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x001f8400', u'virtual_address': u'0x002c3000', u'entropy': 6.843878428251542, u'name': u'.rsrc', u'virtual_size': u'0x001f82d8'}

entropy

6.84387842825

description

A section with a high entropy has been found

entropy

0.421393502559

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 17, 2024, 11:08 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Aug. 17, 2024, 11:08 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Aug. 17, 2024, 11:08 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 17, 2024, 11:08 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Operates on local firewall's policies and settings (1 event)

registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

Created a service where a service was also not started (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Aug. 17, 2024, 11:08 p.m.	service_start_name: start_type: 3 password: display_name: cpuz159 filepath: C:\Windows\Temp\cpuz159\cpuz159_x64.sys service_name: cpuz159 filepath_r: C:\Windows\temp\cpuz159\cpuz159_x64.sys desired_access: 983551 service_handle: 0x00000000003b6b50 error_control: 1 service_type: 1 service_manager_handle: 0x00000000003b6b20	1	3894096	0
CreateServiceW Aug. 17, 2024, 11:08 p.m.	service_start_name: start_type: 3 password: display_name: cpuz152 filepath: C:\Windows\Temp\cpuz152\cpuz152_x64.sys service_name: cpuz152 filepath_r: C:\Windows\temp\cpuz152\cpuz152_x64.sys desired_access: 983551 service_handle: 0x00000000003b6b50 error_control: 1 service_type: 1 service_manager_handle: 0x00000000003b6c40	1	3894096	0

Queries information on disks, possibly for anti-virtualization (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Aug. 17, 2024, 11:08 p.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x0000000000000438 filepath: \??\PhysicalDrive0 desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 128 (FILE_ATTRIBUTE_NORMAL) filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 1 (FILE_OPENED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0	0
DeviceIoControl Aug. 17, 2024, 11:08 p.m.	input_buffer: @Ë control_code: 2954240 () device_handle: 0x0000000000000438 output_buffer: (§Lu~$ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42566234393262373030372d6533656331322036	1	1	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 17, 2024, 11:08 p.m.	information_class: 76 (SystemFirmwareTableInformation)		-1073741789	0

cpuz.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All