Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 18, 2024, 10 a.m.	Aug. 18, 2024, 10:02 a.m.

Size	9.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`23b9be57494e761584989265e5a2dcf3`
SHA256	`a850a227bc2a1de83c1afd170b1ac9b322270b3cbe3f87c9ef7b9e9cc5438024`
CRC32	`3A768F12`
ssdeep	`196608:+ijFL8Ogee3Kc66MUgGSqgIMQSXMWZ9AjnK6c/IT:bjFL8OgeeaqMo5gIMQcZg/cw`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

L3250_L3251_Lite_LA.exe "C:\Users\test22\AppData\Local\Temp\L3250_L3251_Lite_LA.exe"
3024
- L3250_L3251_Lite_LA.tmp "C:\Users\test22\AppData\Local\Temp\is-FSBI7.tmp\L3250_L3251_Lite_LA.tmp" /SL5="$2016C,9527528,410624,C:\Users\test22\AppData\Local\Temp\L3250_L3251_Lite_LA.exe"
  964
  - InstallNavi.exe "C:\Users\test22\AppData\Local\Temp\L3250\InstallNavi.exe"
    2528
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
download.ebz.epson.net	CNAME download.ebz.epson.net.edgekey.net A 104.94.216.97 CNAME e3374.b.akamaiedge.net	23.210.36.144
files.support.epson.com	A 45.60.49.158 CNAME zqn4hyf.ng.impervadns.net	45.60.49.158
plg3-research.epson.biz	A 54.192.175.13 A 54.192.175.50 A 54.192.175.24 CNAME d1slnbwr5asbp5.cloudfront.net A 54.192.175.72	54.192.175.72

IP Address	Status	Action
104.94.216.97	Active	Moloch
164.124.101.2	Active	Moloch
45.60.49.158	Active	Moloch
54.192.175.24	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 45.60.49.158:443 -> 192.168.56.102:49181	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49179 -> 45.60.49.158:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49180 -> 45.60.49.158:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:62846 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
TCP 192.168.56.102:49175 -> 104.94.216.97:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49178 -> 54.192.175.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49175 104.94.216.97:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=JP, ST=Nagano, L=Suwa-shi, O=SEIKO EPSON Corporation, CN=download2.ebz.epson.net	5f:21:3f:89:09:9a:3e:94:64:f2:15:11:4b:cf:84:f8:88:26:07:a1
TLSv1 192.168.56.102:49178 54.192.175.24:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust TLS RSA CA G1	C=JP, ST=Nagano, L=Suwa-Shi, O=SEIKO EPSON CORPORATION, CN=*.epson.biz	0c:c6:28:da:67:4b:c2:71:6d:e2:61:72:7d:82:d0:77:ea:bf:20:af

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 18, 2024, 10 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 18, 2024, 10 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 18, 2024, 10 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://download.ebz.epson.net/dsc/du/01/DriverUpdateInfo?PR=SW&CTI=61&LG2=E2

Performs some HTTP requests (1 event)

request

GET https://download.ebz.epson.net/dsc/du/01/DriverUpdateInfo?PR=SW&CTI=61&LG2=E2

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 18, 2024, 10 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 10 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 69632 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 10 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 339968 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 10 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ed2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 10 a.m.	process_identifier: 964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ed2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 10 a.m.	process_identifier: 964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 10 a.m.	process_identifier: 964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c13000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 10:01 a.m.	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ed2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 10:01 a.m.	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c13000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 10:01 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000007330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-FSBI7.tmp\L3250_L3251_Lite_LA.tmp

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 18, 2024, 10:01 a.m.	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

Queries for potentially installed applications (2 events)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW Aug. 18, 2024, 10 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\DBA50161-DF30-4E39-A9C2-2C80A649890D_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\DBA50161-DF30-4E39-A9C2-2C80A649890D_is1		2	0
RegOpenKeyExW Aug. 18, 2024, 10 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\DBA50161-DF30-4E39-A9C2-2C80A649890D_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DBA50161-DF30-4E39-A9C2-2C80A649890D_is1		2	0

Network activity contains more than one unique useragent (2 events)

process	InstallNavi.exe				useragent
process	InstallNavi.exe				useragent	Install Navi

L3250_L3251_Lite_LA.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All