Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 18, 2024, 2:11 p.m.	Aug. 18, 2024, 2:15 p.m.

Size	9.7MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`544fb98f86fbbbfe6adc50a62772df10`
SHA256	`bbda63aecb68285514b2bfc91b843c2d17c1d71abc3bcf10c1902599f84bf0d7`
CRC32	`35E73691`
ssdeep	`196608:GrmtKFPLrGbAeZpyeW2idrsvA0qltC0R/6L0:GSOPvG8eZpyh28svWc0t6I`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

Images.exe "C:\Users\test22\AppData\Local\Temp\Images.exe"
1932
x0x.exe C:\Users\test22\AppData\Local\Temp\x0x.exe x -p148ifdh8ajAHAjaa -o+ C:\Users\test22\AppData\Local\Temp\mpc.part01.rar C:\Users\test22\AppData\Local\Temp
2596
mpc.exe C:\Users\test22\AppData\Local\Temp\mpc.exe
2676
- mpc.exe "C:\Users\test22\AppData\Local\Temp\ckz_OE8R\mpc.exe"
  2752
  - mpc.exe "C:\Users\test22\AppData\Local\Temp\ckz_OE8R\mpc.exe"
    2908
    - cmd.exe cmd.exe /c copy /y mpc\41678903251236549780 mpc\mpc.exe
      2980

Name	Response	Post-Analysis Lookup
raw.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.109.133
github.com	A 20.200.245.247	20.200.245.247
www.heyderw.de	A 92.205.208.182	92.205.208.182

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.199.109.133	Active	Moloch
20.200.245.247	Active	Moloch
92.205.208.182	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49195 -> 92.205.208.182:80	2013031	ET POLICY Python-urllib/ Suspicious User Agent	Attempted Information Leak

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49164 20.200.245.247:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=github.com	e7:03:5b:cc:1c:18:77:1f:79:2f:90:86:6b:6c:1d:f8:df:aa:bd:c0
TLS 1.2 192.168.56.103:49165 185.199.109.133:443	C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=*.github.io	97:d8:c5:70:0f:12:24:6c:88:bc:fa:06:7e:8c:a7:4d:a8:62:67:28
TLS 1.2 192.168.56.103:49166 20.200.245.247:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=github.com	e7:03:5b:cc:1c:18:77:1f:79:2f:90:86:6b:6c:1d:f8:df:aa:bd:c0
TLS 1.2 192.168.56.103:49167 185.199.109.133:443	C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=*.github.io	97:d8:c5:70:0f:12:24:6c:88:bc:fa:06:7e:8c:a7:4d:a8:62:67:28
TLS 1.2 192.168.56.103:49169 185.199.109.133:443	C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=*.github.io	97:d8:c5:70:0f:12:24:6c:88:bc:fa:06:7e:8c:a7:4d:a8:62:67:28
TLS 1.2 192.168.56.103:49168 20.200.245.247:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=github.com	e7:03:5b:cc:1c:18:77:1f:79:2f:90:86:6b:6c:1d:f8:df:aa:bd:c0

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 18, 2024, 2:13 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 18, 2024, 2:13 p.m.			0	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 18, 2024, 2:13 p.m.	buffer: RAR 5.91 x86 Copyright (c) 1993-2020 Alexander Roshal 25 Giu 2020 Traduzione in italiano: Andrea Baitelli console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2024, 2:13 p.m.	buffer: Versione in prova Digita 'rar -?' per una guida console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2024, 2:13 p.m.	buffer: Estrazione da C:\Users\test22\AppData\Local\Temp\mpc.part01.rar console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2024, 2:13 p.m.	buffer: Estrazione C:\Users\test22\AppData\Local\Temp\mpc.exe console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2024, 2:13 p.m.	buffer: Estrazione da C:\Users\test22\AppData\Local\Temp\mpc.part02.rar console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2024, 2:13 p.m.	buffer: ... mpc.exe console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2024, 2:13 p.m.	buffer: OK console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2024, 2:13 p.m.	buffer: Tutto regolare console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2024, 2:13 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 18, 2024, 2:13 p.m.		1	1	0

Performs some HTTP requests (1 event)

request

GET http://www.heyderw.de/gpg/mpc-us.php

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 18, 2024, 2:13 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x22420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (16 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI27522\mfc90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\mfc90u.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\msvcm90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\mfcm90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI19322\msvcr90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\mfcm90u.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI19322\python27.dll
file	C:\Users\test22\AppData\Local\Temp\mpc.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\msvcp90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\pywintypes27.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\pythoncom27.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI19322\msvcm90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\python27.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI19322\msvcp90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\msvcr90.dll
file	C:\Users\test22\AppData\Local\Temp\ckz_OE8R\mpc.exe

Creates a suspicious process (1 event)

cmdline

cmd.exe /c copy /y mpc\41678903251236549780 mpc\mpc.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\ckz_OE8R\mpc.exe

Drops an executable to the user AppData folder (26 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI19322\bz2.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI19322\_ssl.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\win32ui.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\unicodedata.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\mfc90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\win32event.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI19322\python27.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI19322\_ctypes.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\mfcm90u.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\pythoncom27.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\win32process.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\_win32sysloader.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\pywintypes27.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\win32api.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\mfc90u.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI19322\select.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\_hashlib.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\msvcm90.dll
file	C:\Users\test22\AppData\Local\Temp\mpc.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI19322\msvcp90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\mfcm90.dll
file	C:\Users\test22\AppData\Local\Temp\x0x.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\win32trace.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI27522\_socket.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI19322\msvcr90.dll
file	C:\Users\test22\AppData\Local\Temp\ckz_OE8R\mpc.exe

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00005200', u'virtual_address': u'0x0000c000', u'entropy': 6.940294876766253, u'name': u'.rdata', u'virtual_size': u'0x00005008'}

entropy

6.94029487677

description

A section with a high entropy has been found

Potentially malicious URLs were found in the process memory dump (15 events)

url	http://s.symcb.com/universal-root.crl0
url	http://s2.symcb.com0
url	https://d.symcb.com/cps0%
url	http://sv.symcb.com/sv.crt0
url	http://ts-ocsp.ws.symantec.com0
url	http://sv.symcb.com/sv.crl0a
url	http://s.symcd.com06
url	http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
url	http://sv.symcd.com0
url	http://www.symauth.com/rpa00
url	http://s1.symcb.com/pca3-g5.crl0
url	http://www.symauth.com/cps0(
url	https://d.symcb.com/rpa0.
url	https://d.symcb.com/rpa0
url	http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0

Yara rule detected in process memory (1 event)

description

Checks if being debugged

rule

anti_dbg

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
file	C:\Program Files (x86)\Malwarebytes\Anti-Malware\mbam.exe

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

reg_value

explorer.exe,"C:\ProgramData\Samsung\svdhost.exe","C:\Users\test22\AppData\Roaming\Fsdisk\Moderax\svdhost.exe","C:\Users\test22\AppData\Roaming\Alexa\Virtual\hostcls.exe"

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

Cylance	Unsafe
Sangfor	Trojan.Win32.Agent.V3yn
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Dropper.Detected-9969224-0
F-Secure	Trojan.TR/Dropper.Gen
FireEye	Generic.mg.544fb98f86fbbbfe
Sophos	Generic Reputation PUA (PUA)
Google	Detected
Avira	TR/Dropper.Gen
Microsoft	Trojan:Win32/Wacatac.B!ml
BitDefenderTheta	Gen:NN.ZexaF.36812.@J3@aKsopjyi
DeepInstinct	MALICIOUS
AVG	Win32:Malware-gen

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2676 resumed a thread in remote process 2752
NtResumeThread Aug. 18, 2024, 2:13 p.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2752	1	0	0

Images.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All