Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 19, 2024, 2:08 p.m.	Aug. 19, 2024, 3:42 p.m.

Size	777.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`006edf0ac466164ddc9e0ac56474fe0a`
SHA256	`d343ea857cdf97aa0ccfd14970425c6888bd216d36ad7f6255a044bed36a4b2a`
CRC32	`655FDEED`
ssdeep	`24576:aG18MH/r+RAIFqLN7/uW/Nau09jMxrc5N:3aMD+RANBKIJ09j`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

66c1c5838f95f_file1808.exe#fileotr "C:\Users\test22\AppData\Local\Temp\66c1c5838f95f_file1808.exe#fileotr"
932
- 66c1c5838f95f_file1808.exe#fileotr "C:\Users\test22\AppData\Local\Temp\66c1c5838f95f_file1808.exe#fileotr"
  2056
  - icacls.exe icacls "C:\Users\test22\AppData\Local\9418c743-18a7-40b9-9028-1a3647a02b24" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    2240

Name	Response	Post-Analysis Lookup
cajgtus.com	A 201.110.232.60 A 211.202.224.10 A 185.18.245.58 A 183.100.39.16 A 190.187.52.42 A 213.172.74.157 A 78.89.199.216 A 190.156.239.49 A 190.220.21.28 A 187.156.104.194	190.187.52.42
api.2ip.ua	A 104.21.65.24 A 172.67.139.220	172.67.139.220

IP Address	Status	Action
104.21.65.24	Active	Moloch
164.124.101.2	Active	Moloch
183.100.39.16	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49164 -> 104.21.65.24:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 104.21.65.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49170 -> 183.100.39.16:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 183.100.39.16:80	2036334	ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key	A Network Trojan was detected
TCP 183.100.39.16:80 -> 192.168.56.103:49170	2036335	ET MALWARE Win32/Filecoder.STOP Variant Public Key Download	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49164 104.21.65.24:443	C=US, O=Google Trust Services, CN=WE1	CN=2ip.ua	28:d2:72:b5:5a:32:4a:f4:cf:5d:4f:69:77:19:d4:af:98:e8:0a:8b

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 19, 2024, 2:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2024, 2:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2024, 2:08 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 19, 2024, 2:08 p.m.			0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (2 events)

request	GET http://cajgtus.com/test1/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true
request	GET https://api.2ip.ua/geo.json

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 19, 2024, 2:08 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 593920 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:08 p.m.	process_identifier: 932 region_size: 1159168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:08 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Foreign language identified in PE resource (26 events)

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x000cab60

size

0x00000468

name

RT_GROUP_ICON

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x000bf010

size

0x00000076

name

RT_GROUP_ICON

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x000bf010

size

0x00000076

name

RT_GROUP_ICON

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x000bf010

size

0x00000076

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000a4000', u'virtual_address': u'0x00001000', u'entropy': 7.737435826945232, u'name': u'.text', u'virtual_size': u'0x000a3fc9'}

entropy

7.73743582695

description

A section with a high entropy has been found

entropy

0.845360824742

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://www.openssl.org/support/faq.html

Yara rule detected in process memory (16 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 19, 2024, 2:08 p.m.	process_identifier: 2056 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 19, 2024, 2:08 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper

reg_value

"C:\Users\test22\AppData\Local\9418c743-18a7-40b9-9028-1a3647a02b24\66c1c5838f95f_file1808.exe#fileotr" --AutoStart

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 19, 2024, 2:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2056 process_handle: 0x00000080	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 932 called NtSetContextThread to modify thread in remote process 2056
NtSetContextThread Aug. 19, 2024, 2:08 p.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2056	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 932 resumed a thread in remote process 2056
NtResumeThread Aug. 19, 2024, 2:08 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2056	1	0	0

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

icacls "C:\Users\test22\AppData\Local\9418c743-18a7-40b9-9028-1a3647a02b24" /deny *S-1-1-0:(OI)(CI)(DE,DC)

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.Lockbit.bc
Cylance	Unsafe
K7GW	Hacktool ( 700007861 )
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
APEX	Malicious
Avast	PWSX-gen [Trj]
Cynet	Malicious (score: 100)
Rising	Trojan.Kryptik@AI.95 (RDML:nmNzSMq8A/P7ki2v4pXUYw)
McAfeeD	Real Protect-LS!006EDF0AC466
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.006edf0ac466164d
SentinelOne	Static AI - Malicious PE
Google	Detected
Kingsoft	malware.kb.a.1000
Microsoft	Trojan:Win32/Wacatac.B!ml
AhnLab-V3	Trojan/Win.Generic.R658943
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.36812.Wq0@aOEuOijG
DeepInstinct	MALICIOUS
VBA32	BScope.TrojanPSW.Convagent
Ikarus	Trojan.Win32.Azorult
AVG	PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

Executed a process and injected code into it, probably while unpacking (8 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 19, 2024, 2:08 p.m.	thread_identifier: 2060 thread_handle: 0x0000007c process_identifier: 2056 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\66c1c5838f95f_file1808.exe#fileotr track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\66c1c5838f95f_file1808.exe#fileotr" filepath_r: C:\Users\test22\AppData\Local\Temp\66c1c5838f95f_file1808.exe#fileotr stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread Aug. 19, 2024, 2:08 p.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection Aug. 19, 2024, 2:08 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2056 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory Aug. 19, 2024, 2:08 p.m.	process_identifier: 2056 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory Aug. 19, 2024, 2:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2056 process_handle: 0x00000080	1	1
NtSetContextThread Aug. 19, 2024, 2:08 p.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2056	1	0
NtResumeThread Aug. 19, 2024, 2:08 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2056	1	0
CreateProcessInternalW Aug. 19, 2024, 2:08 p.m.	thread_identifier: 2244 thread_handle: 0x0000030c process_identifier: 2240 current_directory: filepath: track: 1 command_line: icacls "C:\Users\test22\AppData\Local\9418c743-18a7-40b9-9028-1a3647a02b24" /deny *S-1-1-0:(OI)(CI)(DE,DC) filepath_r: stack_pivoted: 0 creation_flags: 72 (DETACHED_PROCESS\|IDLE_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000004f4	1	1

66c1c5838f95f_file1808.exe#fileotr

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All