Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 8, 2024, 4:55 p.m.	Nov. 8, 2024, 5:01 p.m.

Size	328.9KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2cca969570717a0af4f2531eb69cc7c9`
SHA256	`a9971d2f3b8c1611723938a3ea6578c27f31049d3297e607cf0ee6927a4a26c7`
CRC32	`E408491E`
ssdeep	`6144:k9Qc2liXmrLxcdRDLiH1vVRGVOhMp421/7YQxhWK87:BcvgLARDI1KIOzOl`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file IsPE32 - (no description) mzp_file_format - MZP(Delphi) file format

dxwebsetup.exe "C:\Users\test22\AppData\Local\Temp\dxwebsetup.exe"
2056
- dxwebsetup.exe "C:\Users\test22\AppData\Local\Temp\3582-490\dxwebsetup.exe"
  2140
  - dxwsetup.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    2188
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
download.microsoft.com		23.207.40.161

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 8, 2024, 4:55 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 8, 2024, 4:55 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:55 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:55 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:55 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:55 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:55 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:55 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:55 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ef1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:55 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:55 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:55 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:55 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:55 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73191000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:55 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741d1000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (7 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Nov. 8, 2024, 4:55 p.m.	number_of_free_clusters: 2425002 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2024, 4:55 p.m.	number_of_free_clusters: 2425002 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2024, 4:55 p.m.	number_of_free_clusters: 2421958 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2024, 4:55 p.m.	number_of_free_clusters: 2421958 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2024, 4:55 p.m.	number_of_free_clusters: 2421958 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2024, 4:55 p.m.	number_of_free_clusters: 2421958 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2024, 4:55 p.m.	number_of_free_clusters: 2421958 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe

Creates executable files on the filesystem (50 out of 197 events)

file	C:\Program Files (x86)\Mozilla Thunderbird\pingsender.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\OLicenseHeartbeat.exe
file	C:\Program Files (x86)\Hnc\HncUtils\HncUpdate.exe
file	C:\Program Files (x86)\Microsoft Office\Office15\ACCICONS.EXE
file	C:\Program Files (x86)\Mozilla Thunderbird\plugin-container.exe
file	C:\Program Files (x86)\Microsoft Office\Office15\PDFREFLOW.EXE
file	C:\util\curl\curl.exe
file	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
file	C:\Program Files (x86)\Microsoft Office\Office15\WORDICON.EXE
file	C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe
file	C:\Program Files (x86)\Google\Update\1.3.36.101\GoogleUpdate.exe
file	C:\Program Files (x86)\Microsoft Office\Office15\GROOVE.EXE
file	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
file	C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssvagent.exe
file	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
file	C:\Program Files (x86)\Google\Update\1.3.36.101\GoogleUpdateBroker.exe
file	C:\Windows\svchost.com
file	C:\Python27\Scripts\easy_install.exe
file	C:\MSOCache\All Users\{91150000-0011-0000-0000-0000000FF1CE}-C\ose.exe
file	C:\ProgramData\Oracle\Java\javapath\java.exe
file	C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.102\GoogleUpdateSetup.exe
file	C:\Program Files (x86)\Microsoft Office\Office15\CNFNOT32.EXE
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\MSOICONS.EXE
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\Office Setup Controller\ODeploy.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\LICLUA.EXE
file	C:\Program Files (x86)\Google\Update\1.3.36.101\GoogleCrashHandler64.exe
file	C:\Program Files (x86)\Hnc\Common80\HimTrayIcon.exe
file	C:\Program Files (x86)\Java\jre1.8.0_131\bin\unpack200.exe
file	C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE
file	C:\Program Files (x86)\Hnc\Hwp80\HwpFinder.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\dsetup.dll
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\dsetup32.dll
file	C:\Program Files (x86)\Hnc\HncUtils\HncInfo.exe
file	C:\Program Files (x86)\EditPlus\editplus.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\CSISYNCCLIENT.EXE
file	C:\Program Files (x86)\Microsoft Office\Office15\DCF\DATABASECOMPARE.EXE
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\t64.exe
file	C:\MSOCache\All Users\{91150000-0011-0000-0000-0000000FF1CE}-C\setup.exe
file	C:\Program Files (x86)\Hnc\Hwp80\HwpPrnMng.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe
file	C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe
file	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\FLTLDR.EXE
file	C:\Program Files (x86)\Common Files\Adobe\__ARM\1.0\AdobeARM.exe
file	C:\Program Files (x86)\Mozilla Thunderbird\minidump-analyzer.exe
file	C:\Program Files (x86)\Google\Update\Install\{9946EF02-26CF-4F0D-BC28-8677420F30DD}\GoogleUpdateSetup.exe
file	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
file	C:\Program Files (x86)\Mozilla Thunderbird\crashreporter.exe
file	C:\Program Files (x86)\Microsoft Office\Office15\OcPubMgr.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\3582-490\dxwebsetup.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\3582-490\dxwebsetup.exe
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)				reg_value	C:\Windows\svchost.com "%1" %*
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0				reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"

File has been identified by 66 AntiVirus engines on VirusTotal as malicious (50 out of 66 events)

Bkav	W32.NeshtaB.PE
Lionic	Virus.Win32.Neshta.n!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	W32.Neshta.C8
Skyhigh	BehavesLike.Win32.HLLP.fc
ALYac	Gen:Variant.Ransom.Venus.15
Cylance	Unsafe
VIPRE	Gen:Variant.Ransom.Venus.15
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Ransom.Venus.15
K7GW	Virus ( 00556e571 )
K7AntiVirus	Virus ( 00556e571 )
Arcabit	Trojan.Ransom.Venus.15
Baidu	Win32.Virus.Neshta.a
VirIT	Win32.Delf.FE
Symantec	W32.Neshuta
Elastic	Windows.Virus.Neshta
ESET-NOD32	Win32/Neshta.A
APEX	Malicious
Avast	Win32:Apanas [Trj]
ClamAV	Win.Trojan.Neshuta-1
Kaspersky	Virus.Win32.Neshta.a
Alibaba	Virus:Win32/Neshta.3bb
NANO-Antivirus	Trojan.Win32.Winlock.fmobyw
MicroWorld-eScan	Gen:Variant.Ransom.Venus.15
Rising	Virus.Neshta!1.EFA5 (CLASSIC)
Emsisoft	Gen:Variant.Ransom.Venus.15 (B)
F-Secure	Malware.W32/Neshta.A
DrWeb	Win32.HLLP.Neshta
Zillya	Virus.Neshta.Win32.1
TrendMicro	PE_NESHTA.A
McAfeeD	Real Protect-LS!2CCA96957071
Trapmine	malicious.high.ml.score
CTX	exe.ransomware.venus
Sophos	W32/Neshta-D
Ikarus	Virus.Win32.Renamer
FireEye	Generic.mg.2cca969570717a0a
Jiangmin	Virus.Neshta.a
Google	Detected
Avira	W32/Neshta.A
Antiy-AVL	Virus/Win32.Neshta.a
Kingsoft	Win32.Neshta.nl.30720
Gridinsoft	Virus.Neshta.A.sd!yf
Xcitium	Win32.Neshta.A@3ypg
Microsoft	Virus:Win32/Neshta.A
ViRobot	Win32.Neshta.Gen.A
ZoneAlarm	Virus.Win32.Neshta.a
GData	Win32.Virus.Neshta.D
Varist	W32/Neshta.OBIX-2981
AhnLab-V3	Win32/Neshta.Gen

dxwebsetup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All