Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 2, 2025, 2:45 a.m.	May 2, 2025, 2:47 a.m.

Size	753.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`de7945db57ff9c218797e548c11b012b`
SHA256	`9a3afd3e6d8f6de62f47ab28505af4c8b47d9317127851f7450fc79237997fc3`
CRC32	`5CBBFAD7`
ssdeep	`12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ijr:ansJ39LyjbJkQFMhmC+6GD9U`
Yara	PE_Header_Zero - PE File Signature mzp_file_format - MZP(Delphi) file format Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) UPX_Zero - UPX packed file

Synaptics.exe "C:\Users\test22\AppData\Local\Temp\Synaptics.exe"
3012
- Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2208

Name	Response	Post-Analysis Lookup
www.dropbox.com	CNAME www-env.dropbox-dns.com A 162.125.84.18	162.125.84.18
drive.usercontent.google.com	A 142.250.197.1	142.250.206.193
docs.google.com	A 142.250.197.46	172.217.161.238
xred.mooo.com
freedns.afraid.org	A 69.42.215.252	69.42.215.252

IP Address	Status	Action
142.250.197.1	Active	Moloch
142.250.197.46	Active	Moloch
162.125.84.18	Active	Moloch
164.124.101.2	Active	Moloch
69.42.215.252	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49168 -> 142.250.197.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49167 -> 142.250.197.46:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49169 -> 162.125.84.18:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49170 -> 162.125.84.18:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:63709 -> 164.124.101.2:53	2015633	ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49168 142.250.197.1:443	C=US, O=Google Trust Services, CN=WE2	CN=*.usercontent.google.com	e2:75:33:38:ea:c5:6b:07:01:99:0c:e5:64:b0:63:79:cc:b5:d4:83
TLSv1 192.168.56.102:49167 142.250.197.46:443	C=US, O=Google Trust Services, CN=WE2	CN=*.google.com	67:52:2f:ab:93:de:39:da:94:50:11:ae:8b:37:cb:88:8f:dc:56:7d

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 2, 2025, 2:45 a.m.	computer_name: TEST22-PC	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ May 2, 2025, 2:45 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x959fc @ 0x4959fc BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 58392028 registers.edi: 58392216 registers.eax: 58392028 registers.ebp: 58392108 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11001 registers.ecx: 7	1
__exception__ May 2, 2025, 2:45 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x95a83 @ 0x495a83 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 58389840 registers.edi: 58390028 registers.eax: 58389840 registers.ebp: 58389920 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11004 registers.ecx: 7	1
__exception__ May 2, 2025, 2:45 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x95b0a @ 0x495b0a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 58387652 registers.edi: 58387840 registers.eax: 58387652 registers.ebp: 58387732 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11001 registers.ecx: 7	1

Connects to a Dynamic DNS Domain (1 event)

domain

xred.mooo.com

Performs some HTTP requests (5 events)

request	GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
request	GET https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
request	GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
request	GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
request	GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 2, 2025, 2:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2025, 2:45 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74262000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 2:45 a.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2025, 2:45 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74472000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (11 events)

name

RT_ICON

language

LANG_TURKISH

filetype

dBase IV DBT of @.DBF, block length 8192, next free block index 40

sublanguage

SUBLANG_DEFAULT

offset

0x000b39b8

size

0x000010a8

name

RT_ICON

language

LANG_TURKISH

filetype

dBase IV DBT of @.DBF, block length 8192, next free block index 40

sublanguage

SUBLANG_DEFAULT

offset

0x000b39b8

size

0x000010a8

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x000bd178

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x000bd178

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x000bd178

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x000bd178

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x000bd178

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x000bd178

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x000bd178

size

0x000047d3

name

RT_GROUP_ICON

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x000c19d8

size

0x00000014

name

RT_VERSION

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x000c19ec

size

0x00000304

Downloads a file or document from Google Drive (1 event)

domain

docs.google.com

Creates executable files on the filesystem (1 event)

file	C:\ProgramData\Synaptics\Synaptics.dll

Looks up the Dropbox cloud service (1 event)

domain

www.dropbox.com

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver

reg_value

C:\ProgramData\Synaptics\Synaptics.exe

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA May 2, 2025, 2:45 a.m.	thread_identifier: 0 callback_function: 0x037b3540 hook_identifier: 2 (WH_KEYBOARD) module_address: 0x037b0000	1	197105	0

Network activity contains more than one unique useragent (2 events)

process	Synaptics.exe				useragent	MyApp
process	Synaptics.exe				useragent	Synaptics.exe

Synaptics.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All