Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 10, 2021, 4:33 p.m.	March 10, 2021, 4:35 p.m.

Size	384.8KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`7882ac43b33bbb9793023b45cc6730ae`
SHA256	`66ba5ddfe4ba8eff18b461334b8e589d64ee3421fe7f5cd9e1c614e3661f70a3`
CRC32	`A16A006B`
ssdeep	`6144:YBlL/XcJ9b0zoZsVjOvLqSCe4D4aqhTsGVM769oNiVbd:qdcvQzo1j9t7T9oy`
Yara	IsPE32 - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check HasRichSignature - Rich Signature Check PE_Header_Zero - PE File Signature Zero escalate_priv - Escalade priviledges screenshot - Take screenshot win_registry - Affect system registries win_token - Affect system token win_private_profile - Affect private profile win_files_operation - Affect private profile

label.exe "C:\Users\test22\AppData\Local\Temp\label.exe"
9068
- label.exe "C:\Users\test22\AppData\Local\Temp\label.exe"
  8052

Name	Response	Post-Analysis Lookup
goryhazel1.duckdns.org	A 31.220.4.216	31.220.4.216

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
31.220.4.216	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:57660 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.102:61459 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 10, 2021, 4:33 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 10, 2021, 4:33 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 10, 2021, 4:33 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Connects to a Dynamic DNS Domain (1 event)

domain

goryhazel1.duckdns.org

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nstFF68.tmp\pzsdnsqgj.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nstFF68.tmp\pzsdnsqgj.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (15 events)

Time & API	Arguments	Status	Return
Process32NextW March 10, 2021, 4:33 p.m.	snapshot_handle: 0x0000020c process_name: SearchIndexer.exe process_identifier: 2548	1	1
Process32NextW March 10, 2021, 4:33 p.m.	snapshot_handle: 0x0000020c process_name: thunderbird.exe process_identifier: 3960	1	1
Process32NextW March 10, 2021, 4:33 p.m.	snapshot_handle: 0x0000020c process_name: pw.exe process_identifier: 5008	1	1
Process32NextW March 10, 2021, 4:33 p.m.	snapshot_handle: 0x0000020c process_name: audiodg.exe process_identifier: 7936	1	1
Process32NextW March 10, 2021, 4:33 p.m.	snapshot_handle: 0x0000020c process_name: splwow64.exe process_identifier: 3928	1	1
Process32NextW March 10, 2021, 4:33 p.m.	snapshot_handle: 0x0000020c process_name: SearchProtocolHost.exe process_identifier: 3816	1	1
Process32NextW March 10, 2021, 4:33 p.m.	snapshot_handle: 0x0000020c process_name: SearchFilterHost.exe process_identifier: 7776	1	1
Process32NextW March 10, 2021, 4:33 p.m.	snapshot_handle: 0x0000020c process_name: mobsync.exe process_identifier: 6504	1	1
Process32NextW March 10, 2021, 4:33 p.m.	snapshot_handle: 0x0000020c process_name: pw.exe process_identifier: 6252	1	1
Process32NextW March 10, 2021, 4:33 p.m.	snapshot_handle: 0x0000020c process_name: taskhost.exe process_identifier: 6856	1	1
Process32NextW March 10, 2021, 4:33 p.m.	snapshot_handle: 0x0000020c process_name: cmd.exe process_identifier: 7564	1	1
Process32NextW March 10, 2021, 4:33 p.m.	snapshot_handle: 0x0000020c process_name: conhost.exe process_identifier: 3272	1	1
Process32NextW March 10, 2021, 4:33 p.m.	snapshot_handle: 0x0000020c process_name: label.exe process_identifier: 9068	1	1
Process32NextW March 10, 2021, 4:33 p.m.	snapshot_handle: 0x0000020c process_name: pw.exe process_identifier: 4656	1	1
Process32NextW March 10, 2021, 4:33 p.m.	snapshot_handle: 0x0000020c process_name: slui.exe process_identifier: 232	1	1

Potentially malicious URLs were found in the process memory dump (50 out of 122 events)

url	http://crl.comodo.net/TrustedCertificateServices.crl0
url	http://users.ocsp.d-trust.net03
url	http://crl.ssc.lt/root-b/cacrl.crl0
url	http://crl.securetrust.com/STCA.crl0
url	http://crl.securetrust.com/SGCA.crl0
url	http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url	http://www.ssc.lt/cps03
url	http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url	http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url	https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url	http://www.pkioverheid.nl/policies/root-policy0
url	http://cps.chambersign.org/cps/chambersroot.html0
url	http://www.e-szigno.hu/SZSZ/0
url	http://www.entrust.net/CRL/Client1.crl0
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	http://crl.comodo.net/AAACertificateServices.crl0
url	http://www.certplus.com/CRL/class3.crl0
url	http://logo.verisign.com/vslogo.gif0
url	http://www.acabogacia.org/doc0
url	http://www.disig.sk/ca/crl/ca_disig.crl0
url	https://www.catcert.net/verarrel
url	http://www.sk.ee/cps/0
url	http://www.quovadis.bm0
url	https://www.catcert.net/verarrel05
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url	http://crl.chambersign.org/chambersroot.crl0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url	http://crl.globalsign.net/root-r2.crl0
url	http://certificates.starfieldtech.com/repository/1604
url	http://www.d-trust.net0
url	http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url	http://crl.ssc.lt/root-a/cacrl.crl0
url	http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url	http://www.certicamara.com/certicamaraca.crl0
url	http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url	http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url	http://www.post.trust.ie/reposit/cps.html0
url	http://qual.ocsp.d-trust.net0
url	http://www2.public-trust.com/crl/ct/ctroot.crl0
url	http://www.certicamara.com0
url	http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url	http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url	http://www.comsign.co.il/cps0
url	http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
url	http://www.microsoft.com/pki/crl/products/TrustListPCA.crl
url	http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
url	http://www.signatur.rtr.at/de/directory/cps.html0
url	http://www.globaltrust.info0

Yara rule detected in process memory (50 out of 95 events)

description	email clients info stealer	rule	infoStealer_emailClients_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Hijack network configuration	rule	hijack_network
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications dyndns network	rule	network_dyndns
description	Communications over Toredo network	rule	network_toredo
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west file	rule	spreading_file
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	browser info stealer	rule	infoStealer_browser_Zero
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	email clients info stealer	rule	infoStealer_emailClients_Zero

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 9068 called NtSetContextThread to modify thread in remote process 8052
NtSetContextThread March 10, 2021, 4:33 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4203565 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000021c process_identifier: 8052	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

31.220.4.216:6504

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Jaik.44437
FireEye	Generic.mg.7882ac43b33bbb97
McAfee	RDN/Generic BackDoor
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 00578bfb1 )
K7GW	Trojan ( 00578bfb1 )
Cybereason	malicious.499e51
Arcabit	Trojan.Jaik.DAD95
Cyren	W32/Injector.AFM.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	FileRepMalware
Kaspersky	HEUR:Backdoor.Win32.NetWiredRC.gen
BitDefender	Gen:Variant.Jaik.44437
Paloalto	generic.ml
AegisLab	Trojan.Win32.NetWiredRC.m!c
Ad-Aware	Gen:Variant.Jaik.44437
F-Secure	Trojan.TR/AD.NetWiredRc.pwiid
McAfee-GW-Edition	BehavesLike.Win32.Dropper.fh
Emsisoft	Gen:Variant.Jaik.44437 (B)
SentinelOne	Static AI - Suspicious PE
ESET-NOD32	a variant of Win32/Injector.EOUM
Avira	TR/AD.NetWiredRc.pwiid
Kingsoft	Win32.Hack.Undef.(kcloud)
Microsoft	Trojan:Win32/SpyNoon.SS!MTB
ZoneAlarm	HEUR:Backdoor.Win32.NetWiredRC.gen
GData	Gen:Variant.Jaik.44437
Cynet	Malicious (score: 85)
AhnLab-V3	Malware/Gen.Reputation.C4361688
MAX	malware (ai score=100)
Malwarebytes	Generic.Malware/Suspicious
Rising	Trojan.Injector!8.C4 (CLOUD)
Fortinet	W32/Injector.EORP!tr
AVG	FileRepMalware
Qihoo-360	Win32/Backdoor.NetWire.HoMASQcA

label.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All