Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 21, 2021, 10:20 a.m.	March 21, 2021, 10:22 a.m.

Size	125.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`9a85e1eccf35e0c2e4f1b4764228e0f9`
SHA256	`7857fb118ea676757804e373d4a743ad661b25e2f0aaef32ced6a68f0131568b`
CRC32	`8D26A037`
ssdeep	`1536:sWVRLqnG1awzieRnGgpO7zzOTuwLvDCLonXIV6cDy7AKS4x8kXTZq9doUg:sgFHiirOnzO6wKtV5+7Znx/XTZqdo`
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsDLL - (no description) IsWindowsGUI - (no description) HasRichSignature - Rich Signature Check

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\22001.dll,DllRegisterServer
112
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\22001.dll,
2076

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 21, 2021, 10:20 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 21, 2021, 10:20 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.code
section	.NewIT

Allocates read-write-execute memory (usually to unpack itself) (12 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 21, 2021, 10:20 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10021000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2021, 10:20 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d71000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:20 a.m.	process_identifier: 112 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2021, 10:20 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 139264 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2021, 10:20 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2021, 10:20 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2021, 10:20 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2021, 10:20 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b94000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2021, 10:20 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2021, 10:20 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2021, 10:20 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ab1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2021, 10:20 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a61000 process_handle: 0xffffffff	1

Yara rule detected in process memory (43 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west file	rule	spreading_file
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Elastic	malicious (high confidence)
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
NANO-Antivirus	Virus.Win32.Gen.ccmw
Sophos	Mal/EncPk-APW
FireEye	Generic.mg.9a85e1eccf35e0c2
SentinelOne	Static AI - Malicious PE
Microsoft	Program:Win32/Wacapew.C!ml
ViRobot	Win32.Patched.CH
Cynet	Malicious (score: 100)
VBA32	BScope.TrojanPSW.Papras
Malwarebytes	Malware.Heuristic.1003
ESET-NOD32	a variant of Win32/Kryptik.HJZU
Rising	Malware.Heuristic!ET#87% (RDMK:cmRtazqihoMwCGyzJOO1bUAe27Cr)
eGambit	Unsafe.AI_Score_94%
BitDefenderTheta	Gen:NN.ZedlaF.34628.hy4@aKtshZp
MaxSecure	Virus.Patched.OM

22001.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All