Report - ZeroBOX

ScreenShot

Info
Location map


Created	2021.04.26 09:24	Machine	s1_win7_x6402
Filename	apps.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score	13	Behavior Score	6.4
ZERO API	file : clean
VT API (file)	14 detected (Unsafe, Attribute, HighConfidence, Malicious, Generic ML PUA, Static AI, Suspicious PE, Score, Zpevdo, confidence, QVM11)
md5	cd155fbcc108d054d747ab4514f3cfd6
sha256	d52768831871c36f7e5a53dcfe3bd299f1a043b9bb09b8aa8073f6e60cec75e5
ssdeep	24576:zv7zplhCeHeesjmw/oOfCSvpj2GlYIAUVdtJQuVWKuTJL/6RejQ5dYGV4:vzJjSjmwgoCSblYYVdQoW1T16pdYGV
imphash	f17e72f0fc16396d7f07b856795dc64e
impfuzzy	6:dBJAEHGDzyRlbRmVOZ/EwgtTJuVM4PIKHGgZdj3EQbBnaMBaMyyTc5hEWSXmJJcn:VA/DzqYOZ9gt34gfgZJ3E8yITQhrSX+O

Network IP location

Signature (15cnts)

Level	Description
watch	Communicates with host for which no DNS query was performed
watch	File has been identified by 14 AntiVirus engines on VirusTotal as malicious
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	An application raised an exception which may be indicative of an exploit crash
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Creates executable files on the filesystem
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	The binary likely contains encrypted or compressed data indicative of a packer
notice	The executable is compressed using UPX
notice	Uses Windows utilities for basic Windows functionality
notice	Yara rule detected in process memory
info	One or more processes crashed

Rules (20cnts)

Level	Name	Description	Collection
watch	UPX_Zero	UPX packed file	binaries (upload)
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	GIF_Format_Zero	GIF Format	binaries (download)
info	IsPE32	(no description)	binaries (upload)
info	PE_Header_Zero	PE File Signature Zero	binaries (upload)
info	PNG_Format_Zero	PNG Format	binaries (download)
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory
info	IsPacked	Entropy Check	binaries (upload)
info	IsWindowsGUI	(no description)	binaries (upload)
info	Microsoft_Office_Document_Zero	Microsoft Office Document Signature Zero	binaries (download)
info	screenshot	Take screenshot	binaries (upload)
info	win_files_operation	Affect private profile	memory
info	win_registry	Affect system registries	memory
info	win_token	Affect system token	memory

Network (62cnts) ?

Request	ASN Co	IP4	ZERO ?
https://exws.ru/css/themify-icons.css whois	CLOUDFLARENET	104.21.55.21	clean
https://fonts.googleapis.com/css?family=Open+Sans:300,400,600%7CPoppins:300,400,500,600&subset=cyrillic whois	GOOGLE	142.250.204.42	clean
https://exws.ru/downloads/js/vendor/isotope.pkgd.min.js whois	CLOUDFLARENET	104.21.55.21	clean
https://exws.ru/downloads/js/main.js whois	CLOUDFLARENET	104.21.55.21	clean
https://exws.ru/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js whois	CLOUDFLARENET	104.21.55.21	clean
https://mc.yandex.ru/watch/36586115/1?callback=_ymjsp776041626&page-url=https%3A%2F%2Fexws.ru%2Fdownloads%2Fusercp.php%3Fmsg%3D%C3%90%C2%A2%C3%91%E2%82%AC%C3%90%C2%B5%C3%90%C2%B1%C3%91%C6%92%C3%90%C2%B5%C3%91%E2%80%9A%C3%91%C2%81%C3%91%C2%8F%2520%C3%90%C2 whois	YANDEX LLC	87.250.250.119	clean
https://exws.ru/downloads/js/jquery.ajaxchimp.min.js whois	CLOUDFLARENET	104.21.55.21	clean
https://exws.ru/images/logotype/logo-white.png whois	CLOUDFLARENET	104.21.55.21	clean
https://mc.yandex.ru/metrika/advert.gif whois	YANDEX LLC	87.250.250.119	clean
https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UNirkOVuhv.woff whois	GOOGLE	216.58.220.195	clean
https://exws.ru/downloads/ whois	CLOUDFLARENET	104.21.55.21	clean
https://exws.ru/images/logotype/logo-dark.png whois	CLOUDFLARENET	104.21.55.21	clean
https://fonts.gstatic.com/s/poppins/v15/pxiByp8kv8JHgFVrLDz8Z1xlEw.woff whois	GOOGLE	216.58.220.195	clean
https://exws.ru/downloads/js/vendor/jquery-2.2.0.min.js whois	CLOUDFLARENET	104.21.55.21	clean
https://exws.ru/favicon.ico whois	CLOUDFLARENET	104.21.55.21	clean
https://use.fontawesome.com/releases/v5.0.6/js/all.js whois	HIGHWINDS2	23.111.9.35	clean
https://fonts.gstatic.com/s/opensans/v18/mem8YaGs126MiZpBA-UFUZ0d.woff whois	GOOGLE	216.58.220.195	clean
https://exws.ru/downloads/js/style.changer.js whois	CLOUDFLARENET	104.21.55.21	clean
https://exws.ru/css/sparkicons.css whois	CLOUDFLARENET	104.21.55.21	clean
https://exws.ru/downloads/js/placeholder.js whois	CLOUDFLARENET	104.21.55.21	clean
https://mc.yandex.ru/watch/36586115?callback=_ymjsp696528223&page-url=https%3A%2F%2Fexws.ru%2Fdownloads%2Fusercp.php%3Fmsg%3D%C3%90%C2%A2%C3%91%E2%82%AC%C3%90%C2%B5%C3%90%C2%B1%C3%91%C6%92%C3%90%C2%B5%C3%91%E2%80%9A%C3%91%C2%81%C3%91%C2%8F%2520%C3%90%C2%B whois	YANDEX LLC	87.250.250.119	clean
https://exws.ru/downloads/templates/default/default.css whois	CLOUDFLARENET	104.21.55.21	clean
https://exws.ru/css/et-line.css whois	CLOUDFLARENET	104.21.55.21	clean
https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN_r8OVuhv.woff whois	GOOGLE	216.58.220.195	clean
https://mc.yandex.ru/watch/36586115?callback=_ymjsp776041626&page-url=https%3A%2F%2Fexws.ru%2Fdownloads%2Fusercp.php%3Fmsg%3D%C3%90%C2%A2%C3%91%E2%82%AC%C3%90%C2%B5%C3%90%C2%B1%C3%91%C6%92%C3%90%C2%B5%C3%91%E2%80%9A%C3%91%C2%81%C3%91%C2%8F%2520%C3%90%C2%B whois	YANDEX LLC	87.250.250.119	clean
https://www.free-kassa.ru/img/fk_btn/16.png whois	CLOUDFLARENET	104.22.18.208	clean
https://fonts.gstatic.com/s/poppins/v15/pxiByp8kv8JHgFVrLEj6Z1xlEw.woff whois	GOOGLE	216.58.220.195	clean
https://exws.ru/downloads/js/jquery.magnific-popup.min.js whois	CLOUDFLARENET	104.21.55.21	clean
https://exws.ru/downloads/usercp.php?msg=Требуется%20авторизация: whois	CLOUDFLARENET	104.21.55.21	clean
https://exws.ru/css/bootstrap.min.css whois	CLOUDFLARENET	104.21.55.21	clean
https://mc.yandex.ru/watch/36586115/1?callback=_ymjsp696528223&page-url=https%3A%2F%2Fexws.ru%2Fdownloads%2Fusercp.php%3Fmsg%3D%C3%90%C2%A2%C3%91%E2%82%AC%C3%90%C2%B5%C3%90%C2%B1%C3%91%C6%92%C3%90%C2%B5%C3%91%E2%80%9A%C3%91%C2%81%C3%91%C2%8F%2520%C3%90%C2 whois	YANDEX LLC	87.250.250.119	clean
https://exws.ru/downloads/js/smoothscroll.js whois	CLOUDFLARENET	104.21.55.21	clean
https://exws.ru/downloads/js/owl.carousel.min.js whois	CLOUDFLARENET	104.21.55.21	clean
https://exws.ru/css/owl.carousel.css whois	CLOUDFLARENET	104.21.55.21	clean
https://mc.yandex.ru/metrika/tag.js whois	YANDEX LLC	87.250.250.119	clean
https://fonts.gstatic.com/s/poppins/v15/pxiEyp8kv8JHgFVrJJfedA.woff whois	GOOGLE	216.58.220.195	clean
https://exws.ru/css/magnific-popup.css whois	CLOUDFLARENET	104.21.55.21	clean
https://exws.ru/css/style.css whois	CLOUDFLARENET	104.21.55.21	clean
https://exws.ru/fonts/sparkicons.eot@wwjpvu whois	CLOUDFLARENET	104.21.55.21	clean
https://exws.ru/images/screen/launcher.png whois	CLOUDFLARENET	104.21.55.21	clean
https://informer.yandex.ru/informer/36586115/3_0_202020FF_000000FF_1_pageviews whois	YANDEX LLC	87.250.251.119	clean
https://exws.ru/downloads/js/plugins.js whois	CLOUDFLARENET	104.21.55.21	clean
https://exws.ru/downloads/login.php whois	CLOUDFLARENET	104.21.55.21	clean
https://www.webmoney.ru/img/icons/88x31_wm_white_blue.png whois	OVH SAS	51.254.201.70	clean
https://fonts.gstatic.com/s/poppins/v15/pxiByp8kv8JHgFVrLGT9Z1xlEw.woff whois	GOOGLE	216.58.220.195	clean
https://exws.ru/fonts/et-line.eot@ whois	CLOUDFLARENET	104.21.55.21	clean
exws.ru whois	CLOUDFLARENET	104.21.55.21	clean
informer.yandex.ru whois	YANDEX LLC	93.158.134.119	clean
fonts.googleapis.com whois	GOOGLE	172.217.26.42	clean
use.fontawesome.com whois	HIGHWINDS2	23.111.9.35	clean
fonts.gstatic.com whois	GOOGLE	216.58.220.131	clean
www.webmoney.ru whois	OVH SAS	145.239.95.188	clean
www.free-kassa.ru whois	CLOUDFLARENET	104.22.18.208	clean
mc.yandex.ru whois	YANDEX LLC	93.158.134.119	clean
23.111.9.35 whois	HIGHWINDS2	23.111.9.35	clean
87.250.250.119 whois	YANDEX LLC	87.250.250.119	clean
104.22.18.208 whois	CLOUDFLARENET	104.22.18.208	clean
87.250.251.119 whois	YANDEX LLC	87.250.251.119	clean
51.254.201.70 whois	OVH SAS	51.254.201.70	clean
142.250.204.42 whois	GOOGLE	142.250.204.42	clean
216.58.220.195 whois	GOOGLE	216.58.220.195	clean
104.21.55.21 whois	CLOUDFLARENET	104.21.55.21	clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
0x8db89c LoadLibraryA
0x8db8a0 GetProcAddress
0x8db8a4 VirtualProtect
0x8db8a8 VirtualAlloc
0x8db8ac VirtualFree
0x8db8b0 ExitProcess
advapi32.dll
0x8db8b8 RegLoadKeyW
comctl32.dll
0x8db8c0 ImageList_Add
gdi32.dll
0x8db8c8 Pie
msvcrt.dll
0x8db8d0 memcpy
netapi32.dll
0x8db8d8 NetWkstaGetInfo
ole32.dll
0x8db8e0 DoDragDrop
oleaut32.dll
0x8db8e8 VariantInit
shell32.dll
0x8db8f0 DragFinish
shlwapi.dll
0x8db8f8 PathIsUNCW
user32.dll
0x8db900 GetDC
version.dll
0x8db908 VerQueryValueW
winhttp.dll
0x8db910 WinHttpOpen
winspool.drv
0x8db918 ClosePrinter

EAT(Export Address Table) is none

Report - apps.exe

Signature (15cnts)

Rules (20cnts)

Network (62cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure