Report - readytunes.png

Malicious Library PE File OS Processor Check PE32
Created 2021.09.10 17:20 Machine s1_win7_x6402
Filename readytunes.png
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
4
Behavior Score
6.6
ZERO API file : clean
VT API (file)
md5 40932e7f31ad53c47c03592a1de47151
sha256 1afbb671cb511d867e5def880d34883ec05470d934d06bbb0ea074a98f196e5d
ssdeep 49152:SVB3Xujk16sb2FX6CzYQsWGAMA3YbGMctIBR:SzXuQ16sb2FX6RnWGJAyGMca
imphash 542a8c0c784537b1ec6f0eae4088f47d
impfuzzy 96:48yakkrc+/thYGGiclX17fysX+kMBpLj4o:1yhF7fHOk4t4o

Signature (15cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Terminates another process
notice The binary likely contains encrypted or compressed data indicative of a packer
info One or more processes crashed
info Queries for the computername
info This executable has a PDB path

Rules (4cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (13cnts)

Request CC ASN Co IP4 Rule ZERO
http://wtfismyip.com/text SG OVH SAS 51.79.249.161 clean
https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/ PL Virtuaoperator Sp. z o.o. 185.56.175.122 clean
https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CAnyLiteGamesYX5S%5Creadytunes.exe/0/ PL Virtuaoperator Sp. z o.o. 185.56.175.122 clean
https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/5/file/ PL Virtuaoperator Sp. z o.o. 185.56.175.122 clean
https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/3r3r57PfZRZnF5NBVnVbZZp15X9911N/ PL Virtuaoperator Sp. z o.o. 185.56.175.122 clean
https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/NAT%20status/client%20is%20behind%20NAT/0/ PL Virtuaoperator Sp. z o.o. 185.56.175.122 clean
https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/user/test22/0/ PL Virtuaoperator Sp. z o.o. 185.56.175.122 clean
wtfismyip.com SG OVH SAS 51.79.249.161 clean
105.27.205.34 ZA SEACOM-AS 105.27.205.34 malicious
46.99.175.149 AL IPKO Telecommunications LLC 46.99.175.149 malicious
51.79.249.161 SG OVH SAS 51.79.249.161 clean
185.56.175.122 PL Virtuaoperator Sp. z o.o. 185.56.175.122 malicious
65.152.201.203 US CENTURYLINK-US-LEGACY-QWEST 65.152.201.203 malicious

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x50600c GetWindowsDirectoryA
 0x506010 GetDateFormatA
 0x506014 OpenProcess
 0x506018 GetSystemDirectoryA
 0x50601c VirtualProtectEx
 0x506020 LoadLibraryA
 0x506024 SetConsoleOutputCP
 0x506028 GetModuleFileNameA
 0x50602c GetModuleHandleA
 0x506030 FindFirstChangeNotificationA
 0x506034 GetVersionExA
 0x506038 GetSystemTime
 0x50603c CreateFileW
 0x506040 LoadLibraryW
 0x506044 WaitForMultipleObjectsEx
 0x506048 ReadConsoleW
 0x50604c WriteConsoleW
 0x506050 WaitForSingleObject
 0x506054 GetTimeZoneInformation
 0x506058 UnregisterWaitEx
 0x50605c QueryDepthSList
 0x506060 InterlockedFlushSList
 0x506064 InterlockedPushEntrySList
 0x506068 InterlockedPopEntrySList
 0x50606c InitializeSListHead
 0x506070 ReleaseSemaphore
 0x506074 SetProcessAffinityMask
 0x506078 VirtualProtect
 0x50607c VirtualFree
 0x506080 VirtualAlloc
 0x506084 GetVersionExW
 0x506088 FreeLibraryAndExitThread
 0x50608c FreeLibrary
 0x506090 GetThreadTimes
 0x506094 OutputDebugStringW
 0x506098 HeapReAlloc
 0x50609c QueryPerformanceCounter
 0x5060a0 SetStdHandle
 0x5060a4 CreateFileA
 0x5060a8 SetFilePointerEx
 0x5060ac ReadFile
 0x5060b0 GetConsoleMode
 0x5060b4 GetConsoleCP
 0x5060b8 WideCharToMultiByte
 0x5060bc CloseHandle
 0x5060c0 DuplicateHandle
 0x5060c4 GetCurrentProcess
 0x5060c8 GetCurrentThread
 0x5060cc GetCurrentThreadId
 0x5060d0 GetExitCodeThread
 0x5060d4 GetSystemTimeAsFileTime
 0x5060d8 EncodePointer
 0x5060dc DecodePointer
 0x5060e0 EnterCriticalSection
 0x5060e4 LeaveCriticalSection
 0x5060e8 DeleteCriticalSection
 0x5060ec MultiByteToWideChar
 0x5060f0 GetStringTypeW
 0x5060f4 GetLastError
 0x5060f8 HeapFree
 0x5060fc HeapAlloc
 0x506100 GetCommandLineA
 0x506104 GetCPInfo
 0x506108 IsProcessorFeaturePresent
 0x50610c UnhandledExceptionFilter
 0x506110 SetUnhandledExceptionFilter
 0x506114 SetLastError
 0x506118 InitializeCriticalSectionAndSpinCount
 0x50611c CreateEventW
 0x506120 Sleep
 0x506124 TerminateProcess
 0x506128 TlsAlloc
 0x50612c TlsGetValue
 0x506130 TlsSetValue
 0x506134 TlsFree
 0x506138 GetStartupInfoW
 0x50613c GetTickCount
 0x506140 GetModuleHandleW
 0x506144 GetProcAddress
 0x506148 CreateSemaphoreW
 0x50614c CreateThread
 0x506150 ExitThread
 0x506154 LoadLibraryExW
 0x506158 RaiseException
 0x50615c RtlUnwind
 0x506160 FatalAppExitA
 0x506164 TryEnterCriticalSection
 0x506168 CreateTimerQueue
 0x50616c RtlCaptureStackBackTrace
 0x506170 SetEvent
 0x506174 WaitForSingleObjectEx
 0x506178 SignalObjectAndWait
 0x50617c SwitchToThread
 0x506180 SetThreadPriority
 0x506184 GetThreadPriority
 0x506188 GetLogicalProcessorInformation
 0x50618c CreateTimerQueueTimer
 0x506190 ChangeTimerQueueTimer
 0x506194 DeleteTimerQueueTimer
 0x506198 GetNumaHighestNodeNumber
 0x50619c GetProcessAffinityMask
 0x5061a0 SetThreadAffinityMask
 0x5061a4 RegisterWaitForSingleObject
 0x5061a8 UnregisterWait
 0x5061ac GetDateFormatW
 0x5061b0 GetTimeFormatW
 0x5061b4 CompareStringW
 0x5061b8 LCMapStringW
 0x5061bc GetLocaleInfoW
 0x5061c0 IsValidLocale
 0x5061c4 GetUserDefaultLCID
 0x5061c8 EnumSystemLocalesW
 0x5061cc IsDebuggerPresent
 0x5061d0 GetProcessHeap
 0x5061d4 ExitProcess
 0x5061d8 GetModuleHandleExW
 0x5061dc AreFileApisANSI
 0x5061e0 GetStdHandle
 0x5061e4 WriteFile
 0x5061e8 GetModuleFileNameW
 0x5061ec HeapSize
 0x5061f0 GetFileType
 0x5061f4 GetCurrentProcessId
 0x5061f8 GetEnvironmentStringsW
 0x5061fc FreeEnvironmentStringsW
 0x506200 IsValidCodePage
 0x506204 GetACP
 0x506208 GetOEMCP
 0x50620c SetConsoleCtrlHandler
 0x506210 FlushFileBuffers
 0x506214 SetEnvironmentVariableA
USER32.dll
 0x506224 GetMessagePos
 0x506228 ValidateRect
 0x50622c FindWindowA
 0x506230 DestroyMenu
 0x506234 UpdateWindow
 0x506238 MapWindowPoints
 0x50623c GetClassNameA
 0x506240 BeginPaint
 0x506244 GetDC
 0x506248 GetWindowTextA
 0x50624c GetAsyncKeyState
 0x506250 MessageBoxA
 0x506254 InvalidateRect
 0x506258 SetWindowPos
 0x50625c EnumChildWindows
 0x506260 PostMessageA
 0x506264 OpenClipboard
 0x506268 GetSystemMetrics
ole32.dll
 0x506270 CoTaskMemAlloc
 0x506274 CoInitialize
 0x506278 CoUninitialize
 0x50627c CoTaskMemFree
COMCTL32.dll
 0x506000 ImageList_Draw
 0x506004 ImageList_ReplaceIcon
SensApi.dll
 0x50621c IsDestinationReachableA
sfc.dll
 0x506284 SfcGetNextProtectedFile

EAT(Export Address Table) is none
