Report - 1.exe

Tags: Emotet, Generic Malware, Malicious Library, UPX, Malicious Packer, PE File, PE32, OS Processor Check, DLL, PE64, DllRegisterServer, dll, MSOffice File, CAB
Created 2023.11.03 15:54
Machine s1_win7_x6401
Filename 1.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 6
Behavior Score 8.4
ZERO API file : clean
md5 1819332f150048eed72a2d891390dad1
sha256 bf6b7aa73550f381dc6f2b8cc3751cd0b76bdf8e6f7b6da1a94070efefc5004c
ssdeep 24576:Jw8KjKjGFygcc23L1/NVOmOSGb6E3ecS4fzrjxJh9UZXlpbPvC7xtYUrEmFlo+LT:PKjKWQc2b1FVgbjrjxPe1pbPSQm1FloS
imphash d6d33cfa83489bf5ba9c5b52261af2b7
impfuzzy 24:bS1jtuhlJnc+pl3eDo/CyozFUSOovbO9Ziv2GMkpj090yO3oNdEvwkgU:bS1jtu5c+ppmyH3Aq9JO4PEv/gU

Signature (21cnts)

Level Description
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
watch Deletes a large number of files from the system indicative of ransomware
watch Installs itself for autorun at Windows startup
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice Expresses interest in specific running processes
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Queries for the computername
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path

Rules (19cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info CAB_file_format CAB archive file binaries (download)
info DllRegisterServer_Zero execute regsvr32.exe binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
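The Collection column separates hits on the uploaded sample ("binaries (upload)") from hits on files fetched or dropped during the run ("binaries (download)"); the tag list at the top of the report merges both, which is why a PE32 executable carries DLL, PE64, CAB and MSOffice tags. The Python below is an added example, not the sandbox's own code: it parses the table above and splits the two sets. Reading "upload" as the submitted file and "download" as files acquired during the run is an assumption about this report format.

```python
"""Separate rule hits on the submitted sample from hits on files it
fetched or dropped.  Added example, not the sandbox's own code.
RULE_HITS is copied from the Rules table of this report; treating
"binaries (upload)" as the submitted file and "binaries (download)" as
files acquired during the run is an assumption about the report format."""
from collections import defaultdict

LEVELS = ["danger", "warning", "watch", "notice", "info"]  # highest first

RULE_HITS = """\
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info CAB_file_format CAB archive file binaries (download)
info DllRegisterServer_Zero execute regsvr32.exe binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
"""


def parse_rule_hits(text):
    """Yield (level, rule, collection) per row; the collection is the word
    inside the trailing parentheses, the description may contain spaces."""
    for line in text.splitlines():
        if not line.strip():
            continue
        level, rule, rest = line.split(None, 2)
        collection = rest.rsplit("(", 1)[1].rstrip(")")
        yield level, rule, collection


def rules_by_collection(text):
    """{collection: {rule: level}}."""
    out = defaultdict(dict)
    for level, rule, collection in parse_rule_hits(text):
        out[collection][rule] = level
    return dict(out)


def sample_verdict(text):
    """Highest level among the rules that fired on the submitted file itself."""
    upload = rules_by_collection(text).get("upload", {})
    return min(upload.values(), key=LEVELS.index, default=None)


def download_only_rules(text):
    """Rules that fired only on fetched or dropped files: tags that do not
    describe the uploaded executable."""
    by = rules_by_collection(text)
    return sorted(set(by.get("download", {})) - set(by.get("upload", {})))


if __name__ == "__main__":
    print("verdict on the uploaded file:", sample_verdict(RULE_HITS))
    print("tags that come only from downloaded files:",
          ", ".join(download_only_rules(RULE_HITS)))
```

Run as a script it prints the sample's own verdict (danger, from the Emotet rule on the upload collection) and the seven tags that only the downloaded files account for.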

Network (31cnts)

Request CC ASN Co IP4 Rule ZERO
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3 US GOOGLE 34.104.35.123 clean
http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe US GOOGLE 34.104.35.123 clean
https://update.googleapis.com/service/update2?cup2key=12:fiH-rpFmRD_9K6RrmjLJh__4TUMN6H9j0EsLvPpPbKw&cup2hreq=d0876e1be58e78f6be4d5e4f2cb7dd29f25148548a5a47d58e905d10712788fc US GOOGLE 142.250.66.99 clean
https://update.googleapis.com/service/update2 US GOOGLE 142.250.66.99 clean
edgedl.me.gvt1.com US GOOGLE 34.104.35.123 clean
dns.google US GOOGLE 8.8.4.4 clean
www.google.com US GOOGLE 142.250.76.132 clean
www.gstatic.com US GOOGLE 142.250.206.227 clean
r1---sn-3u-bh2ss.gvt1.com KR Korea Telecom 211.114.64.12 clean
clients2.googleusercontent.com US GOOGLE 142.250.206.225 clean
accounts.google.com US GOOGLE 142.250.206.205 clean
_googlecast._tcp.local Unknown clean
apis.google.com US GOOGLE 142.250.206.238 clean
clientservices.googleapis.com US GOOGLE 142.251.42.195 clean
142.250.207.65 US GOOGLE 142.250.207.65 clean
216.58.203.78 US GOOGLE 216.58.203.78 clean
211.114.64.12 KR Korea Telecom 211.114.64.12 clean
172.217.175.227 US GOOGLE 172.217.175.227 clean
142.250.204.131 US GOOGLE 142.250.204.131 clean
142.250.206.225 US GOOGLE 142.250.206.225 malicious
142.250.204.110 US GOOGLE 142.250.204.110 clean
142.250.199.68 US GOOGLE 142.250.199.68 clean
142.250.66.99 US GOOGLE 142.250.66.99 clean
34.104.35.123 US GOOGLE 34.104.35.123 clean
216.58.200.227 US GOOGLE 216.58.200.227 clean
142.250.76.138 US GOOGLE 142.250.76.138 phishing
142.250.76.142 US GOOGLE 142.250.76.142 malicious
172.217.161.202 US GOOGLE 172.217.161.202 malware
142.250.199.77 US GOOGLE 142.250.199.77 clean
142.250.199.67 US GOOGLE 142.250.199.67 clean
172.217.25.174 US GOOGLE 172.217.25.174 malicious
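Every host in the capture belongs to Google and the two URLs are a Chrome component and a Chrome installer download. The five non-clean verdicts all sit on bare Google addresses, and 142.250.206.225 is listed as clean under clients2.googleusercontent.com and as malicious as a bare IP. Reputation hits on shared front-end addresses of a large CDN are not usable indicators on their own. The script below is an added example, not the sandbox's own code: it parses the table above (copied into the block, verdict spelling normalised), reports addresses with conflicting verdicts and annotates each reputation hit with the hostnames the same capture tied to that address.

```python
"""Cross-check the verdict column of a sandbox Network table.  Added
example, not the sandbox's own code.  NETWORK_TABLE is copied from the
Network table of this report."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

NETWORK_TABLE = """\
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3 US GOOGLE 34.104.35.123 clean
http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe US GOOGLE 34.104.35.123 clean
https://update.googleapis.com/service/update2?cup2key=12:fiH-rpFmRD_9K6RrmjLJh__4TUMN6H9j0EsLvPpPbKw&cup2hreq=d0876e1be58e78f6be4d5e4f2cb7dd29f25148548a5a47d58e905d10712788fc US GOOGLE 142.250.66.99 clean
https://update.googleapis.com/service/update2 US GOOGLE 142.250.66.99 clean
edgedl.me.gvt1.com US GOOGLE 34.104.35.123 clean
dns.google US GOOGLE 8.8.4.4 clean
www.google.com US GOOGLE 142.250.76.132 clean
www.gstatic.com US GOOGLE 142.250.206.227 clean
r1---sn-3u-bh2ss.gvt1.com KR Korea Telecom 211.114.64.12 clean
clients2.googleusercontent.com US GOOGLE 142.250.206.225 clean
accounts.google.com US GOOGLE 142.250.206.205 clean
_googlecast._tcp.local Unknown clean
apis.google.com US GOOGLE 142.250.206.238 clean
clientservices.googleapis.com US GOOGLE 142.251.42.195 clean
142.250.207.65 US GOOGLE 142.250.207.65 clean
216.58.203.78 US GOOGLE 216.58.203.78 clean
211.114.64.12 KR Korea Telecom 211.114.64.12 clean
172.217.175.227 US GOOGLE 172.217.175.227 clean
142.250.204.131 US GOOGLE 142.250.204.131 clean
142.250.206.225 US GOOGLE 142.250.206.225 malicious
142.250.204.110 US GOOGLE 142.250.204.110 clean
142.250.199.68 US GOOGLE 142.250.199.68 clean
142.250.66.99 US GOOGLE 142.250.66.99 clean
34.104.35.123 US GOOGLE 34.104.35.123 clean
216.58.200.227 US GOOGLE 216.58.200.227 clean
142.250.76.138 US GOOGLE 142.250.76.138 phishing
142.250.76.142 US GOOGLE 142.250.76.142 malicious
172.217.161.202 US GOOGLE 172.217.161.202 malware
142.250.199.77 US GOOGLE 142.250.199.77 clean
142.250.199.67 US GOOGLE 142.250.199.67 clean
172.217.25.174 US GOOGLE 172.217.25.174 malicious
"""


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _host_of(request):
    """Host behind a request cell: bare hostname, URL, or IPv4 literal."""
    if request.startswith(("http://", "https://")):
        return urlsplit(request).hostname
    return request


def parse_network_table(text):
    """Parse rows of 'request CC org... [ip] verdict'; the org may contain
    spaces and the IP cell may be absent (mDNS names), so parse from the right."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        verdict = parts[-1].lower()
        verdict = {"mailcious": "malicious"}.get(verdict, verdict)  # site spelling
        middle = parts[1:-1]
        ip = middle.pop() if middle and _is_ipv4(middle[-1]) else None
        rows.append({"request": parts[0], "host": _host_of(parts[0]),
                     "cc": middle[0] if middle else None,
                     "org": " ".join(middle[1:]) or None,
                     "ip": ip, "verdict": verdict})
    return rows


def verdicts_by_ip(rows):
    out = defaultdict(set)
    for r in rows:
        if r["ip"]:
            out[r["ip"]].add(r["verdict"])
    return dict(out)


def conflicting_verdicts(rows):
    """Addresses the same table calls both clean and something else."""
    return {ip: v for ip, v in verdicts_by_ip(rows).items() if len(v) > 1}


def hostnames_for_ip(rows, ip):
    """Hostnames (not IP literals) that the capture resolved to this address."""
    return {r["host"] for r in rows if r["ip"] == ip and not _is_ipv4(r["host"])}


def reputation_hits(rows):
    """Non-clean rows, each with the hostnames the capture tied to its IP;
    an empty host list means the hit rests on the bare address alone."""
    return [{"ip": r["ip"], "verdict": r["verdict"], "org": r["org"],
             "hosts": sorted(hostnames_for_ip(rows, r["ip"]))}
            for r in rows if r["verdict"] != "clean"]


if __name__ == "__main__":
    rows = parse_network_table(NETWORK_TABLE)
    print("conflicting verdicts:", conflicting_verdicts(rows))
    for hit in reputation_hits(rows):
        print(hit)
```

For this capture the only conflict is 142.250.206.225, and none of the five reputation hits has a hostname behind it other than that one; a defender should treat them as CDN noise until a hostname or URL in the sample's own traffic points at them.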

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x419000 QueryPerformanceCounter
 0x419004 GetCurrentProcessId
 0x419008 GetCurrentThreadId
 0x41900c GetSystemTimeAsFileTime
 0x419010 InitializeSListHead
 0x419014 IsDebuggerPresent
 0x419018 UnhandledExceptionFilter
 0x41901c SetUnhandledExceptionFilter
 0x419020 GetStartupInfoW
 0x419024 IsProcessorFeaturePresent
 0x419028 GetModuleHandleW
 0x41902c GetCurrentProcess
 0x419030 TerminateProcess
 0x419034 RtlUnwind
 0x419038 GetLastError
 0x41903c SetLastError
 0x419040 EnterCriticalSection
 0x419044 LeaveCriticalSection
 0x419048 DeleteCriticalSection
 0x41904c InitializeCriticalSectionAndSpinCount
 0x419050 TlsAlloc
 0x419054 TlsGetValue
 0x419058 TlsSetValue
 0x41905c TlsFree
 0x419060 FreeLibrary
 0x419064 GetProcAddress
 0x419068 LoadLibraryExW
 0x41906c EncodePointer
 0x419070 RaiseException
 0x419074 GetStdHandle
 0x419078 WriteFile
 0x41907c GetModuleFileNameW
 0x419080 ExitProcess
 0x419084 GetModuleHandleExW
 0x419088 OutputDebugStringW
 0x41908c HeapAlloc
 0x419090 HeapFree
 0x419094 FindClose
 0x419098 FindFirstFileExW
 0x41909c FindNextFileW
 0x4190a0 IsValidCodePage
 0x4190a4 GetACP
 0x4190a8 GetOEMCP
 0x4190ac GetCPInfo
 0x4190b0 GetCommandLineA
 0x4190b4 GetCommandLineW
 0x4190b8 MultiByteToWideChar
 0x4190bc WideCharToMultiByte
 0x4190c0 GetEnvironmentStringsW
 0x4190c4 FreeEnvironmentStringsW
 0x4190c8 SetStdHandle
 0x4190cc GetFileType
 0x4190d0 GetStringTypeW
 0x4190d4 LCMapStringW
 0x4190d8 GetProcessHeap
 0x4190dc HeapSize
 0x4190e0 HeapReAlloc
 0x4190e4 FlushFileBuffers
 0x4190e8 GetConsoleOutputCP
 0x4190ec GetConsoleMode
 0x4190f0 SetFilePointerEx
 0x4190f4 ReadFile
 0x4190f8 CreateFileW
 0x4190fc CloseHandle
 0x419100 WriteConsoleW
 0x419104 DecodePointer
 0x419108 GetExitCodeProcess
 0x41910c CreateProcessW
 0x419110 WaitForSingleObject
 0x419114 SetFilePointer
 0x419118 CreateDirectoryW
 0x41911c SizeofResource
 0x419120 RemoveDirectoryW
 0x419124 GetTempPathW
 0x419128 FormatMessageW
 0x41912c LockResource
 0x419130 DeleteFileW
 0x419134 FindResourceExW
 0x419138 LoadResource
 0x41913c FindResourceW
 0x419140 HeapDestroy
 0x419144 LocalFree
 0x419148 VerSetConditionMask
 0x41914c CopyFileW
 0x419150 VerifyVersionInfoW
 0x419154 GetTempFileNameW
 0x419158 lstrcmpiW
 0x41915c UnmapViewOfFile
 0x419160 CreateFileMappingW
 0x419164 MapViewOfFile
 0x419168 VirtualQuery
SHLWAPI.dll
 0x41917c PathQuoteSpacesW
 0x419180 PathAppendW
ole32.dll
 0x419194 CoUninitialize
 0x419198 CoInitializeEx
SHELL32.dll
 0x419170 SHGetFolderPathW
 0x419174 None (unnamed import, most likely by ordinal)
USER32.dll
 0x419188 MessageBoxW
 0x41918c CharLowerBuffW
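The Signature table reports a debugger check, an RWX allocation, executable files being created and Windows utilities being run; the import table lets a reviewer see which of those the static image can explain on its own. The Python below is an added example, not the sandbox's code: it groups the imports listed above by capability and tests for the extract-from-resource, write-to-temp, CreateProcessW, delete chain that an installer or dropper typically shows. The capability groups and the CRT_BOILERPLATE set are my own heuristics. Two points it makes visible: IsDebuggerPresent is imported by every Visual C++ runtime start-up, so "Checks if process is being debugged" is not evidence of deliberate anti-debugging by itself; and no VirtualAlloc or VirtualProtect import is present, so the RWX allocation was either reached through LoadLibraryExW/GetProcAddress or belongs to a process this one started. One further caveat worth checking: UPX_Zero fired on the uploaded sample, yet a UPX-packed image normally exposes only a handful of stub imports rather than the full runtime import table shown here, so that hit should be confirmed against the section names before it is trusted.

```python
"""Map the static import table of 1.exe onto the behaviour signatures the
sandbox reported.  Added example, not the sandbox's own code.  IMPORTS is
transcribed from the IAT section of this report; the capability groups and
CRT_BOILERPLATE are my own heuristic choices, not part of the report."""

IMPORTS = {
    "KERNEL32.dll": """
        QueryPerformanceCounter GetCurrentProcessId GetCurrentThreadId
        GetSystemTimeAsFileTime InitializeSListHead IsDebuggerPresent
        UnhandledExceptionFilter SetUnhandledExceptionFilter GetStartupInfoW
        IsProcessorFeaturePresent GetModuleHandleW GetCurrentProcess
        TerminateProcess RtlUnwind GetLastError SetLastError EnterCriticalSection
        LeaveCriticalSection DeleteCriticalSection InitializeCriticalSectionAndSpinCount
        TlsAlloc TlsGetValue TlsSetValue TlsFree FreeLibrary GetProcAddress
        LoadLibraryExW EncodePointer RaiseException GetStdHandle WriteFile
        GetModuleFileNameW ExitProcess GetModuleHandleExW OutputDebugStringW
        HeapAlloc HeapFree FindClose FindFirstFileExW FindNextFileW IsValidCodePage
        GetACP GetOEMCP GetCPInfo GetCommandLineA GetCommandLineW
        MultiByteToWideChar WideCharToMultiByte GetEnvironmentStringsW
        FreeEnvironmentStringsW SetStdHandle GetFileType GetStringTypeW
        LCMapStringW GetProcessHeap HeapSize HeapReAlloc FlushFileBuffers
        GetConsoleOutputCP GetConsoleMode SetFilePointerEx ReadFile CreateFileW
        CloseHandle WriteConsoleW DecodePointer GetExitCodeProcess CreateProcessW
        WaitForSingleObject SetFilePointer CreateDirectoryW SizeofResource
        RemoveDirectoryW GetTempPathW FormatMessageW LockResource DeleteFileW
        FindResourceExW LoadResource FindResourceW HeapDestroy LocalFree
        VerSetConditionMask CopyFileW VerifyVersionInfoW GetTempFileNameW
        lstrcmpiW UnmapViewOfFile CreateFileMappingW MapViewOfFile VirtualQuery
    """.split(),
    "SHLWAPI.dll": ["PathQuoteSpacesW", "PathAppendW"],
    "ole32.dll": ["CoUninitialize", "CoInitializeEx"],
    "SHELL32.dll": ["SHGetFolderPathW"],  # plus one unnamed (ordinal) import
    "USER32.dll": ["MessageBoxW", "CharLowerBuffW"],
}

# Heuristic API groups (assumption): together they make up a "drop payload
# from a resource, run it, clean up" installer/dropper.
CAPABILITIES = {
    "resource_extraction": {"FindResourceW", "FindResourceExW", "LoadResource",
                            "LockResource", "SizeofResource"},
    "temp_file_write": {"GetTempPathW", "GetTempFileNameW", "CreateFileW",
                        "WriteFile", "CreateDirectoryW"},
    "child_process": {"CreateProcessW", "WaitForSingleObject", "GetExitCodeProcess"},
    "cleanup": {"DeleteFileW", "RemoveDirectoryW"},
    "dynamic_resolution": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExW",
                           "GetProcAddress"},
    "memory_protection": {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect",
                          "VirtualProtectEx", "WriteProcessMemory"},
    "debugger_check": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
}

# Imports the Visual C++ runtime start-up pulls in on its own (security
# cookie, exception filters); their presence says nothing about intent.
CRT_BOILERPLATE = {
    "IsDebuggerPresent", "QueryPerformanceCounter", "GetCurrentProcessId",
    "GetCurrentThreadId", "GetSystemTimeAsFileTime", "InitializeSListHead",
    "UnhandledExceptionFilter", "SetUnhandledExceptionFilter",
    "IsProcessorFeaturePresent", "GetStartupInfoW", "TerminateProcess",
    "GetCurrentProcess", "GetModuleHandleW",
}


def all_imports(imports):
    return {name for names in imports.values() for name in names}


def matched_capabilities(imports):
    """{capability: sorted list of imported APIs in that group}."""
    names = all_imports(imports)
    return {cap: sorted(names & apis) for cap, apis in CAPABILITIES.items()}


def dropper_pattern(imports):
    """True when every step of extract -> write -> execute -> delete is imported."""
    caps = matched_capabilities(imports)
    return all(caps[c] for c in ("resource_extraction", "temp_file_write",
                                 "child_process", "cleanup"))


def debugger_check_is_crt_only(imports):
    """True if the only anti-debug imports are ones the CRT brings in anyway."""
    hits = set(matched_capabilities(imports)["debugger_check"])
    return bool(hits) and hits <= CRT_BOILERPLATE


def rwx_explained_statically(imports):
    """False means an RWX allocation cannot come from a named import of this image."""
    return bool(matched_capabilities(imports)["memory_protection"])


def summary(imports):
    caps = matched_capabilities(imports)
    lines = [f"{cap:20s} {len(hits):2d} {' '.join(hits)}" for cap, hits in caps.items()]
    lines.append(f"dropper pattern: {dropper_pattern(imports)}")
    lines.append(f"anti-debug import is CRT boilerplate only: {debugger_check_is_crt_only(imports)}")
    lines.append(f"RWX allocation visible in static IAT: {rwx_explained_statically(imports)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(IMPORTS))
```

The same grouping can be run over any IAT listing a sandbox or pefile produces; what matters is the co-occurrence of the four groups, since each API on its own is common in benign installers.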

EAT(Export Address Table) is none



Similarity measure (PE file only): no result (service failure)