Analysis Report

Overview

General Information

Joe Sandbox Version:	22.0.0
Analysis ID:	609630
Start time:	14:25:30
Joe Sandbox Product:	Cloud
Start date:	16.07.2018
Overall analysis duration:	0h 8m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ZrfRZCzOXC.exe
Cookbook file name:	sysmon.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java)
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.evad.winEXE@6/3@11/3
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Correcting counters for adjusted boot time Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	72	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Signature Overview

Click to jump to signature section

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: ZrfRZCzOXC.exe

virustotal: Detection: 73%

Perma Link

Networking:

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown

TCP traffic detected without corresponding DNS query: 23.42.27.27

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET /ncsi.txt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoHost: www.msftncsi.com
Source: global traffic	HTTP traffic detected: GET /ncsi.txt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoHost: www.msftncsi.com

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /ncsi.txt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoHost: www.msftncsi.com
Source: global traffic	HTTP traffic detected: GET /ncsi.txt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoHost: www.msftncsi.com

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: 8.8.8.8.in-addr.arpa

Urls found in memory or binary data

Show sources

Source: explorer.exe, 00000002.00000000.10291306634.04E6A000.00000004.sdmp	String found in binary or memory: file:///C:/
Source: explorer.exe, 00000002.00000000.10291306634.04E6A000.00000004.sdmp	String found in binary or memory: file:///C:/:y
Source: explorer.exe, 00000002.00000000.10285365277.02BB0000.00000004.sdmp	String found in binary or memory: file:///C:/Program%20Files/AutoIt3/AutoIt3.exe
Source: explorer.exe, 00000002.00000000.10285365277.02BB0000.00000004.sdmp	String found in binary or memory: file:///C:/Program%20Files/AutoIt3/AutoIt3.exeZH
Source: explorer.exe, 00000002.00000000.10285365277.02BB0000.00000004.sdmp	String found in binary or memory: file:///C:/Program%20Files/AutoIt3/AutoIt3.exeoH
Source: explorer.exe, 00000002.00000000.10281883975.0051C000.00000004.sdmp	String found in binary or memory: file:///C:/Program%20Files/Common%20Files/Adobe/ARM/1.0/AdobeARM.exe
Source: explorer.exe, 00000002.00000000.10291033327.04CFF000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Roaming/Microsoft/Internet%20Explorer/Quick%20Launch/User%20Pinn
Source: explorer.exe, 00000002.00000000.10291223183.04DD7000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/explorer.exe
Source: explorer.exe, 00000002.00000000.10291223183.04DD7000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/explorer.exe%_%
Source: explorer.exe, 00000002.00000000.10283103260.01F86000.00000004.sdmp	String found in binary or memory: file:///C:/jbxinitvm.au3
Source: explorer.exe, 00000002.00000000.10283103260.01F86000.00000004.sdmp	String found in binary or memory: file:///C:/jbxinitvm.au39
Source: explorer.exe, 00000002.00000000.10281883975.0051C000.00000004.sdmp	String found in binary or memory: file:///C:/jbxinitvm.au3ta
Source: ZrfRZCzOXC.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: ZrfRZCzOXC.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ZrfRZCzOXC.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ZrfRZCzOXC.exe	String found in binary or memory: http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
Source: ZrfRZCzOXC.exe	String found in binary or memory: http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
Source: explorer.exe, 00000002.00000000.10291223183.04DD7000.00000004.sdmp	String found in binary or memory: http://java
Source: explorer.exe, 00000002.00000000.10291223183.04DD7000.00000004.sdmp	String found in binary or memory: http://java.com
Source: explorer.exe, 00000002.00000000.10281883975.0051C000.00000004.sdmp	String found in binary or memory: http://java.com/
Source: explorer.exe, 00000002.00000000.10281883975.0051C000.00000004.sdmp	String found in binary or memory: http://java.com/5A4
Source: explorer.exe, 00000002.00000000.10281883975.0051C000.00000004.sdmp	String found in binary or memory: http://java.com/F2E
Source: explorer.exe, 00000002.00000000.10281883975.0051C000.00000004.sdmp	String found in binary or memory: http://java.com/fau
Source: explorer.exe, 00000002.00000000.10281883975.0051C000.00000004.sdmp	String found in binary or memory: http://java.com/help
Source: explorer.exe, 00000002.00000000.10290767042.04C90000.00000004.sdmp	String found in binary or memory: http://java.com/helphttp://java.com/help
Source: explorer.exe, 00000002.00000000.10285365277.02BB0000.00000004.sdmp	String found in binary or memory: http://java.com/http://java.com/
Source: explorer.exe, 00000002.00000000.10291223183.04DD7000.00000004.sdmp	String found in binary or memory: http://java.comm
Source: explorer.exe, 00000002.00000000.10291223183.04DD7000.00000004.sdmp	String found in binary or memory: http://java.sun.com
Source: ZrfRZCzOXC.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: ZrfRZCzOXC.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: ZrfRZCzOXC.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: ZrfRZCzOXC.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: ZrfRZCzOXC.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: explorer.exe, 00000002.00000000.10283123038.01FB0000.00000008.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000002.00000000.10290767042.04C90000.00000004.sdmp	String found in binary or memory: http://www.ado
Source: ZrfRZCzOXC.exe	String found in binary or memory: http://www.example.com/0
Source: explorer.exe, 00000002.00000000.10281883975.0051C000.00000004.sdmp	String found in binary or memory: https://aka.ms/WEF.
Source: explorer.exe, 00000002.00000000.10291539017.05220000.00000008.sdmp	String found in binary or memory: https://en.wikipedia.org/wiki/XSLT/Muenchian_grouping
Source: explorer.exe, 00000002.00000000.10281883975.0051C000.00000004.sdmp	String found in binary or memory: https://github.com/SwiftOnSecurity/sysmon-config
Source: ZrfRZCzOXC.exe	String found in binary or memory: https://secure.comodo.net/CPS0C

System Summary:

Contains functionality to call native functions

Show sources

Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_00401B18 CreateFileMappingW,MapViewOfFile,WaitForSingleObject,NtTerminateProcess,	1_2_00401B18
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_00401BC5 NtFreeVirtualMemory,WaitForSingleObject,NtTerminateProcess,	1_2_00401BC5
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_00401C19 NtFreeVirtualMemory,WaitForSingleObject,NtTerminateProcess,	1_2_00401C19

PE file has an invalid certificate

Show sources

Source: ZrfRZCzOXC.exe

Static PE information: invalid certificate

Reads the hosts file

Show sources

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample file is different than original file name gathered from version info

Show sources

Source: ZrfRZCzOXC.exe, 00000001.00000002.10346790896.001D0000.00000008.sdmp

Binary or memory string: OriginalFilenameodbcint.dll.muij% vs ZrfRZCzOXC.exe

Tries to load missing DLLs

Show sources

Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Section loaded: vdbcbcp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wshtcpip.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe	Section loaded: vdbcbcp.dll	Jump to behavior

Classification label

Show sources

Source: classification engine

Classification label: mal72.evad.winEXE@6/3@11/3

Creates files inside the user directory

Show sources

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv

Jump to behavior

Reads ini files

Show sources

Source: C:\Windows\explorer.exe

File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: ZrfRZCzOXC.exe

virustotal: Detection: 73%

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\ZrfRZCzOXC.exe 'C:\Users\user\Desktop\ZrfRZCzOXC.exe'
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {353C8FCD-E7D7-4901-A1FC-CC4E5F09B639} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[1]
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start '' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start '' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe'	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72eb61e0-8672-4303-9175-f2e4c68b2e7c}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

PE file contains an invalid checksum

Show sources

Source: dtevaaaa.exe.2.dr	Static PE information: real checksum: 0x43dfb should be: 0x495b2
Source: ZrfRZCzOXC.exe	Static PE information: real checksum: 0x43dfb should be: 0x495b2

PE file contains sections with non-standard names

Show sources

Source: ZrfRZCzOXC.exe	Static PE information: section name: .xml
Source: dtevaaaa.exe.2.dr	Static PE information: section name: .xml

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_00403E48 push edi; iretd	1_2_00403E4B
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_00405E08 push 024F7F4Bh; iretd	1_2_00405E0D
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_004038C9 push 270B9D80h; ret	1_2_004038FE
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_004046F1 push cs; ret	1_2_004046F2
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_00405094 push cs; ret	1_2_004050AE
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_00405D40 push 2217E8B9h; ret	1_2_00405D45
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_00405141 push cs; ret	1_2_00405142
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_00406754 push edx; ret	1_2_00406755
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_0040111E push esp; retf	1_2_00401147
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_0040392D push edx; ret	1_2_0040393C
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_0040513F push edx; ret	1_2_00405140
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_00403FC9 push ss; iretd	1_2_00403FD4
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_004037E8 push cs; ret	1_2_004037FA
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_004029FA push eax; ret	1_2_00402A90
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_004045FF push edx; ret	1_2_00404600
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_00404981 push cs; ret	1_2_00404982
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Code function: 1_2_00405B9C push ds; iretd	1_2_00405B9D

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe

Jump to dropped file

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)

Show sources

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chviwehv.lnk

Jump to behavior

Stores files to the Windows start menu directory

Show sources

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chviwehv.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module)

Show sources

Source: explorer.exe, 00000002.00000000.10281837375.004ED000.00000004.sdmp

Binary or memory string: \\192.168.1.2\ALL\PROCEXP.EXES

Contains capabilities to detect virtual machines

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum name: 0

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 555	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 521	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 437	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 420	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 529	Jump to behavior

Queries a list of all running processes

Show sources

Source: C:\Windows\explorer.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\taskeng.exe

System information queried: KernelDebuggerInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: dtevaaaa.exe.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe

Network Connect: 23.10.249.17 80

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe

Section loaded: unknown target pid: 1376 protection: execute and read and write

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start '' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe'			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: explorer.exe, 00000002.00000000.10282089541.00860000.00000002.sdmp, taskeng.exe, 00000003.00000002.10574796883.00E00000.00000002.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.10282089541.00860000.00000002.sdmp, taskeng.exe, 00000003.00000002.10574796883.00E00000.00000002.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.10282089541.00860000.00000002.sdmp, taskeng.exe, 00000003.00000002.10574796883.00E00000.00000002.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.10281837375.004ED000.00000004.sdmp	Binary or memory string: Progmanp

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\taskeng.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious

Simulations

Behavior and APIs

Time	Type	Description
14:26:22	API Interceptor	602x Sleep call for process: explorer.exe modified
14:26:52	Task Scheduler	Run new task: Opera scheduled Autoupdate 211371202 path: C:\Windows\system32\cmd.exe s>/c start "" "C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe"
14:30:00	API Interceptor	3x Sleep call for process: taskeng.exe modified
14:30:01	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chviwehv.lnk

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ZrfRZCzOXC.exe	74%	virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
a1621.g.akamai.net	0%	virustotal	Browse
a1363.dscg.akamai.net	0%	virustotal	Browse
a1961.g2.akamai.net	0%	virustotal	Browse

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshots

Startup

System is w7_1

ZrfRZCzOXC.exe (PID: 2872 cmdline: 'C:\Users\user\Desktop\ZrfRZCzOXC.exe' MD5: 2C99759A02CA32D1A7E8AFA09130633F)

explorer.exe (PID: 1376 cmdline: C:\Windows\Explorer.EXE MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

taskeng.exe (PID: 1916 cmdline: taskeng.exe {353C8FCD-E7D7-4901-A1FC-CC4E5F09B639} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[1] MD5: 4F2659160AFCCA990305816946F69407)

cmd.exe (PID: 2520 cmdline: C:\Windows\system32\cmd.exe /c start '' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

dtevaaaa.exe (PID: 3044 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe' MD5: 2C99759A02CA32D1A7E8AFA09130633F)

cleanup

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chviwehv.lnk
Process:	C:\Windows\explorer.exe
File Type:	MS Windows shortcut
Size (bytes):	1026
Entropy (8bit):	4.423097878654493
Encrypted:	false
MD5:	F0EA0125513E3E79F55D3D7964374E72
SHA1:	98C214D021AAA5638093E52A47ACF73A33943F14
SHA-256:	110D2DFD5612584042F3775FC33FE5C88CEF14D040F3796983F5945CDC8382DC
SHA-512:	AC61C5EA05A522D3B9B0DA82CE1F42DE388DC16466A509DA026ADB3B3B52D30AAD80EA475D0A900D7566324526BE7A21F8C5A4039E2A7963F877ECE4B84E2CAF
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes):	242888
Entropy (8bit):	3.770967533024012
Encrypted:	false
MD5:	2C99759A02CA32D1A7E8AFA09130633F
SHA1:	DDF98971664EB7B554C86B4AB2E2BA7D469F893C
SHA-256:	B65806521AA662BFF2C655C8A7A3B6C8E598D709E35F3390DF880A70C3FDED40
SHA-512:	89DF4E78C583F409BEB3DDE03A4E439BA52676DC8ECACD02271D2C30E3FC151C677446652CB7EC7A080C4C00DFC80D63FBDFB369B25DEACE1752D77B93310DCC
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe:Zone.Identifier
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	26
Entropy (8bit):	3.9500637564362093
Encrypted:	false
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	low

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
a1621.g.akamai.net	23.10.249.34	true	false	0%, virustotal, Browse	high
a1363.dscg.akamai.net	23.10.249.18	true	false	0%, virustotal, Browse	high
a1961.g2.akamai.net	23.10.249.17	true	false	0%, virustotal, Browse	high
18.249.10.23.in-addr.arpa	unknown	unknown	true		unknown
www.msftncsi.com	unknown	unknown	false		high
252.0.0.224.in-addr.arpa	unknown	unknown	true		unknown
34.249.10.23.in-addr.arpa	unknown	unknown	true		unknown
17.249.10.23.in-addr.arpa	unknown	unknown	true		unknown
8.8.8.8.in-addr.arpa	unknown	unknown	true		unknown
68.72.101.95.in-addr.arpa	unknown	unknown	true		unknown
ukcompany.top	unknown	unknown	true		unknown
ukcompany.pw	unknown	unknown	true		unknown
ukcompany.me	unknown	unknown	true		unknown

Contacted URLs

Name	Process
http://www.msftncsi.com/ncsi.txt	C:\Windows\explorer.exe

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
23.10.249.17	United States		20940	AKAMAI-ASN1US	false

Private

IP
192.168.1.255
192.168.1.81

Static File Info

General
File type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit):	3.770967533024012
TrID:	Win32 Executable (generic) a (10002005/4) 99.92% Win16/32 Executable Delphi generic (2074/23) 0.02% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	ZrfRZCzOXC.exe
File size:	242888
MD5:	2c99759a02ca32d1a7e8afa09130633f
SHA1:	ddf98971664eb7b554c86b4ab2e2ba7d469f893c
SHA256:	b65806521aa662bff2c655c8a7a3b6c8e598d709e35f3390df880a70c3fded40
SHA512:	89df4e78c583f409beb3dde03a4e439ba52676dc8ecacd02271d2c30e3fc151c677446652cb7ec7a080c4c00dfc80d63fbdfb369b25deace1752d77b93310dcc
File Content Preview:	MZ......................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon

Static PE Info

General
Entrypoint:	0x404773
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x56DC0E61 [Sun Mar 6 11:02:57 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2f71d1b0b8c82759171e7374068065a9

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	No signature was present in the subject
Error Number:	-2146762496
Not Before, Not After	5/9/2013 2:00:00 AM 5/9/2028 1:59:59 AM
Subject Chain	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Version:	3
Thumbprint:	B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Serial:	2E7C87CC0E934A52FE94FD1CB7CD34AF

Entrypoint Preview

Instruction
push ebp
xor ebp, 6Ah
mov ebp, esp
add esp, FFFFFF9Ch
push 00000011h
push 00423471h
push 00423464h
lea eax, dword ptr [004250E0h]
call dword ptr [eax]
jmp 5B559529h
add byte ptr [eax], al
add byte ptr [edx+11h], ch
push 00423471h
push 00423464h
lea eax, dword ptr [004250E0h]
call dword ptr [eax]
push 00000011h
push 00423471h
push 00423464h
lea eax, dword ptr [004250E0h]
call dword ptr [eax]
jmp 5B5594F9h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push 00000011h
push 00423471h
push 00423464h
lea eax, dword ptr [004250E0h]
call dword ptr [eax]
jmp 5B55ABC9h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push 00000011h
push 00423471h
push 00423464h
lea eax, dword ptr [004250E0h]
call dword ptr [eax]
push 00000011h
push 00423471h
push 00423464h
lea eax, dword ptr [004250E0h]
call dword ptr [eax]
jmp 5B557A17h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x250e8	0x8c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x28000	0x1693e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x39600	0x1ec8	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0xe8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x1300	0x60	.text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20e9c	0x21000	False	0.313306403883	ump; data	3.9974479969	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext	0x22000	0x800	0x800	False	0.01123046875	ump; data	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x23000	0x482	0x600	False	0.0703125	ump; data	0.574709138496	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0x24000	0x1000	0x0	False	0	ump; empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x25000	0x660	0x800	False	0.41015625	ump; data	4.19350746654	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x26000	0x1000	0x0	False	0	ump; empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.xml	0x27000	0x18	0x200	False	0.02734375	ump; data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x28000	0x1693e	0x16a00	False	0.0472634668508	ump; data	1.84043873219	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
TRED	0x28100	0x6000	ump; data
RT_ICON	0x2e116	0x10828	ump; data
RT_GROUP_ICON	0x2e100	0x16	ump; MS Windows icon resource - 1 icon

Imports

DLL	Import
odbctrac.dll	TraceSQLCancel, TraceSQLFetch, TraceSQLBindCol
dbnmpntw.dll	ConnectionVer, ConnectionError, ConnectionRead, ConnectionClose, ConnectionWrite
user32.dll	PeekMessageA, wsprintfW, GetDlgItemTextW, GetMessageW, GetClassInfoW, DialogBoxParamW, CharToOemW, IsIconic, LoadStringW, MessageBoxA, PostMessageW, IsCharLowerA
wtsapi32.dll	WTSEnumerateProcessesA, WTSQuerySessionInformationA, WTSOpenServerW, WTSVirtualChannelOpen, WTSVirtualChannelQuery, WTSEnumerateSessionsW, WTSFreeMemory, WTSVirtualChannelPurgeInput, WTSVirtualChannelClose, WTSQueryUserToken, WTSUnRegisterSessionNotification
kernel32.dll	CreateFileA, CreateDirectoryW, GetDiskFreeSpaceA, GetCommandLineA, LoadLibraryA, lstrcmpi, CreateSemaphoreA, GetProcAddress, GetFileAttributesA, GetStartupInfoA, GetDriveTypeA, GetFileSize, GetLastError, GetModuleFileNameA, ReadFile, CreateFileMappingA, HeapAlloc, GetLocaleInfoA, CopyFileW, SetCurrentDirectoryW, GetModuleHandleA, QueryDosDeviceA

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 16, 2018 14:26:24.905462027 MESZ	55175	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:24.916542053 MESZ	65476	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:24.917490959 MESZ	52882	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:24.932554960 MESZ	53	55175	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:24.940689087 MESZ	53	65476	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:24.943067074 MESZ	53	52882	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:26.160932064 MESZ	49841	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:26.206634998 MESZ	53	49841	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:26.230596066 MESZ	53667	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:26.266649008 MESZ	53	53667	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:26.386177063 MESZ	51748	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:26.426289082 MESZ	53	51748	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:26.429572105 MESZ	53199	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:26.466010094 MESZ	53	53199	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:28.278844118 MESZ	54134	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:28.288492918 MESZ	59582	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:28.302697897 MESZ	62941	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:28.312007904 MESZ	53	54134	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:28.313796997 MESZ	53	59582	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:28.327927113 MESZ	53	62941	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:28.331676006 MESZ	53271	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:28.372262955 MESZ	53	53271	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:30.408819914 MESZ	49168	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:30.434210062 MESZ	53	49168	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:36.471602917 MESZ	63129	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:36.496046066 MESZ	53	63129	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:57.929929018 MESZ	65457	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:57.965293884 MESZ	53	65457	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:57.984416008 MESZ	62062	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:58.009413958 MESZ	53	62062	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:58.012358904 MESZ	49171	80	192.168.1.81	23.10.249.17
Jul 16, 2018 14:26:58.024348974 MESZ	80	49171	23.10.249.17	192.168.1.81
Jul 16, 2018 14:26:58.024512053 MESZ	49171	80	192.168.1.81	23.10.249.17
Jul 16, 2018 14:26:58.025387049 MESZ	49171	80	192.168.1.81	23.10.249.17
Jul 16, 2018 14:26:58.036992073 MESZ	80	49171	23.10.249.17	192.168.1.81
Jul 16, 2018 14:26:58.037357092 MESZ	80	49171	23.10.249.17	192.168.1.81
Jul 16, 2018 14:26:58.223989964 MESZ	49645	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:58.255578041 MESZ	53	49645	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:58.263539076 MESZ	80	49171	23.10.249.17	192.168.1.81
Jul 16, 2018 14:26:58.263663054 MESZ	49171	80	192.168.1.81	23.10.249.17
Jul 16, 2018 14:26:59.330351114 MESZ	50512	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:59.355695009 MESZ	53	50512	8.8.8.8	192.168.1.81
Jul 16, 2018 14:27:00.549827099 MESZ	63229	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:27:00.582915068 MESZ	53	63229	8.8.8.8	192.168.1.81
Jul 16, 2018 14:27:02.985342026 MESZ	53332	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:27:03.011266947 MESZ	53	53332	8.8.8.8	192.168.1.81
Jul 16, 2018 14:27:14.699872971 MESZ	80	49164	23.42.27.27	192.168.1.81
Jul 16, 2018 14:27:14.700234890 MESZ	49164	80	192.168.1.81	23.42.27.27
Jul 16, 2018 14:27:18.239494085 MESZ	49171	80	192.168.1.81	23.10.249.17
Jul 16, 2018 14:27:18.251550913 MESZ	80	49171	23.10.249.17	192.168.1.81
Jul 16, 2018 14:27:18.479299068 MESZ	80	49171	23.10.249.17	192.168.1.81
Jul 16, 2018 14:27:18.479406118 MESZ	49171	80	192.168.1.81	23.10.249.17
Jul 16, 2018 14:28:17.881387949 MESZ	49171	80	192.168.1.81	23.10.249.17
Jul 16, 2018 14:28:23.197154045 MESZ	58012	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:28:23.221857071 MESZ	53	58012	8.8.8.8	192.168.1.81

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 16, 2018 14:26:24.905462027 MESZ	55175	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:24.916542053 MESZ	65476	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:24.917490959 MESZ	52882	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:24.932554960 MESZ	53	55175	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:24.940689087 MESZ	53	65476	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:24.943067074 MESZ	53	52882	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:26.160932064 MESZ	49841	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:26.206634998 MESZ	53	49841	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:26.230596066 MESZ	53667	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:26.266649008 MESZ	53	53667	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:26.386177063 MESZ	51748	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:26.426289082 MESZ	53	51748	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:26.429572105 MESZ	53199	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:26.466010094 MESZ	53	53199	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:28.278844118 MESZ	54134	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:28.288492918 MESZ	59582	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:28.302697897 MESZ	62941	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:28.312007904 MESZ	53	54134	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:28.313796997 MESZ	53	59582	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:28.327927113 MESZ	53	62941	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:28.331676006 MESZ	53271	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:28.372262955 MESZ	53	53271	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:30.408819914 MESZ	49168	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:30.434210062 MESZ	53	49168	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:36.471602917 MESZ	63129	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:36.496046066 MESZ	53	63129	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:57.929929018 MESZ	65457	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:57.965293884 MESZ	53	65457	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:57.984416008 MESZ	62062	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:58.009413958 MESZ	53	62062	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:58.223989964 MESZ	49645	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:58.255578041 MESZ	53	49645	8.8.8.8	192.168.1.81
Jul 16, 2018 14:26:59.330351114 MESZ	50512	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:26:59.355695009 MESZ	53	50512	8.8.8.8	192.168.1.81
Jul 16, 2018 14:27:00.549827099 MESZ	63229	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:27:00.582915068 MESZ	53	63229	8.8.8.8	192.168.1.81
Jul 16, 2018 14:27:02.985342026 MESZ	53332	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:27:03.011266947 MESZ	53	53332	8.8.8.8	192.168.1.81
Jul 16, 2018 14:28:23.197154045 MESZ	58012	53	192.168.1.81	8.8.8.8
Jul 16, 2018 14:28:23.221857071 MESZ	53	58012	8.8.8.8	192.168.1.81

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jul 16, 2018 14:26:25.249877930 MESZ	192.168.1.2	192.168.1.81	80ec	(Port unreachable)	Destination Unreachable
Jul 16, 2018 14:26:26.883707047 MESZ	192.168.1.2	192.168.1.81	80ec	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 16, 2018 14:26:24.905462027 MESZ	192.168.1.81	8.8.8.8	0x4d3c	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Jul 16, 2018 14:26:24.916542053 MESZ	192.168.1.81	8.8.8.8	0x6dfa	Standard query (0)	252.0.0.224.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Jul 16, 2018 14:26:28.278844118 MESZ	192.168.1.81	8.8.8.8	0x3744	Standard query (0)	18.249.10.23.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Jul 16, 2018 14:26:28.288492918 MESZ	192.168.1.81	8.8.8.8	0xa8be	Standard query (0)	34.249.10.23.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Jul 16, 2018 14:26:30.408819914 MESZ	192.168.1.81	8.8.8.8	0x6106	Standard query (0)	68.72.101.95.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Jul 16, 2018 14:26:57.929929018 MESZ	192.168.1.81	8.8.8.8	0x90f3	Standard query (0)	www.msftncsi.com	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:57.984416008 MESZ	192.168.1.81	8.8.8.8	0x4742	Standard query (0)	www.msftncsi.com	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:58.223989964 MESZ	192.168.1.81	8.8.8.8	0xe650	Standard query (0)	ukcompany.me	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:59.330351114 MESZ	192.168.1.81	8.8.8.8	0x8237	Standard query (0)	17.249.10.23.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Jul 16, 2018 14:27:00.549827099 MESZ	192.168.1.81	8.8.8.8	0x79ec	Standard query (0)	ukcompany.pw	A (IP address)	IN (0x0001)
Jul 16, 2018 14:27:02.985342026 MESZ	192.168.1.81	8.8.8.8	0xdca4	Standard query (0)	ukcompany.top	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	CName	Address	Type	Class
Jul 16, 2018 14:26:24.932554960 MESZ	8.8.8.8	192.168.1.81	0x4d3c	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Jul 16, 2018 14:26:24.940689087 MESZ	8.8.8.8	192.168.1.81	0x6dfa	Name error (3)	252.0.0.224.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)
Jul 16, 2018 14:26:26.206634998 MESZ	8.8.8.8	192.168.1.81	0x7f01	No error (0)	a1363.dscg.akamai.net		23.10.249.18	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:26.206634998 MESZ	8.8.8.8	192.168.1.81	0x7f01	No error (0)	a1363.dscg.akamai.net		23.10.249.25	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:26.266649008 MESZ	8.8.8.8	192.168.1.81	0x288	No error (0)	a1363.dscg.akamai.net		23.10.249.18	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:26.266649008 MESZ	8.8.8.8	192.168.1.81	0x288	No error (0)	a1363.dscg.akamai.net		23.10.249.25	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:26.426289082 MESZ	8.8.8.8	192.168.1.81	0xeebd	No error (0)	ctldl.windowsupdate.nsatc.net	ctldl.windowsupdate.com.edgesuite.net		CNAME (Canonical name)	IN (0x0001)
Jul 16, 2018 14:26:26.426289082 MESZ	8.8.8.8	192.168.1.81	0xeebd	No error (0)	a1621.g.akamai.net		23.10.249.34	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:26.426289082 MESZ	8.8.8.8	192.168.1.81	0xeebd	No error (0)	a1621.g.akamai.net		23.10.249.19	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:26.466010094 MESZ	8.8.8.8	192.168.1.81	0x67fe	No error (0)	ctldl.windowsupdate.nsatc.net	ctldl.windowsupdate.com.edgesuite.net		CNAME (Canonical name)	IN (0x0001)
Jul 16, 2018 14:26:26.466010094 MESZ	8.8.8.8	192.168.1.81	0x67fe	No error (0)	a1621.g.akamai.net		23.10.249.34	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:26.466010094 MESZ	8.8.8.8	192.168.1.81	0x67fe	No error (0)	a1621.g.akamai.net		23.10.249.19	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:28.312007904 MESZ	8.8.8.8	192.168.1.81	0x3744	No error (0)	18.249.10.23.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Jul 16, 2018 14:26:28.313796997 MESZ	8.8.8.8	192.168.1.81	0xa8be	No error (0)	34.249.10.23.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Jul 16, 2018 14:26:28.327927113 MESZ	8.8.8.8	192.168.1.81	0x6dc1	No error (0)	a1363.dscg.akamai.net		95.101.72.68	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:28.327927113 MESZ	8.8.8.8	192.168.1.81	0x6dc1	No error (0)	a1363.dscg.akamai.net		95.101.72.17	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:28.372262955 MESZ	8.8.8.8	192.168.1.81	0xef49	No error (0)	a1363.dscg.akamai.net		23.10.249.18	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:28.372262955 MESZ	8.8.8.8	192.168.1.81	0xef49	No error (0)	a1363.dscg.akamai.net		23.10.249.25	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:30.434210062 MESZ	8.8.8.8	192.168.1.81	0x6106	No error (0)	68.72.101.95.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Jul 16, 2018 14:26:57.965293884 MESZ	8.8.8.8	192.168.1.81	0x90f3	No error (0)	www.msftncsi.com	www.msftncsi.com.edgesuite.net		CNAME (Canonical name)	IN (0x0001)
Jul 16, 2018 14:26:57.965293884 MESZ	8.8.8.8	192.168.1.81	0x90f3	No error (0)	a1961.g2.akamai.net		23.10.249.17	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:57.965293884 MESZ	8.8.8.8	192.168.1.81	0x90f3	No error (0)	a1961.g2.akamai.net		23.10.249.40	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:58.009413958 MESZ	8.8.8.8	192.168.1.81	0x4742	No error (0)	www.msftncsi.com	www.msftncsi.com.edgesuite.net		CNAME (Canonical name)	IN (0x0001)
Jul 16, 2018 14:26:58.009413958 MESZ	8.8.8.8	192.168.1.81	0x4742	No error (0)	a1961.g2.akamai.net		23.10.249.17	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:58.009413958 MESZ	8.8.8.8	192.168.1.81	0x4742	No error (0)	a1961.g2.akamai.net		23.10.249.40	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:58.255578041 MESZ	8.8.8.8	192.168.1.81	0xe650	Name error (3)	ukcompany.me	none	none	A (IP address)	IN (0x0001)
Jul 16, 2018 14:26:59.355695009 MESZ	8.8.8.8	192.168.1.81	0x8237	No error (0)	17.249.10.23.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Jul 16, 2018 14:27:03.011266947 MESZ	8.8.8.8	192.168.1.81	0xdca4	Name error (3)	ukcompany.top	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.msftncsi.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.1.81	49171	23.10.249.17	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 16, 2018 14:26:58.025387049 MESZ	19	OUT	GET /ncsi.txt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: www.msftncsi.com
Jul 16, 2018 14:26:58.037357092 MESZ	20	IN	HTTP/1.1 200 OK Content-Length: 14 Date: Mon, 16 Jul 2018 12:26:58 GMT Connection: keep-alive Content-Type: text/plain Cache-Control: max-age=30, must-revalidate Data Raw: 4d 69 63 72 6f 73 6f 66 74 20 4e 43 53 49 Data Ascii: Microsoft NCSI
Jul 16, 2018 14:26:58.263539076 MESZ	20	IN	HTTP/1.1 200 OK Content-Length: 14 Date: Mon, 16 Jul 2018 12:26:58 GMT Connection: keep-alive Content-Type: text/plain Cache-Control: max-age=30, must-revalidate Data Raw: 4d 69 63 72 6f 73 6f 66 74 20 4e 43 53 49 Data Ascii: Microsoft NCSI
Jul 16, 2018 14:27:18.239494085 MESZ	21	OUT	GET /ncsi.txt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: www.msftncsi.com
Jul 16, 2018 14:27:18.251550913 MESZ	21	IN	HTTP/1.1 200 OK Content-Length: 14 Date: Mon, 16 Jul 2018 12:27:18 GMT Connection: keep-alive Content-Type: text/plain Cache-Control: max-age=30, must-revalidate Data Raw: 4d 69 63 72 6f 73 6f 66 74 20 4e 43 53 49 Data Ascii: Microsoft NCSI
Jul 16, 2018 14:27:18.479299068 MESZ	22	IN	HTTP/1.1 200 OK Content-Length: 14 Date: Mon, 16 Jul 2018 12:27:18 GMT Connection: keep-alive Content-Type: text/plain Cache-Control: max-age=30, must-revalidate Data Raw: 4d 69 63 72 6f 73 6f 66 74 20 4e 43 53 49 Data Ascii: Microsoft NCSI

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ZrfRZCzOXC.exe PID: 2872 Parent PID: 3004

General

Start time:	14:26:21
Start date:	16/07/2018
Path:	C:\Users\user\Desktop\ZrfRZCzOXC.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\ZrfRZCzOXC.exe'
Imagebase:	0x400000
File size:	242888 bytes
MD5 hash:	2C99759A02CA32D1A7E8AFA09130633F
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 1376 Parent PID: 2872

General

Start time:	14:26:22
Start date:	16/07/2018
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x30000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskeng.exe PID: 1916 Parent PID: 820

General

Start time:	14:30:00
Start date:	16/07/2018
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {353C8FCD-E7D7-4901-A1FC-CC4E5F09B639} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[1]
Imagebase:	0xdd0000
File size:	192000 bytes
MD5 hash:	4F2659160AFCCA990305816946F69407
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2520 Parent PID: 1916

General

Start time:	14:30:00
Start date:	16/07/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start '' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe'
Imagebase:	0x4a060000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: dtevaaaa.exe PID: 3044 Parent PID: 2520

General

Start time:	14:30:01
Start date:	16/07/2018
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe'
Imagebase:	0x400000
File size:	242888 bytes
MD5 hash:	2C99759A02CA32D1A7E8AFA09130633F
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ZrfRZCzOXC.exe PID: 2872 Parent PID: 3004

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	16
Total number of Limit Nodes:	0

Executed Functions

Function 00401B18, Relevance: 6.1, APIs: 4, Instructions: 65
filenative

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE(00000000,00000000,08000004,00000000,0000020C,?), ref: 00401B33
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000), ref: 00401B47
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401C84
NtTerminateProcess.NTDLL(000000FF,00000000), ref: 00401C8B

Memory Dump Source

Source File: 00000001.00000002.10347099679.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.10347089874.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ZrfRZCzOXC.jbxd

Function 00401BC5, Relevance: 4.6, APIs: 3, Instructions: 87
native

Control-flow Graph

Executed
Not Executed

APIs

NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000,?,00000000,?,?,?,?,?), ref: 00401C79
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401C84
NtTerminateProcess.NTDLL(000000FF,00000000), ref: 00401C8B

Memory Dump Source

Source File: 00000001.00000002.10347099679.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.10347089874.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ZrfRZCzOXC.jbxd

Function 00401C19, Relevance: 4.5, APIs: 3, Instructions: 49
native

Control-flow Graph

Executed
Not Executed

APIs

NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000,?,00000000,?,?,?,?,?), ref: 00401C79
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401C84
NtTerminateProcess.NTDLL(000000FF,00000000), ref: 00401C8B

Memory Dump Source

Source File: 00000001.00000002.10347099679.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.10347089874.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ZrfRZCzOXC.jbxd

Non-executed Functions

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Screenshots

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Private

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: ZrfRZCzOXC.exe PID: 2872 Parent PID: 3004

General

Function 00401B18, Relevance: 6.1, APIs: 4, Instructions: 65
filenative

Function 00401BC5, Relevance: 4.6, APIs: 3, Instructions: 87
native

Function 00401C19, Relevance: 4.5, APIs: 3, Instructions: 49
native