Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

logo-l2d-300x92.png.webp

Http API Code injection PWS AntiVM AntiDebug

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 2, 2025, 3:18 a.m.	May 2, 2025, 3:21 a.m.

Size	13.3KB
Type	RIFF (little-endian) data, Web/P image
MD5	`39647aed01d8339dc54824b7b0896b35`
SHA256	`849958b1fe2009f5d9ecb10eccf200485eb85d23a449a9cecdb73d0b29b05b1d`
CRC32	`AAEA23F6`
ssdeep	`384:h1V1Xc9Iy0EdAtY8zEemLj0G2/b/D3PI0FFeR:PV1s9IyLIfGYzZFFu`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "djoMrZ" C:\Users\test22\AppData\Local\Temp\logo-l2d-300x92.png.webp
2576
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "C:\Users\test22\AppData\Local\Temp\logo-l2d-300x92.png.webp"
  2688
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef41cf1e8,0x7fef41cf1f8,0x7fef41cf208
    2772
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2692 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
    2844

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 2, 2025, 2:50 a.m.			0	0
IsDebuggerPresent May 2, 2025, 2:49 a.m.			0	0
IsDebuggerPresent May 2, 2025, 2:50 a.m.			0	0
IsDebuggerPresent May 2, 2025, 2:50 a.m.			0	0
IsDebuggerPresent May 2, 2025, 2:50 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\chrome_watcher.dll

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 2, 2025, 2:50 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0
NtProtectVirtualMemory May 2, 2025, 2:50 a.m.	process_identifier: 2844 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

Steals private information from local Internet browsers (7 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata

Potentially malicious URLs were found in the process memory dump (2 events)

url	https://crashpad.chromium.org/bug/new
url	https://crashpad.chromium.org/

Yara rule detected in process memory (13 events)

description	Match Windows Http API call				rule	Str_Win32_Http_API
description	PWS Memory				rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process				rule	Code_injection
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	DebuggerException__SetConsoleCtrl
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert				rule	antisb_threatExpert
description	Bypass DEP				rule	disable_dep

One or more non-whitelisted processes were created (2 events)

parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2692 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef41cf1e8,0x7fef41cf1f8,0x7fef41cf208