Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 7, 2021, 9:25 a.m.	April 7, 2021, 9:27 a.m.

Size	903.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`7f8a15aca0965d3ef7f5e36245ee20fa`
SHA256	`4fc6b82cb39e7ba08b5c9d519bf11111e76d3313f0e2bd93c3b67d15b155c2e7`
CRC32	`E582D0CB`
ssdeep	`24576:ptqmRTTqKdijAEoZHeMg1cHZq9rgAuvJ:ptAwxZzCSZMrL`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Azorult_Net_1_Zero - Win32 Trojan PWS .NET Azorult PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check

sample.exe "C:\Users\test22\AppData\Local\Temp\sample.exe"
2388
- InstallUtil.exe "C:\Users\test22\AppData\Local\Temp\InstallUtil.exe"
  2164

Name	Response	Post-Analysis Lookup
www.google.com	A 142.250.204.132	172.217.174.100

IP Address	Status	Action
13.107.21.200	Active	Moloch
142.250.204.132	Active	Moloch
159.69.119.114	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 7, 2021, 9:25 a.m.			0	0
IsDebuggerPresent April 7, 2021, 9:25 a.m.			0	0
IsDebuggerPresent April 7, 2021, 9:25 a.m.			0	0
IsDebuggerPresent April 7, 2021, 9:25 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey April 7, 2021, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2021, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2021, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2021, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c13d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2021, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c13d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2021, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 7, 2021, 9:25 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://www.google.com/
suspicious_features	GET method with no useragent header				suspicious_request	GET https://www.bing.com/

Performs some HTTP requests (2 events)

request	GET https://www.google.com/
request	GET https://www.bing.com/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 121 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d3b2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0624f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06240000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00721000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06241000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 15872 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b0400 process_handle: 0xffffffff		3221225550
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06431000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06433000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06434000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06435000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b0178 process_handle: 0xffffffff		3221225550

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 7, 2021, 9:25 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x000da400', u'virtual_address': u'0x00002000', u'entropy': 7.113949652272218, u'name': u'.text', u'virtual_size': u'0x000da334'}

entropy

7.11394965227

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00007600', u'virtual_address': u'0x000de000', u'entropy': 6.908453059468728, u'name': u'.rsrc', u'virtual_size': u'0x000075da'}

entropy

6.90845305947

description

A section with a high entropy has been found

entropy

0.999446290144

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 7, 2021, 9:25 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (12 events)

description	Listen for incoming communication	rule	network_tcp_listen
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (2 events)

host	13.107.21.200
host	159.69.119.114

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2164 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000670	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation April 7, 2021, 9:25 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

sample.exe tried to sleep 10912667 seconds, actually delayed analysis time by 10912667 seconds

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory April 7, 2021, 9:25 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÝ¯Æà0ÿ @ `@DÿO Ä@(ÿ H.textÿ `.rsrcÄ @@.reloc@@B base_address: 0x00400000 process_identifier: 2164 process_handle: 0x00000670	1	1
WriteProcessMemory April 7, 2021, 9:25 a.m.	buffer: P8hÄ 224VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfon000004b0* CommentsFTP Tool0CompanyNameFTP Inc>FileDescriptionFTP Client0FileVersion1.2.3.16InternalNameBlokes.exe4LegalCopyrightFTP Inc8LegalTrademarksFTP Inc>OriginalFilenameBlokes.exe6ProductNameFTP Client4ProductVersion1.2.3.1: Assembly Version12.5.1.3Ô#êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00422000 process_identifier: 2164 process_handle: 0x00000670	1	1
WriteProcessMemory April 7, 2021, 9:25 a.m.	buffer: ð? base_address: 0x00424000 process_identifier: 2164 process_handle: 0x00000670	1	1
WriteProcessMemory April 7, 2021, 9:25 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2164 process_handle: 0x00000670	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 7, 2021, 9:25 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÝ¯Æà0ÿ @ `@DÿO Ä@(ÿ H.textÿ `.rsrcÄ @@.reloc@@B base_address: 0x00400000 process_identifier: 2164 process_handle: 0x00000670	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2388 called NtSetContextThread to modify thread in remote process 2164
NtSetContextThread April 7, 2021, 9:25 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4325270 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000066c process_identifier: 2164	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\sample.exe\:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2388 resumed a thread in remote process 2164
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x0000066c suspend_count: 1 process_identifier: 2164	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

159.69.119.114:3214

Executed a process and injected code into it, probably while unpacking (30 events)

Time & API	Arguments	Status	Return
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2388	1	0
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2388	1	0
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2388	1	0
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 2388	1	0
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x0000060c suspend_count: 1 process_identifier: 2388	1	0
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x00000634 suspend_count: 1 process_identifier: 2388	1	0
NtGetContextThread April 7, 2021, 9:25 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread April 7, 2021, 9:25 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2388	1	0
NtGetContextThread April 7, 2021, 9:25 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread April 7, 2021, 9:25 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2388	1	0
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x00000654 suspend_count: 1 process_identifier: 2388	1	0
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x00000668 suspend_count: 1 process_identifier: 2388	1	0
CreateProcessInternalW April 7, 2021, 9:25 a.m.	thread_identifier: 492 thread_handle: 0x0000066c process_identifier: 2164 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\InstallUtil.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\InstallUtil.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\InstallUtil.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000670	1	1
NtGetContextThread April 7, 2021, 9:25 a.m.	thread_handle: 0x0000066c	1	0
NtAllocateVirtualMemory April 7, 2021, 9:25 a.m.	process_identifier: 2164 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000670	1	0
WriteProcessMemory April 7, 2021, 9:25 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÝ¯Æà0ÿ @ `@DÿO Ä@(ÿ H.textÿ `.rsrcÄ @@.reloc@@B base_address: 0x00400000 process_identifier: 2164 process_handle: 0x00000670	1	1
WriteProcessMemory April 7, 2021, 9:25 a.m.	buffer: base_address: 0x00402000 process_identifier: 2164 process_handle: 0x00000670	1	1
WriteProcessMemory April 7, 2021, 9:25 a.m.	buffer: P8hÄ 224VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfon000004b0* CommentsFTP Tool0CompanyNameFTP Inc>FileDescriptionFTP Client0FileVersion1.2.3.16InternalNameBlokes.exe4LegalCopyrightFTP Inc8LegalTrademarksFTP Inc>OriginalFilenameBlokes.exe6ProductNameFTP Client4ProductVersion1.2.3.1: Assembly Version12.5.1.3Ô#êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00422000 process_identifier: 2164 process_handle: 0x00000670	1	1
WriteProcessMemory April 7, 2021, 9:25 a.m.	buffer: ð? base_address: 0x00424000 process_identifier: 2164 process_handle: 0x00000670	1	1
WriteProcessMemory April 7, 2021, 9:25 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2164 process_handle: 0x00000670	1	1
NtSetContextThread April 7, 2021, 9:25 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4325270 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000066c process_identifier: 2164	1	0
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x0000066c suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread April 7, 2021, 9:25 a.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 2164	1	0

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.36464441
FireEye	Generic.mg.7f8a15aca0965d3e
CAT-QuickHeal	Trojan.Kryptik
McAfee	PWS-FCSO!7F8A15ACA096
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2945273
Sangfor	Trojan.MSIL.Kryptik.TF
K7AntiVirus	Trojan ( 00578b451 )
Alibaba	TrojanPSW:MSIL/Kryptik.d5dd9039
K7GW	Trojan ( 00578b451 )
CrowdStrike	win/malicious_confidence_90% (W)
Cyren	W32/Trojan.PHFF-3817
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.36464441
NANO-Antivirus	Trojan.Win32.Agensla.ipitiq
Paloalto	generic.ml
Tencent	Malware.Win32.Gencirc.11baf8b9
Ad-Aware	Trojan.GenericKD.36464441
Emsisoft	Trojan.GenericKD.36464441 (B)
Comodo	Malware@#19dap3tcldldr
DrWeb	Trojan.PWS.Siggen2.62547
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Trojan.MSIL.MALREP.THCOGBA
McAfee-GW-Edition	PWS-FCSO!7F8A15ACA096
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1141554
MAX	malware (ai score=99)
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Kryptik.oa
Microsoft	Trojan:MSIL/Kryptik.TF!MTB
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Trojan.GenericKD.36464441
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_Generic.C4368366
BitDefenderTheta	Gen:NN.ZemsilF.34628.4m0@a4inFSoi
ALYac	Spyware.Infostealer.RedLine
VBA32	TScope.Trojan.MSIL
Malwarebytes	Malware.AI.4186686823
ESET-NOD32	a variant of MSIL/Kryptik.ZWC
TrendMicro-HouseCall	Trojan.MSIL.MALREP.THCOGBA
Rising	Trojan.Kryptik!8.8 (CLOUD)
Yandex	Trojan.Kryptik!MPLiEgM76KM
Ikarus	Trojan.MSIL.Inject
Fortinet	MSIL/Kryptik.ZXL!tr

sample.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All