regasm.exe

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 13, 2021, 9:59 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 13, 2021, 9:59 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.cashforhoustonhomes.com/svh9/?GzuD=WBjTZrPXs&_ZOx46=Z+2KIbireQ1N7FnKwLUmOBJgZshI3Ou6JZzTQOj9ZzGKN8aedgfhiB5hJ5s24i6+PaavtCZ9
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.miucce.com/svh9/?_ZOx46=wImYdmeU9tMtg/ybNGHTf7iC39Zd9KaNnEwv//3GJN/5pEvSh61uDhX8FRs12IefCIEjTat4&GzuD=WBjTZrPXs
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.daaprank.com/svh9/?GzuD=WBjTZrPXs&_ZOx46=pOyVBkpmjBl4UQ+st/zSPGZd3EmnGMA7ZuEPueNaeaG7OVKWgRfShdYn3SUkBQvyKRSGQXDu
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.dookietime.com/svh9/?_ZOx46=E6nAtqyEn1iF0QlYxoLq2xWmaAW9lfylABBStkBhUOqiY1kqa+UcTjKQEuubYbEJPTnOF0eV&GzuD=WBjTZrPXs
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.liuhanbao.com/svh9/?GzuD=WBjTZrPXs&_ZOx46=Wl3B3sBelUB4cX692W6XSN4h6pr274pQJPb9Dw6eyNKsSWZYCCPq26JR2eTyLHRPHDGEFeiL
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.nearbygetaway.com/svh9/?_ZOx46=XkjUSRgusg5V481eiV1JDOqrMhhip3CDqkn8d3DGL0KYgs5OKfgRuUtNTmUiqmPQKS9U0CoI&GzuD=WBjTZrPXs
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.aldlan-studio.com/svh9/?GzuD=WBjTZrPXs&_ZOx46=iUgadD8mG99znoInhcIeLrQXBXKqEwA1IwwA4YgT2BCb1zuBx9MX2SxVDgkG52FkHnGec8p3
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.cultbehaviour.net/svh9/?GzuD=WBjTZrPXs&_ZOx46=j9Pk+tYvJJbsnCvnCx2gDll+Thl/DV2CEZ3yRX1xT3TJXASdxPEvuE+xFnWuRQ+KItuqSuNK
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.orangepensiontrust.com/svh9/?_ZOx46=yVIJ+1ekb4x5Nt1sGTaSINqEVreOhkPwJg2QoK71/KoVrHRHPpEFie4loXw5vtKsgDWOW1Kt&GzuD=WBjTZrPXs

Performs some HTTP requests (18 events)

request	POST http://www.cashforhoustonhomes.com/svh9/
request	GET http://www.cashforhoustonhomes.com/svh9/?GzuD=WBjTZrPXs&_ZOx46=Z+2KIbireQ1N7FnKwLUmOBJgZshI3Ou6JZzTQOj9ZzGKN8aedgfhiB5hJ5s24i6+PaavtCZ9
request	POST http://www.miucce.com/svh9/
request	GET http://www.miucce.com/svh9/?_ZOx46=wImYdmeU9tMtg/ybNGHTf7iC39Zd9KaNnEwv//3GJN/5pEvSh61uDhX8FRs12IefCIEjTat4&GzuD=WBjTZrPXs
request	POST http://www.daaprank.com/svh9/
request	GET http://www.daaprank.com/svh9/?GzuD=WBjTZrPXs&_ZOx46=pOyVBkpmjBl4UQ+st/zSPGZd3EmnGMA7ZuEPueNaeaG7OVKWgRfShdYn3SUkBQvyKRSGQXDu
request	POST http://www.dookietime.com/svh9/
request	GET http://www.dookietime.com/svh9/?_ZOx46=E6nAtqyEn1iF0QlYxoLq2xWmaAW9lfylABBStkBhUOqiY1kqa+UcTjKQEuubYbEJPTnOF0eV&GzuD=WBjTZrPXs
request	POST http://www.liuhanbao.com/svh9/
request	GET http://www.liuhanbao.com/svh9/?GzuD=WBjTZrPXs&_ZOx46=Wl3B3sBelUB4cX692W6XSN4h6pr274pQJPb9Dw6eyNKsSWZYCCPq26JR2eTyLHRPHDGEFeiL
request	POST http://www.nearbygetaway.com/svh9/
request	GET http://www.nearbygetaway.com/svh9/?_ZOx46=XkjUSRgusg5V481eiV1JDOqrMhhip3CDqkn8d3DGL0KYgs5OKfgRuUtNTmUiqmPQKS9U0CoI&GzuD=WBjTZrPXs
request	POST http://www.aldlan-studio.com/svh9/
request	GET http://www.aldlan-studio.com/svh9/?GzuD=WBjTZrPXs&_ZOx46=iUgadD8mG99znoInhcIeLrQXBXKqEwA1IwwA4YgT2BCb1zuBx9MX2SxVDgkG52FkHnGec8p3
request	POST http://www.cultbehaviour.net/svh9/
request	GET http://www.cultbehaviour.net/svh9/?GzuD=WBjTZrPXs&_ZOx46=j9Pk+tYvJJbsnCvnCx2gDll+Thl/DV2CEZ3yRX1xT3TJXASdxPEvuE+xFnWuRQ+KItuqSuNK
request	POST http://www.orangepensiontrust.com/svh9/
request	GET http://www.orangepensiontrust.com/svh9/?_ZOx46=yVIJ+1ekb4x5Nt1sGTaSINqEVreOhkPwJg2QoK71/KoVrHRHPpEFie4loXw5vtKsgDWOW1Kt&GzuD=WBjTZrPXs

Sends data using the HTTP POST Method (9 events)

request	POST http://www.cashforhoustonhomes.com/svh9/
request	POST http://www.miucce.com/svh9/
request	POST http://www.daaprank.com/svh9/
request	POST http://www.dookietime.com/svh9/
request	POST http://www.liuhanbao.com/svh9/
request	POST http://www.nearbygetaway.com/svh9/
request	POST http://www.aldlan-studio.com/svh9/
request	POST http://www.cultbehaviour.net/svh9/
request	POST http://www.orangepensiontrust.com/svh9/

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 13, 2021, 9:59 a.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 13, 2021, 9:59 a.m.	process_identifier: 9076 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 13, 2021, 9:59 a.m.	process_identifier: 9076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 13, 2021, 9:59 a.m.	process_identifier: 9076 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 13, 2021, 9:59 a.m.	process_identifier: 3388 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsd8590.tmp\lp2q5fglra.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsd8590.tmp\lp2q5fglra.dll

File has been identified by 8 AntiVirus engines on VirusTotal as malicious (8 events)

FireEye	Generic.mg.dc8a2259a6b20756
Kaspersky	HEUR:Trojan.Win32.Zenpak.gen
VIPRE	Trojan.Win32.Generic!BT
Sophos	Generic ML PUA (PUA)
APEX	Malicious
Microsoft	Trojan:Win32/Wacatac.B!ml
AhnLab-V3	Trojan/Win.Generic.R415229
Qihoo-360	HEUR/QVM42.0.8C2F.Malware.Gen

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 13, 2021, 9:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host	172.217.25.14

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Process injection	Process 9076 called NtSetContextThread to modify thread in remote process 3388
Time & API	Arguments	Status	Return	Repeated
NtSetContextThread April 13, 2021, 9:59 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4313152 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000210 process_identifier: 3388	1	0	0

Generates some ICMP traffic

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	198.54.117.198:80
dead_host	198.54.117.197:80