Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 3, 2021, 4:47 p.m.	May 3, 2021, 4:52 p.m.

Size	750.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`9da5129864c291e4a906fb6c7f39c2e7`
SHA256	`82356d8ae16384974d8394286b95b348e83abf6cbcf7550c739067c00681641e`
CRC32	`86394750`
ssdeep	`12288:utMy8DVceejlYMj1AR21r5BmhxW3RvDU56q6aH3PM:py8D7WYMj1U2/cIBvYPP`
PDB Path	C:\Users\Administrator\Desktop\Client\Temp\tSGwnPoQBg\src\obj\Debug\FUNCFLAGS.pdb
Yara	Malicious_Library_Zero - Malicious_Library Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

5bXw21jauyHi85L.exe "C:\Users\test22\AppData\Local\Temp\5bXw21jauyHi85L.exe"
996
- RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  4404

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 3, 2021, 4:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2021, 4:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2021, 4:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2021, 4:48 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 3, 2021, 4:46 p.m.			0	0
IsDebuggerPresent May 3, 2021, 4:46 p.m.			0	0
IsDebuggerPresent May 3, 2021, 4:48 p.m.			0	0
IsDebuggerPresent May 3, 2021, 4:48 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey May 3, 2021, 4:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e6370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2021, 4:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e6d70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2021, 4:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e6d70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\Desktop\Client\Temp\tSGwnPoQBg\src\obj\Debug\FUNCFLAGS.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 3, 2021, 4:46 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 3, 2021, 4:48 p.m.	stacktrace: 0x671788 0x670fb3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6f5c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6f5c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6f651dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6f651e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6f651f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6f65416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 9b d7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x671bfb registers.esp: 3927200 registers.edi: 3927224 registers.eax: 0 registers.ebp: 3927236 registers.edx: 195 registers.ebx: 3927484 registers.esi: 40305716 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

May 3, 2021, 4:48 p.m.

stacktrace:

0x671788
0x670fb3
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6f5c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6f5c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6f651dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6f651e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6f651f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6f65416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 9b d7
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x671bfb
registers.esp: 3927200
registers.edi: 3927224
registers.eax: 0
registers.ebp: 3927236
registers.edx: 195
registers.ebx: 3927484
registers.esi: 40305716
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 110 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory May 3, 2021, 4:46 p.m.	process_identifier: 996 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:46 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 3, 2021, 4:46 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 3, 2021, 4:46 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:46 p.m.	process_identifier: 996 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:46 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:46 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:46 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:46 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:46 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:46 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:46 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:46 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:46 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:46 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:46 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:47 p.m.	process_identifier: 996 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:47 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:47 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:47 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:47 p.m.	process_identifier: 996 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:47 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:47 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:47 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 3, 2021, 4:47 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:47 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:47 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:47 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b05000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b06000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b07000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b08000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b09000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05340178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053401a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053401c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053ed7ae process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053ed7a2 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05340208 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053c7038 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053c705c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053c7064 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053c7068 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053c7070 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053c7074 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053c7078 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053c707c process_handle: 0xffffffff		3221225550

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000bac00', u'virtual_address': u'0x00002000', u'entropy': 7.9170185114613805, u'name': u'.text', u'virtual_size': u'0x000baa1c'}

entropy

7.91701851146

description

A section with a high entropy has been found

entropy

0.996664442962

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 3, 2021, 4:48 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 4404 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a0	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation May 3, 2021, 4:48 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

RegSvcs.exe tried to sleep 5456342 seconds, actually delayed analysis time by 5456342 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\newapp

reg_value

C:\Users\test22\AppData\Roaming\newapp\newapp.exe

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 3, 2021, 4:48 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELíw`àXw @ À@ÄvW H.text$W X `.rsrc Z@@.reloc `@B base_address: 0x00400000 process_identifier: 4404 process_handle: 0x000002a0	1	1
WriteProcessMemory May 3, 2021, 4:48 p.m.	buffer: 8Ph 0ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNameASvcsstzJfaANpuKCfRmJKIe.exe(LegalCopyright dOriginalFilenameASvcsstzJfaANpuKCfRmJKIe.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 4404 process_handle: 0x000002a0	1	1
WriteProcessMemory May 3, 2021, 4:48 p.m.	buffer: p 7 base_address: 0x0043a000 process_identifier: 4404 process_handle: 0x000002a0	1	1
WriteProcessMemory May 3, 2021, 4:48 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 4404 process_handle: 0x000002a0	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 3, 2021, 4:48 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELíw`àXw @ À@ÄvW H.text$W X `.rsrc Z@@.reloc `@B base_address: 0x00400000 process_identifier: 4404 process_handle: 0x000002a0	1	1	0

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Sangfor	Trojan.Win32.Save.a
Symantec	Scr.Malcode!gdn30
ESET-NOD32	a variant of MSIL/Kryptik.AASA
APEX	Malicious
Paloalto	generic.ml
Kaspersky	VHO:Trojan-Dropper.Win32.Dapato.gen
Avast	Win32:PWSX-gen [Trj]
McAfee-GW-Edition	Artemis
Microsoft	Trojan:Script/Wacatac.B!ml
Cynet	Malicious (score: 100)
McAfee	Artemis!9DA5129864C2
Malwarebytes	Trojan.MalPack.ADC
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Kryptik.AARD!tr
AVG	Win32:PWSX-gen [Trj]

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 996 called NtSetContextThread to modify thread in remote process 4404
NtSetContextThread May 3, 2021, 4:48 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421406 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000029c process_identifier: 4404	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Roaming\newapp\newapp.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 996 resumed a thread in remote process 4404
NtResumeThread May 3, 2021, 4:48 p.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 4404	1	0	0

Executed a process and injected code into it, probably while unpacking (21 events)

Time & API	Arguments	Status	Return
NtResumeThread May 3, 2021, 4:46 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 996	1	0
NtResumeThread May 3, 2021, 4:46 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 996	1	0
NtResumeThread May 3, 2021, 4:46 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 996	1	0
NtResumeThread May 3, 2021, 4:48 p.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 996	1	0
CreateProcessInternalW May 3, 2021, 4:48 p.m.	thread_identifier: 7552 thread_handle: 0x0000029c process_identifier: 4404 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002a0	1	1
NtGetContextThread May 3, 2021, 4:48 p.m.	thread_handle: 0x0000029c	1	0
NtAllocateVirtualMemory May 3, 2021, 4:48 p.m.	process_identifier: 4404 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a0	1	0
WriteProcessMemory May 3, 2021, 4:48 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELíw`àXw @ À@ÄvW H.text$W X `.rsrc Z@@.reloc `@B base_address: 0x00400000 process_identifier: 4404 process_handle: 0x000002a0	1	1
WriteProcessMemory May 3, 2021, 4:48 p.m.	buffer: base_address: 0x00402000 process_identifier: 4404 process_handle: 0x000002a0	1	1
WriteProcessMemory May 3, 2021, 4:48 p.m.	buffer: 8Ph 0ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNameASvcsstzJfaANpuKCfRmJKIe.exe(LegalCopyright dOriginalFilenameASvcsstzJfaANpuKCfRmJKIe.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 4404 process_handle: 0x000002a0	1	1
WriteProcessMemory May 3, 2021, 4:48 p.m.	buffer: p 7 base_address: 0x0043a000 process_identifier: 4404 process_handle: 0x000002a0	1	1
WriteProcessMemory May 3, 2021, 4:48 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 4404 process_handle: 0x000002a0	1	1
NtSetContextThread May 3, 2021, 4:48 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421406 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000029c process_identifier: 4404	1	0
NtResumeThread May 3, 2021, 4:48 p.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 4404	1	0
NtResumeThread May 3, 2021, 4:48 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 4404	1	0
NtResumeThread May 3, 2021, 4:48 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 4404	1	0
NtResumeThread May 3, 2021, 4:48 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 4404	1	0
NtResumeThread May 3, 2021, 4:48 p.m.	thread_handle: 0x00000324 suspend_count: 1 process_identifier: 4404	1	0
NtResumeThread May 3, 2021, 4:48 p.m.	thread_handle: 0x00000344 suspend_count: 1 process_identifier: 4404	1	0
NtResumeThread May 3, 2021, 4:48 p.m.	thread_handle: 0x000003a8 suspend_count: 1 process_identifier: 4404	1	0
NtResumeThread May 3, 2021, 4:48 p.m.	thread_handle: 0x00000420 suspend_count: 1 process_identifier: 4404	1	0

5bXw21jauyHi85L.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All