Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 24, 2021, 5:21 p.m.	May 24, 2021, 5:23 p.m.

Size	262.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`63a11a44eeb7ee8c76f834d4435f4af3`
SHA256	`4183cf2a069d5e118870e3b9e001f3369b415d7d5e1f071ceffb216deece44be`
CRC32	`E39450F8`
ssdeep	`6144:/QqaV8iAbO6mDIqpV5LBZJveaCzlH8KQALPsL2lJbZJ:QVybODdpVZJ/CzPQAA2ltZJ`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Win_Backdoor_GhostCringe_Zero - Win Backdoor GhostCringe

run.exe "C:\Users\test22\AppData\Local\Temp\run.exe"
2776
- Ser.exe "C:\Windows\temp\Ser.exe"
  1836
- Sec.exe "C:\Windows\temp\Sec.exe"
  2428
  - 360diao.exe 360diao.exe
    752
- Sel.exe "C:\Windows\temp\Sel.exe"
  1396

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
139.155.178.173	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49201 -> 139.155.178.173:19060	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.101:49201 -> 139.155.178.173:19060	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.101:49201 -> 139.155.178.173:19060	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 192.168.56.101:49202 -> 139.155.178.173:888	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 139.155.178.173:888 -> 192.168.56.101:49202	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 139.155.178.173:888 -> 192.168.56.101:49202	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 139.155.178.173:888 -> 192.168.56.101:49202	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 139.155.178.173:888 -> 192.168.56.101:49202	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.101:49258 -> 139.155.178.173:19060	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.101:49258 -> 139.155.178.173:19060	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.101:49258 -> 139.155.178.173:19060	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 192.168.56.101:49306 -> 139.155.178.173:19060	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.101:49306 -> 139.155.178.173:19060	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.101:49306 -> 139.155.178.173:19060	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 192.168.56.101:49202 -> 139.155.178.173:888	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49352 -> 139.155.178.173:19060	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.101:49352 -> 139.155.178.173:19060	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.101:49352 -> 139.155.178.173:19060	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 24, 2021, 5:21 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 24, 2021, 5:21 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 24, 2021, 5:21 p.m.	stacktrace: Host+0x14c @ 0x10002bfc exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b eb 24 8b 45 ec exception.exception_code: 0xc000001d exception.symbol: Host-0x1307 exception.address: 0x100017a9 registers.esp: 1637528 registers.edi: 0 registers.eax: 1 registers.ebp: 1637580 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 1970484437 registers.ecx: 3016	1	0	0
__exception__ May 24, 2021, 5:21 p.m.	stacktrace: Host+0x155 @ 0x10002c05 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45 exception.instruction: in eax, dx exception.exception_code: 0xc0000096 exception.symbol: Host-0x1268 exception.address: 0x10001848 registers.esp: 1637528 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 1637580 registers.edx: 22104 registers.ebx: 0 registers.esi: 1970484437 registers.ecx: 10	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 425 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74231000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74251000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74221000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74191000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77371000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74101000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740f1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740d1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740b1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff		3221225713
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 155648 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x100fa000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10120000 process_handle: 0xffffffff		3221225713
NtAllocateVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72131000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74251000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74221000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74191000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74101000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740f1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740d1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740b1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 942080 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 217088 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x100e7000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74191000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x723b1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72374000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x723b2000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77371000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x765b1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75431000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c61000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74251000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74221000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74251000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74221000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74251000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74221000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74251000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74221000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74251000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74221000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74251000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74221000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74251000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74221000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74251000 process_handle: 0xffffffff	1	0

A process attempted to delay the analysis task. (1 event)

description

Ser.exe tried to sleep 253 seconds, actually delayed analysis time by 253 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 24, 2021, 5:21 p.m.	total_number_of_free_bytes: 13716664320 free_bytes_available: 13716664320 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW May 24, 2021, 5:23 p.m.	total_number_of_free_bytes: 13716992000 free_bytes_available: 13716992000 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (5 events)

file	C:\Windows\Temp\Ser.exe
file	C:\Windows\Temp\360diao.exe
file	C:\Windows\Temp\Sec.exe
file	C:\Program Files\Cacrk\Cacrk.dll
file	C:\Windows\Temp\Sel.exe

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA May 24, 2021, 5:21 p.m.	service_start_name: start_type: 2 password: display_name: Internet Connection Sharing (ICS) filepath: C:\Program Files (x86)\Arrange\NULL.jpg service_name: SharedAccess filepath_r: C:\Program Files (x86)\Arrange\NULL.jpg desired_access: 983551 service_handle: 0x00000000 error_control: 0 service_type: 272 service_manager_handle: 0x004dccc0		0	0

Drops a binary and executes it (2 events)

file	C:\Windows\Temp\Sec.exe
file	C:\Windows\Temp\Ser.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (44 events)

Time & API	Arguments	Status	Return
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x00000110 process_name: mobsync.exe process_identifier: 2140	1	1
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x00000110 process_name: taskhost.exe process_identifier: 1240	1	1
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x00000110 process_name: Sec.exe process_identifier: 2428	1	1
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x00000110 process_name: Ser.exe process_identifier: 1836	1	1
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x00000110 process_name: Sel.exe process_identifier: 1396	1	1
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x00000110 process_name: Sel.exe process_identifier: 7471220		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000014c process_name: Sel.exe process_identifier: 6684769		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 752	1	1
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 7602224		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 7536688		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 3014768		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 7274573		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 5046390		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6815859		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6881397		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 7602277		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6619235		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 4456552		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 7536758		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 4390992		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: process_identifier: 5439572		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6619182		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6553715		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 5046338		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6619246		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6750273		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 7733331		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 4980808		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6619251		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 7864421		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 3342387		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 3014722		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: process_identifier: 7733362		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6553705		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x000002e4 process_name: Sel.exe process_identifier: 4456521		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x000002e8 process_name: Sel.exe process_identifier: 3014771		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x000002f4 process_name: Sel.exe process_identifier: 7798887		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000031c process_name: Sel.exe process_identifier: 7667821		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x000001c4 process_name: Sel.exe process_identifier: 7798829		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000032c process_name: Sel.exe process_identifier: 6815828		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x00000338 process_name: Sel.exe process_identifier: 3670069		0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000033c process_name: Sel.exe process_identifier: 6357102		0
Process32NextW May 24, 2021, 5:22 p.m.	snapshot_handle: 0x000001d4 process_name: cmd.exe process_identifier: 2976	1	1
Process32NextW May 24, 2021, 5:22 p.m.	snapshot_handle: 0x000001d4 process_name: conhost.exe process_identifier: 2344	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 24, 2021, 5:21 p.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 434176 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process sec.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile May 24, 2021, 5:21 p.m.	buffer: MZÿÿ¸@(º´ Í!¸LÍ!This program cannot be run in DOS mode. $LNáî ²î ²î ²sò,² î ²gñ+²î ²gñ²î ²ò.²$î ²>È²Âî ²>È+²Tî ²^ñ3²$î ²jñ3²î ²î!²¤ì ²æ}²î ²ôÎ2² î ²àñ+²iî ²àñ*²î ²î ²Sî ²Ïè&² î ²Richî ²PEL¡@v`à` ÀBap @Pè\|K, Oh_p T.textU ` `.rdata¢3Ap @Ap @@.dataJè°K °K@À.rsrch_ O`ÐL@@ request_handle: 0x00cc000c	1	1	0
InternetReadFile May 24, 2021, 5:21 p.m.	buffer: kernel32IsWow64Processú¦Ï©ÅoïÉ[©Á~¿ÍfC±NtZwuser32.dllgdi32.dll ÷×_ÒÖ¯ÆfCÁ¾/ÎCÃ6G¥ÏWçÅïÉ[©Á~¿ÍfC±@ãð7«Å[ïÉ[©Á~¿ÍfC±D@#\Software\Valve\Steam\RememberPasswordêAõA\|hA4iAÅkAtA¢tAwAszAÊzA'{Aæ\|AA&A¯A8A·A'ÀA]ÀAAåAÌA¿AA`A´AAbA-A AÕAÇA¹AA^A/ A!¡A¢A£A÷£Aé¤Aß¥A¶¦A§A¨AÎ©AÄªA«AÃ°A±A^²AB³A´Aò´Aã·A¹A8ºAÀ»A¼Av½AX¾A<¿ABBäÀAMáAuëAúAwB7B7B´BSBB±BºBOB BÚB"'B@®<B¹<BM:BÀ?MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $yÌ³Þ=Ý=Ý=Ý¾±ÓÝ×ÝÖkÝF±Ñ>Ýk²ÎÝ_²Î(Ý=Ür¯ÝÕ²ÖwÝÕ²×$Ý=Ý"Ýú«Û<ÝÂÙ<ÝRich=ÝPELw ^à!ð@ÛQ request_handle: 0x00cc000c	1	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 6545 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000014c process_name: Sel.exe process_identifier: 6684769		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 7536688		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 3014768		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 7274573		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 5046390		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6815859		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6881397		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 7602277		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6619235		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 4456552		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 7536758		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6684769		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 4390992		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: process_identifier: 5439572		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6619182		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6553715		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 5046338		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6619246		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6750273		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 7471220		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 7733331		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 4980808		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6619251		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 7864421		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 3342387		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 3014722		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: process_identifier: 7733362		0	0
Process32NextW May 24, 2021, 5:21 p.m.	snapshot_handle: 0x0000039c process_name: 360diao.exe process_identifier: 6553705		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 7602224		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 7536688		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 3014768		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 7274573		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 5046390		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 6815859		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 6881397		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 7602277		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 6619235		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 4456552		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 7536758		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 6684769		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 4390992		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: process_identifier: 5439572		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 6619182		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 6553715		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 5046338		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 6619246		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 6750273		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 7471220		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 7733331		0	0
Process32NextW May 24, 2021, 5:23 p.m.	snapshot_handle: 0x00000388 process_name: 360diao.exe process_identifier: 4980808		0	0

Communicates with host for which no DNS query was performed (1 event)

host

139.155.178.173

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXX5B07E7D0				reg_value	C:\Windows\XXXXXX5B07E7D0\svchsot.exe
service_name	SharedAccess				service_path	C:\Program Files (x86)\Arrange\NULL.jpg

Expresses interest in specific running processes (4 events)

process	ser.exe
process	sel.exe
process	kmservice.exe
process: potential process injection target	explorer.exe

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 24, 2021, 5:21 p.m.	stacktrace: Host+0x155 @ 0x10002c05 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45 exception.instruction: in eax, dx exception.exception_code: 0xc0000096 exception.symbol: Host-0x1268 exception.address: 0x10001848 registers.esp: 1637528 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 1637580 registers.edx: 22104 registers.ebx: 0 registers.esi: 1970484437 registers.ecx: 10	1	0	0

Creates known Zegost files, registry changes and/or mutexes (1 event)

mutex

AAAAAArrCmva6ysr2utKe9rrSwqa6mr7Wvnw==

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

MicroWorld-eScan	MemScan:Trojan.GenericKDZ.41799
FireEye	MemScan:Trojan.GenericKDZ.41799
CAT-QuickHeal	Trojan.Magania.18692
McAfee	Artemis!63A11A44EEB7
Malwarebytes	Malware.AI.4016639641
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 0055e3da1 )
K7GW	Trojan-Downloader ( 0055e3da1 )
Cybereason	malicious.4eeb7e
Baidu	Win32.Trojan.Dialer.d
Cyren	W32/Kryptik.EAW.gen!Eldorado
Symantec	Backdoor.Trojan
ESET-NOD32	multiple detections
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Trojan.Farfli-9811912-0
Kaspersky	Trojan-Downloader.Win32.Dupzom.blr
BitDefender	MemScan:Trojan.GenericKDZ.41799
NANO-Antivirus	Trojan.Win32.Dwn.eahibw
Paloalto	generic.ml
Tencent	Win32.Trojan-downloader.Dupzom.Wopt
Ad-Aware	MemScan:Trojan.GenericKDZ.41799
Sophos	Troj/AutoG-JE
Comodo	TrojWare.Win32.Agent.PDSB@4q3i1w
DrWeb	Trojan.DownLoader19.23899
TrendMicro	BKDR_ZEGOST.SM50
McAfee-GW-Edition	BackDoor-EMA.gen.e
Emsisoft	MemScan:Trojan.GenericKDZ.41799 (B)
Ikarus	Trojan.Win32.Crypt
Jiangmin	Trojan/Dialer.mgr
eGambit	Unsafe.AI_Score_99%
Avira	HEUR/AGEN.1124319
MAX	malware (ai score=89)
Antiy-AVL	Trojan/Generic.ASMalwS.17175DA
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Dorv.A
ZoneAlarm	HEUR:Trojan.Win32.Farfli.gen
GData	Win32.Trojan-Downloader.Agent.WC
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Generic.R419237
BitDefenderTheta	Gen:NN.ZexaF.34690.cq0@aqF6coeb
VBA32	BScope.Trojan.Downloader
Zoner	Trojan.Win32.22067
TrendMicro-HouseCall	BKDR_ZEGOST.SM50
Rising	Trojan.Win32.Lebag.b (CLOUD)
Yandex	Trojan.GenAsa!puNbw774luA
Fortinet	W32/Agent.BVS!tr
AVG	Win32:Malware-gen

run.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All