Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 28, 2021, 8:20 a.m.	May 28, 2021, 8:27 a.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`5bcb9ac769b8c069e202b42b16773af7`
SHA256	`63293e2c954c974e685dcb975d009448838d0ed659719d29340b587cc89c203f`
CRC32	`E53B39E1`
ssdeep	`24576:POgEh3PniveXZtwGoeI/r2RB3IGmZiAe4G1y+9inUO8KtYVvuulhj:J8PnyAOV2RBpkiAe4G1b9y8tuuv`
Yara	Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

covid.exe "C:\Users\test22\AppData\Local\Temp\covid.exe"
4208
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gguZZQaSk" /XML "C:\Users\test22\AppData\Local\Temp\tmp97F9.tmp"
  3456
- RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  4440

Name	Response	Post-Analysis Lookup
edgedl.me.gvt1.com	A 34.104.35.123	34.104.35.123
wekeepworking.sytes.net	A 185.140.53.40	185.140.53.40

IP Address	Status	Action
142.250.66.99	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
185.140.53.40	Active	Moloch
34.104.35.123	Active	Moloch
211.114.66.77	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 34.104.35.123:80 -> 192.168.56.102:49812	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 34.104.35.123:80 -> 192.168.56.102:49812	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49811 -> 142.250.66.99:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.104.35.123:80 -> 192.168.56.102:49812	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49811 142.250.66.99:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com	4c:f7:71:9d:b2:c7:1b:2b:a2:f7:d5:41:9c:01:ca:78:4e:d0:c4:cb

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 28, 2021, 8:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 28, 2021, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 28, 2021, 8:21 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 28, 2021, 8:19 a.m.			0	0
IsDebuggerPresent May 28, 2021, 8:21 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 28, 2021, 8:21 a.m.	buffer: SUCCESS: The scheduled task "Updates\gguZZQaSk" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 28, 2021, 8:19 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (6 events)

Time & API	Arguments	Status	Return
bind May 28, 2021, 8:19 a.m.	ip_address: 127.0.0.1 socket: 616 port: 0	1	0
listen May 28, 2021, 8:19 a.m.	socket: 616 backlog: 2147483647	1	0
accept May 28, 2021, 8:19 a.m.	ip_address: 127.0.0.1 socket: 616 port: 0		4294967295
bind May 28, 2021, 8:21 a.m.	ip_address: 0.0.0.0 socket: 808 port: 0	1	0
bind May 28, 2021, 8:21 a.m.	ip_address: 0.0.0.0 socket: 884 port: 0	1	0
bind May 28, 2021, 8:21 a.m.	ip_address: 0.0.0.0 socket: 896 port: 0	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:2210899602&cup2hreq=4af8a317c8f3b4f0e5cc0232ccdfe81ee58927156e4e3612666c5b15dbc1ee68

Connects to a Dynamic DNS Domain (1 event)

domain

wekeepworking.sytes.net

Performs some HTTP requests (3 events)

request	HEAD http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	GET http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	POST https://update.googleapis.com/service/update2?cup2key=10:2210899602&cup2hreq=4af8a317c8f3b4f0e5cc0232ccdfe81ee58927156e4e3612666c5b15dbc1ee68

Sends data using the HTTP POST Method (1 event)

request

POST https://update.googleapis.com/service/update2?cup2key=10:2210899602&cup2hreq=4af8a317c8f3b4f0e5cc0232ccdfe81ee58927156e4e3612666c5b15dbc1ee68

Allocates read-write-execute memory (usually to unpack itself) (50 out of 261 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fc91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fc92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00661000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c5d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c5d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2021, 8:19 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c15000 process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gguZZQaSk" /XML "C:\Users\test22\AppData\Local\Temp\tmp97F9.tmp"
cmdline	schtasks.exe /Create /TN "Updates\gguZZQaSk" /XML "C:\Users\test22\AppData\Local\Temp\tmp97F9.tmp"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 28, 2021, 8:21 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\gguZZQaSk" /XML "C:\Users\test22\AppData\Local\Temp\tmp97F9.tmp" filepath: schtasks.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0016ba00', u'virtual_address': u'0x00002000', u'entropy': 7.52288018362031, u'name': u'.text', u'virtual_size': u'0x0016b924'}

entropy

7.52288018362

description

A section with a high entropy has been found

entropy

0.996915695682

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 28, 2021, 8:21 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 28, 2021, 8:21 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gguZZQaSk" /XML "C:\Users\test22\AppData\Local\Temp\tmp97F9.tmp"
cmdline	schtasks.exe /Create /TN "Updates\gguZZQaSk" /XML "C:\Users\test22\AppData\Local\Temp\tmp97F9.tmp"

One or more of the buffers contains an embedded PE file (13 events)

buffer	Buffer with sha1: 636b8187f0cb59d43c9ee1eedf144043941b62d9
buffer	Buffer with sha1: 4380fb6de89a7776d52214359ce213d24a2239ad
buffer	Buffer with sha1: c19d9db351af75fec019fe76506a455eba7fd168
buffer	Buffer with sha1: c1ef2ca62189121934d1a7944ef1bdc1aa319877
buffer	Buffer with sha1: 063fb8b27c0872c54bff35e2b76d8f522e13f8b4
buffer	Buffer with sha1: 925c5236c59dd8f3efea4b3e091ef735b405a880
buffer	Buffer with sha1: c54e7c5cac5fac68dc564ce64355d948422bf1ce
buffer	Buffer with sha1: dcdec0ea839844e977c1151d2eeedbb0788a34b1
buffer	Buffer with sha1: 0c6598a0a37eaf12ce188fa66bc6c5db394af8a4
buffer	Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer	Buffer with sha1: efa4948abb218e47d809bedd1aff08cfb76d40e1
buffer	Buffer with sha1: 1b68e773e3522fa8edc7cb20d7c7f156b08ec73a
buffer	Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251

Communicates with host for which no DNS query was performed (3 events)

host	142.250.66.99
host	172.217.25.14
host	211.114.66.77

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 28, 2021, 8:21 a.m.	process_identifier: 4440 region_size: 573440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000390	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation May 28, 2021, 8:21 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (2 events)

description	RegSvcs.exe tried to sleep 5456362 seconds, actually delayed analysis time by 5456362 seconds
description	covid.exe tried to sleep 2728267 seconds, actually delayed analysis time by 2728267 seconds

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmp97F9.tmp

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 28, 2021, 8:21 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈç @ À8çW ð H.textÇ È `.relocÊ@B.rsrcð Ì@@ base_address: 0x00400000 process_identifier: 4440 process_handle: 0x00000390	1	1
WriteProcessMemory May 28, 2021, 8:21 a.m.	buffer: à7 base_address: 0x00420000 process_identifier: 4440 process_handle: 0x00000390	1	1
WriteProcessMemory May 28, 2021, 8:21 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 4440 process_handle: 0x00000390	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 28, 2021, 8:21 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈç @ À8çW ð H.textÇ È `.relocÊ@B.rsrcð Ì@@ base_address: 0x00400000 process_identifier: 4440 process_handle: 0x00000390	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4208 called NtSetContextThread to modify thread in remote process 4440
NtSetContextThread May 28, 2021, 8:21 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003d8 process_identifier: 4440	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4208 resumed a thread in remote process 4440
NtResumeThread May 28, 2021, 8:21 a.m.	thread_handle: 0x000003d8 suspend_count: 1 process_identifier: 4440	1	0	0

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.5bcb9ac769b8c069
Cylance	Unsafe
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMalware
McAfee-GW-Edition	BehavesLike.Win32.Fareit.tc
Sophos	ML/PE-A
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_91%
Avira	HEUR/AGEN.1142394
Microsoft	Trojan:Win32/Wacatac.B!ml
AegisLab	Trojan.Multi.Generic.4!c
Cynet	Malicious (score: 100)
McAfee	Artemis!5BCB9AC769B8
VBA32	CIL.HeapOverride.Heur
MaxSecure	Trojan.Malware.300983.susgen
AVG	FileRepMalware
Cybereason	malicious.c933e2

Executed a process and injected code into it, probably while unpacking (24 events)

Time & API	Arguments	Status	Return
NtResumeThread May 28, 2021, 8:19 a.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 4208	1	0
NtResumeThread May 28, 2021, 8:19 a.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 4208	1	0
NtResumeThread May 28, 2021, 8:19 a.m.	thread_handle: 0x000001e8 suspend_count: 1 process_identifier: 4208	1	0
NtResumeThread May 28, 2021, 8:19 a.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 4208	1	0
CreateProcessInternalW May 28, 2021, 8:21 a.m.	thread_identifier: 3980 thread_handle: 0x000003c8 process_identifier: 3456 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gguZZQaSk" /XML "C:\Users\test22\AppData\Local\Temp\tmp97F9.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d0	1	1
CreateProcessInternalW May 28, 2021, 8:21 a.m.	thread_identifier: 7312 thread_handle: 0x000003d8 process_identifier: 4440 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000390	1	1
NtGetContextThread May 28, 2021, 8:21 a.m.	thread_handle: 0x000003d8	1	0
NtAllocateVirtualMemory May 28, 2021, 8:21 a.m.	process_identifier: 4440 region_size: 573440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000390	1	0
WriteProcessMemory May 28, 2021, 8:21 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈç @ À8çW ð H.textÇ È `.relocÊ@B.rsrcð Ì@@ base_address: 0x00400000 process_identifier: 4440 process_handle: 0x00000390	1	1
WriteProcessMemory May 28, 2021, 8:21 a.m.	buffer: base_address: 0x00402000 process_identifier: 4440 process_handle: 0x00000390	1	1
WriteProcessMemory May 28, 2021, 8:21 a.m.	buffer: à7 base_address: 0x00420000 process_identifier: 4440 process_handle: 0x00000390	1	1
WriteProcessMemory May 28, 2021, 8:21 a.m.	buffer: base_address: 0x00422000 process_identifier: 4440 process_handle: 0x00000390	1	1
WriteProcessMemory May 28, 2021, 8:21 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 4440 process_handle: 0x00000390	1	1
NtSetContextThread May 28, 2021, 8:21 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003d8 process_identifier: 4440	1	0
NtResumeThread May 28, 2021, 8:21 a.m.	thread_handle: 0x000003d8 suspend_count: 1 process_identifier: 4440	1	0
NtResumeThread May 28, 2021, 8:21 a.m.	thread_handle: 0x000003ec suspend_count: 1 process_identifier: 4208	1	0
NtResumeThread May 28, 2021, 8:21 a.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 4440	1	0
NtResumeThread May 28, 2021, 8:21 a.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 4440	1	0
NtResumeThread May 28, 2021, 8:21 a.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 4440	1	0
NtResumeThread May 28, 2021, 8:21 a.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 4440	1	0
NtResumeThread May 28, 2021, 8:21 a.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 4440	1	0
NtResumeThread May 28, 2021, 8:21 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 4440	1	0
NtResumeThread May 28, 2021, 8:21 a.m.	thread_handle: 0x00000350 suspend_count: 1 process_identifier: 4440	1	0
NtResumeThread May 28, 2021, 8:21 a.m.	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 4440	1	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	185.140.53.40:1144
dead_host	192.168.56.102:49818
dead_host	192.168.56.102:49817

covid.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All