Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 6, 2021, 9:43 p.m.	June 6, 2021, 9:46 p.m.

Size	1.6MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`2e5b7fe1474016edb2e5af6c23373e5d`
SHA256	`3f18c846952902badceaaf870f321598465a785963e098a621d7660aceffdbec`
CRC32	`6A525AEE`
ssdeep	`24576:WBFQWpQn0e1NPWhAvtTvt4jrfUfbupI0pg3tWPk:+FQRJ1NehAvtTv0QTupIagA`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques Is_DotNET_EXE - (no description) IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

as.exe "C:\Users\test22\AppData\Local\Temp\as.exe"
1868
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vklnPBCxxp" /XML "C:\Users\test22\AppData\Local\Temp\tmpED90.tmp"
  3056
- as.exe "C:\Users\test22\AppData\Local\Temp\as.exe"
  2228

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 6, 2021, 9:45 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 6, 2021, 9:43 p.m.			0	0
IsDebuggerPresent June 6, 2021, 9:43 p.m.			0	0
IsDebuggerPresent June 6, 2021, 9:45 p.m.			0	0
IsDebuggerPresent June 6, 2021, 9:45 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 6, 2021, 9:45 p.m.	buffer: SUCCESS: The scheduled task "Updates\vklnPBCxxp" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey June 6, 2021, 9:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00481ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 6, 2021, 9:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00481d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 6, 2021, 9:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00481d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 6, 2021, 9:43 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 141 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00791000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00792000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00793000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00794000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00795000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00796000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00952000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a98000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a98000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a98000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 6, 2021, 9:43 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 process_handle: 0xffffffff	1

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vklnPBCxxp" /XML "C:\Users\test22\AppData\Local\Temp\tmpED90.tmp"
cmdline	schtasks.exe /Create /TN "Updates\vklnPBCxxp" /XML "C:\Users\test22\AppData\Local\Temp\tmpED90.tmp"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 6, 2021, 9:45 p.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\vklnPBCxxp" /XML "C:\Users\test22\AppData\Local\Temp\tmpED90.tmp" filepath: schtasks.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00197200', u'virtual_address': u'0x00002000', u'entropy': 7.054251240955937, u'name': u'.text', u'virtual_size': u'0x00197054'}

entropy

7.05425124096

description

A section with a high entropy has been found

entropy

0.998467198038

description

Overall entropy of this PE file is high

Yara rule detected in process memory (10 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vklnPBCxxp" /XML "C:\Users\test22\AppData\Local\Temp\tmpED90.tmp"
cmdline	schtasks.exe /Create /TN "Updates\vklnPBCxxp" /XML "C:\Users\test22\AppData\Local\Temp\tmpED90.tmp"

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 6, 2021, 9:45 p.m.	process_identifier: 2228 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000378	1	0	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmpED90.tmp

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 6, 2021, 9:45 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à¨ .Ç à@ @ØÆSàÿ H.text4§ ¨ `.rsrcÿàª@@.reloc²@B base_address: 0x00400000 process_identifier: 2228 process_handle: 0x00000378	1	1
WriteProcessMemory June 6, 2021, 9:45 p.m.	buffer: P8h àÌlãÌ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.02 InternalNameStub.exe&LegalCopyrightLegalTrademarks: OriginalFilenameStub.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> base_address: 0x0040e000 process_identifier: 2228 process_handle: 0x00000378	1	1
WriteProcessMemory June 6, 2021, 9:45 p.m.	buffer: À07 base_address: 0x00410000 process_identifier: 2228 process_handle: 0x00000378	1	1
WriteProcessMemory June 6, 2021, 9:45 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2228 process_handle: 0x00000378	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 6, 2021, 9:45 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à¨ .Ç à@ @ØÆSàÿ H.text4§ ¨ `.rsrcÿàª@@.reloc²@B base_address: 0x00400000 process_identifier: 2228 process_handle: 0x00000378	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1868 called NtSetContextThread to modify thread in remote process 2228
NtSetContextThread June 6, 2021, 9:45 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245294 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000037c process_identifier: 2228	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1868 resumed a thread in remote process 2228
NtResumeThread June 6, 2021, 9:45 p.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 2228	1	0	0

Executed a process and injected code into it, probably while unpacking (25 events)

Time & API	Arguments	Status	Return
NtResumeThread June 6, 2021, 9:43 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1868	1	0
NtResumeThread June 6, 2021, 9:43 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1868	1	0
NtResumeThread June 6, 2021, 9:43 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1868	1	0
NtResumeThread June 6, 2021, 9:43 p.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 1868	1	0
NtGetContextThread June 6, 2021, 9:43 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread June 6, 2021, 9:43 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread June 6, 2021, 9:43 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 1868	1	0
NtGetContextThread June 6, 2021, 9:43 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread June 6, 2021, 9:43 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread June 6, 2021, 9:43 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 1868	1	0
CreateProcessInternalW June 6, 2021, 9:45 p.m.	thread_identifier: 2444 thread_handle: 0x000003b4 process_identifier: 3056 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vklnPBCxxp" /XML "C:\Users\test22\AppData\Local\Temp\tmpED90.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003bc	1	1
CreateProcessInternalW June 6, 2021, 9:45 p.m.	thread_identifier: 2252 thread_handle: 0x0000037c process_identifier: 2228 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\as.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\as.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000378	1	1
NtGetContextThread June 6, 2021, 9:45 p.m.	thread_handle: 0x0000037c	1	0
NtAllocateVirtualMemory June 6, 2021, 9:45 p.m.	process_identifier: 2228 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000378	1	0
WriteProcessMemory June 6, 2021, 9:45 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à¨ .Ç à@ @ØÆSàÿ H.text4§ ¨ `.rsrcÿàª@@.reloc²@B base_address: 0x00400000 process_identifier: 2228 process_handle: 0x00000378	1	1
WriteProcessMemory June 6, 2021, 9:45 p.m.	buffer: base_address: 0x00402000 process_identifier: 2228 process_handle: 0x00000378	1	1
WriteProcessMemory June 6, 2021, 9:45 p.m.	buffer: P8h àÌlãÌ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.02 InternalNameStub.exe&LegalCopyrightLegalTrademarks: OriginalFilenameStub.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> base_address: 0x0040e000 process_identifier: 2228 process_handle: 0x00000378	1	1
WriteProcessMemory June 6, 2021, 9:45 p.m.	buffer: À07 base_address: 0x00410000 process_identifier: 2228 process_handle: 0x00000378	1	1
WriteProcessMemory June 6, 2021, 9:45 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2228 process_handle: 0x00000378	1	1
NtSetContextThread June 6, 2021, 9:45 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245294 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000037c process_identifier: 2228	1	0
NtResumeThread June 6, 2021, 9:45 p.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 2228	1	0
NtResumeThread June 6, 2021, 9:45 p.m.	thread_handle: 0x000003a8 suspend_count: 1 process_identifier: 1868	1	0
NtResumeThread June 6, 2021, 9:45 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2228	1	0
NtResumeThread June 6, 2021, 9:45 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2228	1	0
NtResumeThread June 6, 2021, 9:45 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2228	1	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.Packed2.43174
Cynet	Malicious (score: 100)
CAT-QuickHeal	Backdoor.MSIL
ALYac	Trojan.GenericKD.46414758
Sangfor	Backdoor.MSIL.Crysan.gen
BitDefender	Trojan.GenericKD.46414758
K7GW	Trojan ( 0057d94c1 )
CrowdStrike	win/malicious_confidence_60% (W)
Arcabit	Trojan.Generic.D2C43BA6
Cyren	W32/MSIL_Troj.AZK.gen!Eldorado
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/Kryptik.ABHC
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Backdoor.MSIL.Crysan.gen
Alibaba	Trojan:Win32/starter.ali1000139
ViRobot	Trojan.Win32.Z.Kryptik.1670656.D
MicroWorld-eScan	Trojan.GenericKD.46414758
Avast	Win32:RATX-gen [Trj]
Tencent	Msil.Backdoor.Crysan.Htct
Ad-Aware	Trojan.GenericKD.46414758
Emsisoft	Trojan.GenericKD.46414758 (B)
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0WF421
McAfee-GW-Edition	BehavesLike.Win32.Fareit.tc
FireEye	Generic.mg.2e5b7fe1474016ed
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Krypt
Avira	TR/Kryptik.ihjuk
Kingsoft	Win32.Hack.Undef.(kcloud)
Microsoft	Trojan:Win32/AgentTesla!ml
AegisLab	Trojan.MSIL.Crysan.m!c
ZoneAlarm	HEUR:Backdoor.MSIL.Crysan.gen
GData	Trojan.GenericKD.46414758
AhnLab-V3	Unwanted/Win.Generic.C4514448
McAfee	Artemis!2E5B7FE14740
MAX	malware (ai score=86)
VBA32	CIL.HeapOverride.Heur
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_GEN.R002C0WF421
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	MSIL/Kryptik.ABGM!tr
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:RATX-gen [Trj]
Cybereason	malicious.78e99b
Panda	Trj/GdSda.A

as.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All