Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 9, 2021, 9:46 a.m.	June 9, 2021, 9:55 a.m.

Size	1003.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`56e0119501bf355295603914d3b13519`
SHA256	`3ad2457e52eb03fd7b204b2ec2ab648f26cbbc064d8893842c131382921d32d8`
CRC32	`8E120315`
ssdeep	`24576:aMqX2gUVYtXiZSWnqScaBKYmgGGsqo6u:SUYtXiZZnyaBKYmgQ`
PDB Path	C:\Users\Administrator\Desktop\Client\Temp\fOyLXZXVGG\src\obj\x86\Debug\InvalidTimeZoneException.pdb
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals Is_DotNET_EXE - (no description) IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

binok-098.exe "C:\Users\test22\AppData\Local\Temp\binok-098.exe"
7784
- binok-098.exe "C:\Users\test22\AppData\Local\Temp\binok-098.exe"
  1608

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 9, 2021, 9:46 a.m.			0	0
IsDebuggerPresent June 9, 2021, 9:46 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey June 9, 2021, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004503a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2021, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00450328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2021, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00450328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\Desktop\Client\Temp\fOyLXZXVGG\src\obj\x86\Debug\InvalidTimeZoneException.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 9, 2021, 9:46 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 80 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00556000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:46 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05240178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052401a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052401c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052b794e process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052b7942 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05240208 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05291298 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052912bc process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052912c4 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052912c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052912d0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 7784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052912d4 process_handle: 0xffffffff		3221225550

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000f9a00', u'virtual_address': u'0x00002000', u'entropy': 7.31589790165136, u'name': u'.text', u'virtual_size': u'0x000f984c'}

entropy

7.31589790165

description

A section with a high entropy has been found

entropy

0.996009975062

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 9, 2021, 9:48 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 1608 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000029c	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 9, 2021, 9:48 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELu=à pðÏ@@.text op ` base_address: 0x00400000 process_identifier: 1608 process_handle: 0x0000029c	1	1	0
WriteProcessMemory June 9, 2021, 9:48 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1608 process_handle: 0x0000029c	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 9, 2021, 9:48 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELu=à pðÏ@@.text op ` base_address: 0x00400000 process_identifier: 1608 process_handle: 0x0000029c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 7784 called NtSetContextThread to modify thread in remote process 1608
NtSetContextThread June 9, 2021, 9:48 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313072 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000298 process_identifier: 1608	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 7784 resumed a thread in remote process 1608
NtResumeThread June 9, 2021, 9:48 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 1608	1	0	0

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Cynet	Malicious (score: 100)
Alibaba	Trojan:Win32/Kryptik.ali2000016
Cyren	W32/MSIL_Troj.BAB.gen!Eldorado
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/Kryptik.ABIB
TrendMicro-HouseCall	TROJ_GEN.R06CH0DF721
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender	Gen:Variant.MSILHeracles.17583
MicroWorld-eScan	Gen:Variant.MSILHeracles.17583
Avast	Win32:MalwareX-gen [Trj]
Ad-Aware	Gen:Variant.MSILHeracles.17583
Emsisoft	Trojan.Crypt (A)
DrWeb	Trojan.PackedNET.820
McAfee-GW-Edition	Artemis!Trojan
FireEye	Gen:Variant.MSILHeracles.17583
Sophos	Mal/Generic-S
GData	Gen:Variant.MSILHeracles.17583
MAX	malware (ai score=89)
Kingsoft	Win32.Troj.Undef.(kcloud)
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Noon.gen
Microsoft	Trojan:Script/Phonzy.B!ml
AhnLab-V3	Trojan/Win.Generic.R424589
McAfee	PWS-FCZF!56E0119501BF
Cylance	Unsafe
Ikarus	Trojan.MSIL.Inject
Fortinet	MSIL/Kryptik.ABIB!tr
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:MalwareX-gen [Trj]

Executed a process and injected code into it, probably while unpacking (12 events)

Time & API	Arguments	Status	Return
NtResumeThread June 9, 2021, 9:46 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 7784	1	0
NtResumeThread June 9, 2021, 9:46 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 7784	1	0
NtResumeThread June 9, 2021, 9:46 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 7784	1	0
NtResumeThread June 9, 2021, 9:48 a.m.	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 7784	1	0
CreateProcessInternalW June 9, 2021, 9:48 a.m.	thread_identifier: 8772 thread_handle: 0x00000298 process_identifier: 1608 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\binok-098.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\binok-098.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000029c	1	1
NtGetContextThread June 9, 2021, 9:48 a.m.	thread_handle: 0x00000298	1	0
NtAllocateVirtualMemory June 9, 2021, 9:48 a.m.	process_identifier: 1608 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000029c	1	0
WriteProcessMemory June 9, 2021, 9:48 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELu=à pðÏ@@.text op ` base_address: 0x00400000 process_identifier: 1608 process_handle: 0x0000029c	1	1
WriteProcessMemory June 9, 2021, 9:48 a.m.	buffer: base_address: 0x00401000 process_identifier: 1608 process_handle: 0x0000029c	1	1
WriteProcessMemory June 9, 2021, 9:48 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1608 process_handle: 0x0000029c	1	1
NtSetContextThread June 9, 2021, 9:48 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313072 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000298 process_identifier: 1608	1	0
NtResumeThread June 9, 2021, 9:48 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 1608	1	0

binok-098.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All