Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 23, 2021, 9:04 a.m.	June 23, 2021, 9:23 a.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`1cced9999ff0a6e2c7e02fd76298a42b`
SHA256	`d09ef84a2d2a316985b6a88223daa967c7531733070a3590c16808f6069cf820`
CRC32	`0E5D4A14`
ssdeep	`24576:LipizrSmceaZWe2zxUo84gXjgSRe2l3hk+Yrr4XDscujMH+:Nceaoe0Uo858SY/VMe`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) Generic_Malware_Zero - Generic Malware IsPE32 - (no description)

new%20one.exe "C:\Users\test22\AppData\Local\Temp\new%20one.exe"
5776
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbVnmUAmwk" /XML "C:\Users\test22\AppData\Local\Temp\tmpC49C.tmp"
  5888
- RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  6472

Name	Response	Post-Analysis Lookup
wekeepworking12.sytes.net
wekeepworking.sytes.net	A 79.134.225.100	79.134.225.100

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
79.134.225.100	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 23, 2021, 9:05 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 23, 2021, 9:05 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 23, 2021, 9:04 a.m.			0	0
IsDebuggerPresent June 23, 2021, 9:05 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 23, 2021, 9:05 a.m.	buffer: SUCCESS: The scheduled task "Updates\UbVnmUAmwk" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 23, 2021, 9:05 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (2 events)

domain	wekeepworking12.sytes.net
domain	wekeepworking.sytes.net

Allocates read-write-execute memory (usually to unpack itself) (50 out of 194 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fc91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fc92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04abb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04acc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:04 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:05 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 23, 2021, 9:05 a.m.	process_identifier: 5776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates a suspicious process (2 events)

cmdline	schtasks.exe /Create /TN "Updates\UbVnmUAmwk" /XML "C:\Users\test22\AppData\Local\Temp\tmpC49C.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbVnmUAmwk" /XML "C:\Users\test22\AppData\Local\Temp\tmpC49C.tmp"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 23, 2021, 9:05 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\UbVnmUAmwk" /XML "C:\Users\test22\AppData\Local\Temp\tmpC49C.tmp" filepath: schtasks.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00157800', u'virtual_address': u'0x00002000', u'entropy': 7.556030706171708, u'name': u'.text', u'virtual_size': u'0x001576f4'}

entropy

7.55603070617

description

A section with a high entropy has been found

entropy

0.998546511628

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 23, 2021, 9:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks.exe /Create /TN "Updates\UbVnmUAmwk" /XML "C:\Users\test22\AppData\Local\Temp\tmpC49C.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbVnmUAmwk" /XML "C:\Users\test22\AppData\Local\Temp\tmpC49C.tmp"

One or more of the buffers contains an embedded PE file (13 events)

buffer	Buffer with sha1: 636b8187f0cb59d43c9ee1eedf144043941b62d9
buffer	Buffer with sha1: 4380fb6de89a7776d52214359ce213d24a2239ad
buffer	Buffer with sha1: c19d9db351af75fec019fe76506a455eba7fd168
buffer	Buffer with sha1: c1ef2ca62189121934d1a7944ef1bdc1aa319877
buffer	Buffer with sha1: 063fb8b27c0872c54bff35e2b76d8f522e13f8b4
buffer	Buffer with sha1: 925c5236c59dd8f3efea4b3e091ef735b405a880
buffer	Buffer with sha1: c54e7c5cac5fac68dc564ce64355d948422bf1ce
buffer	Buffer with sha1: dcdec0ea839844e977c1151d2eeedbb0788a34b1
buffer	Buffer with sha1: 0c6598a0a37eaf12ce188fa66bc6c5db394af8a4
buffer	Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer	Buffer with sha1: efa4948abb218e47d809bedd1aff08cfb76d40e1
buffer	Buffer with sha1: 1b68e773e3522fa8edc7cb20d7c7f156b08ec73a
buffer	Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 23, 2021, 9:05 a.m.	process_identifier: 6472 region_size: 573440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000340	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 23, 2021, 9:05 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

RegSvcs.exe tried to sleep 5456560 seconds, actually delayed analysis time by 5456560 seconds

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmpC49C.tmp

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 23, 2021, 9:05 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈç @ À8çW ø H.textÇ È `.relocÊ@B.rsrcø Ì@@ base_address: 0x00400000 process_identifier: 6472 process_handle: 0x00000340	1	1
WriteProcessMemory June 23, 2021, 9:05 a.m.	buffer: à7 base_address: 0x00420000 process_identifier: 6472 process_handle: 0x00000340	1	1
WriteProcessMemory June 23, 2021, 9:05 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 6472 process_handle: 0x00000340	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 23, 2021, 9:05 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈç @ À8çW ø H.textÇ È `.relocÊ@B.rsrcø Ì@@ base_address: 0x00400000 process_identifier: 6472 process_handle: 0x00000340	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 5776 called NtSetContextThread to modify thread in remote process 6472
NtSetContextThread June 23, 2021, 9:05 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000398 process_identifier: 6472	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 5776 resumed a thread in remote process 6472
NtResumeThread June 23, 2021, 9:05 a.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 6472	1	0	0

Executed a process and injected code into it, probably while unpacking (24 events)

Time & API	Arguments	Status	Return
NtResumeThread June 23, 2021, 9:04 a.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 5776	1	0
NtResumeThread June 23, 2021, 9:04 a.m.	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 5776	1	0
NtResumeThread June 23, 2021, 9:05 a.m.	thread_handle: 0x00000270 suspend_count: 1 process_identifier: 5776	1	0
CreateProcessInternalW June 23, 2021, 9:05 a.m.	thread_identifier: 5332 thread_handle: 0x00000378 process_identifier: 5888 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbVnmUAmwk" /XML "C:\Users\test22\AppData\Local\Temp\tmpC49C.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000380	1	1
CreateProcessInternalW June 23, 2021, 9:05 a.m.	thread_identifier: 4672 thread_handle: 0x00000398 process_identifier: 6472 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000340	1	1
NtGetContextThread June 23, 2021, 9:05 a.m.	thread_handle: 0x00000398	1	0
NtAllocateVirtualMemory June 23, 2021, 9:05 a.m.	process_identifier: 6472 region_size: 573440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000340	1	0
WriteProcessMemory June 23, 2021, 9:05 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈç @ À8çW ø H.textÇ È `.relocÊ@B.rsrcø Ì@@ base_address: 0x00400000 process_identifier: 6472 process_handle: 0x00000340	1	1
WriteProcessMemory June 23, 2021, 9:05 a.m.	buffer: base_address: 0x00402000 process_identifier: 6472 process_handle: 0x00000340	1	1
WriteProcessMemory June 23, 2021, 9:05 a.m.	buffer: à7 base_address: 0x00420000 process_identifier: 6472 process_handle: 0x00000340	1	1
WriteProcessMemory June 23, 2021, 9:05 a.m.	buffer: base_address: 0x00422000 process_identifier: 6472 process_handle: 0x00000340	1	1
WriteProcessMemory June 23, 2021, 9:05 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 6472 process_handle: 0x00000340	1	1
NtSetContextThread June 23, 2021, 9:05 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000398 process_identifier: 6472	1	0
NtResumeThread June 23, 2021, 9:05 a.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 6472	1	0
NtResumeThread June 23, 2021, 9:05 a.m.	thread_handle: 0x000003ac suspend_count: 1 process_identifier: 5776	1	0
NtResumeThread June 23, 2021, 9:05 a.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 6472	1	0
NtResumeThread June 23, 2021, 9:05 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 6472	1	0
NtResumeThread June 23, 2021, 9:05 a.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 6472	1	0
NtResumeThread June 23, 2021, 9:05 a.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 6472	1	0
NtResumeThread June 23, 2021, 9:05 a.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 6472	1	0
NtResumeThread June 23, 2021, 9:05 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 6472	1	0
NtResumeThread June 23, 2021, 9:05 a.m.	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 6472	1	0
NtResumeThread June 23, 2021, 9:05 a.m.	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 6472	1	0
NtResumeThread June 23, 2021, 9:05 a.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 6472	1	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.46524541
FireEye	Generic.mg.1cced9999ff0a6e2
ALYac	Trojan.GenericKD.46524541
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:Win32/starter.ali1000139
K7GW	Trojan ( 0057e6aa1 )
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/MSIL_Kryptik.EPC.gen!Eldorado
Symantec	Trojan Horse
ESET-NOD32	a variant of MSIL/GenKryptik.FGSU
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Backdoor.MSIL.NanoBot.gen
BitDefender	Trojan.GenericKD.46524541
Paloalto	generic.ml
Ad-Aware	Trojan.GenericKD.46524541
Sophos	Generic PUA CK (PUA)
Comodo	TrojWare.Win32.Agent.defbg@0
DrWeb	Trojan.PackedNET.863
TrendMicro	Backdoor.MSIL.NANOCORE.USMANFM21
McAfee-GW-Edition	BehavesLike.Win32.Fareit.tc
Emsisoft	Trojan.GenericKD.46524541 (B)
Ikarus	Trojan.MSIL.Agent
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1142734
MAX	malware (ai score=100)
Kingsoft	Win32.Hack.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Agent.oa
Microsoft	Trojan:Win32/Tiggre!rfn
AegisLab	Trojan.Win32.Malicious.4!c
GData	Trojan.GenericKD.46524541
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Agent.C4531826
McAfee	PWS-FCXV!1CCED9999FF0
Malwarebytes	Trojan.MalPack.PNG.Generic
TrendMicro-HouseCall	Backdoor.MSIL.NANOCORE.USMANFM21
Yandex	Trojan.AvsArher.bTJEKx
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	PossibleThreat.PALLAS.H
BitDefenderTheta	Gen:NN.ZemsilF.34758.wn0@a4NbpKc
AVG	Win32:PWSX-gen [Trj]
Cybereason	malicious.829c53
Panda	Trj/GdSda.A
MaxSecure	Trojan.Malware.300983.susgen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (8 events)

dead_host	192.168.56.102:49812
dead_host	192.168.56.102:49813
dead_host	192.168.56.102:49818
dead_host	79.134.225.100:83
dead_host	192.168.56.102:49816
dead_host	192.168.56.102:49817
dead_host	192.168.56.102:49814
dead_host	192.168.56.102:49815

new%20one.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All