Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 25, 2021, 9:30 a.m.	June 25, 2021, 9:53 a.m.

Size	396.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`cca3d19cf671c5c867ec29f296f78a93`
SHA256	`df0f8724a5cff12da65f785ffdba965eac4ccec51e5ff2c9338344aeb4e01a8b`
CRC32	`51E91FDF`
ssdeep	`12288:+9PCseD00eOHppZRWbFxHbH+HawURK+MQe:yPXQPBpwWD1Q`
Yara	PE_Header_Zero - PE File Signature Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Malicious_Packer_Zero - Malicious Packer Is_DotNET_EXE - (no description) Generic_Malware_Zero - Generic Malware IsPE32 - (no description)

microsoft.exe "C:\Users\test22\AppData\Local\Temp\microsoft.exe"
3028
- microsoft.exe "{path}"
  2224

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
194.226.139.106	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 25, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 25, 2021, 9:30 a.m.			0	0
IsDebuggerPresent June 25, 2021, 9:30 a.m.			0	0
IsDebuggerPresent June 25, 2021, 9:31 a.m.			0	0
IsDebuggerPresent June 25, 2021, 9:31 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 25, 2021, 9:30 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 25, 2021, 9:31 a.m.	stacktrace: 0x2001798 0x2000fc3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 8b d7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2001c0b registers.esp: 5893520 registers.edi: 5893544 registers.eax: 0 registers.ebp: 5893556 registers.edx: 195 registers.ebx: 5893804 registers.esi: 36160440 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 25, 2021, 9:31 a.m.

stacktrace:

0x2001798
0x2000fc3
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 8b d7
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x2001c0b
registers.esp: 5893520
registers.edi: 5893544
registers.eax: 0
registers.ebp: 5893556
registers.edx: 195
registers.ebx: 5893804
registers.esi: 36160440
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 70 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f60000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00592000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02050000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02051000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02052000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 3028 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02057000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0205a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0205b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0205c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0205d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0205e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0205f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 2224 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x720a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x720a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 2224 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00062800', u'virtual_address': u'0x00002000', u'entropy': 7.780489505144881, u'name': u'.text', u'virtual_size': u'0x00062720'}

entropy

7.78048950514

description

A section with a high entropy has been found

entropy

0.994949494949

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 25, 2021, 9:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 25, 2021, 9:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess June 25, 2021, 9:31 a.m.	status_code: 0xffffffff process_identifier: 1472 process_handle: 0x000002bc		0	0
NtTerminateProcess June 25, 2021, 9:31 a.m.	status_code: 0xffffffff process_identifier: 1472 process_handle: 0x000002bc	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

194.226.139.106

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 1472 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b8		3221225496	0
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 2224 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c4	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 25, 2021, 9:31 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

microsoft.exe tried to sleep 10912841 seconds, actually delayed analysis time by 10912841 seconds

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3028 manipulating memory of non-child process 1472
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 1472 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b8		3221225496	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 25, 2021, 9:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL]iÐ`àXNv @ À@üuOP H.textTV X `.rsrcPZ@@.reloc `@B base_address: 0x00400000 process_identifier: 2224 process_handle: 0x000002c4	1	1
WriteProcessMemory June 25, 2021, 9:31 a.m.	buffer: 8Ph ¼`ê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNameXzdIteNOVusZhCPqeYSgpUrLmwttPSxHEuQw.exe(LegalCopyright \|)OriginalFilenameXzdIteNOVusZhCPqeYSgpUrLmwttPSxHEuQw.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 2224 process_handle: 0x000002c4	1	1
WriteProcessMemory June 25, 2021, 9:31 a.m.	buffer: pP6 base_address: 0x0043a000 process_identifier: 2224 process_handle: 0x000002c4	1	1
WriteProcessMemory June 25, 2021, 9:31 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2224 process_handle: 0x000002c4	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 25, 2021, 9:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL]iÐ`àXNv @ À@üuOP H.textTV X `.rsrcPZ@@.reloc `@B base_address: 0x00400000 process_identifier: 2224 process_handle: 0x000002c4	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3028 called NtSetContextThread to modify thread in remote process 2224
NtSetContextThread June 25, 2021, 9:31 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421198 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002bc process_identifier: 2224	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3028 resumed a thread in remote process 2224
NtResumeThread June 25, 2021, 9:31 a.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 2224	1	0	0

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Elastic	malicious (high confidence)
Malwarebytes	MachineLearning/Anomalous.94%
Sangfor	Trojan.Win32.Save.a
K7GW	Riskware ( 0040eff71 )
CrowdStrike	win/malicious_confidence_70% (W)
Cyren	W32/MSIL_Troj.BDM.gen!Eldorado
Symantec	Trojan.Gen.2
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
McAfee-GW-Edition	BehavesLike.Win32.Generic.fc
FireEye	Generic.mg.cca3d19cf671c5c8
Sophos	Mal/Generic-S
Ikarus	Trojan.Inject
GData	MSIL.Trojan-Stealer.AgentTesla.0ITIFS
Kingsoft	Win32.Hack.Undef.(kcloud)
AegisLab	Trojan.MSIL.NanoBot.m!c
Microsoft	Trojan:MSIL/AgentTesla.BFE!MTB
McAfee	Artemis!CCA3D19CF671
Cylance	Unsafe
Panda	Trj/GdSda.A
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/GenKryptik.FGVA!tr
BitDefenderTheta	Gen:NN.ZemsilF.34758.ym0@aeLBh8e
AVG	Win32:MalwareX-gen [Trj]
Cybereason	malicious.9a6597
Avast	Win32:MalwareX-gen [Trj]
MaxSecure	Trojan.Malware.300983.susgen

Executed a process and injected code into it, probably while unpacking (30 events)

Time & API	Arguments	Status	Return
NtResumeThread June 25, 2021, 9:30 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3028	1	0
NtResumeThread June 25, 2021, 9:30 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 3028	1	0
NtResumeThread June 25, 2021, 9:30 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 3028	1	0
NtResumeThread June 25, 2021, 9:31 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 3028	1	0
NtGetContextThread June 25, 2021, 9:31 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread June 25, 2021, 9:31 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread June 25, 2021, 9:31 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 3028	1	0
CreateProcessInternalW June 25, 2021, 9:31 a.m.	thread_identifier: 1828 thread_handle: 0x000002b4 process_identifier: 1472 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\microsoft.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\microsoft.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002b8	1	1
NtGetContextThread June 25, 2021, 9:31 a.m.	thread_handle: 0x000002b4	1	0
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 1472 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b8		3221225496
CreateProcessInternalW June 25, 2021, 9:31 a.m.	thread_identifier: 2592 thread_handle: 0x000002bc process_identifier: 2224 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\microsoft.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\microsoft.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002c4	1	1
NtGetContextThread June 25, 2021, 9:31 a.m.	thread_handle: 0x000002bc	1	0
NtAllocateVirtualMemory June 25, 2021, 9:31 a.m.	process_identifier: 2224 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c4	1	0
WriteProcessMemory June 25, 2021, 9:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL]iÐ`àXNv @ À@üuOP H.textTV X `.rsrcPZ@@.reloc `@B base_address: 0x00400000 process_identifier: 2224 process_handle: 0x000002c4	1	1
WriteProcessMemory June 25, 2021, 9:31 a.m.	buffer: base_address: 0x00402000 process_identifier: 2224 process_handle: 0x000002c4	1	1
WriteProcessMemory June 25, 2021, 9:31 a.m.	buffer: 8Ph ¼`ê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNameXzdIteNOVusZhCPqeYSgpUrLmwttPSxHEuQw.exe(LegalCopyright \|)OriginalFilenameXzdIteNOVusZhCPqeYSgpUrLmwttPSxHEuQw.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 2224 process_handle: 0x000002c4	1	1
WriteProcessMemory June 25, 2021, 9:31 a.m.	buffer: pP6 base_address: 0x0043a000 process_identifier: 2224 process_handle: 0x000002c4	1	1
WriteProcessMemory June 25, 2021, 9:31 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2224 process_handle: 0x000002c4	1	1
NtSetContextThread June 25, 2021, 9:31 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421198 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002bc process_identifier: 2224	1	0
NtResumeThread June 25, 2021, 9:31 a.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread June 25, 2021, 9:31 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread June 25, 2021, 9:31 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread June 25, 2021, 9:31 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread June 25, 2021, 9:31 a.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread June 25, 2021, 9:31 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread June 25, 2021, 9:31 a.m.	thread_handle: 0x00000394 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread June 25, 2021, 9:31 a.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread June 25, 2021, 9:32 a.m.	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread June 25, 2021, 9:32 a.m.	thread_handle: 0x00000404 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread June 25, 2021, 9:32 a.m.	thread_handle: 0x00000404 suspend_count: 1 process_identifier: 2224	1	0

microsoft.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All