Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 27, 2021, 6:47 p.m.	June 27, 2021, 6:49 p.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`96f11a983ca4b33743fa1c63779d9344`
SHA256	`8067ef9073fdb633e0be1d590c03c0091b1801202ad070cf3872e8fda2a41639`
CRC32	`0AE19A4A`
ssdeep	`12288:dwYhZawoQC0Z0uH7h2ZsIfm+yWBGUATczdqOc4ClSTubgdIb+lmh3EXmPLl8/iL8:5Cn1ZsjM9A4z4ST9muk`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2216
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzAEyguzUU" /XML "C:\Users\test22\AppData\Local\Temp\tmp2927.tmp"
  2884
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  3056

Name	Response	Post-Analysis Lookup
www.iptrackeronline.com	A 104.26.0.222 A 104.26.1.222 A 172.67.74.63	172.67.74.63
safeduringthecoronavirus.duckdns.org	A 185.235.219.204	185.235.219.204

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.74.63	Active	Moloch
185.235.219.204	Active	Moloch
20.43.94.199	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49207 -> 172.67.74.63:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2029710	ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2	Potentially Bad Traffic
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49207 172.67.74.63:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	fd:85:66:b5:ad:91:10:bc:c3:8b:35:5e:ae:e9:8a:bd:de:97:ac:e9

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 27, 2021, 6:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 27, 2021, 6:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 27, 2021, 6:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 27, 2021, 6:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 27, 2021, 6:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 27, 2021, 6:48 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 27, 2021, 6:47 p.m.			0	0
IsDebuggerPresent June 27, 2021, 6:47 p.m.			0	0
IsDebuggerPresent June 27, 2021, 6:48 p.m.			0	0
IsDebuggerPresent June 27, 2021, 6:48 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 27, 2021, 6:48 p.m.	buffer: SUCCESS: The scheduled task "Updates\QzAEyguzUU" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey June 27, 2021, 6:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00206b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 27, 2021, 6:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00206b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 27, 2021, 6:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00206b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 27, 2021, 6:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b31a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 27, 2021, 6:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b31a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 27, 2021, 6:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 27, 2021, 6:47 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

safeduringthecoronavirus.duckdns.org

Performs some HTTP requests (2 events)

request	GET http://www.iptrackeronline.com/
request	GET https://www.iptrackeronline.com/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 159 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f73000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f73000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e30000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e30000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e30000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e32000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f1f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

vbc.exe tried to sleep 568 seconds, actually delayed analysis time by 568 seconds

Creates a suspicious process (2 events)

cmdline	schtasks.exe /Create /TN "Updates\QzAEyguzUU" /XML "C:\Users\test22\AppData\Local\Temp\tmp2927.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzAEyguzUU" /XML "C:\Users\test22\AppData\Local\Temp\tmp2927.tmp"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 27, 2021, 6:48 p.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\QzAEyguzUU" /XML "C:\Users\test22\AppData\Local\Temp\tmp2927.tmp" filepath: schtasks.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 27, 2021, 6:48 p.m.	flags: 1158 family: 0	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00141200', u'virtual_address': u'0x00002000', u'entropy': 6.834511397786405, u'name': u'.text', u'virtual_size': u'0x001411b4'}

entropy

6.83451139779

description

A section with a high entropy has been found

entropy

0.998057498057

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 27, 2021, 6:48 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 27, 2021, 6:48 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (13 events)

description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Record Audio	rule	Sniff_Audio
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess June 27, 2021, 6:48 p.m.	status_code: 0xffffffff process_identifier: 1512 process_handle: 0x000003a4		0	0
NtTerminateProcess June 27, 2021, 6:48 p.m.	status_code: 0xffffffff process_identifier: 1512 process_handle: 0x000003a4	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks.exe /Create /TN "Updates\QzAEyguzUU" /XML "C:\Users\test22\AppData\Local\Temp\tmp2927.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzAEyguzUU" /XML "C:\Users\test22\AppData\Local\Temp\tmp2927.tmp"

Communicates with host for which no DNS query was performed (1 event)

host

20.43.94.199

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 1512 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000039c		3221225496	0
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 3056 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000394	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 27, 2021, 6:48 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmp2927.tmp

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2216 manipulating memory of non-child process 1512
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 1512 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000039c		3221225496	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELj"ïTàþ£ À@ @¨£SÀhà H.text `.rsrchÀ@@.relocà@B base_address: 0x00400000 process_identifier: 3056 process_handle: 0x00000394	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: 0HXÀ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°lStringFileInfoH000004b00CommentsDescription4 CompanyNameMicrosoft8FileDescriptionClient0FileVersion1.0.0.0,InternalName1.exe\LegalCopyrightCopyright © Microsoft 20134OriginalFilename1.exe<ProductNameClientProduct4ProductVersion1.0.0.08Assembly Version1.0.0.0 base_address: 0x0045c000 process_identifier: 3056 process_handle: 0x00000394	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: 4 base_address: 0x0045e000 process_identifier: 3056 process_handle: 0x00000394	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3056 process_handle: 0x00000394	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELj"ïTàþ£ À@ @¨£SÀhà H.text `.rsrchÀ@@.relocà@B base_address: 0x00400000 process_identifier: 3056 process_handle: 0x00000394	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW June 27, 2021, 6:48 p.m.	thread_identifier: 0 callback_function: 0x00a408a2 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	1245809	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2216 called NtSetContextThread to modify thread in remote process 3056
NtSetContextThread June 27, 2021, 6:48 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4563966 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003a4 process_identifier: 3056	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\vbc.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2216 resumed a thread in remote process 3056
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 3056	1	0	0

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.96f11a983ca4b337
Cylance	Unsafe
Cybereason	malicious.f08c80
BitDefenderTheta	Gen:NN.ZemsilF.34758.qn0@aygVjIi
Cyren	W32/MSIL_Kryptik.CYQ.gen!Eldorado
Symantec	Scr.Malcode!gdn30
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
Sophos	ML/PE-A
McAfee-GW-Edition	BehavesLike.Win32.Generic.th
SentinelOne	Static AI - Malicious PE
APEX	Malicious
MaxSecure	Trojan.Malware.300983.susgen
Microsoft	Trojan:Win32/AgentTesla!ml
Cynet	Malicious (score: 100)
VBA32	CIL.HeapOverride.Heur
Malwarebytes	MachineLearning/Anomalous.93%
Ikarus	Trojan-Spy.Agent
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_80% (D)

Executed a process and injected code into it, probably while unpacking (42 events)

Time & API	Arguments	Status	Return
NtResumeThread June 27, 2021, 6:47 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2216	1	0
NtResumeThread June 27, 2021, 6:47 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2216	1	0
NtResumeThread June 27, 2021, 6:47 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2216	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 2216	1	0
CreateProcessInternalW June 27, 2021, 6:48 p.m.	thread_identifier: 1568 thread_handle: 0x000003d8 process_identifier: 2884 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzAEyguzUU" /XML "C:\Users\test22\AppData\Local\Temp\tmp2927.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e0	1	1
CreateProcessInternalW June 27, 2021, 6:48 p.m.	thread_identifier: 1204 thread_handle: 0x000003a0 process_identifier: 1512 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000039c	1	1
NtGetContextThread June 27, 2021, 6:48 p.m.	thread_handle: 0x000003a0	1	0
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 1512 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000039c		3221225496
CreateProcessInternalW June 27, 2021, 6:48 p.m.	thread_identifier: 1912 thread_handle: 0x000003a4 process_identifier: 3056 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000394	1	1
NtGetContextThread June 27, 2021, 6:48 p.m.	thread_handle: 0x000003a4	1	0
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 3056 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000394	1	0
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELj"ïTàþ£ À@ @¨£SÀhà H.text `.rsrchÀ@@.relocà@B base_address: 0x00400000 process_identifier: 3056 process_handle: 0x00000394	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: base_address: 0x00402000 process_identifier: 3056 process_handle: 0x00000394	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: 0HXÀ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°lStringFileInfoH000004b00CommentsDescription4 CompanyNameMicrosoft8FileDescriptionClient0FileVersion1.0.0.0,InternalName1.exe\LegalCopyrightCopyright © Microsoft 20134OriginalFilename1.exe<ProductNameClientProduct4ProductVersion1.0.0.08Assembly Version1.0.0.0 base_address: 0x0045c000 process_identifier: 3056 process_handle: 0x00000394	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: 4 base_address: 0x0045e000 process_identifier: 3056 process_handle: 0x00000394	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3056 process_handle: 0x00000394	1	1
NtSetContextThread June 27, 2021, 6:48 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4563966 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003a4 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x000003e8 suspend_count: 1 process_identifier: 2216	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x00000234 suspend_count: 1 process_identifier: 3056	1	0
NtGetContextThread June 27, 2021, 6:48 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x000002f0 suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x000003cc suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x000003e4 suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x00000514 suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x00000614 suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:49 p.m.	thread_handle: 0x000003e4 suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:49 p.m.	thread_handle: 0x000003ec suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:49 p.m.	thread_handle: 0x00000470 suspend_count: 1 process_identifier: 3056	1	0
NtResumeThread June 27, 2021, 6:49 p.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 3056	1	0

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All