Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 1, 2021, 6:38 a.m.	July 1, 2021, 6:41 a.m.

Size	715.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`d6f3ec9f9650c5a9f881e76c16115315`
SHA256	`49b9631169ec5fb8c29e44bfc11d0b8724e86051a7270faaf1d5293f2e68a596`
CRC32	`07FA2CC1`
ssdeep	`12288:penOqwIBbX5TyAUtcT6zC9g2WJUDHgZlrjGGNfruAOd0dmNGjM:penOqZw2s7nOgZlrjGkfruDD`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

ab.exe "C:\Users\test22\AppData\Local\Temp\ab.exe"
5580
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DZJJiH" /XML "C:\Users\test22\AppData\Local\Temp\tmpE38E.tmp"
  6420
- ab.exe "C:\Users\test22\AppData\Local\Temp\ab.exe"
  4120

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 1, 2021, 6:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 6:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 6:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 6:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 6:39 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 1, 2021, 6:38 a.m.			0	0
IsDebuggerPresent July 1, 2021, 6:38 a.m.			0	0
IsDebuggerPresent July 1, 2021, 6:39 a.m.			0	0
IsDebuggerPresent July 1, 2021, 6:39 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW July 1, 2021, 6:39 a.m.	buffer: SUCCESS: The scheduled task "Updates\DZJJiH" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey July 1, 2021, 6:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 6:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005663d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 6:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005663d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 1, 2021, 6:38 a.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 1, 2021, 6:39 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1 0x875e29 0x874e27 0x874a80 0x873f85 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f05f @ 0x7203f05f microsoft+0x3e4d4 @ 0x7203e4d4 microsoft+0x3cda4 @ 0x7203cda4 0x87355c 0x8732aa DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x305edf @ 0x6eee5edf mscorlib+0x2e9e1b @ 0x6eec9e1b mscorlib+0x2e99c1 @ 0x6eec99c1 mscorlib+0x2de184 @ 0x6eebe184 0x872a87 0x8729a1 0x8720dd 0x871540 0x87099d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 CoUninitializeEE+0x789b CreateAssemblyNameObject-0x63ba clr+0x270df @ 0x6fbc70df LogHelp_TerminateOnAssert+0x55ee GetPrivateContextsPerfCounters-0x13e54 clr+0x7412e @ 0x6fc1412e mscorlib+0x2f1c22 @ 0x6eed1c22 mscorlib+0x2f1b99 @ 0x6eed1b99 mscorlib+0x30e9a6 @ 0x6eeee9a6 0x870747 0x8704c1 0x8703d5 microsoft+0x129ed1 @ 0x72129ed1 microsoft+0x12ad86 @ 0x7212ad86 microsoft+0x12b441 @ 0x7212b441 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 4837476 registers.edi: 0 registers.eax: 4837476 registers.ebp: 4837556 registers.edx: 0 registers.ebx: 93211912 registers.esi: 5134016 registers.ecx: 1430302911	1	0	0
__exception__ July 1, 2021, 6:39 a.m.	stacktrace: 0x611798 0x610fbb DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6f5c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6f5c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6f651dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6f651e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6f651f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6f65416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 8b d7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x611c0b registers.esp: 3798048 registers.edi: 3798072 registers.eax: 0 registers.ebp: 3798084 registers.edx: 195 registers.ebx: 3798332 registers.esi: 38881272 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 1, 2021, 6:39 a.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1
0x875e29
0x874e27
0x874a80
0x873f85
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2
LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b
CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63
CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998
CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726
CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68
CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4
DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4
DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37
DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841
LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9
mscorlib+0x2d3711 @ 0x6eeb3711
mscorlib+0x308f2d @ 0x6eee8f2d
mscorlib+0x2cb060 @ 0x6eeab060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
microsoft+0x50c17 @ 0x72050c17
microsoft+0x3f05f @ 0x7203f05f
microsoft+0x3e4d4 @ 0x7203e4d4
microsoft+0x3cda4 @ 0x7203cda4
0x87355c
0x8732aa
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x305edf @ 0x6eee5edf
mscorlib+0x2e9e1b @ 0x6eec9e1b
mscorlib+0x2e99c1 @ 0x6eec99c1
mscorlib+0x2de184 @ 0x6eebe184
0x872a87
0x8729a1
0x8720dd
0x871540
0x87099d
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
CoUninitializeEE+0x789b CreateAssemblyNameObject-0x63ba clr+0x270df @ 0x6fbc70df
LogHelp_TerminateOnAssert+0x55ee GetPrivateContextsPerfCounters-0x13e54 clr+0x7412e @ 0x6fc1412e
mscorlib+0x2f1c22 @ 0x6eed1c22
mscorlib+0x2f1b99 @ 0x6eed1b99
mscorlib+0x30e9a6 @ 0x6eeee9a6
0x870747
0x8704c1
0x8703d5
microsoft+0x129ed1 @ 0x72129ed1
microsoft+0x12ad86 @ 0x7212ad86
microsoft+0x12b441 @ 0x7212b441

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 4837476
registers.edi: 0
registers.eax: 4837476
registers.ebp: 4837556
registers.edx: 0
registers.ebx: 93211912
registers.esi: 5134016
registers.ecx: 1430302911

__exception__

July 1, 2021, 6:39 a.m.

stacktrace:

0x611798
0x610fbb
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6f5c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6f5c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6f651dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6f651e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6f651f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6f65416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 8b d7
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x611c0b
registers.esp: 3798048
registers.edi: 3798072
registers.eax: 0
registers.ebp: 3798084
registers.edx: 195
registers.ebx: 3798332
registers.esi: 38881272
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (3 events)

Time & API	Arguments	Status	Return
bind July 1, 2021, 6:38 a.m.	ip_address: 127.0.0.1 socket: 616 port: 0	1	0
listen July 1, 2021, 6:38 a.m.	socket: 616 backlog: 2147483647	1	0
accept July 1, 2021, 6:38 a.m.	ip_address: 127.0.0.1 socket: 616 port: 0		4294967295

Allocates read-write-execute memory (usually to unpack itself) (50 out of 78 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02050000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00605000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0060b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00607000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00871000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00872000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:38 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00873000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00874000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00875000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00876000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00877000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00878000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00879000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02130000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02131000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 5580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02132000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 4120 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 4120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 4120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f501000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 4120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f502000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 4120 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DZJJiH" /XML "C:\Users\test22\AppData\Local\Temp\tmpE38E.tmp"
cmdline	schtasks.exe /Create /TN "Updates\DZJJiH" /XML "C:\Users\test22\AppData\Local\Temp\tmpE38E.tmp"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 1, 2021, 6:39 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\DZJJiH" /XML "C:\Users\test22\AppData\Local\Temp\tmpE38E.tmp" filepath: schtasks.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000b2000', u'virtual_address': u'0x00002000', u'entropy': 7.404470074181841, u'name': u'.text', u'virtual_size': u'0x000b1e7c'}

entropy

7.40447007418

description

A section with a high entropy has been found

entropy

0.996501049685

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 1, 2021, 6:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 1, 2021, 6:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess July 1, 2021, 6:39 a.m.	status_code: 0xffffffff process_identifier: 8868 process_handle: 0x00000414		0	0
NtTerminateProcess July 1, 2021, 6:39 a.m.	status_code: 0xffffffff process_identifier: 8868 process_handle: 0x00000414	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DZJJiH" /XML "C:\Users\test22\AppData\Local\Temp\tmpE38E.tmp"
cmdline	schtasks.exe /Create /TN "Updates\DZJJiH" /XML "C:\Users\test22\AppData\Local\Temp\tmpE38E.tmp"

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 8868 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000404		3221225496	0
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 4120 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000408	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 1, 2021, 6:39 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

ab.exe tried to sleep 10912798 seconds, actually delayed analysis time by 10912798 seconds

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmpE38E.tmp

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 5580 manipulating memory of non-child process 8868
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 8868 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000404		3221225496	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 1, 2021, 6:39 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELîê`àX>v @ À@ìuO H.textDV X `.rsrcZ@@.reloc `@B base_address: 0x00400000 process_identifier: 4120 process_handle: 0x00000408	1	1
WriteProcessMemory July 1, 2021, 6:39 a.m.	buffer: 8Ph \| ê\|4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ÜStringFileInfo¸000004b0,FileDescription 0FileVersion0.0.0.0TInternalNamedLbCuUkHzFJcsbTqqcqoI.exe(LegalCopyright \OriginalFilenamedLbCuUkHzFJcsbTqqcqoI.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 4120 process_handle: 0x00000408	1	1
WriteProcessMemory July 1, 2021, 6:39 a.m.	buffer: p@6 base_address: 0x0043a000 process_identifier: 4120 process_handle: 0x00000408	1	1
WriteProcessMemory July 1, 2021, 6:39 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 4120 process_handle: 0x00000408	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 1, 2021, 6:39 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELîê`àX>v @ À@ìuO H.textDV X `.rsrcZ@@.reloc `@B base_address: 0x00400000 process_identifier: 4120 process_handle: 0x00000408	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 5580 called NtSetContextThread to modify thread in remote process 4120
NtSetContextThread July 1, 2021, 6:39 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421182 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000414 process_identifier: 4120	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 5580 resumed a thread in remote process 4120
NtResumeThread July 1, 2021, 6:39 a.m.	thread_handle: 0x00000414 suspend_count: 1 process_identifier: 4120	1	0	0

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Elastic	malicious (high confidence)
McAfee	Artemis!D6F3EC9F9650
Cybereason	malicious.ea6b86
Cyren	W32/MSIL_Kryptik.DLO.gen!Eldorado
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/Kryptik.ABTA
APEX	Malicious
Avast	FileRepMalware
Kaspersky	UDS:Trojan-PSW.MSIL.Agensla.gen
Paloalto	generic.ml
AegisLab	Trojan.MSIL.Agensla.i!c
McAfee-GW-Edition	BehavesLike.Win32.Fareit.bc
FireEye	Generic.mg.d6f3ec9f9650c5a9
Microsoft	Trojan:Win32/AgentTesla!ml
Cynet	Malicious (score: 100)
MAX	malware (ai score=92)
Malwarebytes	MachineLearning/Anomalous.95%
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ABOX!tr
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_60% (D)
Qihoo-360	Win32/Backdoor.Rat.HwMARp8A

Executed a process and injected code into it, probably while unpacking (33 events)

Time & API	Arguments	Status	Return
NtResumeThread July 1, 2021, 6:38 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 5580	1	0
NtResumeThread July 1, 2021, 6:38 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 5580	1	0
NtResumeThread July 1, 2021, 6:38 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 5580	1	0
NtResumeThread July 1, 2021, 6:38 a.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 5580	1	0
NtResumeThread July 1, 2021, 6:39 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 5580	1	0
NtGetContextThread July 1, 2021, 6:39 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 1, 2021, 6:39 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 1, 2021, 6:39 a.m.	thread_handle: 0x000000e0	1	0
NtSetContextThread July 1, 2021, 6:39 a.m.	registers.eip: 1874996100 registers.esp: 4837684 registers.edi: 4838044 registers.eax: 17408174 registers.ebp: 4838056 registers.edx: 15 registers.ebx: 0 registers.esi: 36040076 registers.ecx: 54 thread_handle: 0x000000e0 process_identifier: 5580	1	0
NtResumeThread July 1, 2021, 6:39 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 5580	1	0
CreateProcessInternalW July 1, 2021, 6:39 a.m.	thread_identifier: 7664 thread_handle: 0x000003ec process_identifier: 6420 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DZJJiH" /XML "C:\Users\test22\AppData\Local\Temp\tmpE38E.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003f0	1	1
CreateProcessInternalW July 1, 2021, 6:39 a.m.	thread_identifier: 4884 thread_handle: 0x00000394 process_identifier: 8868 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ab.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\ab.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000404	1	1
NtGetContextThread July 1, 2021, 6:39 a.m.	thread_handle: 0x00000394	1	0
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 8868 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000404		3221225496
CreateProcessInternalW July 1, 2021, 6:39 a.m.	thread_identifier: 3812 thread_handle: 0x00000414 process_identifier: 4120 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ab.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\ab.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000408	1	1
NtGetContextThread July 1, 2021, 6:39 a.m.	thread_handle: 0x00000414	1	0
NtAllocateVirtualMemory July 1, 2021, 6:39 a.m.	process_identifier: 4120 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000408	1	0
WriteProcessMemory July 1, 2021, 6:39 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELîê`àX>v @ À@ìuO H.textDV X `.rsrcZ@@.reloc `@B base_address: 0x00400000 process_identifier: 4120 process_handle: 0x00000408	1	1
WriteProcessMemory July 1, 2021, 6:39 a.m.	buffer: base_address: 0x00402000 process_identifier: 4120 process_handle: 0x00000408	1	1
WriteProcessMemory July 1, 2021, 6:39 a.m.	buffer: 8Ph \| ê\|4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ÜStringFileInfo¸000004b0,FileDescription 0FileVersion0.0.0.0TInternalNamedLbCuUkHzFJcsbTqqcqoI.exe(LegalCopyright \OriginalFilenamedLbCuUkHzFJcsbTqqcqoI.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 4120 process_handle: 0x00000408	1	1
WriteProcessMemory July 1, 2021, 6:39 a.m.	buffer: p@6 base_address: 0x0043a000 process_identifier: 4120 process_handle: 0x00000408	1	1
WriteProcessMemory July 1, 2021, 6:39 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 4120 process_handle: 0x00000408	1	1
NtSetContextThread July 1, 2021, 6:39 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421182 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000414 process_identifier: 4120	1	0
NtResumeThread July 1, 2021, 6:39 a.m.	thread_handle: 0x00000414 suspend_count: 1 process_identifier: 4120	1	0
NtResumeThread July 1, 2021, 6:39 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 4120	1	0
NtResumeThread July 1, 2021, 6:39 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 4120	1	0
NtResumeThread July 1, 2021, 6:39 a.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 4120	1	0
NtResumeThread July 1, 2021, 6:39 a.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 4120	1	0
NtResumeThread July 1, 2021, 6:39 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 4120	1	0
NtResumeThread July 1, 2021, 6:39 a.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 4120	1	0
NtResumeThread July 1, 2021, 6:39 a.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 4120	1	0
NtResumeThread July 1, 2021, 6:40 a.m.	thread_handle: 0x00000358 suspend_count: 1 process_identifier: 4120	1	0
NtResumeThread July 1, 2021, 6:40 a.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 4120	1	0

ab.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All