Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 2, 2021, 9:29 a.m.	July 2, 2021, 9:36 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`37e21c11f2b7b0033ecac9dc3a5232f9`
SHA256	`1f395105436d3b493c8682a2cf6081f5e85f07d1657b73fba0809a6c6a419bf7`
CRC32	`EF7EB22B`
ssdeep	`12288:7mKQrJhzhbGHEdHDncWxGI0g6qFBfn2IzgQ8aXSayA7ec1Egh5:uJhzhldjT4grrJB8aXGJcagh5`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult IsPE32 - (no description) Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

oga.exe "C:\Users\test22\AppData\Local\Temp\oga.exe"
2952
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rmaABUEf" /XML "C:\Users\test22\AppData\Local\Temp\tmp8888.tmp"
  8408
- oga.exe "C:\Users\test22\AppData\Local\Temp\oga.exe"
  2648

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 2, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 2, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 2, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 2, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 2, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 2, 2021, 9:29 a.m.			0	0
IsDebuggerPresent July 2, 2021, 9:29 a.m.			0	0
IsDebuggerPresent July 2, 2021, 9:31 a.m.			0	0
IsDebuggerPresent July 2, 2021, 9:31 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW July 2, 2021, 9:31 a.m.	buffer: SUCCESS: The scheduled task "Updates\rmaABUEf" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey July 2, 2021, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b32f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 2, 2021, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b2bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 2, 2021, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b2bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 2, 2021, 9:29 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sdata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 2, 2021, 9:31 a.m.	stacktrace: 0x951798 0x950fbb DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6f5c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6f5c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6f651dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6f651e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6f651f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6f65416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 8b d7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x951c0b registers.esp: 3994064 registers.edi: 3994088 registers.eax: 0 registers.ebp: 3994100 registers.edx: 195 registers.ebx: 3994348 registers.esi: 38771136 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 2, 2021, 9:31 a.m.

stacktrace:

0x951798
0x950fbb
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6f5c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6f5c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6f651dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6f651e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6f651f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6f65416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 8b d7
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x951c0b
registers.esp: 3994064
registers.edi: 3994088
registers.eax: 0
registers.ebp: 3994100
registers.edx: 195
registers.ebx: 3994348
registers.esi: 38771136
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 79 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02100000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00685000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0068b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00687000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0066c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0067a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00677000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0066a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00676000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:29 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:30 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0066d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:30 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:30 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:30 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:30 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:30 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:30 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04951000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:30 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0066e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:30 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04952000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:30 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04953000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:30 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04954000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:30 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04955000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:30 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04956000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:30 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04957000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:31 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04958000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:31 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04959000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:31 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0495a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:31 a.m.	process_identifier: 2648 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 2, 2021, 9:31 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 2, 2021, 9:31 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f501000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 2, 2021, 9:31 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f502000 process_handle: 0xffffffff	1

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rmaABUEf" /XML "C:\Users\test22\AppData\Local\Temp\tmp8888.tmp"
cmdline	schtasks.exe /Create /TN "Updates\rmaABUEf" /XML "C:\Users\test22\AppData\Local\Temp\tmp8888.tmp"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 2, 2021, 9:31 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\rmaABUEf" /XML "C:\Users\test22\AppData\Local\Temp\tmp8888.tmp" filepath: schtasks.exe	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 2, 2021, 9:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 2, 2021, 9:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess July 2, 2021, 9:31 a.m.	status_code: 0xffffffff process_identifier: 3180 process_handle: 0x00000354
NtTerminateProcess July 2, 2021, 9:31 a.m.	status_code: 0xffffffff process_identifier: 3180 process_handle: 0x00000354	1
NtTerminateProcess July 2, 2021, 9:31 a.m.	status_code: 0xffffffff process_identifier: 4376 process_handle: 0x000003ac
NtTerminateProcess July 2, 2021, 9:31 a.m.	status_code: 0xffffffff process_identifier: 4376 process_handle: 0x000003ac	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rmaABUEf" /XML "C:\Users\test22\AppData\Local\Temp\tmp8888.tmp"
cmdline	schtasks.exe /Create /TN "Updates\rmaABUEf" /XML "C:\Users\test22\AppData\Local\Temp\tmp8888.tmp"

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory July 2, 2021, 9:31 a.m.	process_identifier: 3180 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000034c		3221225496
NtAllocateVirtualMemory July 2, 2021, 9:31 a.m.	process_identifier: 4376 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000344		3221225496
NtAllocateVirtualMemory July 2, 2021, 9:31 a.m.	process_identifier: 2648 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a8	1	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 2, 2021, 9:31 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

oga.exe tried to sleep 5456442 seconds, actually delayed analysis time by 5456442 seconds

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2952 manipulating memory of non-child process 3180
Process injection	Process 2952 manipulating memory of non-child process 4376
NtAllocateVirtualMemory July 2, 2021, 9:31 a.m.	process_identifier: 3180 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000034c	3221225496	0
NtAllocateVirtualMemory July 2, 2021, 9:31 a.m.	process_identifier: 4376 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000344	3221225496	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 2, 2021, 9:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÙ`àVt @ À@8tS H.textT V `.rsrc X@@.reloc ^@B base_address: 0x00400000 process_identifier: 2648 process_handle: 0x000003a8	1	1
WriteProcessMemory July 2, 2021, 9:31 a.m.	buffer: 8Ph 0ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNameCsgWgBnFfjjFzvKrJMWbTuxE.exe(LegalCopyright dOriginalFilenameCsgWgBnFfjjFzvKrJMWbTuxE.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 2648 process_handle: 0x000003a8	1	1
WriteProcessMemory July 2, 2021, 9:31 a.m.	buffer: p4 base_address: 0x0043a000 process_identifier: 2648 process_handle: 0x000003a8	1	1
WriteProcessMemory July 2, 2021, 9:31 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2648 process_handle: 0x000003a8	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 2, 2021, 9:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÙ`àVt @ À@8tS H.textT V `.rsrc X@@.reloc ^@B base_address: 0x00400000 process_identifier: 2648 process_handle: 0x000003a8	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2952 called NtSetContextThread to modify thread in remote process 2648
NtSetContextThread July 2, 2021, 9:31 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4420750 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003ac process_identifier: 2648	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2952 resumed a thread in remote process 2648
NtResumeThread July 2, 2021, 9:31 a.m.	thread_handle: 0x000003ac suspend_count: 1 process_identifier: 2648	1	0	0

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

MicroWorld-eScan	Trojan.MSIL.Basic.6.Gen
FireEye	Trojan.MSIL.Basic.6.Gen
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.1f2b7b
BitDefenderTheta	Gen:NN.ZemsilF.34770.ir0@aGOSMNf
Cyren	W32/MSIL_Troj.BEJ.gen!Eldorado
Symantec	Scr.Malcode!gdn30
ESET-NOD32	a variant of MSIL/Kryptik.ABTG
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	VHO:Trojan.MSIL.Taskun.gen
BitDefender	Trojan.MSIL.Basic.6.Gen
Ad-Aware	Trojan.MSIL.Basic.6.Gen
Emsisoft	Trojan.MSIL.Basic.6.Gen (B)
Microsoft	Trojan:Win32/Wacatac.B!ml
Arcabit	Trojan.MSIL.Basic.6.Gen
GData	Trojan.MSIL.Basic.6.Gen
ALYac	Trojan.MSIL.Basic.6.Gen
MAX	malware (ai score=84)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.DLO!tr
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_70% (W)

Executed a process and injected code into it, probably while unpacking (29 events)

Time & API	Arguments	Status	Return
NtResumeThread July 2, 2021, 9:29 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread July 2, 2021, 9:29 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread July 2, 2021, 9:29 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread July 2, 2021, 9:30 a.m.	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 2952	1	0
CreateProcessInternalW July 2, 2021, 9:31 a.m.	thread_identifier: 4964 thread_handle: 0x000003a8 process_identifier: 8408 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rmaABUEf" /XML "C:\Users\test22\AppData\Local\Temp\tmp8888.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003ac	1	1
CreateProcessInternalW July 2, 2021, 9:31 a.m.	thread_identifier: 4420 thread_handle: 0x00000350 process_identifier: 3180 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\oga.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\oga.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000034c	1	1
NtGetContextThread July 2, 2021, 9:31 a.m.	thread_handle: 0x00000350	1	0
NtAllocateVirtualMemory July 2, 2021, 9:31 a.m.	process_identifier: 3180 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000034c		3221225496
CreateProcessInternalW July 2, 2021, 9:31 a.m.	thread_identifier: 5992 thread_handle: 0x00000354 process_identifier: 4376 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\oga.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\oga.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000344	1	1
NtGetContextThread July 2, 2021, 9:31 a.m.	thread_handle: 0x00000354	1	0
NtAllocateVirtualMemory July 2, 2021, 9:31 a.m.	process_identifier: 4376 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000344		3221225496
CreateProcessInternalW July 2, 2021, 9:31 a.m.	thread_identifier: 3968 thread_handle: 0x000003ac process_identifier: 2648 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\oga.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\oga.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003a8	1	1
NtGetContextThread July 2, 2021, 9:31 a.m.	thread_handle: 0x000003ac	1	0
NtAllocateVirtualMemory July 2, 2021, 9:31 a.m.	process_identifier: 2648 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a8	1	0
WriteProcessMemory July 2, 2021, 9:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÙ`àVt @ À@8tS H.textT V `.rsrc X@@.reloc ^@B base_address: 0x00400000 process_identifier: 2648 process_handle: 0x000003a8	1	1
WriteProcessMemory July 2, 2021, 9:31 a.m.	buffer: base_address: 0x00402000 process_identifier: 2648 process_handle: 0x000003a8	1	1
WriteProcessMemory July 2, 2021, 9:31 a.m.	buffer: 8Ph 0ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNameCsgWgBnFfjjFzvKrJMWbTuxE.exe(LegalCopyright dOriginalFilenameCsgWgBnFfjjFzvKrJMWbTuxE.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 2648 process_handle: 0x000003a8	1	1
WriteProcessMemory July 2, 2021, 9:31 a.m.	buffer: p4 base_address: 0x0043a000 process_identifier: 2648 process_handle: 0x000003a8	1	1
WriteProcessMemory July 2, 2021, 9:31 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2648 process_handle: 0x000003a8	1	1
NtSetContextThread July 2, 2021, 9:31 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4420750 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003ac process_identifier: 2648	1	0
NtResumeThread July 2, 2021, 9:31 a.m.	thread_handle: 0x000003ac suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread July 2, 2021, 9:31 a.m.	thread_handle: 0x000003c4 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread July 2, 2021, 9:31 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread July 2, 2021, 9:31 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread July 2, 2021, 9:31 a.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread July 2, 2021, 9:31 a.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread July 2, 2021, 9:31 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread July 2, 2021, 9:31 a.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread July 2, 2021, 9:31 a.m.	thread_handle: 0x00000418 suspend_count: 1 process_identifier: 2648	1	0

oga.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All