Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 3, 2021, 9:18 a.m.	July 3, 2021, 9:22 a.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`35b76b8187301dece290bd83c7a3a5e3`
SHA256	`d6a4310eacb4ab4761b1504fcbe6d5e0da6c6b04563897b527a0de0acca9e83d`
CRC32	`F12FD102`
ssdeep	`24576:mM/x1ZjhDnkn4CPIy3kcnY00zqkY8ShdnzuJ8vugRWvWT1ruZU:1x1ZjlXCPfkKYRzqNbzu1ZOhrgU`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

lv.exe "C:\Users\test22\AppData\Local\Temp\lv.exe"
8452
- vpn.exe "C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe"
  8604
  - cmd.exe "C:\Windows\System32\cmd.exe" /c cmd < Sussulto.wma
    5084
    - cmd.exe cmd
      6500
      - findstr.exe findstr /V /R "^LXmKJkIvUqYCaDklbWMYErRVBHqPzfiGpAvAJJQodEWOpuhtYKCIpGYHyDpekTrFTszRuLBNuEIZirLxzWRIMnbCBPxymNWvBsVRNvXjpPCEYZAeSPJfwcT$" Sbigottito.wma
        4788
      - Accompagna.exe.com Accompagna.exe.com H
        7080
        
        Accompagna.exe.com C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Accompagna.exe.com H
        7424
      - PING.EXE ping 127.0.0.1 -n 30
        6916
- 4.exe "C:\Users\test22\AppData\Local\Temp\New Feature\4.exe"
  5236

Name	Response	Post-Analysis Lookup
d2js2viceajwla.cloudfront.net	AAAA 2600:9000:2139:e400:11:6feb:6f80:93a1 AAAA 2600:9000:2139:d800:11:6feb:6f80:93a1 AAAA 2600:9000:2139:6a00:11:6feb:6f80:93a1 AAAA 2600:9000:2139:b000:11:6feb:6f80:93a1 AAAA 2600:9000:2139:ee00:11:6feb:6f80:93a1 AAAA 2600:9000:2139:4e00:11:6feb:6f80:93a1 AAAA 2600:9000:2139:e600:11:6feb:6f80:93a1 AAAA 2600:9000:2139:1600:11:6feb:6f80:93a1	99.86.202.75
aus.thunderbird.net	A 99.86.202.23 A 99.86.202.125 CNAME d2js2viceajwla.cloudfront.net A 99.86.202.67 A 99.86.202.75	99.86.202.125
WYEnXVSECgshKtHcubAXXu.WYEnXVSECgshKtHcubAXXu
prod.balrog.prod.cloudops.mozgcp.net	A 35.244.181.201	35.244.181.201
d2js2viceajwla.cloudfront.net	A 99.86.202.67 A 99.86.202.125 A 99.86.202.23 A 99.86.202.75	99.86.202.75
aus5.mozilla.org	A 35.244.181.201 CNAME balrog-aus5.r53-2.services.mozilla.com CNAME prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201
prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201

IP Address	Status	Action
164.124.101.2	Active	Moloch
35.244.181.201	Active	Moloch
99.86.144.100	Active	Moloch
99.86.144.46	Active	Moloch
99.86.144.61	Active	Moloch
99.86.144.82	Active	Moloch
99.86.202.75	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49334 99.86.202.75:443	C=US, O=Let's Encrypt, CN=R3	CN=thunderbird.net	dd:92:a0:f3:c5:f2:3a:c7:42:66:30:75:8a:b3:b3:03:6b:8c:df:9d
TLS 1.2 192.168.56.102:49335 35.244.181.201:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=California, L=Mountain View, O=Mozilla Corporation, CN=aus5.mozilla.org	37:1a:8a:6e:ae:e7:b7:ae:1f:a9:c0:87:53:e5:a0:94:ef:0b:de:0c

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 3, 2021, 9:18 a.m.			0	0
IsDebuggerPresent July 3, 2021, 9:18 a.m.			0	0
IsDebuggerPresent July 3, 2021, 9:18 a.m.			0	0

Command line console output was observed (50 out of 141 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 3, 2021, 9:18 a.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW July 3, 2021, 9:18 a.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW July 3, 2021, 9:18 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW July 3, 2021, 9:18 a.m.	buffer: if %userdomain%==DESKTOP-QO5QU33 exit 1 console_handle: 0x00000007	1	1
WriteConsoleW July 3, 2021, 9:18 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW July 3, 2021, 9:18 a.m.	buffer: <nul set /p = "MZ" > Accompagna.exe.com console_handle: 0x00000007	1	1
WriteConsoleW July 3, 2021, 9:18 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW July 3, 2021, 9:18 a.m.	buffer: findstr /V /R "^LXmKJkIvUqYCaDklbWMYErRVBHqPzfiGpAvAJJQodEWOpuhtYKCIpGYHyDpekTrFTszRuLBNuEIZirLxzWRIMnbCBPxymNWvBsVRNvXjpPCEYZAeSPJfwcT$" Sbigottito.wma >> Accompagna.exe.com" console_handle: 0x00000007	1	1
WriteConsoleW July 3, 2021, 9:18 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW July 3, 2021, 9:18 a.m.	buffer: copy Sul.wma H console_handle: 0x00000007	1	1
WriteConsoleW July 3, 2021, 9:18 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW July 3, 2021, 9:18 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW July 3, 2021, 9:18 a.m.	buffer: start Accompagna.exe.com H console_handle: 0x00000007	1	1
WriteConsoleW July 3, 2021, 9:18 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW July 3, 2021, 9:18 a.m.	buffer: ping 127.0.0.1 -n 30 console_handle: 0x00000007	1	1
WriteConsoleW July 3, 2021, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW July 3, 2021, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA July 3, 2021, 9:18 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 3, 2021, 9:18 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (29 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72da4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72da4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72821000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 5236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 86016 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a51000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 5236 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 7080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 7080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72da4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 7080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 7424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 7424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72da4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 7424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 7424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 7424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 102400 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 7424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040ea000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 7424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040f2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 7424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 7424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 6916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW July 3, 2021, 9:18 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13466943488 root_path: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000 total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (7 events)

file	C:\Users\test22\AppData\Local\Temp\nsfB0AC.tmp\UAC.dll
file	C:\Program Files (x86)\foler\olader\acppage.dll
file	C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe
file	C:\Program Files (x86)\foler\olader\acledit.dll
file	C:\Program Files (x86)\foler\olader\adprovider.dll
file	C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Accompagna.exe.com
file	C:\Users\test22\AppData\Local\Temp\New Feature\4.exe

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c cmd < Sussulto.wma

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Accompagna.exe.com

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\nsfB0AC.tmp\UAC.dll
file	C:\Users\test22\AppData\Local\Temp\New Feature\4.exe
file	C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe
file	C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Accompagna.exe.com

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 3, 2021, 9:18 a.m.	show_type: 0 filepath_r: cmd parameters: /c cmd < Sussulto.wma filepath: cmd	1	1	0

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (32 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Hijack network configuration	rule	Hijack_Network
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

ping 127.0.0.1 -n 30

Communicates with host for which no DNS query was performed (4 events)

host	99.86.144.100
host	99.86.144.46
host	99.86.144.61
host	99.86.144.82

Attempts to identify installed AV products by installation directory (2 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\AVG

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 6500 resumed a thread in remote process 7080
NtResumeThread July 3, 2021, 9:18 a.m.	thread_handle: 0x00000134 suspend_count: 0 process_identifier: 7080	1	0	0

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Doina.10795
FireEye	Gen:Variant.Doina.10795
ALYac	Gen:Variant.Doina.10795
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0057da551 )
K7GW	Trojan ( 0057da551 )
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
APEX	Malicious
Avast	Win32:Trojan-gen
ClamAV	Win.Packed.Filerepmalware-9864117-0
Kaspersky	Trojan.Win32.Crypzip.ou
BitDefender	Gen:Variant.Doina.10795
Tencent	Win32.Trojan-qqpass.Qqrob.Lkxr
Ad-Aware	Gen:Variant.Doina.10795
Sophos	Mal/Generic-R + Troj/Agent-BHFT
DrWeb	BAT.Drop.2756
TrendMicro	TROJ_GEN.R06CC0DG221
McAfee-GW-Edition	BehavesLike.Win32.FakeRena.tc
Emsisoft	Trojan.Crypt (A)
MAX	malware (ai score=82)
Microsoft	Trojan:Win32/Glupteba.QV!MTB
GData	Gen:Variant.Doina.10795
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4493298
McAfee	GenericRXAA-FA!35B76B818730
VBA32	Malware-Cryptor.InstallCore.6
Malwarebytes	Malware.AI.2177412044
Rising	Trojan.Kryptik!1.D7CF (CLASSIC)
BitDefenderTheta	Gen:NN.ZexaF.34790.cr3@aWAVf8ok
AVG	Win32:Trojan-gen
Cybereason	malicious.c59907
Panda	Trj/CI.A

lv.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All