pktU9LoKSDqhtovq.jpg.ps1

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW July 12, 2021, 5:51 p.m.	buffer: True console_handle: 0x00000013	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 12, 2021, 5:51 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

coolbixb0y.ddns.net

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 12, 2021, 5:51 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 12, 2021, 5:51 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 12, 2021, 5:51 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 12, 2021, 5:51 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 12, 2021, 5:51 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02801000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 12, 2021, 5:51 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02802000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 12, 2021, 5:51 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02803000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 12, 2021, 5:51 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 12, 2021, 5:51 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02804000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Symantec	Backdoor.ASync!gm
DrWeb	PowerShell.Dropper.31
Rising	Trojan.Injector/PS!1.D2AD (CLASSIC)

Yara rule detected in process memory (9 events)

description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerCheck__RemoteAPI
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 12, 2021, 5:51 p.m.	process_identifier: 2744 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x000003a4	1	0	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Process injection	Process 732 manipulating memory of non-child process 2744
Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 12, 2021, 5:51 p.m.	process_identifier: 2744 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x000003a4	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Process injection	Process 732 injected into non-child 2744
Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 12, 2021, 5:51 p.m.	buffer: MZÿÿ¸@€º´ Í!¸ LÍ!This program cannot be run in DOS mode. $PEL #·^à  ² ®Ð à@  @ TÐWàÿ   H.text´° ² `.rsrcÿà´@@.reloc ¼@B base_address: 0x00400000 process_identifier: 2744 process_handle: 0x000003a4	1	1	0
WriteProcessMemory July 12, 2021, 5:51 p.m.	buffer:  €P€ 8€ € h€  àÌlã“Ì4VS_VERSION_INFO½ïþ ? D VarFileInfo$Translation°, StringFileInfo 000004b0 Comments" CompanyName* FileDescription0 FileVersion1.0.0.02 InternalNameStub.exe& LegalCopyright* LegalTrademarks: OriginalFilenameStub.exe" ProductName4 ProductVersion1.0.0.08 Assembly Version1.0.0.0<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> base_address: 0x0040e000 process_identifier: 2744 process_handle: 0x000003a4	1	1	0
WriteProcessMemory July 12, 2021, 5:51 p.m.	buffer: Ð°0 base_address: 0x00410000 process_identifier: 2744 process_handle: 0x000003a4	1	1	0
WriteProcessMemory July 12, 2021, 5:51 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2744 process_handle: 0x000003a4	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Process injection	Process 732 injected into non-child 2744
Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 12, 2021, 5:51 p.m.	buffer: MZÿÿ¸@€º´ Í!¸ LÍ!This program cannot be run in DOS mode. $PEL #·^à  ² ®Ð à@  @ TÐWàÿ   H.text´° ² `.rsrcÿà´@@.reloc ¼@B base_address: 0x00400000 process_identifier: 2744 process_handle: 0x000003a4	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Process injection	Process 732 called NtSetContextThread to modify thread in remote process 2744
Time & API	Arguments	Status	Return	Repeated
NtSetContextThread July 12, 2021, 5:51 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4247726 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000004cc process_identifier: 2744	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

#cmd

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Process injection	Process 732 resumed a thread in remote process 2744
Time & API	Arguments	Status	Return	Repeated
NtResumeThread July 12, 2021, 5:51 p.m.	thread_handle: 0x000004cc suspend_count: 1 process_identifier: 2744	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

147.189.170.240:6666

Executed a process and injected code into it, probably while unpacking (11 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 12, 2021, 5:51 p.m.	thread_identifier: 2084 thread_handle: 0x000004cc process_identifier: 2744 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe track: 1 command_line: #cmd filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003a4	1	1	0
NtGetContextThread July 12, 2021, 5:51 p.m.	thread_handle: 0x000004cc	1	0	0
NtAllocateVirtualMemory July 12, 2021, 5:51 p.m.	process_identifier: 2744 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x000003a4	1	0	0
WriteProcessMemory July 12, 2021, 5:51 p.m.	buffer: MZÿÿ¸@€º´ Í!¸ LÍ!This program cannot be run in DOS mode. $PEL #·^à  ² ®Ð à@  @ TÐWàÿ   H.text´° ² `.rsrcÿà´@@.reloc ¼@B base_address: 0x00400000 process_identifier: 2744 process_handle: 0x000003a4	1	1	0
WriteProcessMemory July 12, 2021, 5:51 p.m.	buffer: base_address: 0x00402000 process_identifier: 2744 process_handle: 0x000003a4	1	1	0
WriteProcessMemory July 12, 2021, 5:51 p.m.	buffer:  €P€ 8€ € h€  àÌlã“Ì4VS_VERSION_INFO½ïþ ? D VarFileInfo$Translation°, StringFileInfo 000004b0 Comments" CompanyName* FileDescription0 FileVersion1.0.0.02 InternalNameStub.exe& LegalCopyright* LegalTrademarks: OriginalFilenameStub.exe" ProductName4 ProductVersion1.0.0.08 Assembly Version1.0.0.0<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> base_address: 0x0040e000 process_identifier: 2744 process_handle: 0x000003a4	1	1	0
WriteProcessMemory July 12, 2021, 5:51 p.m.	buffer: Ð°0 base_address: 0x00410000 process_identifier: 2744 process_handle: 0x000003a4	1	1	0
WriteProcessMemory July 12, 2021, 5:51 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2744 process_handle: 0x000003a4	1	1	0
NtSetContextThread July 12, 2021, 5:51 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4247726 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000004cc process_identifier: 2744	1	0	0
NtResumeThread July 12, 2021, 5:51 p.m.	thread_handle: 0x000004cc suspend_count: 1 process_identifier: 2744	1	0	0
NtResumeThread July 12, 2021, 5:51 p.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 732	1	0	0