Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 30, 2021, 10:28 a.m.	July 30, 2021, 10:36 a.m.

Size	3.0MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`2136731abbe410fb24240c34f1a47260`
SHA256	`e63ae6b6a21682cc06993ce09d717f3713b04a84b5567653bd8ccfdba1f89f06`
CRC32	`C23D8A29`
ssdeep	`49152:j2Tz8wIYwesVWRj1DLBaxMHQH2DeVpsjN8lLJ+cSK8ZOqUgzXVJVjIK9zWLNCab5:MzPsYR9LBaxLWD2sh8l4ASOqUQVJhd9E`
PDB Path	G:\PP\Reddead\loader\Release\loader.pdb
Yara	IsPE32 - (no description) VMProtect_Zero - VMProtect packed file Malicious_Packer_Zero - Malicious Packer OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

loader.exe "C:\Users\test22\AppData\Local\Temp\loader.exe"
2080
- svchost.exe svchost.exe
  2184

Name	Response	Post-Analysis Lookup
www.ez-cheats.com	A 43.255.241.176	43.255.241.176

IP Address	Status	Action
164.124.101.2	Active	Moloch
43.255.241.176	Active	Moloch
34.117.59.81	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49166 -> 43.255.241.176:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49165 -> 43.255.241.176:1337	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.102:49165 -> 43.255.241.176:1337	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.102:49165 -> 43.255.241.176:1337	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49166 43.255.241.176:443	C=US, O=Let's Encrypt, CN=R3	CN=ez-cheats.com	d7:29:76:a4:3b:25:ce:d3:9c:c3:da:88:a9:58:5c:ce:f4:d8:09:81

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA July 30, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (9 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 30, 2021, 10:28 a.m.			0	0
IsDebuggerPresent July 30, 2021, 10:28 a.m.			0	0
IsDebuggerPresent July 30, 2021, 10:28 a.m.			0	0
IsDebuggerPresent July 30, 2021, 10:28 a.m.			0	0
IsDebuggerPresent July 30, 2021, 10:28 a.m.			0	0
IsDebuggerPresent July 30, 2021, 10:28 a.m.			0	0
IsDebuggerPresent July 30, 2021, 10:28 a.m.			0	0
IsDebuggerPresent July 30, 2021, 10:28 a.m.			0	0
IsDebuggerPresent July 30, 2021, 10:28 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

G:\PP\Reddead\loader\Release\loader.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.gfids
section	.vmp0
section	.vmp1

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ July 30, 2021, 10:28 a.m.	stacktrace: exception.instruction_r: ed 60 e8 69 65 da ff 89 1c 24 0f c8 8d 05 34 f0 exception.instruction: in eax, dx exception.module: loader.exe exception.exception_code: 0xc0000096 exception.offset: 4909824 exception.address: 0x5beb00 registers.esp: 9433288 registers.edi: 9435308 registers.eax: 1447909480 registers.ebp: 9435348 registers.edx: 22104 registers.ebx: 0 registers.esi: 9435336 registers.ecx: 10	1
__exception__ July 30, 2021, 10:28 a.m.	stacktrace: exception.instruction_r: 90 0f 89 16 2a dd ff 68 8e bd d4 f2 e9 bf d3 dd exception.instruction: nop exception.module: loader.exe exception.exception_code: 0x80000004 exception.offset: 4900879 exception.address: 0x5bc80f registers.esp: 9433288 registers.edi: 9435308 registers.eax: 3730646001 registers.ebp: 9435348 registers.edx: 59 registers.ebx: 0 registers.esi: 9435336 registers.ecx: 10	1
__exception__ July 30, 2021, 10:28 a.m.	stacktrace: exception.instruction_r: 90 9c e9 c8 a1 00 00 84 58 5b 62 22 7a 3d 58 db exception.instruction: nop exception.module: loader.exe exception.exception_code: 0x80000004 exception.offset: 2442886 exception.address: 0x364686 registers.esp: 9433288 registers.edi: 9435308 registers.eax: 591594 registers.ebp: 9435348 registers.edx: 395049983 registers.ebx: 133120 registers.esi: 9435336 registers.ecx: 3738837507	1
__exception__ July 30, 2021, 10:28 a.m.	stacktrace: exception.instruction_r: cc 9d 9c c7 04 24 85 bd e4 6b e8 58 58 fd ff 00 exception.instruction: int3 exception.module: loader.exe exception.exception_code: 0x80000003 exception.offset: 2619902 exception.address: 0x38f9fe registers.esp: 9433284 registers.edi: 3221226323 registers.eax: 0 registers.ebp: 9435348 registers.edx: 395049983 registers.ebx: 0 registers.esi: 3221226323 registers.ecx: 3738837507	1

Performs some HTTP requests (1 event)

request

GET https://www.ez-cheats.com/panel/topup_hwid.php?h=085ec62e9b2ec0ab976156f2008398da

Allocates read-write-execute memory (usually to unpack itself) (50 out of 54 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 139264 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00111000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x772f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x748f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74900000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74910000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74920000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74930000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74940000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74950000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74960000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74970000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74980000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74990000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x749a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x749b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x749c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x749d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x749e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x749f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74a00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74a10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74a20000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74a30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74a40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74a50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74a60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74a70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74a80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74a90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74aa0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74ab0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74ac0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74ad0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74ae0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74af0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74b00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74b10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74b20000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74b30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74b40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74b50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74b60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74b70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74b80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74b90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74ba0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74bb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74bc0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74bd0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496

Creates executable files on the filesystem (1 event)

file	C:\Windows\System32\tcpapi.dll

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile July 30, 2021, 10:28 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000000a0 filepath: C:\Windows\System32\tcpapi.dll desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Windows\system32\tcpapi.dll create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a suspicious process (1 event)

cmdline

svchost.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x002f5c00', u'virtual_address': u'0x00254000', u'entropy': 7.771249960077782, u'name': u'.vmp1', u'virtual_size': u'0x002f5b14'}

entropy

7.77124996008

description

A section with a high entropy has been found

entropy

0.999505358615

description

Overall entropy of this PE file is high

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

The executable is likely packed with VMProtect (2 events)

section	.vmp0				description	Section name indicates VMProtect
section	.vmp1				description	Section name indicates VMProtect

Communicates with host for which no DNS query was performed (1 event)

host

34.117.59.81

Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2080 created a thread in remote process 2184
NtQueueApcThread July 30, 2021, 10:28 a.m.	function_address: 0x750749d7 parameter: 0x000b0000 thread_handle: 0x000000a0 process_identifier: 2184	1	0	0
NtQueueApcThread July 30, 2021, 10:28 a.m.	function_address: 0x771bd598 parameter: 0x00000000 thread_handle: 0x000000a0 process_identifier: 2184	1	0	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 30, 2021, 10:28 a.m.	buffer: C:\Windows\system32\tcpapi.dllw ¨wÊPÊäõØOÌr(/ÌPÊ6Ê/Ì(/Ì¸0ÌH.ÌÐÊ`.Ì÷8w8Êz8w4¨wÊ/ÌÊ@.Ì ÷t<w£<w¨wÊÊPÊà"2¢t base_address: 0x000b0000 process_identifier: 2184 process_handle: 0x000000a4	1	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2080 resumed a thread in remote process 2184
NtResumeThread July 30, 2021, 10:28 a.m.	thread_handle: 0x000000a0 suspend_count: 1 process_identifier: 2184	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 30, 2021, 10:28 a.m.	stacktrace: exception.instruction_r: ed 60 e8 69 65 da ff 89 1c 24 0f c8 8d 05 34 f0 exception.instruction: in eax, dx exception.module: loader.exe exception.exception_code: 0xc0000096 exception.offset: 4909824 exception.address: 0x5beb00 registers.esp: 9433288 registers.edi: 9435308 registers.eax: 1447909480 registers.ebp: 9435348 registers.edx: 22104 registers.ebx: 0 registers.esi: 9435336 registers.ecx: 10	1	0	0

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
FireEye	Generic.mg.2136731abbe410fb
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.b62d78
Cyren	W32/Trojan.FOC.gen!Eldorado
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	Backdoor.Win32.Zegost.mtslb
Sophos	Generic ML PUA (PUA)
McAfee-GW-Edition	BehavesLike.Win32.Generic.vc
ZoneAlarm	Backdoor.Win32.Zegost.mtslb
AhnLab-V3	Trojan/Win.Generic.C4529870
Acronis	suspicious
VBA32	BScope.Backdoor.Spy
Malwarebytes	Malware.AI.4109652637
Rising	Trojan.Generic@ML.100 (RDML:nD87fj9sWPCA2D4QHc7ckQ)
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
CrowdStrike	win/malicious_confidence_100% (D)

Executed a process and injected code into it, probably while unpacking (4 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 30, 2021, 10:28 a.m.	thread_identifier: 2188 thread_handle: 0x000000a0 process_identifier: 2184 current_directory: filepath: track: 1 command_line: svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000a4	1	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000a4	1	0
WriteProcessMemory July 30, 2021, 10:28 a.m.	buffer: C:\Windows\system32\tcpapi.dllw ¨wÊPÊäõØOÌr(/ÌPÊ6Ê/Ì(/Ì¸0ÌH.ÌÐÊ`.Ì÷8w8Êz8w4¨wÊ/ÌÊ@.Ì ÷t<w£<w¨wÊÊPÊà"2¢t base_address: 0x000b0000 process_identifier: 2184 process_handle: 0x000000a4	1	1
NtResumeThread July 30, 2021, 10:28 a.m.	thread_handle: 0x000000a0 suspend_count: 1 process_identifier: 2184	1	0

loader.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All