Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 3, 2021, 9:07 a.m.	Aug. 3, 2021, 9:11 a.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`5c8fdd6c67790256bda928d03cf524a9`
SHA256	`0afd6d772b09767847f0635c5e1e56d51ab97997bcd5cf82701f2159195065e7`
CRC32	`A7EC09A8`
ssdeep	`24576:K8enHugfcdhnrnili2t9wJE749Yge8ULffKy3JP3heERE7QXXiQBuBvL+iyqzMRH:buZ4hnTSbK147fHP3heEKQXyO4DRlzMR`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

win32d.exe "C:\Users\test22\AppData\Local\Temp\win32d.exe"
1908
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xAxenuY" /XML "C:\Users\test22\AppData\Local\Temp\tmpBEB.tmp"
  2540
- win32d.exe "C:\Users\test22\AppData\Local\Temp\win32d.exe"
  2984

Name	Response	Post-Analysis Lookup
duck50501.hopto.org	A 91.193.75.162	91.193.75.162

IP Address	Status	Action
164.124.101.2	Active	Moloch
91.193.75.162	Active	Moloch
203.159.80.186	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic
UDP 192.168.56.101:59369 -> 164.124.101.2:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 3, 2021, 9:08 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 3, 2021, 9:07 a.m.			0	0
IsDebuggerPresent Aug. 3, 2021, 9:07 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Aug. 3, 2021, 9:08 a.m.	buffer: SUCCESS: The scheduled task "Updates\xAxenuY" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 3, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007aa8b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007aa830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007aa830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 3, 2021, 9:07 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

duck50501.hopto.org

Allocates read-write-execute memory (usually to unpack itself) (50 out of 57 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72644000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f3e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6de82000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003be000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044fe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

win32d.exe tried to sleep 136 seconds, actually delayed analysis time by 136 seconds

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xAxenuY" /XML "C:\Users\test22\AppData\Local\Temp\tmpBEB.tmp"
cmdline	schtasks.exe /Create /TN "Updates\xAxenuY" /XML "C:\Users\test22\AppData\Local\Temp\tmpBEB.tmp"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 3, 2021, 9:08 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\xAxenuY" /XML "C:\Users\test22\AppData\Local\Temp\tmpBEB.tmp" filepath: schtasks.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00170400', u'virtual_address': u'0x00002000', u'entropy': 7.939446062633663, u'name': u'.text', u'virtual_size': u'0x00170214'}

entropy

7.93944606263

description

A section with a high entropy has been found

entropy

0.964320785597

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 3, 2021, 9:07 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (19 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xAxenuY" /XML "C:\Users\test22\AppData\Local\Temp\tmpBEB.tmp"
cmdline	schtasks.exe /Create /TN "Updates\xAxenuY" /XML "C:\Users\test22\AppData\Local\Temp\tmpBEB.tmp"

Communicates with host for which no DNS query was performed (1 event)

host

203.159.80.186

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 2984 region_size: 491520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000038c	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $oxä-+~+~+~{~9~y~´~x~5~x:~)~f:~~µ¹M~~G1~G~G ~"a~8~+~7~¼Gv~¹Gu~~¼G~Rich+~PELrf`àïî @@xwÜð$I@$80\8Ä\h\@ l.text& `.rdataÂo p@@.data<=@À.tls Ð@À.gfids0à@@.rsrc$IðJ@@.reloc$8@:â@B base_address: 0x00400000 process_identifier: 2984 process_handle: 0x0000038c	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ¤dE¨gE¢dE..FL¦FL¦FL¦FL¦FL¦FL¦FL¦FL¦FL¦FFP¦FP¦FP¦FP¦FP¦FP¦FP¦FFÿÿÿÿ¨gE¨F¨F¨F¨F¨FF(jE¨kEzEèFFCPSTPDT°FðFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZFþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3$&E.?AVtype_info@@$&E.?AVbad_alloc@std@@$&E.?AVbad_array_new_length@std@@$&E.?AVlogic_error@std@@$&E.?AVlength_error@std@@$&E.?AVout_of_range@std@@$&E.?AV_Facet_base@std@@$&E.?AV_Locimp@locale@std@@$&E.?AVfacet@locale@std@@$&E.?AU_Crt_new_delete@std@@$&E.?AVcodecvt_base@std@@$&E.?AUctype_base@std@@$&E.?AV?$ctype@D@std@@$&E.?AV?$codecvt@DDU_Mbstatet@@@std@@$&E.?AVbad_exception@std@@$&E.H$&E.?AVfailure@ios_base@std@@$&E.?AVruntime_error@std@@$&E.?AVsystem_error@std@@$&E.?AVbad_cast@std@@$&E.?AV_System_error@std@@$&E.?AVexception@std@@ base_address: 0x00469000 process_identifier: 2984 process_handle: 0x0000038c	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: base_address: 0x0046d000 process_identifier: 2984 process_handle: 0x0000038c	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: ú¾ß¾d?TÃnÃd?¼Ãd?ÉZd?û]Êtç»³ÃOf>fÈÙpÙd?d?avÃBÃÏzuñpÞßß[Sa+bAQÉ}g´DêªÄ,ö b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046e000 process_identifier: 2984 process_handle: 0x0000038c	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2984 process_handle: 0x0000038c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $oxä-+~+~+~{~9~y~´~x~5~x:~)~f:~~µ¹M~~G1~G~G ~"a~8~+~7~¼Gv~¹Gu~~¼G~Rich+~PELrf`àïî @@xwÜð$I@$80\8Ä\h\@ l.text& `.rdataÂo p@@.data<=@À.tls Ð@À.gfids0à@@.rsrc$IðJ@@.reloc$8@:â@B base_address: 0x00400000 process_identifier: 2984 process_handle: 0x0000038c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1908 called NtSetContextThread to modify thread in remote process 2984
NtSetContextThread Aug. 3, 2021, 9:08 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4386543 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000390 process_identifier: 2984	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1908 resumed a thread in remote process 2984
NtResumeThread Aug. 3, 2021, 9:08 a.m.	thread_handle: 0x00000390 suspend_count: 1 process_identifier: 2984	1	0	0

Executed a process and injected code into it, probably while unpacking (27 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 3, 2021, 9:07 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1908	1	0
NtResumeThread Aug. 3, 2021, 9:07 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1908	1	0
NtResumeThread Aug. 3, 2021, 9:07 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 1908	1	0
NtResumeThread Aug. 3, 2021, 9:07 a.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 1908	1	0
NtGetContextThread Aug. 3, 2021, 9:07 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Aug. 3, 2021, 9:07 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Aug. 3, 2021, 9:07 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 1908	1	0
NtResumeThread Aug. 3, 2021, 9:08 a.m.	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 1908	1	0
CreateProcessInternalW Aug. 3, 2021, 9:08 a.m.	thread_identifier: 2492 thread_handle: 0x000003c8 process_identifier: 2540 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xAxenuY" /XML "C:\Users\test22\AppData\Local\Temp\tmpBEB.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d0	1	1
CreateProcessInternalW Aug. 3, 2021, 9:08 a.m.	thread_identifier: 2748 thread_handle: 0x00000390 process_identifier: 2984 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\win32d.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\win32d.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000038c	1	1
NtGetContextThread Aug. 3, 2021, 9:08 a.m.	thread_handle: 0x00000390	1	0
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 2984 region_size: 491520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000038c	1	0
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $oxä-+~+~+~{~9~y~´~x~5~x:~)~f:~~µ¹M~~G1~G~G ~"a~8~+~7~¼Gv~¹Gu~~¼G~Rich+~PELrf`àïî @@xwÜð$I@$80\8Ä\h\@ l.text& `.rdataÂo p@@.data<=@À.tls Ð@À.gfids0à@@.rsrc$IðJ@@.reloc$8@:â@B base_address: 0x00400000 process_identifier: 2984 process_handle: 0x0000038c	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: base_address: 0x00401000 process_identifier: 2984 process_handle: 0x0000038c	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: base_address: 0x00452000 process_identifier: 2984 process_handle: 0x0000038c	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ¤dE¨gE¢dE..FL¦FL¦FL¦FL¦FL¦FL¦FL¦FL¦FL¦FFP¦FP¦FP¦FP¦FP¦FP¦FP¦FFÿÿÿÿ¨gE¨F¨F¨F¨F¨FF(jE¨kEzEèFFCPSTPDT°FðFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZFþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3$&E.?AVtype_info@@$&E.?AVbad_alloc@std@@$&E.?AVbad_array_new_length@std@@$&E.?AVlogic_error@std@@$&E.?AVlength_error@std@@$&E.?AVout_of_range@std@@$&E.?AV_Facet_base@std@@$&E.?AV_Locimp@locale@std@@$&E.?AVfacet@locale@std@@$&E.?AU_Crt_new_delete@std@@$&E.?AVcodecvt_base@std@@$&E.?AUctype_base@std@@$&E.?AV?$ctype@D@std@@$&E.?AV?$codecvt@DDU_Mbstatet@@@std@@$&E.?AVbad_exception@std@@$&E.H$&E.?AVfailure@ios_base@std@@$&E.?AVruntime_error@std@@$&E.?AVsystem_error@std@@$&E.?AVbad_cast@std@@$&E.?AV_System_error@std@@$&E.?AVexception@std@@ base_address: 0x00469000 process_identifier: 2984 process_handle: 0x0000038c	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: base_address: 0x0046d000 process_identifier: 2984 process_handle: 0x0000038c	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: ú¾ß¾d?TÃnÃd?¼Ãd?ÉZd?û]Êtç»³ÃOf>fÈÙpÙd?d?avÃBÃÏzuñpÞßß[Sa+bAQÉ}g´DêªÄ,ö b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046e000 process_identifier: 2984 process_handle: 0x0000038c	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: base_address: 0x0046f000 process_identifier: 2984 process_handle: 0x0000038c	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: base_address: 0x00474000 process_identifier: 2984 process_handle: 0x0000038c	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2984 process_handle: 0x0000038c	1	1
NtSetContextThread Aug. 3, 2021, 9:08 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4386543 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000390 process_identifier: 2984	1	0
NtResumeThread Aug. 3, 2021, 9:08 a.m.	thread_handle: 0x00000390 suspend_count: 1 process_identifier: 2984	1	0
NtResumeThread Aug. 3, 2021, 9:08 a.m.	thread_handle: 0x000003bc suspend_count: 1 process_identifier: 1908	1	0
NtGetContextThread Aug. 3, 2021, 9:08 a.m.	thread_handle: 0x000003bc	1	0
NtGetContextThread Aug. 3, 2021, 9:08 a.m.	thread_handle: 0x000003bc	1	0
NtResumeThread Aug. 3, 2021, 9:08 a.m.	thread_handle: 0x000003bc suspend_count: 1 process_identifier: 1908	1	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0053ba121 )
K7GW	Trojan ( 0053ba121 )
Cybereason	malicious.1db40d
Cyren	W32/MSIL_Kryptik.FAM.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/Rescoms.B
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Taskun.gen
Emsisoft	Trojan.Crypt (A)
Comodo	TrojWare.Win32.Agent.vpmhv@0
DrWeb	Trojan.Packed2.43350
McAfee-GW-Edition	Artemis!Trojan
FireEye	Generic.mg.5c8fdd6c67790256
Sophos	Mal/Generic-S
Paloalto	generic.ml
GData	Win32.Backdoor.Remcos.H7NFKA
Avira	TR/ATRAPS.Gen
eGambit	Unsafe.AI_Score_99%
MAX	malware (ai score=99)
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Woreflint.A!cl
McAfee	Artemis!5C8FDD6C6779
VBA32	Malware-Cryptor.MSIL.AgentTesla.Heur
Malwarebytes	MachineLearning/Anomalous.95%
TrendMicro-HouseCall	TROJ_GEN.F0D1C00H221
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	PossibleThreat.PALLAS.H
BitDefenderTheta	Gen:NN.ZemsilF.34050.Fn0@aqjvb@i
AVG	Win32:RATX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Win32/Backdoor.Rat.HgIASZkA

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (23 events)

dead_host	192.168.56.101:49222
dead_host	192.168.56.101:49211
dead_host	91.193.75.162:50501
dead_host	192.168.56.101:49206
dead_host	192.168.56.101:49219
dead_host	192.168.56.101:49215
dead_host	192.168.56.101:49223
dead_host	192.168.56.101:49224
dead_host	192.168.56.101:49207
dead_host	192.168.56.101:49228
dead_host	192.168.56.101:49208
dead_host	192.168.56.101:49216
dead_host	192.168.56.101:49212
dead_host	192.168.56.101:49225
dead_host	192.168.56.101:49220
dead_host	192.168.56.101:49209
dead_host	192.168.56.101:49217
dead_host	192.168.56.101:49213
dead_host	192.168.56.101:49226
dead_host	192.168.56.101:49221
dead_host	192.168.56.101:49218
dead_host	192.168.56.101:49214
dead_host	192.168.56.101:49227

win32d.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All