Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 9, 2021, 7 p.m.	Aug. 9, 2021, 7:23 p.m.

Size	845.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`9b5d0b2727ad3129860cd68a32065431`
SHA256	`976a675d05bad332d53474456b0eb37c7f8560142894b979b52142a388584502`
CRC32	`68118723`
ssdeep	`12288:2Eov2glt2NjFmzPFLYZ4UB9zkBU2xdOd0sU46ZMc+I2Zj:2jv2eMNjoLYR9zkGg25Uhd+dZ`
Yara	Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

jobo.exe "C:\Users\test22\AppData\Local\Temp\jobo.exe"
524
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UkPBkhXUC" /XML "C:\Users\test22\AppData\Local\Temp\tmp96B8.tmp"
  2952
- jobo.exe "C:\Users\test22\AppData\Local\Temp\jobo.exe"
  3016

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 9, 2021, 7:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 7:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 7:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 7:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2021, 7:02 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 9, 2021, 7 p.m.			0	0
IsDebuggerPresent Aug. 9, 2021, 7 p.m.			0	0
IsDebuggerPresent Aug. 9, 2021, 7:02 p.m.			0	0
IsDebuggerPresent Aug. 9, 2021, 7:02 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Aug. 9, 2021, 7:02 p.m.	buffer: SUCCESS: The scheduled task "Updates\UkPBkhXUC" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 9, 2021, 7 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007a6630 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 7 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007a6af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2021, 7 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007a6af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 9, 2021, 7 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 9, 2021, 7:02 p.m.	stacktrace: 0x741790 0x740fbb DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x739f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a0264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a02e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73ab74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73ab7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73b41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73b41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73b41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73b4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7409f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 93 d7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x741c03 registers.esp: 2354576 registers.edi: 2354600 registers.eax: 0 registers.ebp: 2354612 registers.edx: 195 registers.ebx: 2354868 registers.esi: 38230632 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 9, 2021, 7:02 p.m.

stacktrace:

0x741790
0x740fbb
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x739f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a0264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a02e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73ab74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73ab7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73b41dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73b41e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73b41f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73b4416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7409f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743a7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743a4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 93 d7
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x741c03
registers.esp: 2354576
registers.edi: 2354600
registers.eax: 0
registers.ebp: 2354612
registers.edx: 195
registers.ebx: 2354868
registers.esi: 38230632
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 83 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02580000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00292000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0029a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00521000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0029c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00523000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:01 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00524000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:01 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:01 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:01 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00525000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:01 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00526000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:01 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00527000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:01 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00528000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:01 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00529000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:01 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:01 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:01 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:01 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:01 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:01 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:01 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:02 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00691000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:02 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:02 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00693000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2021, 7:02 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a suspicious process (2 events)

cmdline	schtasks.exe /Create /TN "Updates\UkPBkhXUC" /XML "C:\Users\test22\AppData\Local\Temp\tmp96B8.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UkPBkhXUC" /XML "C:\Users\test22\AppData\Local\Temp\tmp96B8.tmp"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 9, 2021, 7:02 p.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\UkPBkhXUC" /XML "C:\Users\test22\AppData\Local\Temp\tmp96B8.tmp" filepath: schtasks.exe	1	1	0

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW Aug. 9, 2021, 7:02 p.m.	newfilepath_r: C:\Users\test22\AppData\Local\Temp\\tmpG687.tmp flags: 8 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\jobo.exe newfilepath: C:\Users\test22\AppData\Local\Temp\tmpG687.tmp oldfilepath: C:\Users\test22\AppData\Local\Temp\jobo.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000d1800', u'virtual_address': u'0x00002000', u'entropy': 7.635645949869865, u'name': u'.text', u'virtual_size': u'0x000d1704'}

entropy

7.63564594987

description

A section with a high entropy has been found

entropy

0.991715976331

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 9, 2021, 7:02 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 9, 2021, 7:02 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks.exe /Create /TN "Updates\UkPBkhXUC" /XML "C:\Users\test22\AppData\Local\Temp\tmp96B8.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UkPBkhXUC" /XML "C:\Users\test22\AppData\Local\Temp\tmp96B8.tmp"

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 9, 2021, 7:02 p.m.	process_identifier: 3016 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000037c	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 9, 2021, 7:02 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

jobo.exe tried to sleep 5456441 seconds, actually delayed analysis time by 5456441 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\newapp

reg_value

C:\Users\test22\AppData\Roaming\newapp\newapp.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmp96B8.tmp

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 9, 2021, 7:02 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELFaàX^w @ À@wO H.textdW X `.rsrcZ@@.reloc `@B base_address: 0x00400000 process_identifier: 3016 process_handle: 0x0000037c	1	1
WriteProcessMemory Aug. 9, 2021, 7:02 p.m.	buffer: 8Ph (ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNamepyRttKKeXIBPDIHysmoCnAq.exe(LegalCopyright `OriginalFilenamepyRttKKeXIBPDIHysmoCnAq.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 3016 process_handle: 0x0000037c	1	1
WriteProcessMemory Aug. 9, 2021, 7:02 p.m.	buffer: p`7 base_address: 0x0043a000 process_identifier: 3016 process_handle: 0x0000037c	1	1
WriteProcessMemory Aug. 9, 2021, 7:02 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3016 process_handle: 0x0000037c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 9, 2021, 7:02 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELFaàX^w @ À@wO H.textdW X `.rsrcZ@@.reloc `@B base_address: 0x00400000 process_identifier: 3016 process_handle: 0x0000037c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 524 called NtSetContextThread to modify thread in remote process 3016
NtSetContextThread Aug. 9, 2021, 7:02 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421470 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000380 process_identifier: 3016	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Roaming\newapp\newapp.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 524 resumed a thread in remote process 3016
NtResumeThread Aug. 9, 2021, 7:02 p.m.	thread_handle: 0x00000380 suspend_count: 1 process_identifier: 3016	1	0	0

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Lionic	Trojan.MSIL.ClipBanker.7!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
FireEye	Gen:Variant.MSILHeracles.23608
McAfee	Artemis!9B5D0B2727AD
Cylance	Unsafe
Alibaba	Trojan:Win32/starter.ali1000139
CrowdStrike	win/malicious_confidence_90% (W)
Cyren	W32/MSIL_Kryptik.DZG.gen!Eldorado
Symantec	Scr.Malcode!gdn30
ESET-NOD32	a variant of MSIL/Kryptik.ACIC
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Banker.MSIL.ClipBanker.gen
BitDefender	Gen:Variant.MSILHeracles.23608
MicroWorld-eScan	Gen:Variant.MSILHeracles.23608
Ad-Aware	Gen:Variant.MSILHeracles.23608
McAfee-GW-Edition	Artemis!Trojan
Microsoft	Trojan:Win32/Wacatac.B!ml
MAX	malware (ai score=87)
Tencent	Win32.Trojan.Inject.Auto
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ACHS!tr

Executed a process and injected code into it, probably while unpacking (23 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 9, 2021, 7 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 524	1	0
NtResumeThread Aug. 9, 2021, 7 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 524	1	0
NtResumeThread Aug. 9, 2021, 7 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 524	1	0
NtResumeThread Aug. 9, 2021, 7:01 p.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 524	1	0
CreateProcessInternalW Aug. 9, 2021, 7:02 p.m.	thread_identifier: 2956 thread_handle: 0x000003f8 process_identifier: 2952 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UkPBkhXUC" /XML "C:\Users\test22\AppData\Local\Temp\tmp96B8.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000404	1	1
CreateProcessInternalW Aug. 9, 2021, 7:02 p.m.	thread_identifier: 3020 thread_handle: 0x00000380 process_identifier: 3016 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\jobo.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\jobo.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000037c	1	1
NtGetContextThread Aug. 9, 2021, 7:02 p.m.	thread_handle: 0x00000380	1	0
NtAllocateVirtualMemory Aug. 9, 2021, 7:02 p.m.	process_identifier: 3016 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000037c	1	0
WriteProcessMemory Aug. 9, 2021, 7:02 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELFaàX^w @ À@wO H.textdW X `.rsrcZ@@.reloc `@B base_address: 0x00400000 process_identifier: 3016 process_handle: 0x0000037c	1	1
WriteProcessMemory Aug. 9, 2021, 7:02 p.m.	buffer: base_address: 0x00402000 process_identifier: 3016 process_handle: 0x0000037c	1	1
WriteProcessMemory Aug. 9, 2021, 7:02 p.m.	buffer: 8Ph (ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNamepyRttKKeXIBPDIHysmoCnAq.exe(LegalCopyright `OriginalFilenamepyRttKKeXIBPDIHysmoCnAq.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 3016 process_handle: 0x0000037c	1	1
WriteProcessMemory Aug. 9, 2021, 7:02 p.m.	buffer: p`7 base_address: 0x0043a000 process_identifier: 3016 process_handle: 0x0000037c	1	1
WriteProcessMemory Aug. 9, 2021, 7:02 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3016 process_handle: 0x0000037c	1	1
NtSetContextThread Aug. 9, 2021, 7:02 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421470 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000380 process_identifier: 3016	1	0
NtResumeThread Aug. 9, 2021, 7:02 p.m.	thread_handle: 0x00000380 suspend_count: 1 process_identifier: 3016	1	0
NtResumeThread Aug. 9, 2021, 7:02 p.m.	thread_handle: 0x000003ec suspend_count: 1 process_identifier: 524	1	0
NtResumeThread Aug. 9, 2021, 7:02 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3016	1	0
NtResumeThread Aug. 9, 2021, 7:02 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 3016	1	0
NtResumeThread Aug. 9, 2021, 7:02 p.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 3016	1	0
NtResumeThread Aug. 9, 2021, 7:02 p.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 3016	1	0
NtResumeThread Aug. 9, 2021, 7:02 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 3016	1	0
NtResumeThread Aug. 9, 2021, 7:02 p.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 3016	1	0
NtResumeThread Aug. 9, 2021, 7:02 p.m.	thread_handle: 0x00000418 suspend_count: 1 process_identifier: 3016	1	0

jobo.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All