Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 10, 2021, 9:59 a.m.	Aug. 10, 2021, 10:05 a.m.

Size	848.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`bd65b6f625a29dcf2f8ee0508fd0e49e`
SHA256	`ba4541e570d270663cce5d1f51103fe77c915922b67f4aa0c05b10abe169aaeb`
CRC32	`82045B8C`
ssdeep	`24576:XG492MbZkCot8eh4AShJ0qa/0Um3mKi0b:XNkC2CM8SEt`
Yara	Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

yg.exe "C:\Users\test22\AppData\Local\Temp\yg.exe"
2508
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAiVfjaRNtym" /XML "C:\Users\test22\AppData\Local\Temp\tmpCC2D.tmp"
  2512
- yg.exe "C:\Users\test22\AppData\Local\Temp\yg.exe"
  240

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 10, 2021, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 10, 2021, 9:59 a.m.			0	0
IsDebuggerPresent Aug. 10, 2021, 9:59 a.m.			0	0
IsDebuggerPresent Aug. 10, 2021, 10 a.m.			0	0
IsDebuggerPresent Aug. 10, 2021, 10 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Aug. 10, 2021, 10 a.m.	buffer: SUCCESS: The scheduled task "Updates\tAiVfjaRNtym" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 10, 2021, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00886a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 10, 2021, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00886458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 10, 2021, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00886458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 10, 2021, 9:59 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 10, 2021, 10 a.m.	stacktrace: 0xb51788 0xb50fb3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72b02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72b1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72b12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72bc74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72bc7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72c51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72c51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72c51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72c5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7405f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 9b d7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb51bfb registers.esp: 3010320 registers.edi: 3010344 registers.eax: 0 registers.ebp: 3010356 registers.edx: 195 registers.ebx: 3010612 registers.esi: 36742328 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 10, 2021, 10 a.m.

stacktrace:

0xb51788
0xb50fb3
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72b02652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72b1264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72b12e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72bc74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72bc7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72c51dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72c51e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72c51f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72c5416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7405f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 9b d7
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb51bfb
registers.esp: 3010320
registers.edi: 3010344
registers.eax: 0
registers.ebp: 3010356
registers.edx: 195
registers.ebx: 3010612
registers.esi: 36742328
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 91 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00292000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0029a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70062000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f5d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f5e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f5f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0029c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d85000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d86000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d87000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:59 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a suspicious process (2 events)

cmdline	schtasks.exe /Create /TN "Updates\tAiVfjaRNtym" /XML "C:\Users\test22\AppData\Local\Temp\tmpCC2D.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAiVfjaRNtym" /XML "C:\Users\test22\AppData\Local\Temp\tmpCC2D.tmp"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 10, 2021, 10 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\tAiVfjaRNtym" /XML "C:\Users\test22\AppData\Local\Temp\tmpCC2D.tmp" filepath: schtasks.exe	1	1	0

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW Aug. 10, 2021, 10 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\Temp\\tmpG218.tmp flags: 8 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\yg.exe newfilepath: C:\Users\test22\AppData\Local\Temp\tmpG218.tmp oldfilepath: C:\Users\test22\AppData\Local\Temp\yg.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000d2c00', u'virtual_address': u'0x00002000', u'entropy': 7.753550990296362, u'name': u'.text', u'virtual_size': u'0x000d2b14'}

entropy

7.7535509903

description

A section with a high entropy has been found

entropy

0.994690265487

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 10, 2021, 10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 10, 2021, 10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks.exe /Create /TN "Updates\tAiVfjaRNtym" /XML "C:\Users\test22\AppData\Local\Temp\tmpCC2D.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAiVfjaRNtym" /XML "C:\Users\test22\AppData\Local\Temp\tmpCC2D.tmp"

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 10, 2021, 10 a.m.	process_identifier: 240 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000378	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 10, 2021, 10 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

yg.exe tried to sleep 5456501 seconds, actually delayed analysis time by 5456501 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\newapp

reg_value

C:\Users\test22\AppData\Roaming\newapp\newapp.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmpCC2D.tmp

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 10, 2021, 10 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELó>aàXnw @ À@wS H.texttW X `.rsrc Z@@.reloc `@B base_address: 0x00400000 process_identifier: 240 process_handle: 0x00000378	1	1
WriteProcessMemory Aug. 10, 2021, 10 a.m.	buffer: 8Ph 0ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNameUajWgEfMSQIrLSQFCTVQWLWX.exe(LegalCopyright dOriginalFilenameUajWgEfMSQIrLSQFCTVQWLWX.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 240 process_handle: 0x00000378	1	1
WriteProcessMemory Aug. 10, 2021, 10 a.m.	buffer: pp7 base_address: 0x0043a000 process_identifier: 240 process_handle: 0x00000378	1	1
WriteProcessMemory Aug. 10, 2021, 10 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 240 process_handle: 0x00000378	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 10, 2021, 10 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELó>aàXnw @ À@wS H.texttW X `.rsrc Z@@.reloc `@B base_address: 0x00400000 process_identifier: 240 process_handle: 0x00000378	1	1	0

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

Elastic	malicious (high confidence)
Cylance	Unsafe
Cyren	W32/MSIL_Kryptik.FDM.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Kaspersky	VHO:Trojan.MSIL.Taskun.gen
Sophos	Generic ML PUA (PUA)
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
FireEye	Generic.mg.bd65b6f625a29dcf
SentinelOne	Static AI - Malicious PE
Microsoft	Trojan:Win32/AgentTesla!ml
BitDefenderTheta	Gen:NN.ZemsilF.34058.1m0@aOSC5hc
VBA32	CIL.HeapOverride.Heur
eGambit	Unsafe.AI_Score_100%
Fortinet	MSIL/GenKryptik.FIQW!tr
MaxSecure	Trojan.Malware.300983.susgen
Qihoo-360	HEUR/QVM03.0.2946.Malware.Gen

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2508 called NtSetContextThread to modify thread in remote process 240
NtSetContextThread Aug. 10, 2021, 10 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421486 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000037c process_identifier: 240	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Roaming\newapp\newapp.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2508 resumed a thread in remote process 240
NtResumeThread Aug. 10, 2021, 10 a.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 240	1	0	0

Executed a process and injected code into it, probably while unpacking (27 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 10, 2021, 9:59 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2508	1	0
NtResumeThread Aug. 10, 2021, 9:59 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2508	1	0
NtResumeThread Aug. 10, 2021, 9:59 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2508	1	0
NtResumeThread Aug. 10, 2021, 9:59 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2508	1	0
NtGetContextThread Aug. 10, 2021, 9:59 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Aug. 10, 2021, 9:59 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Aug. 10, 2021, 9:59 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2508	1	0
NtResumeThread Aug. 10, 2021, 9:59 a.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2508	1	0
CreateProcessInternalW Aug. 10, 2021, 10 a.m.	thread_identifier: 2812 thread_handle: 0x00000420 process_identifier: 2512 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAiVfjaRNtym" /XML "C:\Users\test22\AppData\Local\Temp\tmpCC2D.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000424	1	1
CreateProcessInternalW Aug. 10, 2021, 10 a.m.	thread_identifier: 424 thread_handle: 0x0000037c process_identifier: 240 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\yg.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\yg.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000378	1	1
NtGetContextThread Aug. 10, 2021, 10 a.m.	thread_handle: 0x0000037c	1	0
NtAllocateVirtualMemory Aug. 10, 2021, 10 a.m.	process_identifier: 240 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000378	1	0
WriteProcessMemory Aug. 10, 2021, 10 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELó>aàXnw @ À@wS H.texttW X `.rsrc Z@@.reloc `@B base_address: 0x00400000 process_identifier: 240 process_handle: 0x00000378	1	1
WriteProcessMemory Aug. 10, 2021, 10 a.m.	buffer: base_address: 0x00402000 process_identifier: 240 process_handle: 0x00000378	1	1
WriteProcessMemory Aug. 10, 2021, 10 a.m.	buffer: 8Ph 0ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNameUajWgEfMSQIrLSQFCTVQWLWX.exe(LegalCopyright dOriginalFilenameUajWgEfMSQIrLSQFCTVQWLWX.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 240 process_handle: 0x00000378	1	1
WriteProcessMemory Aug. 10, 2021, 10 a.m.	buffer: pp7 base_address: 0x0043a000 process_identifier: 240 process_handle: 0x00000378	1	1
WriteProcessMemory Aug. 10, 2021, 10 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 240 process_handle: 0x00000378	1	1
NtSetContextThread Aug. 10, 2021, 10 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421486 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000037c process_identifier: 240	1	0
NtResumeThread Aug. 10, 2021, 10 a.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Aug. 10, 2021, 10 a.m.	thread_handle: 0x00000430 suspend_count: 1 process_identifier: 2508	1	0
NtResumeThread Aug. 10, 2021, 10 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Aug. 10, 2021, 10 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Aug. 10, 2021, 10 a.m.	thread_handle: 0x000001bc suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Aug. 10, 2021, 10 a.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Aug. 10, 2021, 10 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Aug. 10, 2021, 10 a.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Aug. 10, 2021, 10 a.m.	thread_handle: 0x00000418 suspend_count: 1 process_identifier: 240	1	0

yg.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All