Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 14, 2021, 9:30 a.m.	Aug. 14, 2021, 9:36 a.m.

Size	2.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`898f0ec3d9588199aa00da724447b5bb`
SHA256	`e139a350242af220a379940c1a667891161ff92bdcdbb5acd024076a27ddbf56`
CRC32	`2F5F6D8C`
ssdeep	`49152:QfQtjoZLBU0ZId3qgF6TuWrYWjvGyh8iw:Qf4oZ3INqgUT1rYWjuy`
PDB Path	C:\sabive\fedahonev-hayuwenac.pdb
Yara	OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

wsd.exe "C:\Users\test22\AppData\Local\Temp\wsd.exe"
2528
- wsd.exe "C:\Users\test22\AppData\Local\Temp\wsd.exe"
  572

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
45.153.241.244	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 14, 2021, 9:30 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\sabive\fedahonev-hayuwenac.pdb

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 14, 2021, 9:30 a.m.	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 1982464 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fe0000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2021, 9:30 a.m.	process_identifier: 2528 region_size: 3952640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:30 a.m.	process_identifier: 572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e92000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (7 events)

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SINGAPORE

offset

0x006cf158

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SINGAPORE

offset

0x006cf158

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SINGAPORE

offset

0x006cf158

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SINGAPORE

offset

0x006cf158

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SINGAPORE

offset

0x006cf158

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SINGAPORE

offset

0x006cf158

size

0x00000468

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SINGAPORE

offset

0x006cf5c0

size

0x0000005a

Creates hidden or system file (20 events)

Time & API	Arguments	Status	Return
SetFileAttributesW Aug. 14, 2021, 9:30 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:30 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:30 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:30 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:31 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:31 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:31 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:31 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:31 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:31 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:31 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:31 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:31 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:31 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:31 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:31 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:32 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:32 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:32 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
SetFileAttributesW Aug. 14, 2021, 9:32 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe filepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\esb6asg\wsd.exe

Moves the original executable to a new location (21 events)

Time & API	Arguments	Status	Return
MoveFileWithProgressW Aug. 14, 2021, 9:30 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\Temp\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:30 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:30 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:30 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:30 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:31 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:31 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:31 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:31 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:31 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:31 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:31 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:31 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:31 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:31 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:31 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:31 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:32 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:32 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:32 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1
MoveFileWithProgressW Aug. 14, 2021, 9:32 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\esb6asg\wsd.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\esb6asg\\wsd.exe newfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe oldfilepath: C:\Users\test22\AppData\Local\esb6asg\wsd.exe	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x001e5000', u'virtual_address': u'0x00033000', u'entropy': 7.998643980530308, u'name': u'.data', u'virtual_size': u'0x00698b68'}

entropy

7.99864398053

description

A section with a high entropy has been found

entropy

0.887465690759

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 14, 2021, 9:30 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 14, 2021, 9:30 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://curl.haxx.se/docs/http-cookies.html

Yara rule detected in process memory (22 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Communications smtp	rule	network_smtp_raw
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Communicates with host for which no DNS query was performed (1 event)

host

45.153.241.244

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 14, 2021, 9:30 a.m.	process_identifier: 572 region_size: 3989504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 14, 2021, 9:30 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

wsd.exe tried to sleep 8184888 seconds, actually delayed analysis time by 8184888 seconds

Installs itself for autorun at Windows startup (21 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wsd	reg_value	C:\Users\test22\AppData\Local\esb6asg\wsd.exe

Installs an hook procedure to monitor for mouse events (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Aug. 14, 2021, 9:30 a.m.	thread_identifier: 0 callback_function: 0x0050f84a hook_identifier: 14 (WH_MOUSE_LL) module_address: 0x00000000	1	4391391	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 14, 2021, 9:30 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 572 process_handle: 0x00000080	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Aug. 14, 2021, 9:30 a.m.	thread_identifier: 0 callback_function: 0x004ca8cc hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	1245491	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2528 called NtSetContextThread to modify thread in remote process 572
NtSetContextThread Aug. 14, 2021, 9:30 a.m.	registers.eip: 2007957956 registers.esp: 1638384 registers.edi: 0 registers.eax: 6857864 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 572	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2528 resumed a thread in remote process 572
NtResumeThread Aug. 14, 2021, 9:30 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 572	1	0	0

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
FireEye	Generic.mg.898f0ec3d9588199
Cybereason	malicious.8a1e8f
BitDefenderTheta	Gen:NN.ZexaF.34058.iwW@aevH8xfH
Cyren	W32/Kryptik.EXR.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HMBT
APEX	Malicious
Kaspersky	HEUR:Trojan-PSW.Win32.Tepfer.gen
Rising	Malware.Obscure/Heur!1.A89F (CLASSIC)
DrWeb	Trojan.PWS.Siggen3.2068
McAfee-GW-Edition	BehavesLike.Win32.Generic.vc
Sophos	ML/PE-A
Ikarus	Trojan.Win32.Crypt
ZoneAlarm	HEUR:Trojan-PSW.Win32.Tepfer.gen
GData	Win32.Trojan.PSE.14RNW0M
Cynet	Malicious (score: 100)
Acronis	suspicious
VBA32	Trojan.Win32.Azorult.a
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Kryptik.HMBK!tr
CrowdStrike	win/malicious_confidence_100% (D)
Qihoo-360	HEUR/QVM10.1.3D7B.Malware.Gen

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

45.153.241.244:5506

Executed a process and injected code into it, probably while unpacking (13 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 14, 2021, 9:30 a.m.	thread_identifier: 1148 thread_handle: 0x0000007c process_identifier: 572 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\wsd.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\wsd.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\wsd.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread Aug. 14, 2021, 9:30 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection Aug. 14, 2021, 9:30 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 572 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory Aug. 14, 2021, 9:30 a.m.	process_identifier: 572 region_size: 3989504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory Aug. 14, 2021, 9:30 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 572 process_handle: 0x00000080	1	1
NtSetContextThread Aug. 14, 2021, 9:30 a.m.	registers.eip: 2007957956 registers.esp: 1638384 registers.edi: 0 registers.eax: 6857864 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 572	1	0
NtResumeThread Aug. 14, 2021, 9:30 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 572	1	0
NtResumeThread Aug. 14, 2021, 9:30 a.m.	thread_handle: 0x000001c4 suspend_count: 1 process_identifier: 572	1	0
NtResumeThread Aug. 14, 2021, 9:30 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 572	1	0
NtResumeThread Aug. 14, 2021, 9:30 a.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 572	1	0
NtResumeThread Aug. 14, 2021, 9:30 a.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 572	1	0
NtResumeThread Aug. 14, 2021, 9:30 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 572	1	0
NtResumeThread Aug. 14, 2021, 9:30 a.m.	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 572	1	0

wsd.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All