Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 15, 2021, 12:30 p.m.	Aug. 15, 2021, 12:42 p.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`82e9bcd3cc8af226349d5f310b452213`
SHA256	`b466d51514613567a3e9ade723ae043ecb2a467ba4ae9756ed5fc1a1e9f8a96e`
CRC32	`9200A0E4`
ssdeep	`24576:TF4yHFRfgqfLp1ZEVTNxZVmVLw+uiB5SMcI+MlliJZ92/BHqYF5973:JhHFJPfd1ZqNxZcVUdO5SMQJZ4/9qYD5`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

lv.exe "C:\Users\test22\AppData\Local\Temp\lv.exe"
872
- vip.exe "C:\Users\test22\AppData\Local\Temp\arose\vip.exe"
  2244
  - dllhost.exe dllhost.exe
    2196
  - cmd.exe cmd /c cmd < Mutevole.mpeg
    1452
    - cmd.exe cmd
      2840
      - findstr.exe findstr /V /R "^ZjBkBlrXGaMyAonWqshKBiDGKtcSfrPtwCYMYOwqAWUScAJEuPNlFgHRJVAvPkIDCItXlLYkfhlFjLlpxQMmdFmMUurr$" Ingannaste.mpeg
        2908
      - Questa.exe.com Questa.exe.com v
        2524
        
        Questa.exe.com C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Questa.exe.com v
        2612
      - PING.EXE ping TEST22-PC -n 30
        2668
- frs.exe "C:\Users\test22\AppData\Local\Temp\arose\frs.exe"
  1444

Name	Response	Post-Analysis Lookup
steFXKdeZnohWpsetIVYKrVdVcv.steFXKdeZnohWpsetIVYKrVdVcv

IP Address	Status	Action
131.153.76.130	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 15, 2021, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 15, 2021, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 15, 2021, 12:30 p.m.			0	0

Command line console output was observed (50 out of 89 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: Set yaZDtLkUvENseERboNRSiIteMYhXt=DESKTOP- console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: Set GtYMmYeahLkamOUwlp=QO5QU33 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: Set CvQkJVtmiHDLmMhXPuaxJhtxcmtrofhaRIhMmW=ping %computername% -n console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: if %computername%==%yaZDtLkUvENseERboNRSiIteMYhXt% %CvQkJVtmiHDLmMhXPuaxJhtxcmtrofhaRIhMmW% 300 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: Set GpNEMNBTZ=MZ console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: <nul set /p = "%GpNEMNBTZ%" > Questa.exe.com console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: findstr /V /R "^ZjBkBlrXGaMyAonWqshKBiDGKtcSfrPtwCYMYOwqAWUScAJEuPNlFgHRJVAvPkIDCItXlLYkfhlFjLlpxQMmdFmMUurr$" Ingannaste.mpeg >> Questa.exe.com" console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: copy Quali.mpeg v console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: start Questa.exe.com v console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: %CvQkJVtmiHDLmMhXPuaxJhtxcmtrofhaRIhMmW% 30 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Pinging test22-PC [fe80::4cc:7185:d814:e56e%11] console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 15, 2021, 12:30 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (26 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73721000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72764000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73751000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72904000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72942000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73721000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 1444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 90112 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 1444 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72904000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72942000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72904000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72942000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:31 p.m.	process_identifier: 2612 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:31 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 102400 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:31 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c2a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:31 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c32000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:31 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c34000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:31 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c35000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Aug. 15, 2021, 12:30 p.m.	number_of_free_clusters: 3350676 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW Aug. 15, 2021, 12:30 p.m.	number_of_free_clusters: 3350676 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Creates executable files on the filesystem (7 events)

file	C:\Users\test22\AppData\Local\Temp\arose\frs.exe
file	C:\Users\test22\AppData\Local\Temp\arose\vip.exe
file	C:\Users\test22\AppData\Local\Temp\nsq6413.tmp\UAC.dll
file	C:\Program Files (x86)\foler\olader\acppage.dll
file	C:\Program Files (x86)\foler\olader\acledit.dll
file	C:\Program Files (x86)\foler\olader\adprovider.dll
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Questa.exe.com

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\nsq6413.tmp\UAC.dll
file	C:\Users\test22\AppData\Local\Temp\arose\vip.exe
file	C:\Users\test22\AppData\Local\Temp\arose\frs.exe

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0004be00', u'virtual_address': u'0x00160000', u'entropy': 7.875628090590177, u'name': u'.rsrc', u'virtual_size': u'0x0004bc78'}

entropy

7.87562809059

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001000', u'virtual_address': u'0x001ac000', u'entropy': 7.940247086965566, u'name': u'.reloc', u'virtual_size': u'0x00000fd6'}

entropy

7.94024708697

description

A section with a high entropy has been found

entropy

0.883620689655

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (32 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Hijack network configuration	rule	Hijack_Network
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

ping TEST22-PC -n 30

Communicates with host for which no DNS query was performed (1 event)

host

131.153.76.130

Attempts to identify installed AV products by installation directory (2 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\AVG

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

reg_value

rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Elastic	malicious (high confidence)
CAT-QuickHeal	Trojandropper.Scrop
Zillya	Trojan.Coins.Win32.6551
BitDefenderTheta	Gen:NN.ZexaF.34058.sqW@aCGVAwfH
ESET-NOD32	a variant of Generik.CGNSEZO
APEX	Malicious
ClamAV	Win.Packed.Filerepmalware-9864117-0
Kaspersky	Backdoor.Win32.Agent.myucyf
Avast	Win32:Trojan-gen
Rising	Malware.Obscure/Heur!1.A89F (CLASSIC)
Emsisoft	Trojan.Crypt (A)
McAfee-GW-Edition	BehavesLike.Win32.SearchSuite.tc
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Win32.Trojan.BSE.HLJWVB
McAfee	GenericRXAA-FA!82E9BCD3CC8A
Malwarebytes	Malware.AI.1294164741
Ikarus	Malware.Win32.AVEvader
eGambit	Unsafe.AI_Score_99%
AVG	Win32:Trojan-gen

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2840 resumed a thread in remote process 2524
NtResumeThread Aug. 15, 2021, 12:30 p.m.	thread_handle: 0x00000134 suspend_count: 0 process_identifier: 2524	1	0	0

lv.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All