Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 24, 2021, 8:57 a.m.	Aug. 24, 2021, 9:01 a.m.

Size	697.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`00db430a07a7ebfe2dda4d10bffbde37`
SHA256	`38a7b50472d2fbc4d4d76ef0936ceafa31606153a36e7afa3d7952539dfa0c2f`
CRC32	`9C1225E2`
ssdeep	`12288:ZofB7UNifyuwDeZmWPebPYrn/4u3ig/+iATBfhEt4hWHs/O:ZoZOifylEm4er0ngmihi8Bfha4M`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description)

warzx.exe "C:\Users\test22\AppData\Local\Temp\warzx.exe"
1092
- warzx.exe "C:\Users\test22\AppData\Local\Temp\warzx.exe"
  2320
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
Securedbag2021-48502.portmap.host	A 193.161.193.99	193.161.193.99

IP Address	Status	Action
164.124.101.2	Active	Moloch
193.161.193.99	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:52062 -> 164.124.101.2:53	2027941	ET POLICY DNS Query to a Reverse Proxy Service Observed	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 24, 2021, 9 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 9 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 24, 2021, 9:01 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 24, 2021, 8:57 a.m.			0	0
IsDebuggerPresent Aug. 24, 2021, 8:57 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 24, 2021, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00666608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00666608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00666608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 24, 2021, 8:57 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 24, 2021, 9 a.m.	stacktrace: warzx+0x3738 @ 0x403738 warzx+0x12a34 @ 0x412a34 warzx+0x1570a @ 0x41570a warzx+0x5ea7 @ 0x405ea7 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 0f b7 01 66 89 02 41 41 42 42 66 85 c0 75 f1 c7 exception.symbol: lstrcpyW+0x16 IsBadStringPtrA-0x5b kernel32+0x33118 exception.instruction: movzx eax, word ptr [ecx] exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 209176 exception.address: 0x76a63118 registers.esp: 1569416 registers.edi: 1569548 registers.eax: 1569440 registers.ebp: 1569456 registers.edx: 47448064 registers.ebx: 0 registers.esi: 1569712 registers.ecx: 0	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 52 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a85000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fed2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a89000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:57 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a8e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a8f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01171000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01172000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01173000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01174000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01175000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01176000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01177000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 1092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01178000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Aug. 24, 2021, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW Aug. 24, 2021, 9:01 a.m.	number_of_free_clusters: 2668497 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data

Creates executable files on the filesystem (2 events)

file	C:\Windows\System32\rfxvmt.dll
file	C:\Program Files\Microsoft DN1\sqlmap.dll

Executes one or more WMI queries (1 event)

wmi

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000ada00', u'virtual_address': u'0x00002000', u'entropy': 7.913399701845522, u'name': u'.text', u'virtual_size': u'0x000ad914'}

entropy

7.91339970185

description

A section with a high entropy has been found

entropy

0.997128499641

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 24, 2021, 9 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (17 events)

description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	email clients info stealer	rule	infoStealer_emailClients_Zero
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Aug. 24, 2021, 9 a.m.	status_code: 0x00000000 process_identifier: 0 process_handle: 0x000002d0		0	0
NtTerminateProcess Aug. 24, 2021, 9 a.m.	status_code: 0x00000000 process_identifier: 0 process_handle: 0x000002d0	1	0	0

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 2320 region_size: 1433600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll

reg_value

%ProgramFiles%\Microsoft DN1\sqlmap.dll

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 24, 2021, 8:58 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $n·ÇìäÇìäÇìäã_äÆìäÎäÆìäã]äÅìäàmäÆìäànäÄìäÂàäÆìäÎäÃìäÎäØìäÇìä5ìäT å°ìäTåÆìäRichÇìäPELrìE_àRP(^p@à@ª,°à0©p.textwPR `.rdata\|NpPV@@.dataÐíÀ¨¦@À.relocà°N@B.bssÐ`@@ base_address: 0x00400000 process_identifier: 2320 process_handle: 0x00000268	1	1
WriteProcessMemory Aug. 24, 2021, 8:58 a.m.	buffer: 2ÌÂqV]£ Ì~©íï'é4 wZ8½A*Kîj}#xCÁ\|/^é¬»cÁ¢JÂXúÁ®ä\|ªÓíg¯PÐ1èS±zå=oýÑ·ÄVêør2kF6À£:ýCå§a~Ì¯30-§¦Rú5YËF15È4v' vI ÿÝ ì¹¾/Qµ@1¶Ú²c_óºÉF#A.ú¦ÂNA1áe8&¾V(ò,2ì½ base_address: 0x0055d000 process_identifier: 2320 process_handle: 0x00000268	1	1
WriteProcessMemory Aug. 24, 2021, 8:58 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2320 process_handle: 0x00000268	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 24, 2021, 8:58 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $n·ÇìäÇìäÇìäã_äÆìäÎäÆìäã]äÅìäàmäÆìäànäÄìäÂàäÆìäÎäÃìäÎäØìäÇìä5ìäT å°ìäTåÆìäRichÇìäPELrìE_àRP(^p@à@ª,°à0©p.textwPR `.rdata\|NpPV@@.dataÐíÀ¨¦@À.relocà°N@B.bssÐ`@@ base_address: 0x00400000 process_identifier: 2320 process_handle: 0x00000268	1	1	0

Harvests credentials from local email clients (2 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1092 called NtSetContextThread to modify thread in remote process 2320
NtSetContextThread Aug. 24, 2021, 8:58 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4218408 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000264 process_identifier: 2320	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1092 resumed a thread in remote process 2320
NtResumeThread Aug. 24, 2021, 8:58 a.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2320	1	0	0

Executed a process and injected code into it, probably while unpacking (22 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 24, 2021, 8:57 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1092	1	0
NtResumeThread Aug. 24, 2021, 8:57 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1092	1	0
NtResumeThread Aug. 24, 2021, 8:57 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 1092	1	0
NtResumeThread Aug. 24, 2021, 8:57 a.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 1092	1	0
NtGetContextThread Aug. 24, 2021, 8:57 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Aug. 24, 2021, 8:57 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1092	1	0
NtGetContextThread Aug. 24, 2021, 8:57 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Aug. 24, 2021, 8:57 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Aug. 24, 2021, 8:57 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1092	1	0
NtResumeThread Aug. 24, 2021, 8:58 a.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 1092	1	0
CreateProcessInternalW Aug. 24, 2021, 8:58 a.m.	thread_identifier: 2316 thread_handle: 0x00000264 process_identifier: 2320 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\warzx.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\warzx.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000268	1	1
NtGetContextThread Aug. 24, 2021, 8:58 a.m.	thread_handle: 0x00000264	1	0
NtAllocateVirtualMemory Aug. 24, 2021, 8:58 a.m.	process_identifier: 2320 region_size: 1433600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268	1	0
WriteProcessMemory Aug. 24, 2021, 8:58 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $n·ÇìäÇìäÇìäã_äÆìäÎäÆìäã]äÅìäàmäÆìäànäÄìäÂàäÆìäÎäÃìäÎäØìäÇìä5ìäT å°ìäTåÆìäRichÇìäPELrìE_àRP(^p@à@ª,°à0©p.textwPR `.rdata\|NpPV@@.dataÐíÀ¨¦@À.relocà°N@B.bssÐ`@@ base_address: 0x00400000 process_identifier: 2320 process_handle: 0x00000268	1	1
WriteProcessMemory Aug. 24, 2021, 8:58 a.m.	buffer: base_address: 0x00401000 process_identifier: 2320 process_handle: 0x00000268	1	1
WriteProcessMemory Aug. 24, 2021, 8:58 a.m.	buffer: base_address: 0x00417000 process_identifier: 2320 process_handle: 0x00000268	1	1
WriteProcessMemory Aug. 24, 2021, 8:58 a.m.	buffer: base_address: 0x0041c000 process_identifier: 2320 process_handle: 0x00000268	1	1
WriteProcessMemory Aug. 24, 2021, 8:58 a.m.	buffer: base_address: 0x0055b000 process_identifier: 2320 process_handle: 0x00000268	1	1
WriteProcessMemory Aug. 24, 2021, 8:58 a.m.	buffer: 2ÌÂqV]£ Ì~©íï'é4 wZ8½A*Kîj}#xCÁ\|/^é¬»cÁ¢JÂXúÁ®ä\|ªÓíg¯PÐ1èS±zå=oýÑ·ÄVêør2kF6À£:ýCå§a~Ì¯30-§¦Rú5YËF15È4v' vI ÿÝ ì¹¾/Qµ@1¶Ú²c_óºÉF#A.ú¦ÂNA1áe8&¾V(ò,2ì½ base_address: 0x0055d000 process_identifier: 2320 process_handle: 0x00000268	1	1
WriteProcessMemory Aug. 24, 2021, 8:58 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2320 process_handle: 0x00000268	1	1
NtSetContextThread Aug. 24, 2021, 8:58 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4218408 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000264 process_identifier: 2320	1	0
NtResumeThread Aug. 24, 2021, 8:58 a.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2320	1	0

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.MSILHeracles.24829
FireEye	Generic.mg.00db430a07a7ebfe
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Backdoor:MSIL/Remcos.9b3d5e85
Cybereason	malicious.5debc3
BitDefenderTheta	Gen:NN.ZemsilF.34088.Rm0@aeJzVJo
Cyren	W32/MSIL_Kryptik.FHP.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.ACNV
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Backdoor.MSIL.Remcos.gen
BitDefender	Gen:Variant.MSILHeracles.24829
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Gen:Variant.MSILHeracles.24829
Sophos	Mal/Generic-S
TrendMicro	Backdoor.MSIL.REMCOS.USMANHN21
McAfee-GW-Edition	BehavesLike.Win32.Generic.jc
Emsisoft	Gen:Variant.MSILHeracles.24829 (B)
Ikarus	Win32.Outbreak
eGambit	Unsafe.AI_Score_100%
MAX	malware (ai score=99)
Kingsoft	Win32.Hack.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Kryptik.oa!s1
Microsoft	Trojan:MSIL/AgentTesla.R!MTB
GData	MSIL.Malware.Injector.XLWEN9
Cynet	Malicious (score: 100)
McAfee	Artemis!00DB430A07A7
VBA32	Malware-Cryptor.MSIL.AgentTesla.Heur
Malwarebytes	MachineLearning/Anomalous.95%
TrendMicro-HouseCall	Backdoor.MSIL.REMCOS.USMANHN21
Tencent	Win32.Trojan.Inject.Auto
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenKryptik.FJEE!tr
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

warzx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All