Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 31, 2021, 11 a.m.	Aug. 31, 2021, 11:20 a.m.

Size	765.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`19dff3b73bcbdc7f040dcc6bb85f26fa`
SHA256	`9f149bab2028f43311d6b258432c22384abc80ec9f00fb0fa4f446b0825bd6bf`
CRC32	`3E496E29`
ssdeep	`12288:S1FUmTHWaRkoFpvl32ce1ASpWzpWDQc7R:SLUmT2aqoFXqAO7`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description)

plugmanzx.exe "C:\Users\test22\AppData\Local\Temp\plugmanzx.exe"
2072
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sVIqAnAOzrP" /XML "C:\Users\test22\AppData\Local\Temp\tmp13AB.tmp"
  2544
- RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2408
  - schtasks.exe "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp159F.tmp"
    3052
  - schtasks.exe "schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp168A.tmp"
    1172

Name	Response	Post-Analysis Lookup
blackbladeinc52.ddns.net	A 103.147.185.89	103.147.185.89

IP Address	Status	Action
103.147.185.89	Active	Moloch
164.124.101.2	Active	Moloch
31.170.160.160	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:52062 -> 8.8.8.8:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
TCP 192.168.56.102:49173 -> 103.147.185.89:1664	2025019	ET MALWARE Possible NanoCore C2 60B	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 31, 2021, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2021, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2021, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2021, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2021, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2021, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2021, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2021, 11:19 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 31, 2021, 10:57 a.m.			0	0
IsDebuggerPresent Aug. 31, 2021, 11:19 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 31, 2021, 11:19 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 31, 2021, 11:19 a.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 31, 2021, 11:19 a.m.	buffer: SUCCESS: The scheduled task "SMTP Host" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 31, 2021, 11:19 a.m.	buffer: SUCCESS: The scheduled task "SMTP Host Task" has successfully been created. console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 31, 2021, 10:58 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

blackbladeinc52.ddns.net

Allocates read-write-execute memory (usually to unpack itself) (50 out of 211 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73291000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73292000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00472000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00482000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00483000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00484000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00488000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00489000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00651000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00631000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00496000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00634000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:58 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:58 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:58 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:58 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:58 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:58 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:58 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:58 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:58 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:58 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00658000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates a suspicious process (4 events)

cmdline	schtasks.exe /Create /TN "Updates\sVIqAnAOzrP" /XML "C:\Users\test22\AppData\Local\Temp\tmp13AB.tmp"
cmdline	"schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp168A.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sVIqAnAOzrP" /XML "C:\Users\test22\AppData\Local\Temp\tmp13AB.tmp"
cmdline	"schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp159F.tmp"

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 31, 2021, 10:58 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\sVIqAnAOzrP" /XML "C:\Users\test22\AppData\Local\Temp\tmp13AB.tmp" filepath: schtasks.exe	1	1
CreateProcessInternalW Aug. 31, 2021, 11:19 a.m.	thread_identifier: 2448 thread_handle: 0x00000218 process_identifier: 3052 current_directory: C:\Windows\Microsoft.NET\Framework\v2.0.50727 filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp159F.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000021c	1	1
CreateProcessInternalW Aug. 31, 2021, 11:19 a.m.	thread_identifier: 900 thread_handle: 0x00000218 process_identifier: 1172 current_directory: C:\Windows\Microsoft.NET\Framework\v2.0.50727 filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp168A.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000290	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 31, 2021, 10:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 31, 2021, 11:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	schtasks.exe /Create /TN "Updates\sVIqAnAOzrP" /XML "C:\Users\test22\AppData\Local\Temp\tmp13AB.tmp"
cmdline	"schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp168A.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sVIqAnAOzrP" /XML "C:\Users\test22\AppData\Local\Temp\tmp13AB.tmp"
cmdline	"schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp159F.tmp"

One or more of the buffers contains an embedded PE file (14 events)

buffer	Buffer with sha1: 9420a2004c14c4a5e31290936a07bd58dcaa15b3
buffer	Buffer with sha1: 636b8187f0cb59d43c9ee1eedf144043941b62d9
buffer	Buffer with sha1: a6768a050af81bc43490e349b5fb2dc91d2252f4
buffer	Buffer with sha1: 4380fb6de89a7776d52214359ce213d24a2239ad
buffer	Buffer with sha1: c19d9db351af75fec019fe76506a455eba7fd168
buffer	Buffer with sha1: c1ef2ca62189121934d1a7944ef1bdc1aa319877
buffer	Buffer with sha1: 063fb8b27c0872c54bff35e2b76d8f522e13f8b4
buffer	Buffer with sha1: 925c5236c59dd8f3efea4b3e091ef735b405a880
buffer	Buffer with sha1: c54e7c5cac5fac68dc564ce64355d948422bf1ce
buffer	Buffer with sha1: 0c6598a0a37eaf12ce188fa66bc6c5db394af8a4
buffer	Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer	Buffer with sha1: efa4948abb218e47d809bedd1aff08cfb76d40e1
buffer	Buffer with sha1: 1b68e773e3522fa8edc7cb20d7c7f156b08ec73a
buffer	Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251

Communicates with host for which no DNS query was performed (1 event)

host

31.170.160.160

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 31, 2021, 10:58 a.m.	process_identifier: 2408 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000338	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 31, 2021, 11:19 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

RegSvcs.exe tried to sleep 5456574 seconds, actually delayed analysis time by 5456574 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Host

reg_value

C:\Program Files (x86)\SMTP Host\smtphost.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmp168A.tmp

Executes one or more WMI queries (3 events)

wmi	SELECT DisplayName FROM AntiSpywareProduct
wmi	SELECT DisplayName FROM FirewallProduct
wmi	SELECT DisplayName FROM AntiVirusProduct

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 31, 2021, 10:58 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW Ð_ H.textÇ È `.relocÊ@B.rsrcÐ_ `Ì@@ base_address: 0x00400000 process_identifier: 2408 process_handle: 0x00000338	1	1
WriteProcessMemory Aug. 31, 2021, 10:58 a.m.	buffer: à7 base_address: 0x00420000 process_identifier: 2408 process_handle: 0x00000338	1	1
WriteProcessMemory Aug. 31, 2021, 10:58 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2408 process_handle: 0x00000338	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 31, 2021, 10:58 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW Ð_ H.textÇ È `.relocÊ@B.rsrcÐ_ `Ì@@ base_address: 0x00400000 process_identifier: 2408 process_handle: 0x00000338	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2072 called NtSetContextThread to modify thread in remote process 2408
NtSetContextThread Aug. 31, 2021, 10:58 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000334 process_identifier: 2408	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2072 resumed a thread in remote process 2408
NtResumeThread Aug. 31, 2021, 10:58 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2408	1	0	0

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Lionic	Trojan.MSIL.NanoBot.m!c
Elastic	malicious (high confidence)
McAfee	AgentTesla-FDBQ!19DFF3B73BCB
Alibaba	Trojan:Win32/starter.ali1000139
Cyren	W32/MSIL_Kryptik.FJT.gen!Eldorado
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/GenKryptik.FJTZ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMalware
Sophos	Mal/Generic-S
McAfee-GW-Edition	Artemis!Trojan
FireEye	Generic.mg.19dff3b73bcbdc7f
SentinelOne	Static AI - Suspicious PE
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	MSIL.Backdoor.Nancat.T8PWHQ
Cynet	Malicious (score: 100)
BitDefenderTheta	Gen:NN.ZemsilF.34110.Vm0@aWey@Hb
Malwarebytes	Malware.AI.17520956
MaxSecure	Trojan.Malware.300983.susgen
Webroot	W32.Malware.Gen
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_100% (W)

Executed a process and injected code into it, probably while unpacking (28 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 31, 2021, 10:57 a.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2072	1	0
NtResumeThread Aug. 31, 2021, 10:57 a.m.	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 2072	1	0
NtResumeThread Aug. 31, 2021, 10:58 a.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2072	1	0
CreateProcessInternalW Aug. 31, 2021, 10:58 a.m.	thread_identifier: 2332 thread_handle: 0x000003d8 process_identifier: 2544 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sVIqAnAOzrP" /XML "C:\Users\test22\AppData\Local\Temp\tmp13AB.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003dc	1	1
CreateProcessInternalW Aug. 31, 2021, 10:58 a.m.	thread_identifier: 1784 thread_handle: 0x00000334 process_identifier: 2408 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000338	1	1
NtGetContextThread Aug. 31, 2021, 10:58 a.m.	thread_handle: 0x00000334	1	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:58 a.m.	process_identifier: 2408 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000338	1	0
WriteProcessMemory Aug. 31, 2021, 10:58 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW Ð_ H.textÇ È `.relocÊ@B.rsrcÐ_ `Ì@@ base_address: 0x00400000 process_identifier: 2408 process_handle: 0x00000338	1	1
WriteProcessMemory Aug. 31, 2021, 10:58 a.m.	buffer: base_address: 0x00402000 process_identifier: 2408 process_handle: 0x00000338	1	1
WriteProcessMemory Aug. 31, 2021, 10:58 a.m.	buffer: à7 base_address: 0x00420000 process_identifier: 2408 process_handle: 0x00000338	1	1
WriteProcessMemory Aug. 31, 2021, 10:58 a.m.	buffer: base_address: 0x00422000 process_identifier: 2408 process_handle: 0x00000338	1	1
WriteProcessMemory Aug. 31, 2021, 10:58 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2408 process_handle: 0x00000338	1	1
NtSetContextThread Aug. 31, 2021, 10:58 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000334 process_identifier: 2408	1	0
NtResumeThread Aug. 31, 2021, 10:58 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Aug. 31, 2021, 10:58 a.m.	thread_handle: 0x000003d0 suspend_count: 1 process_identifier: 2072	1	0
NtResumeThread Aug. 31, 2021, 11:19 a.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Aug. 31, 2021, 11:19 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2408	1	0
CreateProcessInternalW Aug. 31, 2021, 11:19 a.m.	thread_identifier: 2448 thread_handle: 0x00000218 process_identifier: 3052 current_directory: C:\Windows\Microsoft.NET\Framework\v2.0.50727 filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp159F.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000021c	1	1
CreateProcessInternalW Aug. 31, 2021, 11:19 a.m.	thread_identifier: 900 thread_handle: 0x00000218 process_identifier: 1172 current_directory: C:\Windows\Microsoft.NET\Framework\v2.0.50727 filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp168A.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000290	1	1
NtResumeThread Aug. 31, 2021, 11:19 a.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Aug. 31, 2021, 11:19 a.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Aug. 31, 2021, 11:19 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Aug. 31, 2021, 11:19 a.m.	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Aug. 31, 2021, 11:19 a.m.	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Aug. 31, 2021, 11:19 a.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Aug. 31, 2021, 11:19 a.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Aug. 31, 2021, 11:20 a.m.	thread_handle: 0x00000420 suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Aug. 31, 2021, 11:20 a.m.	thread_handle: 0x0000042c suspend_count: 1 process_identifier: 2408	1	0

plugmanzx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All