Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 12, 2021, 2:46 p.m.	Sept. 12, 2021, 2:59 p.m.

Size	997.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`acd21a7406f672cff08dd839e32c996d`
SHA256	`8d255799a2ad2530d18df22d5d5a1ce951ac4189a17b15a2c95ebf20422f690b`
CRC32	`7623C0FB`
ssdeep	`24576:wFHG5irnFm8KL1gFY3te5wR3KnWJ1Qrbk:wsom8KyY3te50+WJub`
PDB Path	wextract.pdb
Yara	Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet

1.exe "C:\Users\test22\AppData\Local\Temp\1.exe"
2648
- dllhost.exe dllhost.exe
  2680
- cmd.exe cmd /c cmd < Sta.docx
  2800
  - cmd.exe cmd
    1460
    - findstr.exe findstr /V /R "^cpRioVCHzxPARhqNKZxUSxSjBROxGBfdTAAnUmNDiQEXIwXcFphmhdHqsEGduiwRymHdMCSkkQNeQUEmUaPbhQeCTmufTbvZPMSpxGJrdehvDFpvquv$" Conduco.docx
      556
    - Tutti.exe.com Tutti.exe.com s
      668
      - Tutti.exe.com C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Tutti.exe.com s
        2540
        
        RegAsm.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
        2056
    - PING.EXE ping localhost
      900

Name	Response	Post-Analysis Lookup
EpVldJKQEqP.EpVldJKQEqP

IP Address	Status	Action
164.124.101.2	Active	Moloch
77.232.36.56	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49216 -> 77.232.36.56:228	2028984	ET MALWARE Win32/1xxbot CnC Checkin	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 12, 2021, 2:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 12, 2021, 2:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 12, 2021, 2:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 12, 2021, 2:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 12, 2021, 2:57 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 12, 2021, 2:46 p.m.			0	0
IsDebuggerPresent Sept. 12, 2021, 2:46 p.m.			0	0
IsDebuggerPresent Sept. 12, 2021, 2:46 p.m.			0	0
IsDebuggerPresent Sept. 12, 2021, 2:57 p.m.			0	0
IsDebuggerPresent Sept. 12, 2021, 2:57 p.m.			0	0

Command line console output was observed (37 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: Set kqggRMlRRTnbwn=DESKTOP- console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: Set yvNZdsBTcxtemRvamOiwzTioQSQutiLOXTOxR=QO5QU33 console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: Set skwoeaJ=ping localhost console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: if %computername%==%kqggRMlRRTnbwn% cmd console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: Set EdalKrGnqDmOXywWHMHWmJnXanCPJFWYnHk=MZ console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: <nul set /p = "%EdalKrGnqDmOXywWHMHWmJnXanCPJFWYnHk%" > Tutti.exe.com console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: findstr /V /R "^cpRioVCHzxPARhqNKZxUSxSjBROxGBfdTAAnUmNDiQEXIwXcFphmhdHqsEGduiwRymHdMCSkkQNeQUEmUaPbhQeCTmufTbvZPMSpxGJrdehvDFpvquv$" Conduco.docx >> Tutti.exe.com console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: copy Impedire.docx s console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: start Tutti.exe.com s console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: %skwoeaJ% console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2021, 2:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleA Sept. 12, 2021, 2:46 p.m.	buffer: Pinging test22-PC [::1] console_handle: 0x00000007	1	1
WriteConsoleA Sept. 12, 2021, 2:46 p.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 12, 2021, 2:46 p.m.	buffer: Reply from ::1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 12, 2021, 2:46 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 12, 2021, 2:46 p.m.	buffer: Reply from ::1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 12, 2021, 2:46 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 12, 2021, 2:46 p.m.	buffer: Reply from ::1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 12, 2021, 2:46 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 12, 2021, 2:46 p.m.	buffer: Reply from ::1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 12, 2021, 2:46 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 12, 2021, 2:46 p.m.	buffer: Ping statistics for ::1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA Sept. 12, 2021, 2:46 p.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 12, 2021, 2:46 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (43 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72672000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70beb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72031000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72032000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00952000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00985000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0098b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00987000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0096c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7202a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0095a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00976000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73361000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e3f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00977000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d66000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0095c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0096a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 12, 2021, 2:57 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d11000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Sept. 12, 2021, 2:46 p.m.	number_of_free_clusters: 3351069 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW Sept. 12, 2021, 2:46 p.m.	number_of_free_clusters: 3351069 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Creates (office) documents on the filesystem (5 events)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Conduco.docx
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Impedire.docx
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Sta.docx
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Appartiene.docx
file	C:\Users\test22\AppData\Roaming\xXxfXyagDb\Appartiene.docx

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\xXxfXyagDb\SQduBsfVQd.exe.com
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Tutti.exe.com
file	C:\Users\test22\AppData\Roaming\xXxfXyagDb\fMqIHkoDMfpv.js

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Tutti.exe.com

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Tutti.exe.com

Executes one or more WMI queries (3 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_Processor
wmi	SELECT Caption FROM Win32_OperatingSystem

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000f1000', u'virtual_address': u'0x0000c000', u'entropy': 7.779473831216745, u'name': u'.rsrc', u'virtual_size': u'0x000f0e2e'}

entropy

7.77947383122

description

A section with a high entropy has been found

entropy

0.967385850477

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (32 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Hijack network configuration	rule	Hijack_Network
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

ping localhost

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 8cfe6dad8710775ca1e35659a541d9d7c256adcb

Communicates with host for which no DNS query was performed (1 event)

host

77.232.36.56

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 90112 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 process_handle: 0x00000220	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 12, 2021, 2:57 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

RegAsm.exe tried to sleep 2728384 seconds, actually delayed analysis time by 2728384 seconds

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0				reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SQduBsfVQd.url

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 12, 2021, 2:46 p.m.	buffer: ÿÿÿÿû~(ü~Pý~mèÿÿ jHâý~± base_address: 0x7efde000 process_identifier: 2056 process_handle: 0x00000220	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2540 called NtSetContextThread to modify thread in remote process 2056
NtSetContextThread Sept. 12, 2021, 2:46 p.m.	registers.eip: 2000355780 registers.esp: 3603856 registers.edi: 0 registers.eax: 1118190 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000214 process_identifier: 2056	1	0	0

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (5 events)

Time & API	Arguments	Status	Return
CryptHashData Sept. 12, 2021, 2:57 p.m.	buffer: Intel(R) Core(TM) i5-8400 CPU @ 2.80GHztest22?? VGA ??? ???TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 1test22-PC hash_handle: 0x0041aef8 flags: 0	1	1
CryptHashData Sept. 12, 2021, 2:57 p.m.	buffer: Intel(R) Core(TM) i5-8400 CPU @ 2.80GHztest22?? VGA ??? ???TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 1test22-PC hash_handle: 0x0041aef8 flags: 0	1	1
CryptHashData Sept. 12, 2021, 2:57 p.m.	buffer: Intel(R) Core(TM) i5-8400 CPU @ 2.80GHztest22?? VGA ??? ???TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 1test22-PC hash_handle: 0x0041aef8 flags: 0	1	1
CryptHashData Sept. 12, 2021, 2:57 p.m.	buffer: Intel(R) Core(TM) i5-8400 CPU @ 2.80GHztest22?? VGA ??? ???TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 1test22-PC hash_handle: 0x0041aef8 flags: 0	1	1
CryptHashData Sept. 12, 2021, 2:57 p.m.	buffer: Intel(R) Core(TM) i5-8400 CPU @ 2.80GHztest22?? VGA ??? ???TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 1test22-PC hash_handle: 0x0041aef8 flags: 0	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1460 resumed a thread in remote process 668
NtResumeThread Sept. 12, 2021, 2:46 p.m.	thread_handle: 0x00000090 suspend_count: 0 process_identifier: 668	1	0	0

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Fragtor.16654
FireEye	Generic.mg.acd21a7406f672cf
McAfee	Artemis!ACD21A7406F6
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_60% (W)
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Fragtor.16654
Ad-Aware	Gen:Variant.Fragtor.16654
Emsisoft	Gen:Variant.Fragtor.16654 (B)
McAfee-GW-Edition	BehavesLike.Win32.BadFile.dc
Sophos	ML/PE-A
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_97%
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Cynet	Malicious (score: 100)
MAX	malware (ai score=83)
Malwarebytes	Trojan.Agent.HDC.Generic
Cybereason	malicious.2bd5f8

Executed a process and injected code into it, probably while unpacking (26 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 12, 2021, 2:46 p.m.	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 2648	1	0
CreateProcessInternalW Sept. 12, 2021, 2:46 p.m.	thread_identifier: 2208 thread_handle: 0x0000013c process_identifier: 2680 current_directory: filepath: track: 1 command_line: dllhost.exe filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Sept. 12, 2021, 2:46 p.m.	thread_identifier: 2252 thread_handle: 0x00000138 process_identifier: 2800 current_directory: filepath: track: 1 command_line: cmd /c cmd < Sta.docx filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Sept. 12, 2021, 2:46 p.m.	thread_identifier: 1512 thread_handle: 0x00000088 process_identifier: 1460 current_directory: C:\Users\test22\AppData\Local\Temp\IXP000.TMP filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Sept. 12, 2021, 2:46 p.m.	thread_identifier: 2760 thread_handle: 0x0000008c process_identifier: 556 current_directory: C:\Users\test22\AppData\Local\Temp\IXP000.TMP filepath: C:\Windows\System32\findstr.exe track: 1 command_line: findstr /V /R "^cpRioVCHzxPARhqNKZxUSxSjBROxGBfdTAAnUmNDiQEXIwXcFphmhdHqsEGduiwRymHdMCSkkQNeQUEmUaPbhQeCTmufTbvZPMSpxGJrdehvDFpvquv$" Conduco.docx filepath_r: C:\Windows\system32\findstr.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW Sept. 12, 2021, 2:46 p.m.	thread_identifier: 2092 thread_handle: 0x00000090 process_identifier: 668 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Tutti.exe.com track: 1 command_line: Tutti.exe.com s filepath_r: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Tutti.exe.com stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
NtResumeThread Sept. 12, 2021, 2:46 p.m.	thread_handle: 0x00000090 suspend_count: 0 process_identifier: 668	1	0
CreateProcessInternalW Sept. 12, 2021, 2:46 p.m.	thread_identifier: 1276 thread_handle: 0x00000094 process_identifier: 900 current_directory: C:\Users\test22\AppData\Local\Temp\IXP000.TMP filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping localhost filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Sept. 12, 2021, 2:46 p.m.	thread_identifier: 2492 thread_handle: 0x0000013c process_identifier: 2540 current_directory: C:\Users\test22\AppData\Local\Temp\IXP000.TMP filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Tutti.exe.com s filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000140	1	1
CreateProcessInternalW Sept. 12, 2021, 2:46 p.m.	thread_identifier: 3016 thread_handle: 0x00000214 process_identifier: 2056 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\RegAsm.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000220	1	1
NtGetContextThread Sept. 12, 2021, 2:46 p.m.	thread_handle: 0x00000214	1	0
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 2056 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00100000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220	1	0
WriteProcessMemory Sept. 12, 2021, 2:46 p.m.	buffer: base_address: 0x00100000 process_identifier: 2056 process_handle: 0x00000220	1	1
WriteProcessMemory Sept. 12, 2021, 2:46 p.m.	buffer: ÿÿÿÿû~(ü~Pý~mèÿÿ jHâý~± base_address: 0x7efde000 process_identifier: 2056 process_handle: 0x00000220	1	1
NtSetContextThread Sept. 12, 2021, 2:46 p.m.	registers.eip: 2000355780 registers.esp: 3603856 registers.edi: 0 registers.eax: 1118190 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000214 process_identifier: 2056	1	0
NtResumeThread Sept. 12, 2021, 2:57 p.m.	thread_handle: 0x00000178 suspend_count: 1 process_identifier: 2056	1	0
NtResumeThread Sept. 12, 2021, 2:57 p.m.	thread_handle: 0x000001e8 suspend_count: 1 process_identifier: 2056	1	0
NtResumeThread Sept. 12, 2021, 2:57 p.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 2056	1	0
NtResumeThread Sept. 12, 2021, 2:57 p.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 2056	1	0
NtResumeThread Sept. 12, 2021, 2:57 p.m.	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 2056	1	0
NtResumeThread Sept. 12, 2021, 2:57 p.m.	thread_handle: 0x000003ac suspend_count: 1 process_identifier: 2056	1	0
NtResumeThread Sept. 12, 2021, 2:57 p.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 2056	1	0
NtResumeThread Sept. 12, 2021, 2:57 p.m.	thread_handle: 0x00000424 suspend_count: 1 process_identifier: 2056	1	0
NtResumeThread Sept. 12, 2021, 2:57 p.m.	thread_handle: 0x00000440 suspend_count: 1 process_identifier: 2056	1	0
NtResumeThread Sept. 12, 2021, 2:57 p.m.	thread_handle: 0x00000464 suspend_count: 1 process_identifier: 2056	1	0
NtResumeThread Sept. 12, 2021, 2:57 p.m.	thread_handle: 0x00000484 suspend_count: 1 process_identifier: 2056	1	0

1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All