Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 28, 2021, 3:56 p.m.	Sept. 28, 2021, 4:01 p.m.

Size	651.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`b397c9903b6967ddf77f6d484a4b4d4b`
SHA256	`13d663f025043643b4e8acfc02a05cb2286acc064bb95fafd05dff473f38b438`
CRC32	`A9E4E9A1`
ssdeep	`12288:Fzhz/Ni+hBr7IUAGUIjbyCd2jxKYJl05Gynz4wgdLLyLfR:FBNi+hBr8UAGdzQ5Jl05G2El+`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2024
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UqrLdZUJVVXo" /XML "C:\Users\test22\AppData\Local\Temp\tmpE8A.tmp"
  2256
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  456

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 28, 2021, 3:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 28, 2021, 3:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 28, 2021, 3:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 28, 2021, 3:56 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 28, 2021, 3:56 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 28, 2021, 3:56 p.m.			0	0
IsDebuggerPresent Sept. 28, 2021, 3:56 p.m.			0	0
IsDebuggerPresent Sept. 28, 2021, 3:56 p.m.			0	0
IsDebuggerPresent Sept. 28, 2021, 3:56 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 28, 2021, 3:56 p.m.	buffer: ERROR: console_handle: 0x0000000b	1	1	0
WriteConsoleW Sept. 28, 2021, 3:56 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 28, 2021, 3:56 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 28, 2021, 3:56 p.m.	stacktrace: 0x5117d8 0x511003 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72b02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72b1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72b12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72bc74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72bc7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72c51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72c51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72c51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72c5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7405f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 4b d7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x511c4b registers.esp: 3928656 registers.edi: 3928680 registers.eax: 0 registers.ebp: 3928692 registers.edx: 195 registers.ebx: 3928948 registers.esi: 37226364 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 28, 2021, 3:56 p.m.

stacktrace:

0x5117d8
0x511003
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72b02652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72b1264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72b12e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72bc74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72bc7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72c51dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72c51e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72c51f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72c5416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7405f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 4b d7
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x511c4b
registers.esp: 3928656
registers.edi: 3928680
registers.eax: 0
registers.ebp: 3928692
registers.edx: 195
registers.ebx: 3928948
registers.esi: 37226364
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 64 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00971000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fd02000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00972000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00973000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00974000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b02000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00511000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UqrLdZUJVVXo" /XML "C:\Users\test22\AppData\Local\Temp\tmpE8A.tmp"
cmdline	schtasks.exe /Create /TN "Updates\UqrLdZUJVVXo" /XML "C:\Users\test22\AppData\Local\Temp\tmpE8A.tmp"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 28, 2021, 3:56 p.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\UqrLdZUJVVXo" /XML "C:\Users\test22\AppData\Local\Temp\tmpE8A.tmp" filepath: schtasks.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000a2000', u'virtual_address': u'0x00002000', u'entropy': 7.2112615912688725, u'name': u'.text', u'virtual_size': u'0x000a1f2c'}

entropy

7.21126159127

description

A section with a high entropy has been found

entropy

0.99615680246

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 28, 2021, 3:56 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UqrLdZUJVVXo" /XML "C:\Users\test22\AppData\Local\Temp\tmpE8A.tmp"
cmdline	schtasks.exe /Create /TN "Updates\UqrLdZUJVVXo" /XML "C:\Users\test22\AppData\Local\Temp\tmpE8A.tmp"

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000031c	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 28, 2021, 3:56 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

vbc.exe tried to sleep 10912886 seconds, actually delayed analysis time by 10912886 seconds

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 28, 2021, 3:56 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÐ¸HaàXv @ À@<vOP H.textV X `.rsrcPZ@@.reloc `@B base_address: 0x00400000 process_identifier: 456 process_handle: 0x0000031c	1	1
WriteProcessMemory Sept. 28, 2021, 3:56 p.m.	buffer: 8Ph ¼`ê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNameoVUwVNkOVZaHPfXfBSzldJXjsMEUYVguZqxo.exe(LegalCopyright \|)OriginalFilenameoVUwVNkOVZaHPfXfBSzldJXjsMEUYVguZqxo.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 456 process_handle: 0x0000031c	1	1
WriteProcessMemory Sept. 28, 2021, 3:56 p.m.	buffer: p6 base_address: 0x0043a000 process_identifier: 456 process_handle: 0x0000031c	1	1
WriteProcessMemory Sept. 28, 2021, 3:56 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 456 process_handle: 0x0000031c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 28, 2021, 3:56 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÐ¸HaàXv @ À@<vOP H.textV X `.rsrcPZ@@.reloc `@B base_address: 0x00400000 process_identifier: 456 process_handle: 0x0000031c	1	1	0

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.b397c9903b6967dd
Cylance	Unsafe
Symantec	Scr.Malcode!gdn30
APEX	Malicious
Paloalto	generic.ml
McAfee-GW-Edition	BehavesLike.Win32.Fareit.jc
Microsoft	Trojan:MSIL/AgentTesla.CXR!MTB
Cynet	Malicious (score: 100)
Malwarebytes	MachineLearning/Anomalous.95%
SentinelOne	Static AI - Malicious PE

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2024 called NtSetContextThread to modify thread in remote process 456
NtSetContextThread Sept. 28, 2021, 3:56 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421262 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000320 process_identifier: 456	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2024 resumed a thread in remote process 456
NtResumeThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 456	1	0	0

Executed a process and injected code into it, probably while unpacking (24 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2024	1	0
NtResumeThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2024	1	0
NtResumeThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2024	1	0
CreateProcessInternalW Sept. 28, 2021, 3:56 p.m.	thread_identifier: 2312 thread_handle: 0x000003c0 process_identifier: 2256 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UqrLdZUJVVXo" /XML "C:\Users\test22\AppData\Local\Temp\tmpE8A.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003c4	1	1
CreateProcessInternalW Sept. 28, 2021, 3:56 p.m.	thread_identifier: 532 thread_handle: 0x00000320 process_identifier: 456 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000031c	1	1
NtGetContextThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x00000320	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 456 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000031c	1	0
WriteProcessMemory Sept. 28, 2021, 3:56 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÐ¸HaàXv @ À@<vOP H.textV X `.rsrcPZ@@.reloc `@B base_address: 0x00400000 process_identifier: 456 process_handle: 0x0000031c	1	1
WriteProcessMemory Sept. 28, 2021, 3:56 p.m.	buffer: base_address: 0x00402000 process_identifier: 456 process_handle: 0x0000031c	1	1
WriteProcessMemory Sept. 28, 2021, 3:56 p.m.	buffer: 8Ph ¼`ê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNameoVUwVNkOVZaHPfXfBSzldJXjsMEUYVguZqxo.exe(LegalCopyright \|)OriginalFilenameoVUwVNkOVZaHPfXfBSzldJXjsMEUYVguZqxo.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 456 process_handle: 0x0000031c	1	1
WriteProcessMemory Sept. 28, 2021, 3:56 p.m.	buffer: p6 base_address: 0x0043a000 process_identifier: 456 process_handle: 0x0000031c	1	1
WriteProcessMemory Sept. 28, 2021, 3:56 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 456 process_handle: 0x0000031c	1	1
NtSetContextThread Sept. 28, 2021, 3:56 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421262 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000320 process_identifier: 456	1	0
NtResumeThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 456	1	0
NtResumeThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 456	1	0
NtResumeThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 456	1	0
NtResumeThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x000001d0 suspend_count: 1 process_identifier: 456	1	0
NtResumeThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 456	1	0
NtResumeThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 456	1	0
NtResumeThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 456	1	0
NtResumeThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x00000418 suspend_count: 1 process_identifier: 456	1	0
NtResumeThread Sept. 28, 2021, 3:57 p.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 456	1	0
NtResumeThread Sept. 28, 2021, 3:57 p.m.	thread_handle: 0x0000040c suspend_count: 1 process_identifier: 456	1	0
NtResumeThread Sept. 28, 2021, 3:57 p.m.	thread_handle: 0x0000040c suspend_count: 1 process_identifier: 456	1	0

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All