Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 4, 2021, 5:51 p.m.	Oct. 4, 2021, 5:56 p.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`a3fb8baaebd4544f3eca7dd0d4da2ad0`
SHA256	`ef5d3bb04b07f1706fc16d4604555812f31bb57d885302fe3a7d6a92261dec29`
CRC32	`4AED727A`
ssdeep	`12288:tP7HXGP2iNh7QqoWB6xdxwXdwW/Kb/oZhKR1uyw10NzWMd:tPb2P1X7QA6/iXWWSbgjq1LwiNzNd`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

HTG~0000098765434567-098765432345678987654567.exe "C:\Users\test22\AppData\Local\Temp\HTG~0000098765434567-098765432345678987654567.exe"
1068
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fgsbCktCS" /XML "C:\Users\test22\AppData\Local\Temp\tmp161C.tmp"
  2812
- RegSvcs.exe "{path}"
  240
  - schtasks.exe "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp19D5.tmp"
    2712
  - schtasks.exe "schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp1A92.tmp"
    2556

Name	Response	Post-Analysis Lookup
1116.hopto.org	A 185.140.53.9	185.140.53.9

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.140.53.9	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:64034 -> 8.8.8.8:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic
UDP 192.168.56.102:63780 -> 8.8.8.8:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic
UDP 192.168.56.102:58838 -> 8.8.8.8:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic
UDP 192.168.56.102:54322 -> 8.8.8.8:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic
UDP 192.168.56.102:61115 -> 8.8.8.8:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic
UDP 192.168.56.102:52062 -> 8.8.8.8:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic
UDP 192.168.56.102:59731 -> 8.8.8.8:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic
UDP 192.168.56.102:64472 -> 8.8.8.8:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 4, 2021, 5:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2021, 5:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2021, 5:54 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 4, 2021, 5:51 p.m.			0	0
IsDebuggerPresent Oct. 4, 2021, 5:51 p.m.			0	0
IsDebuggerPresent Oct. 4, 2021, 5:54 p.m.			0	0
IsDebuggerPresent Oct. 4, 2021, 5:54 p.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 4, 2021, 5:54 p.m.	buffer: SUCCESS: The scheduled task "Updates\fgsbCktCS" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 4, 2021, 5:54 p.m.	buffer: SUCCESS: The scheduled task "SMTP Host" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 4, 2021, 5:54 p.m.	buffer: SUCCESS: The scheduled task "SMTP Host Task" has successfully been created. console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 4, 2021, 5:51 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

1116.hopto.org

Allocates read-write-execute memory (usually to unpack itself) (50 out of 130 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00711000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f782000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00717000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00718000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:51 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00719000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06290000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06291000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0563f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06297000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06298000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06299000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0629a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0629b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0629c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0629d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0629e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x066d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x066d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064b0178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064b01a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064b01c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0653379e process_handle: 0xffffffff		3221225550

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\fgsbCktCS.exe

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fgsbCktCS" /XML "C:\Users\test22\AppData\Local\Temp\tmp161C.tmp"
cmdline	"schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp19D5.tmp"
cmdline	schtasks.exe /Create /TN "Updates\fgsbCktCS" /XML "C:\Users\test22\AppData\Local\Temp\tmp161C.tmp"
cmdline	"schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp1A92.tmp"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\fgsbCktCS.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 4, 2021, 5:52 p.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\fgsbCktCS" /XML "C:\Users\test22\AppData\Local\Temp\tmp161C.tmp" filepath: schtasks.exe	1	1
CreateProcessInternalW Oct. 4, 2021, 5:54 p.m.	thread_identifier: 1464 thread_handle: 0x000002c8 process_identifier: 2712 current_directory: C:\Windows\Microsoft.NET\Framework\v4.0.30319 filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp19D5.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002cc	1	1
CreateProcessInternalW Oct. 4, 2021, 5:54 p.m.	thread_identifier: 2564 thread_handle: 0x000002c8 process_identifier: 2556 current_directory: C:\Windows\Microsoft.NET\Framework\v4.0.30319 filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp1A92.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002d4	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 4, 2021, 5:52 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 4, 2021, 5:54 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fgsbCktCS" /XML "C:\Users\test22\AppData\Local\Temp\tmp161C.tmp"
cmdline	"schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp19D5.tmp"
cmdline	schtasks.exe /Create /TN "Updates\fgsbCktCS" /XML "C:\Users\test22\AppData\Local\Temp\tmp161C.tmp"
cmdline	"schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp1A92.tmp"

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer	Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 240 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000418	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 4, 2021, 5:54 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

RegSvcs.exe tried to sleep 3402019794 seconds, actually delayed analysis time by 3402019794 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Host

reg_value

C:\Program Files (x86)\SMTP Host\smtphost.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmp19D5.tmp

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 4, 2021, 5:52 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW Ð_ H.textÇ È `.relocÊ@B.rsrcÐ_ `Ì@@ base_address: 0x00400000 process_identifier: 240 process_handle: 0x00000418	1	1
WriteProcessMemory Oct. 4, 2021, 5:52 p.m.	buffer: à7 base_address: 0x00420000 process_identifier: 240 process_handle: 0x00000418	1	1
WriteProcessMemory Oct. 4, 2021, 5:52 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 240 process_handle: 0x00000418	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 4, 2021, 5:52 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW Ð_ H.textÇ È `.relocÊ@B.rsrcÐ_ `Ì@@ base_address: 0x00400000 process_identifier: 240 process_handle: 0x00000418	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1068 called NtSetContextThread to modify thread in remote process 240
NtSetContextThread Oct. 4, 2021, 5:52 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000041c process_identifier: 240	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1068 resumed a thread in remote process 240
NtResumeThread Oct. 4, 2021, 5:52 p.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 240	1	0	0

Executed a process and injected code into it, probably while unpacking (39 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 4, 2021, 5:51 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1068	1	0
NtResumeThread Oct. 4, 2021, 5:51 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1068	1	0
NtResumeThread Oct. 4, 2021, 5:51 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 1068	1	0
NtResumeThread Oct. 4, 2021, 5:51 p.m.	thread_handle: 0x000003ac suspend_count: 1 process_identifier: 1068	1	0
NtGetContextThread Oct. 4, 2021, 5:51 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Oct. 4, 2021, 5:51 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1068	1	0
NtResumeThread Oct. 4, 2021, 5:52 p.m.	thread_handle: 0x000003ac suspend_count: 1 process_identifier: 1068	1	0
NtGetContextThread Oct. 4, 2021, 5:52 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Oct. 4, 2021, 5:52 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Oct. 4, 2021, 5:52 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1068	1	0
CreateProcessInternalW Oct. 4, 2021, 5:52 p.m.	thread_identifier: 2412 thread_handle: 0x00000430 process_identifier: 2812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fgsbCktCS" /XML "C:\Users\test22\AppData\Local\Temp\tmp161C.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000434	1	1
CreateProcessInternalW Oct. 4, 2021, 5:52 p.m.	thread_identifier: 424 thread_handle: 0x0000041c process_identifier: 240 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: "{path}" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000418	1	1
NtGetContextThread Oct. 4, 2021, 5:52 p.m.	thread_handle: 0x0000041c	1	0
NtAllocateVirtualMemory Oct. 4, 2021, 5:52 p.m.	process_identifier: 240 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000418	1	0
WriteProcessMemory Oct. 4, 2021, 5:52 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW Ð_ H.textÇ È `.relocÊ@B.rsrcÐ_ `Ì@@ base_address: 0x00400000 process_identifier: 240 process_handle: 0x00000418	1	1
WriteProcessMemory Oct. 4, 2021, 5:52 p.m.	buffer: base_address: 0x00402000 process_identifier: 240 process_handle: 0x00000418	1	1
WriteProcessMemory Oct. 4, 2021, 5:52 p.m.	buffer: à7 base_address: 0x00420000 process_identifier: 240 process_handle: 0x00000418	1	1
WriteProcessMemory Oct. 4, 2021, 5:52 p.m.	buffer: base_address: 0x00422000 process_identifier: 240 process_handle: 0x00000418	1	1
WriteProcessMemory Oct. 4, 2021, 5:52 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 240 process_handle: 0x00000418	1	1
NtSetContextThread Oct. 4, 2021, 5:52 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000041c process_identifier: 240	1	0
NtResumeThread Oct. 4, 2021, 5:52 p.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Oct. 4, 2021, 5:52 p.m.	thread_handle: 0x0000043c suspend_count: 1 process_identifier: 1068	1	0
NtResumeThread Oct. 4, 2021, 5:54 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Oct. 4, 2021, 5:54 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Oct. 4, 2021, 5:54 p.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 240	1	0
CreateProcessInternalW Oct. 4, 2021, 5:54 p.m.	thread_identifier: 1464 thread_handle: 0x000002c8 process_identifier: 2712 current_directory: C:\Windows\Microsoft.NET\Framework\v4.0.30319 filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp19D5.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002cc	1	1
CreateProcessInternalW Oct. 4, 2021, 5:54 p.m.	thread_identifier: 2564 thread_handle: 0x000002c8 process_identifier: 2556 current_directory: C:\Windows\Microsoft.NET\Framework\v4.0.30319 filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp1A92.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002d4	1	1
NtResumeThread Oct. 4, 2021, 5:54 p.m.	thread_handle: 0x000002f0 suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Oct. 4, 2021, 5:54 p.m.	thread_handle: 0x00000308 suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Oct. 4, 2021, 5:54 p.m.	thread_handle: 0x00000344 suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Oct. 4, 2021, 5:54 p.m.	thread_handle: 0x000003b4 suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Oct. 4, 2021, 5:54 p.m.	thread_handle: 0x000003c8 suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Oct. 4, 2021, 5:54 p.m.	thread_handle: 0x000003e0 suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Oct. 4, 2021, 5:54 p.m.	thread_handle: 0x000003f8 suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Oct. 4, 2021, 5:55 p.m.	thread_handle: 0x00000418 suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Oct. 4, 2021, 5:55 p.m.	thread_handle: 0x00000428 suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Oct. 4, 2021, 5:55 p.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Oct. 4, 2021, 5:55 p.m.	thread_handle: 0x0000046c suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Oct. 4, 2021, 5:55 p.m.	thread_handle: 0x00000460 suspend_count: 1 process_identifier: 240	1	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (14 events)

dead_host	192.168.56.102:49173
dead_host	192.168.56.102:49184
dead_host	192.168.56.102:49178
dead_host	192.168.56.102:49185
dead_host	192.168.56.102:49179
dead_host	192.168.56.102:49176
dead_host	192.168.56.102:49177
dead_host	192.168.56.102:49182
dead_host	192.168.56.102:49183
dead_host	192.168.56.102:49180
dead_host	192.168.56.102:49174
dead_host	192.168.56.102:49181
dead_host	192.168.56.102:49175
dead_host	185.140.53.9:1116

HTG~0000098765434567-098765432345678987654567.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All