Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 6, 2021, 1:23 p.m.	Oct. 6, 2021, 1:25 p.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`06d3c19201d5c4fd9d069605dd46c514`
SHA256	`1099a18ab2009c2817a70cb595718bf8a99ace8d8b6f90967a6becb8ef381f5b`
CRC32	`9DDE1C72`
ssdeep	`24576:Efxgfj9xaYk1yr8j6+1SmQZrOyK9tFik2dv9xq9qNnWPZPdE:E8kI667Ky0fik2dvu9a`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description)

aeopmguywjffmigwnfbefrvgqg.exe "C:\Users\test22\AppData\Local\Temp\aeopmguywjffmigwnfbefrvgqg.exe"
112
- cmd.exe "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\test22\AppData\Local\Temp\aeopmguywjffmigwnfbefrvgqg.exe":ZONE.identifier & exit
  2236
- cssrr.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe"
  2364
  - cmd.exe "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe":ZONE.identifier & exit
    668
  - cssrr.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe"
    2552

Name	Response	Post-Analysis Lookup
ommerishere.sytes.net
sommerishere.sytes.net	A 212.192.246.92	212.192.246.92

IP Address	Status	Action
164.124.101.2	Active	Moloch
212.192.246.92	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 6, 2021, 1:23 p.m.			0	0
IsDebuggerPresent Oct. 6, 2021, 1:23 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 6, 2021, 1:23 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (2 events)

domain	sommerishere.sytes.net
domain	ommerishere.sytes.net

Allocates read-write-execute memory (usually to unpack itself) (50 out of 61 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72831000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72832000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00533000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00534000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00535000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f122000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00741000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72281000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72282000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00402000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a suspicious process (4 events)

cmdline	cmd.exe /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\test22\AppData\Local\Temp\aeopmguywjffmigwnfbefrvgqg.exe":ZONE.identifier & exit
cmdline	"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe":ZONE.identifier & exit
cmdline	cmd.exe /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe":ZONE.identifier & exit
cmdline	"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\test22\AppData\Local\Temp\aeopmguywjffmigwnfbefrvgqg.exe":ZONE.identifier & exit

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 6, 2021, 1:23 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\test22\AppData\Local\Temp\aeopmguywjffmigwnfbefrvgqg.exe":ZONE.identifier & exit filepath: cmd.exe	1	1	0
ShellExecuteExW Oct. 6, 2021, 1:23 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe":ZONE.identifier & exit filepath: cmd.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0011c000', u'virtual_address': u'0x00002000', u'entropy': 7.997381418791715, u'name': u'.text', u'virtual_size': u'0x0011b3a4'}

entropy

7.99738141879

description

A section with a high entropy has been found

entropy

0.986111111111

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (10 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 6, 2021, 1:23 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2021, 1:23 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2021, 1:23 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2021, 1:23 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2021, 1:23 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2021, 1:23 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2021, 1:23 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2021, 1:23 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2021, 1:23 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2021, 1:23 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

Yara rule detected in process memory (24 events)

description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Hijack network configuration	rule	Hijack_Network
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Disable AntiVirus	rule	disable_antivirus
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence

Modifies the ZoneTransfer.ZoneID in Zone.Identifier ADS, generally to disable security warnings (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Oct. 6, 2021, 1:23 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000084 filepath: C:\Users\test22\AppData\Local\Temp\aeopmguywjffmigwnfbefrvgqg.exe:ZONE.identifier desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 128 (FILE_ATTRIBUTE_NORMAL) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\aeopmguywjffmigwnfbefrvgqg.exe:ZONE.identifier create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0
NtWriteFile Oct. 6, 2021, 1:23 p.m.	buffer: [zoneTransfer]ZoneID = 2 offset: 0 file_handle: 0x00000084 filepath:	1	0	0

Creates an Alternate Data Stream (ADS) (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe:ZONE.identifier
file	C:\Users\test22\AppData\Local\Temp\aeopmguywjffmigwnfbefrvgqg.exe:ZONE.identifier

Allocates execute permission to another process indicative of possible code injection (10 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2552 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380	1
NtProtectVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 581632 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0x00000380	1
NtProtectVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048f000 process_handle: 0x00000380	1
NtProtectVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00491000 process_handle: 0x00000380	1
NtProtectVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00495000 process_handle: 0x00000380	1
NtProtectVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049d000 process_handle: 0x00000380	1
NtProtectVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a2000 process_handle: 0x00000380	1
NtProtectVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a3000 process_handle: 0x00000380	1
NtProtectVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 36864 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a4000 process_handle: 0x00000380	1
NtProtectVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ad000 process_handle: 0x00000380	1

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cssrr				reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cssrr				reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe

Creates known Fynloski/DarkComet files, registry keys and/or mutexes (3 events)

mutex	DC_MUTEX-3YA4GBR
regkey	HKEY_CURRENT_USER\Software\DC3_FEXEC
regkey	HKEY_CURRENT_USER\Software\DC2_USERS

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 6, 2021, 1:23 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL ùÏÐOàôRø @ @Ð @AÐ B@ Ü0 ¤Ü è .textðØÚ `.itextTðÞ `.data<= >ø@À.bsstP 6 À.idata@AÐ B6 @À.tls8 x À.rdata0 x @@.relocÜ@ z @B.rsrcBÐ D @@F @@ base_address: 0x00400000 process_identifier: 2552 process_handle: 0x00000380	1	1
WriteProcessMemory Oct. 6, 2021, 1:23 p.m.	buffer: J8 J¸I0J base_address: 0x004a3000 process_identifier: 2552 process_handle: 0x00000380	1	1
WriteProcessMemory Oct. 6, 2021, 1:23 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2552 process_handle: 0x00000380	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 6, 2021, 1:23 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL ùÏÐOàôRø @ @Ð @AÐ B@ Ü0 ¤Ü è .textðØÚ `.itextTðÞ `.data<= >ø@À.bsstP 6 À.idata@AÐ B6 @À.tls8 x À.rdata0 x @@.relocÜ@ z @B.rsrcBÐ D @@F @@ base_address: 0x00400000 process_identifier: 2552 process_handle: 0x00000380	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Oct. 6, 2021, 1:23 p.m.	thread_identifier: 0 callback_function: 0x004818f8 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	3015253	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2364 called NtSetContextThread to modify thread in remote process 2552
NtSetContextThread Oct. 6, 2021, 1:23 p.m.	registers.eip: 2000355780 registers.esp: 3144904 registers.edi: 0 registers.eax: 4782216 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000037c process_identifier: 2552	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2364 resumed a thread in remote process 2552
NtResumeThread Oct. 6, 2021, 1:23 p.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 2552	1	0	0

Executed a process and injected code into it, probably while unpacking (26 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 6, 2021, 1:23 p.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 112	1	0
NtResumeThread Oct. 6, 2021, 1:23 p.m.	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 112	1	0
CreateProcessInternalW Oct. 6, 2021, 1:23 p.m.	thread_identifier: 1836 thread_handle: 0x00000360 process_identifier: 2236 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\test22\AppData\Local\Temp\aeopmguywjffmigwnfbefrvgqg.exe":ZONE.identifier & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000358	1	1
CreateProcessInternalW Oct. 6, 2021, 1:23 p.m.	thread_identifier: 1460 thread_handle: 0x000003e0 process_identifier: 2364 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d4	1	1
NtResumeThread Oct. 6, 2021, 1:23 p.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2364	1	0
NtResumeThread Oct. 6, 2021, 1:23 p.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 2364	1	0
CreateProcessInternalW Oct. 6, 2021, 1:23 p.m.	thread_identifier: 2324 thread_handle: 0x00000368 process_identifier: 668 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe":ZONE.identifier & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000360	1	1
CreateProcessInternalW Oct. 6, 2021, 1:23 p.m.	thread_identifier: 1316 thread_handle: 0x0000037c process_identifier: 2552 current_directory: filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000380	1	1
NtUnmapViewOfSection Oct. 6, 2021, 1:23 p.m.	base_address: 0x00400000 region_size: 11927552 process_identifier: 2552 process_handle: 0x00000380		3221225497
NtAllocateVirtualMemory Oct. 6, 2021, 1:23 p.m.	process_identifier: 2552 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380	1	0
NtGetContextThread Oct. 6, 2021, 1:23 p.m.	thread_handle: 0x0000037c	1	0
WriteProcessMemory Oct. 6, 2021, 1:23 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL ùÏÐOàôRø @ @Ð @AÐ B@ Ü0 ¤Ü è .textðØÚ `.itextTðÞ `.data<= >ø@À.bsstP 6 À.idata@AÐ B6 @À.tls8 x À.rdata0 x @@.relocÜ@ z @B.rsrcBÐ D @@F @@ base_address: 0x00400000 process_identifier: 2552 process_handle: 0x00000380	1	1
WriteProcessMemory Oct. 6, 2021, 1:23 p.m.	buffer: base_address: 0x00401000 process_identifier: 2552 process_handle: 0x00000380	1	1
WriteProcessMemory Oct. 6, 2021, 1:23 p.m.	buffer: base_address: 0x0048f000 process_identifier: 2552 process_handle: 0x00000380	1	1
WriteProcessMemory Oct. 6, 2021, 1:23 p.m.	buffer: base_address: 0x00491000 process_identifier: 2552 process_handle: 0x00000380	1	1
WriteProcessMemory Oct. 6, 2021, 1:23 p.m.	buffer: base_address: 0x00495000 process_identifier: 2552 process_handle: 0x00000380		0
WriteProcessMemory Oct. 6, 2021, 1:23 p.m.	buffer: base_address: 0x0049d000 process_identifier: 2552 process_handle: 0x00000380	1	1
WriteProcessMemory Oct. 6, 2021, 1:23 p.m.	buffer: base_address: 0x004a2000 process_identifier: 2552 process_handle: 0x00000380		0
WriteProcessMemory Oct. 6, 2021, 1:23 p.m.	buffer: J8 J¸I0J base_address: 0x004a3000 process_identifier: 2552 process_handle: 0x00000380	1	1
WriteProcessMemory Oct. 6, 2021, 1:23 p.m.	buffer: base_address: 0x004a4000 process_identifier: 2552 process_handle: 0x00000380	1	1
WriteProcessMemory Oct. 6, 2021, 1:23 p.m.	buffer: base_address: 0x004ad000 process_identifier: 2552 process_handle: 0x00000380	1	1
WriteProcessMemory Oct. 6, 2021, 1:23 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2552 process_handle: 0x00000380	1	1
NtSetContextThread Oct. 6, 2021, 1:23 p.m.	registers.eip: 2000355780 registers.esp: 3144904 registers.edi: 0 registers.eax: 4782216 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000037c process_identifier: 2552	1	0
NtResumeThread Oct. 6, 2021, 1:23 p.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Oct. 6, 2021, 1:23 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Oct. 6, 2021, 1:23 p.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 2552	1	0

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.DownLoader11.21841
MicroWorld-eScan	Gen:Trojan.Mardom.MN.9
FireEye	Generic.mg.06d3c19201d5c4fd
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
Cybereason	malicious.201d5c
BitDefenderTheta	Gen:NN.ZemsilF.34170.in0@aK42iom
Symantec	Packed.Generic.484
ESET-NOD32	a variant of MSIL/Injector.EIU
APEX	Malicious
Avast	MSIL:GenMalicious-CH [Trj]
Kaspersky	HEUR:Backdoor.Win32.Generic
BitDefender	Gen:Trojan.Mardom.MN.9
Ad-Aware	Gen:Trojan.Mardom.MN.9
Emsisoft	Gen:Trojan.Mardom.MN.9 (B)
VIPRE	Trojan.MSIL.Injector.eng (v)
Sophos	ML/PE-A + Troj/dnSauce-G
Avira	TR/Dropper.MSIL.Gen
MAX	malware (ai score=82)
Microsoft	Trojan:Win32/Sabsik.TE.B!ml
GData	Gen:Trojan.Mardom.MN.9
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.MDA.R108379
ALYac	Gen:Trojan.Mardom.MN.9
Malwarebytes	MachineLearning/Anomalous.96%
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	MSIL/Injector.ENG!tr
AVG	MSIL:GenMalicious-CH [Trj]
CrowdStrike	win/malicious_confidence_100% (D)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (48 events)

dead_host	192.168.56.101:49245
dead_host	192.168.56.101:49222
dead_host	192.168.56.101:49253
dead_host	192.168.56.101:49231
dead_host	192.168.56.101:49233
dead_host	192.168.56.101:49211
dead_host	192.168.56.101:49242
dead_host	212.192.246.92:1678
dead_host	192.168.56.101:49219
dead_host	192.168.56.101:49237
dead_host	192.168.56.101:49250
dead_host	192.168.56.101:49215
dead_host	192.168.56.101:49246
dead_host	192.168.56.101:49223
dead_host	192.168.56.101:49254
dead_host	192.168.56.101:49224
dead_host	192.168.56.101:49234
dead_host	192.168.56.101:49207
dead_host	192.168.56.101:49228
dead_host	192.168.56.101:49238
dead_host	192.168.56.101:49251
dead_host	192.168.56.101:49208
dead_host	192.168.56.101:49247
dead_host	192.168.56.101:49216
dead_host	192.168.56.101:49212
dead_host	192.168.56.101:49225
dead_host	192.168.56.101:49235
dead_host	192.168.56.101:49220
dead_host	192.168.56.101:49229
dead_host	192.168.56.101:49239
dead_host	192.168.56.101:49209
dead_host	192.168.56.101:49217
dead_host	192.168.56.101:49248
dead_host	192.168.56.101:49213
dead_host	192.168.56.101:49226
dead_host	192.168.56.101:49244
dead_host	192.168.56.101:49221
dead_host	192.168.56.101:49252
dead_host	192.168.56.101:49230
dead_host	192.168.56.101:49232
dead_host	192.168.56.101:49210
dead_host	192.168.56.101:49241
dead_host	192.168.56.101:49205
dead_host	192.168.56.101:49218
dead_host	192.168.56.101:49236
dead_host	192.168.56.101:49249
dead_host	192.168.56.101:49214
dead_host	192.168.56.101:49227

aeopmguywjffmigwnfbefrvgqg.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All