Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 7, 2021, 6:15 p.m.	Oct. 7, 2021, 6:20 p.m.

Size	741.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`168f3e8c4657a0fe90a2338f3971f6ed`
SHA256	`4516c9c0ddb065499deebd838a540453791e16aced69440affd2fae31c089262`
CRC32	`4AC2B38A`
ssdeep	`6144:d/QiQXCLg5m+ksmpk3U9j0I0KsoxvjFEOTb9WmZX/8shzdsY4CpHPhnC1B2Dxk:VQi3Uc6m6UR0IXp1hf39Wkv8xwJHK`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

Sharefolder.exe "C:\Users\test22\AppData\Local\Temp\Sharefolder.exe"
620
- Sharefolder.tmp "C:\Users\test22\AppData\Local\Temp\is-BAPBB.tmp\Sharefolder.tmp" /SL5="$C0240,506127,422400,C:\Users\test22\AppData\Local\Temp\Sharefolder.exe"
  204
  - Adam.exe "C:\Users\test22\AppData\Local\Temp\is-ME5U6.tmp\Adam.exe" /S /UID=2709
    2876
    - foldershare.exe "C:\Program Files\Uninstall Information\ZPXEDYHKNM\foldershare.exe" /VERYSILENT
      1460
    - Sekykuvyga.exe "C:\Users\test22\AppData\Local\Temp\f7-e81b5-b12-928be-1eb40b84d7c26\Sekykuvyga.exe"
      200
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        2064
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2064 CREDAT:145409
        2632
    - Bedikyriji.exe "C:\Users\test22\AppData\Local\Temp\37-9334e-c87-3408a-1544a83382ac3\Bedikyriji.exe"
      2088
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
requestimedout.com	A 162.255.117.78	162.255.117.78
i.spesgrt.com	A 104.21.88.226 A 172.67.153.179	172.67.153.179
apps.identrust.com	CNAME apps.identrust.com.s3-website-us-east-1.amazonaws.com CNAME s3-website.us-east-1.amazonaws.com A 52.217.161.205 A 52.217.201.37	52.216.176.194
www.profitabletrustednetwork.com	A 192.243.59.12 A 192.243.59.13	192.243.59.12
www.google.com	A 142.250.204.36	172.217.175.4
connectini.net	A 162.0.210.44	162.0.210.44
source3.boys4dayz.com	A 172.67.148.61 A 104.21.33.188	104.21.33.188
google.com	A 142.250.66.46	216.58.220.110
storewebitems.tech	A 5.182.39.146	5.182.39.146
safialinks.com	A 162.0.214.42	162.0.214.42
fscloud.su	A 104.21.47.231 A 172.67.174.119	104.21.47.231

IP Address	Status	Action
142.250.204.36	Active	Moloch
142.250.66.46	Active	Moloch
162.0.210.44	Active	Moloch
162.0.214.42	Active	Moloch
162.255.117.78	Active	Moloch
164.124.101.2	Active	Moloch
192.243.59.13	Active	Moloch
194.145.227.159	Active	Moloch
52.217.161.205	Active	Moloch
52.217.201.37	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49204 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.0.214.42:80 -> 192.168.56.101:49199	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 162.0.214.42:80 -> 192.168.56.101:49205	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 162.0.214.42:80 -> 192.168.56.101:49205	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 162.0.214.42:80 -> 192.168.56.101:49209	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 162.0.214.42:80 -> 192.168.56.101:49209	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 162.0.214.42:80 -> 192.168.56.101:49205	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49225 -> 192.243.59.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:55629 -> 164.124.101.2:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 162.0.214.42:80 -> 192.168.56.101:49207	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.101:49226 -> 192.243.59.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.0.214.42:80 -> 192.168.56.101:49207	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49218 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49239 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49204 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf
TLSv1 192.168.56.101:49225 192.243.59.13:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	f6:6e:60:ea:2a:db:be:a8:de:83:15:6d:ed:6f:8a:17:77:20:36:46
TLSv1 192.168.56.101:49226 192.243.59.13:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	f6:6e:60:ea:2a:db:be:a8:de:83:15:6d:ed:6f:8a:17:77:20:36:46
TLSv1 192.168.56.101:49218 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf
TLSv1 192.168.56.101:49239 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 7, 2021, 6:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 7, 2021, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 7, 2021, 6:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 7, 2021, 6:16 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 7, 2021, 6:15 p.m.			0	0
IsDebuggerPresent Oct. 7, 2021, 6:08 p.m.			0	0
IsDebuggerPresent Oct. 7, 2021, 6:09 p.m.			0	0
IsDebuggerPresent Oct. 7, 2021, 6:16 p.m.			0	0
IsDebuggerPresent Oct. 7, 2021, 6:16 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 7, 2021, 6:15 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 7, 2021, 6:16 p.m.	stacktrace: sharefolder+0x816a8 @ 0x4816a8 sharefolder+0x99c13 @ 0x499c13 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedface exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1637924 registers.edi: 4523332 registers.eax: 1637924 registers.ebp: 1638004 registers.edx: 0 registers.ebx: 0 registers.esi: 2 registers.ecx: 7	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (16 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://safialinks.com/Widgets/FolderShare.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://safialinks.com/xJRtjaHLw25uhP75sj4j5SDQa3dAyG/BestCPM/Soft_Manager_Cpm.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://safialinks.com/xJRtjaHLw25uhP75sj4j5SDQa3dAyG/NetworkStreamer/UpdateStream_Provider.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://safialinks.com/xJRtjaHLw25uhP75sj4j5SDQa3dAyG/Elmet7adi/Hand_conductor.exe
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://requestimedout.com/xenocrates/zoroaster
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.google.com/
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/SuperNitou.php
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer4Publisher.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/publisher/1/KR.json
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer2kenpachi.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_slava_inlogsoftware
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_installrox2_BumperWw
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_piyyyyWW
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_adxpertmedia_advancedmanager

Performs some HTTP requests (19 events)

request	HEAD http://safialinks.com/Installer_Provider/ShareFolder.exe
request	GET http://safialinks.com/Installer_Provider/ShareFolder.exe
request	GET http://safialinks.com/Widgets/FolderShare.exe
request	GET http://safialinks.com/xJRtjaHLw25uhP75sj4j5SDQa3dAyG/BestCPM/Soft_Manager_Cpm.exe
request	GET http://safialinks.com/xJRtjaHLw25uhP75sj4j5SDQa3dAyG/NetworkStreamer/UpdateStream_Provider.exe
request	GET http://safialinks.com/xJRtjaHLw25uhP75sj4j5SDQa3dAyG/Elmet7adi/Hand_conductor.exe
request	POST http://requestimedout.com/xenocrates/zoroaster
request	GET http://www.google.com/
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	POST https://connectini.net/Series/SuperNitou.php
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	GET https://connectini.net/Series/publisher/1/KR.json
request	POST https://connectini.net/Series/Conumer2kenpachi.php
request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json
request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_slava_inlogsoftware
request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_installrox2_BumperWw
request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_piyyyyWW
request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_adxpertmedia_advancedmanager

Sends data using the HTTP POST Method (4 events)

request	POST http://requestimedout.com/xenocrates/zoroaster
request	POST https://connectini.net/Series/SuperNitou.php
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	POST https://connectini.net/Series/Conumer2kenpachi.php

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

fscloud.su

description

Soviet Union domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 810 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 7, 2021, 6:15 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:15 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:15 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 385024 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:15 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:15 p.m.	process_identifier: 204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:15 p.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000530000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1321000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159e000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00022000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00023000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00112000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0002c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00024000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00161000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00162000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00163000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00164000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00025000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 6:08 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00165000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

Sekykuvyga.exe tried to sleep 237 seconds, actually delayed analysis time by 237 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Oct. 7, 2021, 6:09 p.m.	total_number_of_free_bytes: 13724483584 free_bytes_available: 13724483584 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (7 events)

file	C:\Users\test22\AppData\Local\Temp\is-ME5U6.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-ME5U6.tmp\Adam.exe
file	C:\Program Files\Uninstall Information\ZPXEDYHKNM\foldershare.exe
file	C:\Users\test22\AppData\Local\Temp\37-9334e-c87-3408a-1544a83382ac3\Bedikyriji.exe
file	C:\Users\test22\AppData\Local\Temp\f7-e81b5-b12-928be-1eb40b84d7c26\Sekykuvyga.exe
file	C:\Users\test22\AppData\Local\Temp\is-ME5U6.tmp\_isetup\_shfoldr.dll
file	C:\Program Files (x86)\Microsoft Visual Studio 8\Nicihixida.exe

Drops a binary and executes it (3 events)

file	C:\Program Files\Uninstall Information\ZPXEDYHKNM\foldershare.exe
file	C:\Users\test22\AppData\Local\Temp\f7-e81b5-b12-928be-1eb40b84d7c26\Sekykuvyga.exe
file	C:\Users\test22\AppData\Local\Temp\37-9334e-c87-3408a-1544a83382ac3\Bedikyriji.exe

Drops an executable to the user AppData folder (6 events)

file	C:\Users\test22\AppData\Local\Temp\is-BAPBB.tmp\Sharefolder.tmp
file	C:\Users\test22\AppData\Local\Temp\is-ME5U6.tmp\Adam.exe
file	C:\Users\test22\AppData\Local\Temp\37-9334e-c87-3408a-1544a83382ac3\Bedikyriji.exe
file	C:\Users\test22\AppData\Local\Temp\is-ME5U6.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-ME5U6.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\f7-e81b5-b12-928be-1eb40b84d7c26\Sekykuvyga.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 7, 2021, 6:17 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x05680000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 7, 2021, 6:08 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process sharefolder.tmp (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Oct. 7, 2021, 6:15 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÐà"0¼7 @@ @L7O@¸¸ H.text¤ `.rsrc¸¸@º@@.reloc Ô @B7H¸³ËÙ×ÂâÒé+Òû&×Á-äd/ôyÎxäéxò Ì~©6@tÃÒP±ÑýÙült#9K(hÇpð}? hãb3£Ýah¼§Ðwêma[ävì'NÉ§f d_À=Çýñ¦Báêxî£^ ¢v¹îSÚ=» æ}Ò9Ðå¦À)Öã1L¼¯Ùñ>&.ù0 ø¸,ÍÎ-o7s@-0{+È´ ×°C)aN'·°èüoªH¡¾í-ß&hbÖ«äZþrÚîø¥ÀiÁqs¶¸Ø´Ì1Ò(y$GÂÇª^´iX]`¼Í½BÄ@óZmO,FX¹°J¨EÍÀ4ÞÆD_9c ±Ýwº$kD`gpãÇ,®êFqDK\Ð¸CîX,Ê øvÀ´a`ZÆª¹ï5e¼£`nBo)±¡¯PÁ5PJIøhÇçàüREb¨Á:î ÉÛ»SW-`ªjötµÑêPðJ6" request_handle: 0x00cc000c	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2064 CREDAT:145409
cmdline	C:\Program Files (x86)\Internet Explorer\iexplore.exe https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6

Communicates with host for which no DNS query was performed (1 event)

host

194.145.227.159

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 7, 2021, 6:17 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover

reg_value

"C:\Program Files (x86)\Microsoft Visual Studio 8\Nicihixida.exe"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-ME5U6.tmp\Adam.exe

Network activity contains more than one unique useragent (2 events)

process	Sharefolder.tmp				useragent	InnoDownloadPlugin/1.5
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2064 resumed a thread in remote process 2632
NtResumeThread Oct. 7, 2021, 6:17 p.m.	thread_handle: 0x00000358 suspend_count: 1 process_identifier: 2632	1	0	0

Generates some ICMP traffic

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Application.DealAlpha.1.Gen
FireEye	Application.DealAlpha.1.Gen
Cybereason	malicious.c4657a
ESET-NOD32	multiple detections
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Passteal-9853623-0
Kaspersky	HEUR:Trojan-Downloader.Win32.Chebka.gen
BitDefender	Application.DealAlpha.1.Gen
Avast	FileRepMalware
Tencent	Win32.Trojan-downloader.Chebka.Dyhb
Emsisoft	Application.DealAlpha.1.Gen (B)
Zillya	Trojan.GenericKD.Win32.47197
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan-Downloader.Win32.Agent
Avira	HEUR/AGEN.1142105
MAX	malware (ai score=83)
Microsoft	Trojan:Script/Phonzy.A!ml
GData	Application.DealAlpha.1.Gen
SentinelOne	Static AI - Suspicious PE
AVG	FileRepMalware
Panda	Trj/CI.A

Sharefolder.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All