Summary

Category	Machine	Started	Completed
ARCHIVE	s1_win7_x6403_us	Oct. 19, 2021, 10:42 a.m.	Oct. 19, 2021, 10:48 a.m.

Archive edjpx01/5f205bba58587_v.png @ edjpx01.zip

Size	128.0B
Type	PNG image data, 12 x 12, 8-bit/color RGB, non-interlaced
MD5	`0bb86caf792dd7d24731c18cd37bb68e`
SHA1	`dda1e433a0eaf785b2aa2c6214d5e48cb82a3a25`
SHA256	`2ac27821ba64d645f36e2ad197492d30c11b10a032cc474554679555f4604622`
SHA512	`596bb05f2926273d35c4245f87ea3c278a60562e16a5af3755bf686ba836e5ce74088de278dfe4dbe4ea87b986f8191589b109e590f2989ef4d28a14319d46a5`
CRC32	`F7AACB3F`
ssdeep	`3:yionv//thPll0ya/lHRthwkBDsTBZtHdEAEhTWT3RvIWitwFB1p:6v/lhPkd5nDspHmAE1WdAWOUp`
Yara	PNG_Format_Zero - PNG Format

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\edjpx01/5f205bba58587_v.png.html
2568
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2568 CREDAT:145409
  2096

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49174 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49176 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.103:49177	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 117.18.232.200:443 -> 192.168.56.103:49178	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (50 out of 51 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 region_size: 10162176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002db0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007727d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077284000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc2a5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc2a5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff2d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff101000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007726a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2568 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000033b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 region_size: 3608576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002b00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007727d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077284000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc2a5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc2a5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff2d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff101000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007726a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007726f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007726d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007726b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773a6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dd1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077270000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007726a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007737f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007738b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdce7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff274000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff271000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff276000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff271000 process_handle: 0xffffffffffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 19, 2021, 10:41 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff80000 process_handle: 0xffffffffffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2568 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2568 resumed a thread in remote process 2096
NtResumeThread Oct. 19, 2021, 10:41 a.m.	thread_handle: 0x0000000000000368 suspend_count: 1 process_identifier: 2096	1	0	0

Archive edjpx01/5f205bba58587_v.png @ edjpx01.zip

Summary

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All