Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 19, 2021, 4:37 p.m.	Oct. 19, 2021, 4:41 p.m.

Size	478.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`d5e15de49142f442f0932e1f0634675b`
SHA256	`10a96288de8785786b009b94ee858093999c9b690991474b95455192b7622e0b`
CRC32	`C703A70E`
ssdeep	`12288:DecAHyoOkNapEasXE8Q/Zd4+Fij+3G1x3DqumR9+LVizg1/X8dm6at1wuWpTx3ii:DeuaRnmRiV7pGGEj`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

mon.exe "C:\Users\test22\AppData\Local\Temp\mon.exe"
1548
- mon.exe "C:\Users\test22\AppData\Local\Temp\mon.exe"
  2544

Name	Response	Post-Analysis Lookup
www.govusergroup.com	A 216.239.136.99	216.239.136.99
www.charlottewright.online
www.kidzgovroom.com	A 34.102.136.180 CNAME kidzgovroom.com	34.102.136.180
www.fis.photos	A 192.0.78.25 A 192.0.78.24 CNAME fis.photos	192.0.78.24
www.planetgreennetwork.com	CNAME planetgreennetwork.com A 34.102.136.180	34.102.136.180
www.arcflorals.com	A 198.71.233.83 CNAME arcflorals.com	198.71.233.83
www.levanttradegroup.com	A 34.102.136.180 CNAME levanttradegroup.com	34.102.136.180
www.eddytattoo.com	CNAME HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com A 3.223.115.185	3.223.115.185
www.lhznqyl.press
www.clf010.com	A 45.39.212.188	45.39.212.188
www.lafabriqueabeilleassurances.com	A 217.70.184.50 CNAME webredir.vip.gandi.net	217.70.184.50
www.goldsteelconstruction.com	A 63.250.43.7 A 63.250.43.8 CNAME goldsteelconstruction.com	63.250.43.8

IP Address	Status	Action
164.124.101.2	Active	Moloch
192.0.78.25	Active	Moloch
198.71.233.83	Active	Moloch
216.239.136.99	Active	Moloch
217.70.184.50	Active	Moloch
3.223.115.185	Active	Moloch
34.102.136.180	Active	Moloch
45.39.212.188	Active	Moloch
63.250.43.8	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49171 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 217.70.184.50:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 217.70.184.50:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 217.70.184.50:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 192.0.78.25:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 192.0.78.25:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 45.39.212.188:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 192.0.78.25:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 45.39.212.188:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 45.39.212.188:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 198.71.233.83:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 3.223.115.185:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 198.71.233.83:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 3.223.115.185:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 198.71.233.83:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 3.223.115.185:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 216.239.136.99:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 216.239.136.99:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 216.239.136.99:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 63.250.43.8:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 63.250.43.8:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 63.250.43.8:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 19, 2021, 4:37 p.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 4:37 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 19, 2021, 4:37 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.eddytattoo.com/ef6c/?E48=wm8HtgYU6K5xBZHPsxi7+EX3qPsJdGwRxoT7oAVpurukD76RSgTu7ISzClKHz9CJah1eQNxC&BZO034=YrhH5rAP6J-TD2h0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.goldsteelconstruction.com/ef6c/?E48=+ynMDYrLpnTu4DfE9YT4eJW6S19U/jXmPWBe5dZQ+v1t/rZPvFp+0gZRwCHmFKY3Fyif9Dcg&BZO034=YrhH5rAP6J-TD2h0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.fis.photos/ef6c/?E48=iVGcxgJZg7dDdqnpGvHyDNlE3XmNDIFvU6VDaZ8nDL6WJmv+1asF/xEbeuA1UUYS6lydoag+&BZO034=YrhH5rAP6J-TD2h0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.clf010.com/ef6c/?E48=Bd/A1B2Xlx1/VvyPmZy81MokZhoyKr0JLZIYHKA2ldK2bxVDj61bbzDCW/TjJZTPQA/hnmk/&BZO034=YrhH5rAP6J-TD2h0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.kidzgovroom.com/ef6c/?E48=tzJrmRJzv3aPTlM/CF6MHo9U8s5+ZqDCvPfiw0R1aW0dhX7KrJSn+QKF8yUKGl3PwVlYeY7t&BZO034=YrhH5rAP6J-TD2h0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.lafabriqueabeilleassurances.com/ef6c/?E48=2QYE7mkSl4x2jlZo54GRK50GO3C76nvR62kgjEMbDIxrMKFbsYZiIeVfmB5iSiZWlGlMGs/r&BZO034=YrhH5rAP6J-TD2h0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.planetgreennetwork.com/ef6c/?E48=viiOdeoYufNRN60WkpfLEAw1fJ1OatCxqWV4tuVbpGnby6TfOu9tKnuCwWlJt5WAZl2p+p2R&BZO034=YrhH5rAP6J-TD2h0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.arcflorals.com/ef6c/?E48=kGlMeYY5BdILFMvYVNR7bZ0Mn33Q8LI2mKSsuAJB2+8tGFV37lUpti1UFknkbAVSBI+8nqql&BZO034=YrhH5rAP6J-TD2h0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.levanttradegroup.com/ef6c/?E48=9g8sfBGzWY6JJ+yJLDpPQys/8ShNqhTPTp4cpY8RvCwAQwKx0UrfmPEzoi+Z1D/DgpYog5qv&BZO034=YrhH5rAP6J-TD2h0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.govusergroup.com/ef6c/?E48=N5yAIzzPvIdqoqJ3aV/wdndIILsjG1yD75IcTmUgg2IU59G+YJKqbdhtrw9qqSyAgMIiKVbn&BZO034=YrhH5rAP6J-TD2h0

Performs some HTTP requests (10 events)

request	GET http://www.eddytattoo.com/ef6c/?E48=wm8HtgYU6K5xBZHPsxi7+EX3qPsJdGwRxoT7oAVpurukD76RSgTu7ISzClKHz9CJah1eQNxC&BZO034=YrhH5rAP6J-TD2h0
request	GET http://www.goldsteelconstruction.com/ef6c/?E48=+ynMDYrLpnTu4DfE9YT4eJW6S19U/jXmPWBe5dZQ+v1t/rZPvFp+0gZRwCHmFKY3Fyif9Dcg&BZO034=YrhH5rAP6J-TD2h0
request	GET http://www.fis.photos/ef6c/?E48=iVGcxgJZg7dDdqnpGvHyDNlE3XmNDIFvU6VDaZ8nDL6WJmv+1asF/xEbeuA1UUYS6lydoag+&BZO034=YrhH5rAP6J-TD2h0
request	GET http://www.clf010.com/ef6c/?E48=Bd/A1B2Xlx1/VvyPmZy81MokZhoyKr0JLZIYHKA2ldK2bxVDj61bbzDCW/TjJZTPQA/hnmk/&BZO034=YrhH5rAP6J-TD2h0
request	GET http://www.kidzgovroom.com/ef6c/?E48=tzJrmRJzv3aPTlM/CF6MHo9U8s5+ZqDCvPfiw0R1aW0dhX7KrJSn+QKF8yUKGl3PwVlYeY7t&BZO034=YrhH5rAP6J-TD2h0
request	GET http://www.lafabriqueabeilleassurances.com/ef6c/?E48=2QYE7mkSl4x2jlZo54GRK50GO3C76nvR62kgjEMbDIxrMKFbsYZiIeVfmB5iSiZWlGlMGs/r&BZO034=YrhH5rAP6J-TD2h0
request	GET http://www.planetgreennetwork.com/ef6c/?E48=viiOdeoYufNRN60WkpfLEAw1fJ1OatCxqWV4tuVbpGnby6TfOu9tKnuCwWlJt5WAZl2p+p2R&BZO034=YrhH5rAP6J-TD2h0
request	GET http://www.arcflorals.com/ef6c/?E48=kGlMeYY5BdILFMvYVNR7bZ0Mn33Q8LI2mKSsuAJB2+8tGFV37lUpti1UFknkbAVSBI+8nqql&BZO034=YrhH5rAP6J-TD2h0
request	GET http://www.levanttradegroup.com/ef6c/?E48=9g8sfBGzWY6JJ+yJLDpPQys/8ShNqhTPTp4cpY8RvCwAQwKx0UrfmPEzoi+Z1D/DgpYog5qv&BZO034=YrhH5rAP6J-TD2h0
request	GET http://www.govusergroup.com/ef6c/?E48=N5yAIzzPvIdqoqJ3aV/wdndIILsjG1yD75IcTmUgg2IU59G+YJKqbdhtrw9qqSyAgMIiKVbn&BZO034=YrhH5rAP6J-TD2h0

Allocates read-write-execute memory (usually to unpack itself) (41 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00541000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00543000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00544000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70692000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0446f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:37 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:38 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:38 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003be000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:38 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:38 p.m.	process_identifier: 1548 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:38 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:38 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:38 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:38 p.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:40 p.m.	process_identifier: 2544 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00076e00', u'virtual_address': u'0x00002000', u'entropy': 7.643608938606049, u'name': u'.text', u'virtual_size': u'0x00076d24'}

entropy

7.64360893861

description

A section with a high entropy has been found

entropy

0.995811518325

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 19, 2021, 4:40 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 19, 2021, 4:38 p.m.	process_identifier: 2544 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001fc	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 19, 2021, 4:38 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL,+9Rà \|ÐÓ@@.textìz\| ` base_address: 0x00400000 process_identifier: 2544 process_handle: 0x000001fc	1	1	0
WriteProcessMemory Oct. 19, 2021, 4:38 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2544 process_handle: 0x000001fc	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 19, 2021, 4:38 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL,+9Rà \|ÐÓ@@.textìz\| ` base_address: 0x00400000 process_identifier: 2544 process_handle: 0x000001fc	1	1	0

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.d5e15de49142f442
Cylance	Unsafe
Sangfor	Virus.Win32.Save.a
CrowdStrike	win/malicious_confidence_80% (D)
BitDefenderTheta	Gen:NN.ZemsilF.34218.Dm0@aaUFOfd
Cyren	W32/MSIL_Kryptik.DLB.gen!Eldorado
APEX	Malicious
Paloalto	generic.ml
Kaspersky	VHO:Backdoor.MSIL.NanoBot.gen
McAfee-GW-Edition	BehavesLike.Win32.Fareit.gc
Ikarus	Trojan-Spy.Keylogger.Snake
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Cynet	Malicious (score: 100)
VBA32	CIL.StupidPInvoker-1.Heur
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ADCZ!tr

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1548 called NtSetContextThread to modify thread in remote process 2544
NtSetContextThread Oct. 19, 2021, 4:38 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314064 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000200 process_identifier: 2544	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1548 resumed a thread in remote process 2544
NtResumeThread Oct. 19, 2021, 4:38 p.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2544	1	0	0

Executed a process and injected code into it, probably while unpacking (15 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 19, 2021, 4:37 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1548	1	0
NtResumeThread Oct. 19, 2021, 4:37 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1548	1	0
NtResumeThread Oct. 19, 2021, 4:37 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 1548	1	0
NtResumeThread Oct. 19, 2021, 4:37 p.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 1548	1	0
NtGetContextThread Oct. 19, 2021, 4:37 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Oct. 19, 2021, 4:37 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Oct. 19, 2021, 4:37 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1548	1	0
CreateProcessInternalW Oct. 19, 2021, 4:38 p.m.	thread_identifier: 2332 thread_handle: 0x00000200 process_identifier: 2544 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\mon.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\mon.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001fc	1	1
NtGetContextThread Oct. 19, 2021, 4:38 p.m.	thread_handle: 0x00000200	1	0
NtAllocateVirtualMemory Oct. 19, 2021, 4:38 p.m.	process_identifier: 2544 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001fc	1	0
WriteProcessMemory Oct. 19, 2021, 4:38 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL,+9Rà \|ÐÓ@@.textìz\| ` base_address: 0x00400000 process_identifier: 2544 process_handle: 0x000001fc	1	1
WriteProcessMemory Oct. 19, 2021, 4:38 p.m.	buffer: base_address: 0x00401000 process_identifier: 2544 process_handle: 0x000001fc	1	1
WriteProcessMemory Oct. 19, 2021, 4:38 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2544 process_handle: 0x000001fc	1	1
NtSetContextThread Oct. 19, 2021, 4:38 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314064 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000200 process_identifier: 2544	1	0
NtResumeThread Oct. 19, 2021, 4:38 p.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2544	1	0

mon.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All