Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 1, 2021, 10:25 a.m.	Nov. 1, 2021, 10:38 a.m.

Size	570.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`91679f42cd3ba051b5c7ce37d45b222c`
SHA256	`e059ab9141d67e0b2e9eb83d34ba88e480f7091bcd97b78466386a17b44a235e`
CRC32	`AFDDE5D3`
ssdeep	`12288:wurQb81U+mN55X7Yshg4IeIZcDAVnxPjbpWCORt:wX++IMinxXpW`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

systemdc.exe "C:\Users\test22\AppData\Local\Temp\systemdc.exe"
1896
- systemdc.exe "C:\Users\test22\AppData\Local\Temp\systemdc.exe"
  2792

Name	Response	Post-Analysis Lookup
www.theebook.guru	A 51.89.9.188	51.89.9.188
www.ndust.net	A 104.18.27.58 A 104.18.26.58 CNAME shops.myfunpinpin.com	104.18.26.58
www.donaldpowers.store	A 104.26.10.41 A 104.26.11.41 CNAME saspanel.com A 172.67.69.69	172.67.69.69
www.homestechs.com	CNAME homestechs.com A 5.79.71.161	5.79.71.161
www.rescueandrestoreministries.net	CNAME rescueandrestoreministries.net A 51.210.64.36	51.210.64.36
www.dailygossiping.com	A 74.220.199.6	74.220.199.6
www.zarazira.com	A 78.47.57.7 CNAME zarazira.com	78.47.57.7
www.northfacemall.online

IP Address	Status	Action
104.18.26.58	Active	Moloch
104.26.11.41	Active	Moloch
164.124.101.2	Active	Moloch
5.79.71.161	Active	Moloch
51.210.64.36	Active	Moloch
51.89.9.188	Active	Moloch
74.220.199.6	Active	Moloch
78.47.57.7	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49171 -> 104.18.26.58:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 104.18.26.58:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 104.18.26.58:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 78.47.57.7:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 78.47.57.7:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 78.47.57.7:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 51.89.9.188:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 51.89.9.188:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 51.89.9.188:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 5.79.71.161:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 5.79.71.161:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 5.79.71.161:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 74.220.199.6:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 74.220.199.6:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 74.220.199.6:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 104.26.11.41:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 104.26.11.41:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 104.26.11.41:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 1, 2021, 10:25 a.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 10:25 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 1, 2021, 10:25 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.donaldpowers.store/pufi/?2dp=nyHN3ANVlMAzfqaDgI1iNAQsgXcCValkrJwU6bpJcZrtEB2xC+87EoJfCKs3HzM0uPrvSfK0&CXL05P=YthDaVVxJrCHangP
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ndust.net/pufi/?2dp=y124CMd3X80IKlF1ruJkpyWQk/ERSxpAry48nMXi4iIdJ9a4kPTCTgPsVWTUHiVYZjE0BVO6&CXL05P=YthDaVVxJrCHangP
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.homestechs.com/pufi/?2dp=J8l+crML0CFixOA74eEKVQ0DbEDp6umDNli43l94G4Hz10Bpex1w9bL3u7hc8KG05T5PfqbC&CXL05P=YthDaVVxJrCHangP
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.theebook.guru/pufi/?2dp=yZeAx72MwuebGnH7K2ntDPIyrjVMlRQpn3vr6r+H7IZJ74ho+aX1X9dYNRdxqYqzftYd8OGM&CXL05P=YthDaVVxJrCHangP
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.zarazira.com/pufi/?2dp=LNXC60SoBf7zTwHpn45Ux7MWrSY17JA4zzxkevpqeQDEjmNIxD8rKqPbbeup1JXySujJr6n8&CXL05P=YthDaVVxJrCHangP
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.dailygossiping.com/pufi/?2dp=GXvFuzK1bbdgitiLy2HfWnxGjRuymxDWMFylOe4VKkbB997oiWy8PH6Pu7w9CriLIOiICFqr&CXL05P=YthDaVVxJrCHangP

Performs some HTTP requests (6 events)

request	GET http://www.donaldpowers.store/pufi/?2dp=nyHN3ANVlMAzfqaDgI1iNAQsgXcCValkrJwU6bpJcZrtEB2xC+87EoJfCKs3HzM0uPrvSfK0&CXL05P=YthDaVVxJrCHangP
request	GET http://www.ndust.net/pufi/?2dp=y124CMd3X80IKlF1ruJkpyWQk/ERSxpAry48nMXi4iIdJ9a4kPTCTgPsVWTUHiVYZjE0BVO6&CXL05P=YthDaVVxJrCHangP
request	GET http://www.homestechs.com/pufi/?2dp=J8l+crML0CFixOA74eEKVQ0DbEDp6umDNli43l94G4Hz10Bpex1w9bL3u7hc8KG05T5PfqbC&CXL05P=YthDaVVxJrCHangP
request	GET http://www.theebook.guru/pufi/?2dp=yZeAx72MwuebGnH7K2ntDPIyrjVMlRQpn3vr6r+H7IZJ74ho+aX1X9dYNRdxqYqzftYd8OGM&CXL05P=YthDaVVxJrCHangP
request	GET http://www.zarazira.com/pufi/?2dp=LNXC60SoBf7zTwHpn45Ux7MWrSY17JA4zzxkevpqeQDEjmNIxD8rKqPbbeup1JXySujJr6n8&CXL05P=YthDaVVxJrCHangP
request	GET http://www.dailygossiping.com/pufi/?2dp=GXvFuzK1bbdgitiLy2HfWnxGjRuymxDWMFylOe4VKkbB997oiWy8PH6Pu7w9CriLIOiICFqr&CXL05P=YthDaVVxJrCHangP

Allocates read-write-execute memory (usually to unpack itself) (30 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a6d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:26 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a6e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:26 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:26 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:26 a.m.	process_identifier: 1896 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:26 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:26 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:26 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:26 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:26 a.m.	process_identifier: 2792 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00064c00', u'virtual_address': u'0x00002000', u'entropy': 7.7115112750407375, u'name': u'.text', u'virtual_size': u'0x00064a44'}

entropy

7.71151127504

description

A section with a high entropy has been found

entropy

0.70701754386

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 1, 2021, 10:26 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 1, 2021, 10:26 a.m.	process_identifier: 2792 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 1, 2021, 10:26 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELË®@à \|PÔ@@.textl{\| ` base_address: 0x00400000 process_identifier: 2792 process_handle: 0x00000244	1	1	0
WriteProcessMemory Nov. 1, 2021, 10:26 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2792 process_handle: 0x00000244	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 1, 2021, 10:26 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELË®@à \|PÔ@@.textl{\| ` base_address: 0x00400000 process_identifier: 2792 process_handle: 0x00000244	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1896 called NtSetContextThread to modify thread in remote process 2792
NtSetContextThread Nov. 1, 2021, 10:26 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314192 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000240 process_identifier: 2792	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1896 resumed a thread in remote process 2792
NtResumeThread Nov. 1, 2021, 10:26 a.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2792	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

51.210.64.36:80

Executed a process and injected code into it, probably while unpacking (11 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 1, 2021, 10:25 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1896	1	0
NtResumeThread Nov. 1, 2021, 10:25 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1896	1	0
NtResumeThread Nov. 1, 2021, 10:25 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 1896	1	0
CreateProcessInternalW Nov. 1, 2021, 10:26 a.m.	thread_identifier: 2780 thread_handle: 0x00000240 process_identifier: 2792 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\systemdc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\systemdc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000244	1	1
NtGetContextThread Nov. 1, 2021, 10:26 a.m.	thread_handle: 0x00000240	1	0
NtAllocateVirtualMemory Nov. 1, 2021, 10:26 a.m.	process_identifier: 2792 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244	1	0
WriteProcessMemory Nov. 1, 2021, 10:26 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELË®@à \|PÔ@@.textl{\| ` base_address: 0x00400000 process_identifier: 2792 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 1, 2021, 10:26 a.m.	buffer: base_address: 0x00401000 process_identifier: 2792 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 1, 2021, 10:26 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2792 process_handle: 0x00000244	1	1
NtSetContextThread Nov. 1, 2021, 10:26 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314192 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000240 process_identifier: 2792	1	0
NtResumeThread Nov. 1, 2021, 10:26 a.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2792	1	0

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.47276909
FireEye	Generic.mg.91679f42cd3ba051
McAfee	RDN/Generic PWS.y
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 0058996e1 )
Alibaba	Trojan:Win32/Kryptik.ali2000016
K7GW	Trojan ( 0058996e1 )
Cybereason	malicious.894a29
BitDefenderTheta	Gen:NN.ZemsilF.34236.Jm0@ayuFd1f
Cyren	W32/MSIL_Troj.BRI.gen!Eldorado
Symantec	Trojan.Gen.9
ESET-NOD32	a variant of MSIL/Kryptik.ADIH
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender	Trojan.GenericKD.47276909
Avast	Win32:MalwareX-gen [Trj]
Ad-Aware	Trojan.GenericKD.47276909
Sophos	Mal/Generic-S
Comodo	Malware@#16g58119r5r92
McAfee-GW-Edition	BehavesLike.Win32.Generic.hh
Emsisoft	Trojan.Agent (A)
Ikarus	Trojan.MSIL.Krypt
eGambit	Unsafe.AI_Score_97%
Microsoft	Trojan:MSIL/AgentTesla.R!MTB
GData	Trojan.GenericKD.47276909
Cynet	Malicious (score: 100)
ALYac	Trojan.GenericKD.47276909
VBA32	CIL.HeapOverride.Heur
Malwarebytes	Trojan.Crypt.MSIL.Generic
TrendMicro-HouseCall	TROJ_GEN.F0D1C00JS21
Yandex	Trojan.Igent.bWQl5G.12
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenKryptik.FMSR!tr
Webroot	W32.Trojan.Dropper
AVG	Win32:MalwareX-gen [Trj]
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_100% (W)

systemdc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All