Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 4, 2021, 10:12 a.m.	Nov. 4, 2021, 10:14 a.m.

Size	3.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8b1011bf4b9dc38d8aececd4ed9e11c6`
SHA256	`5db7ad7b3b345ecb7da30349183fafaf4a7bbd4e566e4d7ea4c0e6d895d983d2`
CRC32	`15C1AEF4`
ssdeep	`98304:20NgMZkh23T8LiWi0agFmX/Hgj+Tig1PfSxl8w3WZCzK:9gmf3weWHvFifIRwX6fru`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
2128
- f1_prot.exe "C:\Users\test22\AppData\Local\Temp\RarSFX0\f1_prot.exe"
  2184
  - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit
    2432
    - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"'
      2516
  - services64.exe "C:\Users\test22\AppData\Local\Temp\services64.exe"
    2604
    - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit
      2268
      - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"'
        2504
    - sihost64.exe "C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      2056
- f2_prot.exe "C:\Users\test22\AppData\Local\Temp\RarSFX0\f2_prot.exe"
  2732
  - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit
    1164
    - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"'
      2996
  - services32.exe "C:\Users\test22\AppData\Local\Temp\services32.exe"
    2404
    - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit
      236
      - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"'
        964
    - sihost32.exe "C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
      2492
explorer.exe C:\Windows\Explorer.EXE
1388

Name	Response	Post-Analysis Lookup
sanctam.net
github.com	A 52.78.231.108	15.164.81.167

IP Address	Status	Action
164.124.101.2	Active	Moloch
52.78.231.108	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49180 -> 52.78.231.108:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49180 52.78.231.108:443	C=US, O=DigiCert, Inc., CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com	84:63:b3:a9:29:12:cc:fd:1d:31:47:05:98:9b:ec:13:99:37:d0:d7

Queries for the computername (16 events)

Time & API	Arguments	Status	Return
GetComputerNameA Nov. 4, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 4, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 4, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 10:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 10:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 4, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 10:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 10:14 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (12 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 4, 2021, 10:12 a.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 10:12 a.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 10:13 a.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 10:13 a.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 10:13 a.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 10:13 a.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 10:13 a.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 10:13 a.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 10:13 a.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 10:13 a.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 10:14 a.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 10:14 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 4, 2021, 10:12 a.m.	buffer: SUCCESS: The scheduled task "services64" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 4, 2021, 10:13 a.m.	buffer: SUCCESS: The scheduled task "services32" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 4, 2021, 10:13 a.m.	buffer: SUCCESS: The scheduled task "services64" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 4, 2021, 10:13 a.m.	buffer: SUCCESS: The scheduled task "services32" has successfully been created. console_handle: 0x0000000000000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 4, 2021, 10:12 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Allocates read-write-execute memory (usually to unpack itself) (50 out of 380 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e2000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f23000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077300000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077310000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077320000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077330000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077340000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077350000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077360000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077370000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077380000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077390000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013f720000 process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002880000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000028c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002e50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e61000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34fb000 process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000031c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e62000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e62000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e62000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e62000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e62000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e62000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e62000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e62000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e62000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e62000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e62000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e64000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e64000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e64000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e64000 process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 10:12 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\f2_prot.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\f1_prot.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

Creates a suspicious process (6 events)

cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"'
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"'

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\f1_prot.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\f2_prot.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

Executes one or more WMI queries (1 event)

wmi	Select CommandLine from Win32_Process where Name='explorer.exe'

A process created a hidden window (8 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Nov. 4, 2021, 10:12 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Nov. 4, 2021, 10:12 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\services64.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\services64.exe	1	1
ShellExecuteExW Nov. 4, 2021, 10:13 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Nov. 4, 2021, 10:13 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe parameters: filepath: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe	1	1
ShellExecuteExW Nov. 4, 2021, 10:13 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Nov. 4, 2021, 10:13 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\services32.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\services32.exe	1	1
ShellExecuteExW Nov. 4, 2021, 10:13 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Nov. 4, 2021, 10:14 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe parameters: filepath: C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 4, 2021, 10:13 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0000e200', u'virtual_address': u'0x00063000', u'entropy': 6.802679828750322, u'name': u'.rsrc', u'virtual_size': u'0x0000e038'}

entropy

6.80267982875

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 4, 2021, 10:12 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 10:13 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 10:13 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 10:13 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"'
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"'

Installs itself for autorun at Windows startup (6 events)

cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"'
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"'

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Lionic	Trojan.Win32.Encoder.j!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.47150763
FireEye	Generic.mg.8b1011bf4b9dc38d
McAfee	Artemis!8B1011BF4B9D
Cylance	Unsafe
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	TrojanDropper:Win32/dropper.ali1003001
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.f4b9dc
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of Win64/Packed.Enigma.CA
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Dorifel-9892630-0
Kaspersky	Trojan-Ransom.Win32.Encoder.oag
BitDefender	Trojan.GenericKD.47150763
Avast	Win64:Malware-gen
Ad-Aware	Trojan.GenericKD.47150763
Sophos	Generic PUA JN (PUA)
F-Secure	Trojan.TR/Tasker.csjup
DrWeb	Trojan.MulDrop18.43403
TrendMicro	TROJ_GEN.R002C0WJJ21
McAfee-GW-Edition	BehavesLike.Win32.Generic.wc
Emsisoft	Trojan.GenericKD.37941637 (B)
Ikarus	Trojan.Win32.CoinMiner
Webroot	W32.Trojan.Gen
Avira	TR/Tasker.csjup
MAX	malware (ai score=86)
Antiy-AVL	Trojan/Win32.Tasker
Gridinsoft	Trojan.Win32.Packed.ns
Arcabit	Trojan.Generic.D2CF76AB
ViRobot	Trojan.Win32.Z.Tasker.3323018
ZoneAlarm	Trojan-Ransom.Win32.Encoder.oag
GData	Trojan.GenericKD.37941637
Cynet	Malicious (score: 100)
ALYac	Trojan.GenericKD.47150763
VBA32	Trojan.Tasker
Malwarebytes	Trojan.Dropper
Zoner	Probably Heur.ExeHeaderH
SentinelOne	Static AI - Suspicious SFX
Fortinet	PossibleThreat.MU
AVG	Win64:Malware-gen
Panda	Trj/CI.A
Qihoo-360	Win32/Heur.Generic.HwYDhOcA

svchost.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All