Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 4, 2021, 2:41 p.m.	Nov. 4, 2021, 3:11 p.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`bab66a1efbd3c6e65c5a6e01deea8367`
SHA256	`e0f18444b40d78c65e1821586721760d303bb767093ea09642226abed4d1ad85`
CRC32	`6D58ACD1`
ssdeep	`49152:C9OKxz5eM8JvooqXrFzYA8hVU2AGm63yjpGIcLJjmXGpf8:MOm5eMOooqhomhjrcLT8`
Yara	Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

setup.exe "C:\Users\test22\AppData\Local\Temp\setup.exe"
2372
- setup.tmp "C:\Users\test22\AppData\Local\Temp\is-IUK9L.tmp\setup.tmp" /SL5="$3002C,1570064,56832,C:\Users\test22\AppData\Local\Temp\setup.exe"
  2452
  - setup.exe "C:\Users\test22\AppData\Local\Temp\setup.exe" /SILENT
    2536
    - setup.tmp "C:\Users\test22\AppData\Local\Temp\is-4Q1E8.tmp\setup.tmp" /SL5="$4002C,1570064,56832,C:\Users\test22\AppData\Local\Temp\setup.exe" /SILENT
      2596
      - postback.exe "C:\Users\test22\AppData\Local\Temp\is-V3M4S.tmp\postback.exe" ss1
        2708
      - FarLabUninstaller.exe "C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss1
        2744
      - NDP472-KB4054531-Web.exe "C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart
        2784
        
        Setup.exe C:\a26b2ef62474b6e3da4af3\\Setup.exe /q /norestart /x86 /x64 /web
        2868
        
        SetupUtility.exe SetupUtility.exe /aupause
        2084
        
        SetupUtility.exe SetupUtility.exe /screboot
        2332
        
        TMPC2AA.tmp.exe TMPC2AA.tmp.exe /Q /X:C:\a26b2ef62474b6e3da4af3\TMPC2AA.tmp.exe.tmp
        2520
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
indug.com	A 47.254.184.183	47.254.184.183
download.microsoft.com	CNAME main.dl.ms.akadns.net CNAME download.microsoft.com.edgekey.net A 23.201.36.112 CNAME e3673.dscg.akamaiedge.net CNAME dlc-shim.trafficmanager.net	104.109.240.114
www.microsoft.com	CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net CNAME www.microsoft.com-c-3.edgekey.net CNAME e13678.dscb.akamaiedge.net A 23.201.37.168	23.201.37.168
download.visualstudio.microsoft.com	CNAME cs10.wpc.v0cdn.net CNAME 4316b.wpc.azureedge.net CNAME 2-01-5830-0005.cdx.cedexis.net A 192.229.232.200	192.229.232.200

IP Address	Status	Action
104.75.21.121	Active	Moloch
121.254.136.16	Active	Moloch
164.124.101.2	Active	Moloch
192.229.232.200	Active	Moloch
23.201.36.112	Active	Moloch
23.201.37.168	Active	Moloch
47.254.184.183	Active	Moloch
34.117.59.81	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49172 -> 47.254.184.183:80	2022482	ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01	A Network Trojan was detected
TCP 47.254.184.183:80 -> 192.168.56.103:49172	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 47.254.184.183:80 -> 192.168.56.103:49172	2021954	ET MALWARE JS/Nemucod.M.gen downloading EXE payload	A Network Trojan was detected
TCP 47.254.184.183:80 -> 192.168.56.103:49172	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.103:49188 -> 23.201.36.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49193 -> 192.229.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49188 23.201.36.112:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=download.microsoft.com	07:84:e3:73:a7:c0:23:a1:94:3b:48:8f:06:a3:1f:12:78:4a:73:99
TLSv1 192.168.56.103:49193 192.229.232.200:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=*.vo.msecnd.net	43:64:16:4b:73:33:82:e8:0f:a9:73:e6:cc:d5:11:b5:ee:fe:e3:4b

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameA Nov. 4, 2021, 2:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 4, 2021, 2:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 2:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 2:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 2:41 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (11 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 4, 2021, 2:41 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 2:41 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 2:34 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 2:41 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 2:41 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 2:41 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 2:41 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 2:41 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 2:41 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 2:41 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 2:41 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (22 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e33e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e33e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e33e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e33e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3368 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3368 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3368 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3368 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3368 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3368 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e33e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e33e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e33e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e34e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e34a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 4, 2021, 2:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e34a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 4, 2021, 2:41 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 4, 2021, 2:41 p.m.	stacktrace: setup+0x810b7 @ 0x4810b7 setup+0x9921b @ 0x49921b BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedface exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 1637928 registers.edi: 4523216 registers.eax: 1637928 registers.ebp: 1638008 registers.edx: 0 registers.ebx: 0 registers.esi: 2 registers.ecx: 7	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (28 events)

request	HEAD http://indug.com/68.exe
request	GET http://indug.com/68.exe
request	GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
request	GET http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
request	GET http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
request	HEAD http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net472Rel1&plcid=0x409&clcid=0x409&ar=03062.00&sar=amd64&o1=netfx_Full.mzz
request	GET http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net472Rel1&plcid=0x409&clcid=0x409&ar=03062.00&sar=amd64&o1=netfx_Full.mzz
request	HEAD http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net472Rel1&plcid=0x409&clcid=0x409&ar=03062.00&sar=amd64&o1=netfx_Full_x64.msi
request	GET http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net472Rel1&plcid=0x409&clcid=0x409&ar=03062.00&sar=amd64&o1=netfx_Full_x64.msi
request	GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
request	GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
request	GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
request	GET http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
request	HEAD http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net472Rel1&plcid=0x409&clcid=0x409&ar=03081.00&sar=amd64&o1=netfx_Patch_x64.msp
request	GET http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net472Rel1&plcid=0x409&clcid=0x409&ar=03081.00&sar=amd64&o1=netfx_Patch_x64.msp
request	HEAD http://go.microsoft.com/fwlink/?LinkId=862008
request	GET http://go.microsoft.com/fwlink/?LinkId=862008
request	HEAD http://go.microsoft.com/fwlink/?LinkId=249120&clcid=0x409
request	GET http://go.microsoft.com/fwlink/?LinkId=249120&clcid=0x409
request	HEAD https://download.microsoft.com/download/b/9/5/b95136c0-58a0-48df-821a-d05319a86852/enu_NETFX/amd64_netfx_full_mzz/netfx_full_cab.exe
request	HEAD https://download.visualstudio.microsoft.com/download/pr/7db06743-abf0-4a85-a9d3-5af54b6cabcc/cc8282475d16202c4dca707e83cf0ae0/netfx_full_x64.msi
request	GET https://download.visualstudio.microsoft.com/download/pr/7db06743-abf0-4a85-a9d3-5af54b6cabcc/cc8282475d16202c4dca707e83cf0ae0/netfx_full_x64.msi
request	HEAD https://download.visualstudio.microsoft.com/download/pr/887938c3-2a46-4069-a0b1-207035f1dd82/61ef25faf2ae00460f6a77e29327699a/netfx_patch_x64.msp
request	GET https://download.visualstudio.microsoft.com/download/pr/887938c3-2a46-4069-a0b1-207035f1dd82/61ef25faf2ae00460f6a77e29327699a/netfx_patch_x64.msp
request	HEAD https://download.visualstudio.microsoft.com/download/pr/887938c3-2a46-4069-a0b1-207035f1dd82/f0771dabc43ba46cfe9e3481840a7944/windows6.1-kb4019990-x64.cab
request	GET https://download.visualstudio.microsoft.com/download/pr/887938c3-2a46-4069-a0b1-207035f1dd82/f0771dabc43ba46cfe9e3481840a7944/windows6.1-kb4019990-x64.cab
request	HEAD https://download.visualstudio.microsoft.com/download/pr/375f6a02-34bc-4b7d-ad8b-957789cf81e8/e4abafc291524af6e2b478f5d4857f0a/netfx_full_x64.msi
request	GET https://download.visualstudio.microsoft.com/download/pr/375f6a02-34bc-4b7d-ad8b-957789cf81e8/e4abafc291524af6e2b478f5d4857f0a/netfx_full_x64.msi

Allocates read-write-execute memory (usually to unpack itself) (35 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:35 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2596 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ee0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00482000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a06000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a0b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a0f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e7f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:41 p.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Nov. 4, 2021, 2:35 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 8774316032 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW Nov. 4, 2021, 2:41 p.m.	total_number_of_free_bytes: 10228580352 free_bytes_available: 10228580352 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 4, 2021, 2:41 p.m.	total_number_of_free_bytes: 10212200448 free_bytes_available: 10212200448 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 4, 2021, 2:41 p.m.	total_number_of_free_bytes: 10211069952 free_bytes_available: 10211069952 root_path: C:\ total_number_of_bytes: 34252779520	1	1

Creates executable files on the filesystem (35 events)

file	C:\Users\test22\AppData\Local\Temp\is-T1SK8.tmp\idp.dll
file	C:\a26b2ef62474b6e3da4af3\1049\SetupResources.dll
file	C:\Users\test22\AppData\Local\Temp\is-V3M4S.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-T1SK8.tmp\_isetup\_shfoldr.dll
file	C:\a26b2ef62474b6e3da4af3\1042\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\1041\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\1033\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\1031\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\1040\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\Setup.exe
file	C:\a26b2ef62474b6e3da4af3\2070\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\1055\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\1044\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\1043\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\SetupEngine.dll
file	C:\a26b2ef62474b6e3da4af3\TMPC2AA.tmp.exe.tmp\netfx_fullcab.msi
file	C:\a26b2ef62474b6e3da4af3\1028\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\1025\SetupResources.dll
file	C:\Users\test22\AppData\Local\Temp\is-V3M4S.tmp\idp.dll
file	C:\a26b2ef62474b6e3da4af3\1030\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\1035\SetupResources.dll
file	C:\Users\test22\AppData\Local\Temp\is-V3M4S.tmp\postback.exe
file	C:\a26b2ef62474b6e3da4af3\2052\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\1029\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\1045\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\1036\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\1053\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\1038\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\SetupUi.dll
file	C:\a26b2ef62474b6e3da4af3\3082\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\sqmapi.dll
file	C:\a26b2ef62474b6e3da4af3\1046\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\SetupUtility.exe
file	C:\a26b2ef62474b6e3da4af3\1032\SetupResources.dll
file	C:\a26b2ef62474b6e3da4af3\1037\SetupResources.dll

Drops a binary and executes it (2 events)

file	C:\a26b2ef62474b6e3da4af3\SetupUtility.exe
file	C:\a26b2ef62474b6e3da4af3\TMPC2AA.tmp.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\is-T1SK8.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-IUK9L.tmp\setup.tmp
file	C:\Users\test22\AppData\Local\Temp\is-T1SK8.tmp\idp.dll

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 4, 2021, 2:41 p.m.	thread_identifier: 2088 thread_handle: 0x00000478 process_identifier: 2084 current_directory: C:\a26b2ef62474b6e3da4af3 filepath: C:\a26b2ef62474b6e3da4af3\SetupUtility.exe track: 1 command_line: SetupUtility.exe /aupause filepath_r: C:\a26b2ef62474b6e3da4af3\SetupUtility.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000468	1	1
CreateProcessInternalW Nov. 4, 2021, 2:41 p.m.	thread_identifier: 2336 thread_handle: 0x00000478 process_identifier: 2332 current_directory: C:\a26b2ef62474b6e3da4af3 filepath: C:\a26b2ef62474b6e3da4af3\SetupUtility.exe track: 1 command_line: SetupUtility.exe /screboot filepath_r: C:\a26b2ef62474b6e3da4af3\SetupUtility.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000468	1	1
CreateProcessInternalW Nov. 4, 2021, 2:41 p.m.	thread_identifier: 2524 thread_handle: 0x00000424 process_identifier: 2520 current_directory: C:\a26b2ef62474b6e3da4af3 filepath: C:\a26b2ef62474b6e3da4af3\TMPC2AA.tmp.exe track: 1 command_line: TMPC2AA.tmp.exe /Q /X:C:\a26b2ef62474b6e3da4af3\TMPC2AA.tmp.exe.tmp filepath_r: C:\a26b2ef62474b6e3da4af3\TMPC2AA.tmp.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000464	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Nov. 4, 2021, 2:41 p.m.	snapshot_handle: 0x0000013c process_name: setup.exe process_identifier: 2536	1	1	0
Process32NextW Nov. 4, 2021, 2:41 p.m.	snapshot_handle: 0x0000013c process_name: FarLabUninstaller.exe process_identifier: 2744	1	1	0

File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)

MicroWorld-eScan	Trojan.GenericKD.37941357
FireEye	Trojan.GenericKD.37941357
APEX	Malicious
Webroot	W32.Adware.Gen
GData	Trojan.GenericKD.37941357
MAX	malware (ai score=80)

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 4, 2021, 2:41 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process setup.tmp (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Nov. 4, 2021, 2:41 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEd»mé`ð"j ¶@E@°\|E`(" ´P 7à _$èJÜ0Uh- .textfh j `.rdataõ ön @@.dataS d @À.pdata _à `r @@.00cfg@Ò @@.rsrc 7P8Ô @@.relocÜ@B request_handle: 0x00cc000c	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (17 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 4, 2021, 2:42 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 2:42 p.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 2:42 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 2:42 p.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 2:42 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 2:42 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 2:42 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 2:42 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 2:42 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 2:42 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 2:42 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 2:42 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 2:42 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 2:42 p.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 2:42 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 2:42 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 2:42 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (2 events)

process	setup.exe
process	ndp472-kb4054531-web.exe

Queries for potentially installed applications (4 events)

Time & API	Arguments	Return
RegOpenKeyExA Nov. 4, 2021, 2:41 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\FarLabUninstaller.exe_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FarLabUninstaller.exe_is1	2
RegOpenKeyExA Nov. 4, 2021, 2:41 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\FarLabUninstaller.exe_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FarLabUninstaller.exe_is1	2
RegOpenKeyExA Nov. 4, 2021, 2:41 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\FarLabUninstaller.exe_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FarLabUninstaller.exe_is1	2
RegOpenKeyExA Nov. 4, 2021, 2:41 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\FarLabUninstaller.exe_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FarLabUninstaller.exe_is1	2

One or more of the buffers contains an embedded PE file (8 events)

buffer	Buffer with sha1: f0d9ee317bff2816035b8c4f3a022bdfb302d512
buffer	Buffer with sha1: f1711cd272f102b3372efe838f01b9aa6dcdc6c6
buffer	Buffer with sha1: f3ecb31a629a33aef8c95b785c110ac209a2ec6b
buffer	Buffer with sha1: 36da20bccaf2dc8b3c4da28914bbb25210ffd86c
buffer	Buffer with sha1: 27ffb8be57720393a1ce3f8c316642f579589d1d
buffer	Buffer with sha1: f8fc9041365eadb9ec289a307f5e5e9c948e11bd
buffer	Buffer with sha1: cb211eb831ca06d2929d3a5eb5b35e7dd7a0165a
buffer	Buffer with sha1: 6ce0c0cea7083d1cfeaad590c755b2b736c48d8a

Connects to an IRC server, possibly part of a botnet

Communicates with host for which no DNS query was performed (3 events)

host	104.75.21.121
host	121.254.136.16
host	34.117.59.81

Attempts to create or modify system certificates (2 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5\Blob
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob

Putty Files, Registry Keys and/or Mutexes Detected

setup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All