Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 5, 2021, 9:07 a.m.	Nov. 5, 2021, 9:36 a.m.

Size	2.4MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`82ec554886de723258094e5509e76556`
SHA256	`a317a113323b23a88ff7c1cf2feb4d66d3d68662c3f74192957a3bfc8133851d`
CRC32	`23C55FFD`
ssdeep	`49152:RGXcX9DSGcuKLl1ElcG/lQbJWojvhuam:ucNOGcuIYlj/4HjJJm`
PDB Path	wextract.pdb
Yara	IsPE64 - (no description) Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet

clp_wsfmvg.exe "C:\Users\test22\AppData\Local\Temp\clp_wsfmvg.exe"
2768
- wsfmvg.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\wsfmvg.exe
  2136
  - wsfmvg.exe "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\wsfmvg.exe"
    2284
    - schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
      196

Name	Response	Post-Analysis Lookup
www.google.com	A 216.58.200.68	172.217.31.132

IP Address	Status	Action
13.107.21.200	Active	Moloch
164.124.101.2	Active	Moloch
216.58.200.68	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 13.107.21.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 216.58.200.68:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 13.107.21.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=www.bing.com	af:e3:17:ed:18:4a:d9:1c:24:8a:89:d5:ac:11:b3:27:96:02:37:c8
TLSv1 192.168.56.101:49167 216.58.200.68:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	5e:4b:8f:b5:bf:60:fd:ba:f1:72:07:9b:d3:3a:35:d8:d0:3b:75:57

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 5, 2021, 9:07 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Nov. 5, 2021, 9:07 a.m.	buffer: SUCCESS: The scheduled task "Azure-Update-Task" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008dd888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008dd708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008dd708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 5, 2021, 9:07 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://www.google.com/
suspicious_features	GET method with no useragent header				suspicious_request	GET https://www.bing.com/

Performs some HTTP requests (2 events)

request	GET https://www.google.com/
request	GET https://www.bing.com/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 116 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02250000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00811000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00818000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00819000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 704512 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 372736 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0029e000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00861000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00862000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00863000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00864000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00865000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00866000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0499f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\wsfmvg.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\wsfmvg.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Nov. 5, 2021, 9:07 a.m.	thread_identifier: 152 thread_handle: 0x000000ac process_identifier: 196 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 5, 2021, 9:07 a.m.	flags: 1158 family: 0	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	task schedule	rule	schtasks_Zero
description	[m] Generic Malware	rule	Generic_Malware_Zero_m
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"

Communicates with host for which no DNS query was performed (1 event)

host

13.107.21.200

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2284 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000680		3221225496	0
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2284 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000680	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Nov. 5, 2021, 9:07 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

wsfmvg.exe tried to sleep 5456334 seconds, actually delayed analysis time by 5456334 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

reg_value

rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\wsfmvg.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\wsfmvg.exe

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $õvì±¿±¿±¿ê¾´¿±¿»¿é ¾µ¿é ¾°¿Rich±¿PELC÷Maà+ 0@`@=<Pp0<800.textæ `.rdata>0@@.data`@@À.relocpP(@B base_address: 0x000f0000 process_identifier: 2284 process_handle: 0x00000680	1	1
WriteProcessMemory Nov. 5, 2021, 9:07 a.m.	buffer: 0 0 0&0.030:0C0H0Q0V0^0c0k0p0y0~00000¤0©0¯0µ0º0À0Æ0Ë0Ñ0×0Ü0â0è0í0ó0ù0þ01 1111#1)1/141:1@1E1K1Q1V1]1b1i1n1t1z111111¡1¦1¬1²1·1½1Ã1È1Ï1×1Ý1ã1ë1ò1÷1ý122222 2%2+21262<2B2G2M2S2X2^2d2k222¨2µ2Â2Ô2Ù2æ2ú2!343Q3a3q3v333ª3Í3Ó3â3ñ3ú344±4/5H5T5³5À5Í5Ú5ï5N6[6h6u66(757B7O777£7°7¼7É7â7õ7 8/8=8J8W8c8p888À8Í8Ú8ó89-9:9G9`9r9999©9¶9Ï9ä9ò9ÿ9::%:>:J:}:::°:É:â:û:;-;F;_;x;;·;Ð;Ü;<<<+<8<Q<]<\|<<<¥<²<Ë<Ú<ö<===,=E=Z=h=u====´=È=Ö=ã=ð=ÿ=>%>1>u>>>ª>·>Ä>Ó>à>ù>?b?{??§?®?¸?À?Ê?Ó?Ù?à?õ? 4000"0:0D0J0Y0z00ð0&1O1j1s111H2U2f22¼204Ü;à;ä;è;ì;ð;ô;ø;ü;<<<<<<<< <$<(<,< base_address: 0x000f5000 process_identifier: 2284 process_handle: 0x00000680	1	1
WriteProcessMemory Nov. 5, 2021, 9:07 a.m.	buffer: base_address: 0x7efde008 process_identifier: 2284 process_handle: 0x00000680	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $õvì±¿±¿±¿ê¾´¿±¿»¿é ¾µ¿é ¾°¿Rich±¿PELC÷Maà+ 0@`@=<Pp0<800.textæ `.rdata>0@@.data`@@À.relocpP(@B base_address: 0x000f0000 process_identifier: 2284 process_handle: 0x00000680	1	1	0

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

Lionic	Trojan.Multi.GenericML.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Heur.Crifi.Gen.1
FireEye	Generic.mg.82ec554886de7232
McAfee	Artemis!82EC554886DE
Cylance	Unsafe
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/Packed.VMProtect.C suspicious
Kaspersky	Trojan.Win32.Tasker.audg
Avast	FileRepMetagen [Malware]
Sophos	Mal/Generic-S
eGambit	Unsafe.AI_Score_99%
Antiy-AVL	Generic/Generic.APUnArc.1
Kingsoft	Win32.Troj.Tasker.au.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
AVG	FileRepMetagen [Malware]
CrowdStrike	win/malicious_confidence_80% (W)

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2136 called NtSetContextThread to modify thread in remote process 2284
NtSetContextThread Nov. 5, 2021, 9:07 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4202539 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000067c process_identifier: 2284	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\wsfmvg.exe\:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2136 resumed a thread in remote process 2284
NtResumeThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x0000067c suspend_count: 1 process_identifier: 2284	1	0	0

Executed a process and injected code into it, probably while unpacking (30 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 5, 2021, 9:07 a.m.	thread_identifier: 2132 thread_handle: 0x000000000000000c process_identifier: 2136 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\wsfmvg.exe filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000000000000060	1	1
NtResumeThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2136	1	0
NtResumeThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2136	1	0
NtResumeThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2136	1	0
NtResumeThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2136	1	0
NtGetContextThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x000000ec	1	0
NtGetContextThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x000000ec	1	0
NtResumeThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x000000ec suspend_count: 1 process_identifier: 2136	1	0
NtResumeThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x000003dc suspend_count: 1 process_identifier: 2136	1	0
NtResumeThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x00000630 suspend_count: 1 process_identifier: 2136	1	0
NtGetContextThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x000000ec	1	0
NtGetContextThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x000000ec	1	0
NtResumeThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x000000ec suspend_count: 1 process_identifier: 2136	1	0
NtGetContextThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x000000ec	1	0
NtGetContextThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x000000ec	1	0
NtResumeThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x000000ec suspend_count: 1 process_identifier: 2136	1	0
NtResumeThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x00000664 suspend_count: 1 process_identifier: 2136	1	0
NtResumeThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x00000678 suspend_count: 1 process_identifier: 2136	1	0
CreateProcessInternalW Nov. 5, 2021, 9:07 a.m.	thread_identifier: 2304 thread_handle: 0x0000067c process_identifier: 2284 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\wsfmvg.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\wsfmvg.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\wsfmvg.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000680	1	1
NtGetContextThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x0000067c	1	0
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2284 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000680		3221225496
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2284 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000680	1	0
WriteProcessMemory Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $õvì±¿±¿±¿ê¾´¿±¿»¿é ¾µ¿é ¾°¿Rich±¿PELC÷Maà+ 0@`@=<Pp0<800.textæ `.rdata>0@@.data`@@À.relocpP(@B base_address: 0x000f0000 process_identifier: 2284 process_handle: 0x00000680	1	1
WriteProcessMemory Nov. 5, 2021, 9:07 a.m.	buffer: base_address: 0x000f1000 process_identifier: 2284 process_handle: 0x00000680	1	1
WriteProcessMemory Nov. 5, 2021, 9:07 a.m.	buffer: base_address: 0x000f3000 process_identifier: 2284 process_handle: 0x00000680	1	1
WriteProcessMemory Nov. 5, 2021, 9:07 a.m.	buffer: 0 0 0&0.030:0C0H0Q0V0^0c0k0p0y0~00000¤0©0¯0µ0º0À0Æ0Ë0Ñ0×0Ü0â0è0í0ó0ù0þ01 1111#1)1/141:1@1E1K1Q1V1]1b1i1n1t1z111111¡1¦1¬1²1·1½1Ã1È1Ï1×1Ý1ã1ë1ò1÷1ý122222 2%2+21262<2B2G2M2S2X2^2d2k222¨2µ2Â2Ô2Ù2æ2ú2!343Q3a3q3v333ª3Í3Ó3â3ñ3ú344±4/5H5T5³5À5Í5Ú5ï5N6[6h6u66(757B7O777£7°7¼7É7â7õ7 8/8=8J8W8c8p888À8Í8Ú8ó89-9:9G9`9r9999©9¶9Ï9ä9ò9ÿ9::%:>:J:}:::°:É:â:û:;-;F;_;x;;·;Ð;Ü;<<<+<8<Q<]<\|<<<¥<²<Ë<Ú<ö<===,=E=Z=h=u====´=È=Ö=ã=ð=ÿ=>%>1>u>>>ª>·>Ä>Ó>à>ù>?b?{??§?®?¸?À?Ê?Ó?Ù?à?õ? 4000"0:0D0J0Y0z00ð0&1O1j1s111H2U2f22¼204Ü;à;ä;è;ì;ð;ô;ø;ü;<<<<<<<< <$<(<,< base_address: 0x000f5000 process_identifier: 2284 process_handle: 0x00000680	1	1
WriteProcessMemory Nov. 5, 2021, 9:07 a.m.	buffer: base_address: 0x7efde008 process_identifier: 2284 process_handle: 0x00000680	1	1
NtSetContextThread Nov. 5, 2021, 9:07 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4202539 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000067c process_identifier: 2284	1	0
NtResumeThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x0000067c suspend_count: 1 process_identifier: 2284	1	0
CreateProcessInternalW Nov. 5, 2021, 9:07 a.m.	thread_identifier: 152 thread_handle: 0x000000ac process_identifier: 196 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1

clp_wsfmvg.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All