Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 5, 2021, 9:11 a.m.	Nov. 5, 2021, 9:14 a.m.

Size	437.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`6af950e3c2e81254bbc9f33f84c919d7`
SHA256	`19e393a62338d6cc292c4aadeab10121a453635fdb5fe291d295a3a6fc6ef712`
CRC32	`771DE2DE`
ssdeep	`12288:6S2aLw2QOGNgExqBR/ZBpwvSkd6k18k1LL+E:H2aLNgKnC/J18k3`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

rundll32.exe "C:\Users\test22\AppData\Local\Temp\rundll32.exe"
2756
- rundll32.exe "C:\Users\test22\AppData\Local\Temp\rundll32.exe"
  2228

Name	Response	Post-Analysis Lookup
www.wolmoda.com	A 75.2.115.196	75.2.115.196
www.esyscoloradosprings.com	CNAME websites076.homestead.com A 108.167.135.122	108.167.135.122
www.ipatchwork.today	CNAME cname.pwastore.com A 34.233.132.165	34.233.132.165
www.sanlifalan.com	A 104.165.34.6	104.165.34.6
www.sophiagunterman.art	A 34.225.31.148 A 35.169.40.107	35.169.40.107
www.tablescaperendezvous4two.com	CNAME tablescaperendezvous4two.com A 34.102.136.180	34.102.136.180
www.fleetton.com	A 44.227.76.166 A 44.227.65.245	44.227.76.166

IP Address	Status	Action
104.165.34.6	Active	Moloch
108.167.135.122	Active	Moloch
164.124.101.2	Active	Moloch
34.102.136.180	Active	Moloch
34.225.31.148	Active	Moloch
34.233.132.165	Active	Moloch
44.227.65.245	Active	Moloch
75.2.115.196	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 108.167.135.122:80 -> 192.168.56.101:49168	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 192.168.56.101:49168 -> 108.167.135.122:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 75.2.115.196:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 108.167.135.122:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 75.2.115.196:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 108.167.135.122:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 75.2.115.196:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 44.227.65.245:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 44.227.65.245:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 44.227.65.245:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 104.165.34.6:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 104.165.34.6:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 104.165.34.6:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 34.233.132.165:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 34.233.132.165:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 34.233.132.165:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 34.225.31.148:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 34.225.31.148:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 34.225.31.148:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 5, 2021, 9:11 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:11 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 5, 2021, 9:11 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.sophiagunterman.art/fqiq/?w2J=xr2hRkHSJ+UsXowxi6McaJRxgcInZTFjwe9eYARVx2PKFNYpXRh/IJY1HCqVtWxffV7QcJh9&tXU8=YP4D1t08
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.fleetton.com/fqiq/?w2J=3MX+rG6tAMAShknpmcjGUKQb8RZ/Wti45jKeFUgZ8Sp9kre80Lf7BCc9gfZkgofTO4Lhy2g7&tXU8=YP4D1t08
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.sanlifalan.com/fqiq/?w2J=prTEVkQv/aIuaJ5tknUsCYHPcHrUQSHWro/2zNHeF4wHPtFNVSB8ZmBi9ORqDWcgPylN7lnN&tXU8=YP4D1t08
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tablescaperendezvous4two.com/fqiq/?w2J=6JOAu55ahQuW4nGm3x3zF3lJbu5eEm2HTNrnzqBc/qIL0noTMPzpzXdnuN9xnnUaregthFw6&tXU8=YP4D1t08
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ipatchwork.today/fqiq/?w2J=4uUO9SnGhH7qrBLLau2QeKM25d/gV3/zp2Vn/jpTz6zTrds8IKqZgGZbt3S1nhaRXztFEuL7&tXU8=YP4D1t08
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.wolmoda.com/fqiq/?w2J=S+cpy0umECTwuTE52eQvldFGZ7uWQHdiwg92XpTlC9HPK4+x2Wa76IO+IolmVoAcN8bu+dPq&tXU8=YP4D1t08

Performs some HTTP requests (6 events)

request	GET http://www.sophiagunterman.art/fqiq/?w2J=xr2hRkHSJ+UsXowxi6McaJRxgcInZTFjwe9eYARVx2PKFNYpXRh/IJY1HCqVtWxffV7QcJh9&tXU8=YP4D1t08
request	GET http://www.fleetton.com/fqiq/?w2J=3MX+rG6tAMAShknpmcjGUKQb8RZ/Wti45jKeFUgZ8Sp9kre80Lf7BCc9gfZkgofTO4Lhy2g7&tXU8=YP4D1t08
request	GET http://www.sanlifalan.com/fqiq/?w2J=prTEVkQv/aIuaJ5tknUsCYHPcHrUQSHWro/2zNHeF4wHPtFNVSB8ZmBi9ORqDWcgPylN7lnN&tXU8=YP4D1t08
request	GET http://www.tablescaperendezvous4two.com/fqiq/?w2J=6JOAu55ahQuW4nGm3x3zF3lJbu5eEm2HTNrnzqBc/qIL0noTMPzpzXdnuN9xnnUaregthFw6&tXU8=YP4D1t08
request	GET http://www.ipatchwork.today/fqiq/?w2J=4uUO9SnGhH7qrBLLau2QeKM25d/gV3/zp2Vn/jpTz6zTrds8IKqZgGZbt3S1nhaRXztFEuL7&tXU8=YP4D1t08
request	GET http://www.wolmoda.com/fqiq/?w2J=S+cpy0umECTwuTE52eQvldFGZ7uWQHdiwg92XpTlC9HPK4+x2Wa76IO+IolmVoAcN8bu+dPq&tXU8=YP4D1t08

Allocates read-write-execute memory (usually to unpack itself) (45 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73472000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73deb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00472000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c9a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70731000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x706c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70684000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x706c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00596000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70491000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70391000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:11 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2756 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2228 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0006ca00', u'virtual_address': u'0x00002000', u'entropy': 7.815973377776827, u'name': u'.text', u'virtual_size': u'0x0006c994'}

entropy

7.81597337778

description

A section with a high entropy has been found

entropy

0.995418098511

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 5, 2021, 9:12 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 5, 2021, 9:12 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Nov. 5, 2021, 9:12 a.m.	status_code: 0xffffffff process_identifier: 2192 process_handle: 0x00000290		0	0
NtTerminateProcess Nov. 5, 2021, 9:12 a.m.	status_code: 0xffffffff process_identifier: 2192 process_handle: 0x00000290	1	0	0

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2192 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000280		3221225496	0
NtAllocateVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2228 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000294	1	0	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2756 manipulating memory of non-child process 2192
NtAllocateVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2192 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000280		3221225496	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 5, 2021, 9:12 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELÕ¥R@à \|°Ô@@.textÌ{\| ` base_address: 0x00400000 process_identifier: 2228 process_handle: 0x00000294	1	1	0
WriteProcessMemory Nov. 5, 2021, 9:12 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2228 process_handle: 0x00000294	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 5, 2021, 9:12 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELÕ¥R@à \|°Ô@@.textÌ{\| ` base_address: 0x00400000 process_identifier: 2228 process_handle: 0x00000294	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2756 called NtSetContextThread to modify thread in remote process 2228
NtSetContextThread Nov. 5, 2021, 9:12 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314288 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000290 process_identifier: 2228	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2756 resumed a thread in remote process 2228
NtResumeThread Nov. 5, 2021, 9:12 a.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2228	1	0	0

Executed a process and injected code into it, probably while unpacking (14 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 5, 2021, 9:11 a.m.	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 2756	1	0
NtResumeThread Nov. 5, 2021, 9:11 a.m.	thread_handle: 0x000001b8 suspend_count: 1 process_identifier: 2756	1	0
NtResumeThread Nov. 5, 2021, 9:11 a.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 2756	1	0
CreateProcessInternalW Nov. 5, 2021, 9:12 a.m.	thread_identifier: 2196 thread_handle: 0x0000027c process_identifier: 2192 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\rundll32.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\rundll32.exe stack_pivoted: 0 creation_flags: 134742020 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000280	1	1
NtGetContextThread Nov. 5, 2021, 9:12 a.m.	thread_handle: 0x0000027c	1	0
NtAllocateVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2192 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000280		3221225496
CreateProcessInternalW Nov. 5, 2021, 9:12 a.m.	thread_identifier: 2232 thread_handle: 0x00000290 process_identifier: 2228 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\rundll32.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\rundll32.exe stack_pivoted: 0 creation_flags: 134742020 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000294	1	1
NtGetContextThread Nov. 5, 2021, 9:12 a.m.	thread_handle: 0x00000290	1	0
NtAllocateVirtualMemory Nov. 5, 2021, 9:12 a.m.	process_identifier: 2228 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000294	1	0
WriteProcessMemory Nov. 5, 2021, 9:12 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELÕ¥R@à \|°Ô@@.textÌ{\| ` base_address: 0x00400000 process_identifier: 2228 process_handle: 0x00000294	1	1
WriteProcessMemory Nov. 5, 2021, 9:12 a.m.	buffer: base_address: 0x00401000 process_identifier: 2228 process_handle: 0x00000294	1	1
WriteProcessMemory Nov. 5, 2021, 9:12 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2228 process_handle: 0x00000294	1	1
NtSetContextThread Nov. 5, 2021, 9:12 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314288 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000290 process_identifier: 2228	1	0
NtResumeThread Nov. 5, 2021, 9:12 a.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2228	1	0

rundll32.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All