Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 6, 2021, 5:34 a.m.	Nov. 6, 2021, 5:37 a.m.

Size	457.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`709e4bfe015ece74ba2f90752f1c1164`
SHA256	`9b330d7718e44c18fb3d5d131809e59b8d1fac3d9985fe0f1daae36ffaebae35`
CRC32	`C3DF6135`
ssdeep	`12288:ZMKDtd6b3Dmu2azldXhI7Rzf7KhUDllCPOg:iKWD/u7wUZUPOg`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

inCFxdZ2eOW7KAW.exe "C:\Users\test22\AppData\Local\Temp\inCFxdZ2eOW7KAW.exe"
2796
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BVCRBDjhUQcWc" /XML "C:\Users\test22\AppData\Local\Temp\tmp6107.tmp"
  2068

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
66.154.113.12	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 6, 2021, 5:35 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 6, 2021, 5:34 a.m.			0	0
IsDebuggerPresent Nov. 6, 2021, 5:34 a.m.			0	0
IsDebuggerPresent Nov. 6, 2021, 5:34 a.m.			0	0
IsDebuggerPresent Nov. 6, 2021, 5:34 a.m.			0	0
IsDebuggerPresent Nov. 6, 2021, 5:34 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Nov. 6, 2021, 5:35 a.m.	buffer: SUCCESS: The scheduled task "Updates\BVCRBDjhUQcWc" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (12 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 6, 2021, 5:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00515118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 6, 2021, 5:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00515118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 6, 2021, 5:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00515118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 6, 2021, 5:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00515118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 6, 2021, 5:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00515198 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 6, 2021, 5:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00515198 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 6, 2021, 5:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00515098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 6, 2021, 5:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00515098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 6, 2021, 5:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00515098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 6, 2021, 5:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00515098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 6, 2021, 5:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00515098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 6, 2021, 5:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00515098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 6, 2021, 5:34 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (31 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2021, 5:34 a.m.	process_identifier: 2796 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ebe2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00851000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00852000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00853000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00854000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00855000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00856000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00857000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00858000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00859000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0085a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0085b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2796 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0085c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2796 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0085e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\BVCRBDjhUQcWc.exe

Creates a suspicious process (2 events)

cmdline	schtasks.exe /Create /TN "Updates\BVCRBDjhUQcWc" /XML "C:\Users\test22\AppData\Local\Temp\tmp6107.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BVCRBDjhUQcWc" /XML "C:\Users\test22\AppData\Local\Temp\tmp6107.tmp"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\BVCRBDjhUQcWc.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 6, 2021, 5:35 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\BVCRBDjhUQcWc" /XML "C:\Users\test22\AppData\Local\Temp\tmp6107.tmp" filepath: schtasks.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00070800', u'virtual_address': u'0x00002000', u'entropy': 7.634662559302074, u'name': u'.text', u'virtual_size': u'0x00070618'}

entropy

7.6346625593

description

A section with a high entropy has been found

entropy

0.985761226725

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 6, 2021, 5:35 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://schemas.openxmlformats.org/markup-compatibility/2006

Yara rule detected in process memory (10 events)

description	task schedule	rule	schtasks_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (6 events)

Time & API	Arguments	Status
NtTerminateProcess Nov. 6, 2021, 5:35 a.m.	status_code: 0xffffffff process_identifier: 788 process_handle: 0x000003b8
NtTerminateProcess Nov. 6, 2021, 5:35 a.m.	status_code: 0xffffffff process_identifier: 788 process_handle: 0x000003b8	1
NtTerminateProcess Nov. 6, 2021, 5:35 a.m.	status_code: 0xffffffff process_identifier: 2160 process_handle: 0x000003f8
NtTerminateProcess Nov. 6, 2021, 5:35 a.m.	status_code: 0xffffffff process_identifier: 2160 process_handle: 0x000003f8	1
NtTerminateProcess Nov. 6, 2021, 5:35 a.m.	status_code: 0xffffffff process_identifier: 2196 process_handle: 0x000003fc
NtTerminateProcess Nov. 6, 2021, 5:35 a.m.	status_code: 0xffffffff process_identifier: 2196 process_handle: 0x000003fc	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks.exe /Create /TN "Updates\BVCRBDjhUQcWc" /XML "C:\Users\test22\AppData\Local\Temp\tmp6107.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BVCRBDjhUQcWc" /XML "C:\Users\test22\AppData\Local\Temp\tmp6107.tmp"

Communicates with host for which no DNS query was performed (1 event)

host

66.154.113.12

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 788 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003b0		3221225496
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2160 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a8		3221225496
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2196 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003f0		3221225496
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2232 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e4	1	0

Manipulates memory of a non-child process indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2796 manipulating memory of non-child process 788
Process injection	Process 2796 manipulating memory of non-child process 2160
Process injection	Process 2796 manipulating memory of non-child process 2196
Process injection	Process 2796 manipulating memory of non-child process 2232
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 788 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003b0		3221225496	0
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2160 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a8		3221225496	0
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2196 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003f0		3221225496	0
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2232 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e4	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2796 injected into non-child 2232
WriteProcessMemory Nov. 6, 2021, 5:35 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à¨ >Ç à@ @ìÆOàÿ H.textD§ ¨ `.rsrcÿàª@@.reloc²@B base_address: 0x00400000 process_identifier: 2232 process_handle: 0x000003e4	1	1	0
WriteProcessMemory Nov. 6, 2021, 5:35 a.m.	buffer: P8h àÌlãÌ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.02 InternalNameStub.exe&LegalCopyrightLegalTrademarks: OriginalFilenameStub.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> base_address: 0x0040e000 process_identifier: 2232 process_handle: 0x000003e4	1	1	0
WriteProcessMemory Nov. 6, 2021, 5:35 a.m.	buffer: À@7 base_address: 0x00410000 process_identifier: 2232 process_handle: 0x000003e4	1	1	0
WriteProcessMemory Nov. 6, 2021, 5:35 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2232 process_handle: 0x000003e4	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2796 injected into non-child 2232
WriteProcessMemory Nov. 6, 2021, 5:35 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à¨ >Ç à@ @ìÆOàÿ H.textD§ ¨ `.rsrcÿàª@@.reloc²@B base_address: 0x00400000 process_identifier: 2232 process_handle: 0x000003e4	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2796 called NtSetContextThread to modify thread in remote process 2232
NtSetContextThread Nov. 6, 2021, 5:35 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245310 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003fc process_identifier: 2232	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2796 resumed a thread in remote process 2232
NtResumeThread Nov. 6, 2021, 5:35 a.m.	thread_handle: 0x000003fc suspend_count: 1 process_identifier: 2232	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

66.154.113.12:7707

Executed a process and injected code into it, probably while unpacking (25 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 6, 2021, 5:34 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2796	1	0
NtResumeThread Nov. 6, 2021, 5:34 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2796	1	0
NtResumeThread Nov. 6, 2021, 5:34 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2796	1	0
NtResumeThread Nov. 6, 2021, 5:35 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2796	1	0
CreateProcessInternalW Nov. 6, 2021, 5:35 a.m.	thread_identifier: 2076 thread_handle: 0x000003f0 process_identifier: 2068 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BVCRBDjhUQcWc" /XML "C:\Users\test22\AppData\Local\Temp\tmp6107.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003f8	1	1
CreateProcessInternalW Nov. 6, 2021, 5:35 a.m.	thread_identifier: 2148 thread_handle: 0x000003b4 process_identifier: 788 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\inCFxdZ2eOW7KAW.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\inCFxdZ2eOW7KAW.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003b0	1	1
NtGetContextThread Nov. 6, 2021, 5:35 a.m.	thread_handle: 0x000003b4	1	0
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 788 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003b0		3221225496
CreateProcessInternalW Nov. 6, 2021, 5:35 a.m.	thread_identifier: 900 thread_handle: 0x000003b8 process_identifier: 2160 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\inCFxdZ2eOW7KAW.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\inCFxdZ2eOW7KAW.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003a8	1	1
NtGetContextThread Nov. 6, 2021, 5:35 a.m.	thread_handle: 0x000003b8	1	0
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2160 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a8		3221225496
CreateProcessInternalW Nov. 6, 2021, 5:35 a.m.	thread_identifier: 2188 thread_handle: 0x000003f8 process_identifier: 2196 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\inCFxdZ2eOW7KAW.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\inCFxdZ2eOW7KAW.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003f0	1	1
NtGetContextThread Nov. 6, 2021, 5:35 a.m.	thread_handle: 0x000003f8	1	0
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2196 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003f0		3221225496
CreateProcessInternalW Nov. 6, 2021, 5:35 a.m.	thread_identifier: 2236 thread_handle: 0x000003fc process_identifier: 2232 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\inCFxdZ2eOW7KAW.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\inCFxdZ2eOW7KAW.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003e4	1	1
NtGetContextThread Nov. 6, 2021, 5:35 a.m.	thread_handle: 0x000003fc	1	0
NtAllocateVirtualMemory Nov. 6, 2021, 5:35 a.m.	process_identifier: 2232 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e4	1	0
WriteProcessMemory Nov. 6, 2021, 5:35 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à¨ >Ç à@ @ìÆOàÿ H.textD§ ¨ `.rsrcÿàª@@.reloc²@B base_address: 0x00400000 process_identifier: 2232 process_handle: 0x000003e4	1	1
WriteProcessMemory Nov. 6, 2021, 5:35 a.m.	buffer: base_address: 0x00402000 process_identifier: 2232 process_handle: 0x000003e4	1	1
WriteProcessMemory Nov. 6, 2021, 5:35 a.m.	buffer: P8h àÌlãÌ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.02 InternalNameStub.exe&LegalCopyrightLegalTrademarks: OriginalFilenameStub.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> base_address: 0x0040e000 process_identifier: 2232 process_handle: 0x000003e4	1	1
WriteProcessMemory Nov. 6, 2021, 5:35 a.m.	buffer: À@7 base_address: 0x00410000 process_identifier: 2232 process_handle: 0x000003e4	1	1
WriteProcessMemory Nov. 6, 2021, 5:35 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2232 process_handle: 0x000003e4	1	1
NtSetContextThread Nov. 6, 2021, 5:35 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245310 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003fc process_identifier: 2232	1	0
NtResumeThread Nov. 6, 2021, 5:35 a.m.	thread_handle: 0x000003fc suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Nov. 6, 2021, 5:35 a.m.	thread_handle: 0x00000414 suspend_count: 1 process_identifier: 2796	1	0

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Lionic	Trojan.MSIL.Agensla.i!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
FireEye	Trojan.GenericKDZ.75883
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	AgentTesla-FCTJ!709E4BFE015E
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.3334034
Sangfor	Riskware.Win32.Agent.ky
K7AntiVirus	Trojan ( 005690671 )
Alibaba	Trojan:Win32/starter.ali1000139
K7GW	Trojan ( 005690671 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Generic.D1286B
Cyren	W32/Trojan.GJV.gen!Eldorado
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of MSIL/Kryptik.ABNI
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKDZ.75883
NANO-Antivirus	Trojan.Win32.Agensla.ixibtx
MicroWorld-eScan	Trojan.GenericKDZ.75883
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Trojan.GenericKDZ.75883
Emsisoft	Trojan.Crypt (A)
Comodo	Malware@#njwikhoh6bnr
DrWeb	Trojan.Inject4.12655
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0DFG21
McAfee-GW-Edition	AgentTesla-FCTJ!709E4BFE015E
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Inject
Jiangmin	Trojan.PSW.MSIL.bscs
Webroot	W32.Malware.Gen
Avira	TR/Kryptik.ocqor
Antiy-AVL	Trojan/Generic.ASMalwS.33ADAD9
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Downloader.oa!s1
Microsoft	Trojan:MSIL/AgentTesla.BFF!MTB
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	MSIL.Trojan-Stealer.NegaSteal.A
AhnLab-V3	Trojan/Win.AgentTesla.C4528112
VBA32	TScope.Trojan.MSIL
ALYac	Trojan.GenericKDZ.75883
MAX	malware (ai score=100)
Malwarebytes	Trojan.MalPack.FVTN
TrendMicro-HouseCall	TROJ_GEN.R002C0DFG21
Yandex	Trojan.Kryptik!YJ+CGhJM66Q
SentinelOne	Static AI - Suspicious PE

inCFxdZ2eOW7KAW.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All