Summary | ZeroBOX

dzbg.exe

UPX PE32 PE File
Category: FILE
Machine: s1_win7_x6401
Started: Nov. 7, 2021, 10:16 a.m.
Completed: Nov. 7, 2021, 10:23 a.m.
Size 2.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5805aec9385d2facbda94ba33ee504d2
SHA256 fb6ad7d945d9e0e17e8ac3a5d1bf51fbb3d9afc9bef01b6861ce60053ba3d4b7
CRC32 8A4A4CEB
ssdeep 49152:MePSRUVDniMK3NMOPQtGzIy4oiPTkj/j/97qQf8KEITLJbke8cZLXd:DniMK3NMw0tLkj/j/9usTLNkef
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • themida_packer - themida packer

Domains (Name / Response / Post-Analysis Lookup): No hosts contacted.
IP Addresses (Status / Action): No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: processed file: C:\Users\test22\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Successfully processed 1 files; Failed processing 0 files
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: processed file: C:\Users\test22\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Successfully processed 1 files; Failed processing 0 files
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: processed file: C:\Users\test22\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Successfully processed 1 files; Failed processing 0 files
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section
section .imports
section .themida
section .loadcon
section .boot
section .taggant
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
dzbg+0x2cd49f @ 0x117d49f
dzbg+0x2edf6d @ 0x119df6d

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 6225552
registers.edi: 16416768
registers.eax: 6225552
registers.ebp: 6225632
registers.edx: 4294826996
registers.ebx: 16762551
registers.esi: 2003530795
registers.ecx: 1892941824
1 0 0

__exception__

stacktrace:
exception.instruction_r: ed e9 0c a6 ff ff c3 e9 09 30 fd ff 90 17 8b 79
exception.symbol: dzbg+0x320e14
exception.instruction: in eax, dx
exception.module: dzbg.exe
exception.exception_code: 0xc0000096
exception.offset: 3280404
exception.address: 0x11d0e14
registers.esp: 6225672
registers.edi: 7679230
registers.eax: 1750617430
registers.ebp: 16416768
registers.edx: 22614
registers.ebx: 2147483650
registers.esi: 16457064
registers.ecx: 20
1 0 0

__exception__

stacktrace:
exception.instruction_r: ed e9 6c ee ff ff b4 0c 31 39 28 8c e7 bf 2f 04
exception.symbol: dzbg+0x2fa315
exception.instruction: in eax, dx
exception.module: dzbg.exe
exception.exception_code: 0xc0000096
exception.offset: 3121941
exception.address: 0x11aa315
registers.esp: 6225672
registers.edi: 7679230
registers.eax: 1447909480
registers.ebp: 16416768
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 16457064
registers.ecx: 10
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x776df000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77650000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f6c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f3f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f3f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 196608
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f3f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c02000
process_handle: 0xffffffff
1 0 0
cmdline C:\Windows\system32\cmd.exe /c icacls "C:\Users\test22\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\test22\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\test22\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248" /inheritance:e /deny "test22:(R,REA,RA,RD)"
Time & API Arguments Status Return Repeated

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248\WMVSDECD.exe
flags: 2
oldfilepath_r: C:\Users\test22\AppData\Local\Temp\dzbg.exe
newfilepath: C:\Users\test22\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248\WMVSDECD.exe
oldfilepath: C:\Users\test22\AppData\Local\Temp\dzbg.exe
1 1 0
section {u'size_of_data': u'0x0004ecdb', u'virtual_address': u'0x00001000', u'entropy': 7.983359871411453, u'name': u' ', u'virtual_size': u'0x0008dfdd'} entropy 7.98335987141 description A section with a high entropy has been found
section {u'size_of_data': u'0x0000e622', u'virtual_address': u'0x0008f000', u'entropy': 7.959989070013559, u'name': u' ', u'virtual_size': u'0x0002fd8e'} entropy 7.95998907001 description A section with a high entropy has been found
section {u'size_of_data': u'0x000007eb', u'virtual_address': u'0x000bf000', u'entropy': 7.847001716618583, u'name': u' ', u'virtual_size': u'0x00008f74'} entropy 7.84700171662 description A section with a high entropy has been found
section {u'size_of_data': u'0x00025200', u'virtual_address': u'0x000c8000', u'entropy': 7.948768444610188, u'name': u' ', u'virtual_size': u'0x000251d7'} entropy 7.94876844461 description A section with a high entropy has been found
section {u'size_of_data': u'0x00005d7d', u'virtual_address': u'0x000ee000', u'entropy': 7.954872938134222, u'name': u' ', u'virtual_size': u'0x00007134'} entropy 7.95487293813 description A section with a high entropy has been found
section {u'size_of_data': u'0x001e3000', u'virtual_address': u'0x003e7000', u'entropy': 7.941164160185236, u'name': u'.boot', u'virtual_size': u'0x001e3000'} entropy 7.94116416019 description A section with a high entropy has been found
entropy 0.995174077093 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: File Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Process Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: Registry Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
cmdline icacls "C:\Users\test22\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248" /inheritance:e /deny "test22:(R,REA,RA,RD)"
cmdline icacls "C:\Users\test22\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
cmdline icacls "C:\Users\test22\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
cmdline C:\Windows\system32\cmd.exe /c icacls "C:\Users\test22\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\test22\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\test22\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248" /inheritance:e /deny "test22:(R,REA,RA,RD)"
registry HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 76 (SystemFirmwareTableInformation)
3221225507 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
exception.instruction_r: ed e9 6c ee ff ff b4 0c 31 39 28 8c e7 bf 2f 04
exception.symbol: dzbg+0x2fa315
exception.instruction: in eax, dx
exception.module: dzbg.exe
exception.exception_code: 0xc0000096
exception.offset: 3121941
exception.address: 0x11aa315
registers.esp: 6225672
registers.edi: 7679230
registers.eax: 1447909480
registers.ebp: 16416768
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 16457064
registers.ecx: 10
1 0 0
Elastic malicious (high confidence)
McAfee Artemis!5805AEC9385D
Cylance Unsafe
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Packed.Themida.HJQ
APEX Malicious
Avast FileRepMalware
Kaspersky UDS:Trojan.Win32.Bingoml
NANO-Antivirus Virus.Win32.Gen-Crypt.ccnc
McAfee-GW-Edition Artemis!Trojan
FireEye Generic.mg.5805aec9385d2fac
Sophos ML/PE-A
SentinelOne Static AI - Malicious PE
eGambit PE.Heur.InvalidSig
Gridinsoft Trojan.Heur!.01212031
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Cynet Malicious (score: 100)
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.34266.CYY@aey!3pei
VBA32 BScope.TrojanBanker.Banbra
Yandex Trojan.GenAsa!IIuaU2lPQB8
MaxSecure Trojan.Malware.300983.susgen
AVG FileRepMalware
Cybereason malicious.100ad3
Paloalto generic.ml