Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 25, 2022, 9:28 a.m.	May 25, 2022, 9:30 a.m.

Size	869.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`1d43452837e9f7c03353b92a317fef5f`
SHA256	`dc5a63b06f0be5f96267b2ebfe28a4e7644de021cce402dd666f7454233bd96b`
CRC32	`71963EDB`
ssdeep	`12288:mB2NwpmtBTeVDpsBnCUzuVBf6Oz57p7WNvpUM3ak/NR:mQtBUsBnDzhOz57p7UpjnN`
PDB Path	C:\Users\Administrator\Desktop\Client\Temp\rotvdVyXdk\src\obj\x86\Debug\ContextF.pdb
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

XUY.exe "C:\Users\test22\AppData\Local\Temp\XUY.exe"
2324
- XUY.exe "C:\Users\test22\AppData\Local\Temp\XUY.exe"
  2720
  - schtasks.exe "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp19FB.tmp"
    2860
  - schtasks.exe "schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp1B25.tmp"
    2932

Name	Response	Post-Analysis Lookup
xp230522.ddns.net	A 37.0.8.138	37.0.8.138

IP Address	Status	Action
37.0.8.138	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:60117 -> 8.8.8.8:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 37.0.8.138:1990	2025019	ET MALWARE Possible NanoCore C2 60B	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 37.0.8.138:1990	2025019	ET MALWARE Possible NanoCore C2 60B	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 25, 2022, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2022, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2022, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2022, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2022, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2022, 9:29 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 25, 2022, 9:28 a.m.			0	0
IsDebuggerPresent May 25, 2022, 9:28 a.m.			0	0
IsDebuggerPresent May 25, 2022, 9:29 a.m.			0	0
IsDebuggerPresent May 25, 2022, 9:29 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 25, 2022, 9:29 a.m.	buffer: SUCCESS: The scheduled task "SMTP Host" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW May 25, 2022, 9:29 a.m.	buffer: SUCCESS: The scheduled task "SMTP Host Task" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\Desktop\Client\Temp\rotvdVyXdk\src\obj\x86\Debug\ContextF.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 25, 2022, 9:28 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

xp230522.ddns.net

Allocates read-write-execute memory (usually to unpack itself) (50 out of 95 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73942000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02130000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00647000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:28 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00861000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00862000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00863000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00864000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2324 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00865000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0086b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0086c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0232f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2324 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00382000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates a suspicious process (2 events)

cmdline	"schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp19FB.tmp"
cmdline	"schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp1B25.tmp"

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 25, 2022, 9:29 a.m.	thread_identifier: 2864 thread_handle: 0x0000028c process_identifier: 2860 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp19FB.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000290	1	1	0
CreateProcessInternalW May 25, 2022, 9:29 a.m.	thread_identifier: 2936 thread_handle: 0x0000028c process_identifier: 2932 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp1B25.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002c0	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000d8400', u'virtual_address': u'0x00002000', u'entropy': 7.456411253187155, u'name': u'.text', u'virtual_size': u'0x000d8060'}

entropy

7.45641125319

description

A section with a high entropy has been found

entropy

0.996543778802

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 25, 2022, 9:29 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 25, 2022, 9:29 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (6 events)

Time & API	Arguments	Status
NtTerminateProcess May 25, 2022, 9:29 a.m.	status_code: 0xffffffff process_identifier: 2612 process_handle: 0x00000250
NtTerminateProcess May 25, 2022, 9:29 a.m.	status_code: 0xffffffff process_identifier: 2612 process_handle: 0x00000250	1
NtTerminateProcess May 25, 2022, 9:29 a.m.	status_code: 0xffffffff process_identifier: 2648 process_handle: 0x0000025c
NtTerminateProcess May 25, 2022, 9:29 a.m.	status_code: 0xffffffff process_identifier: 2648 process_handle: 0x0000025c	1
NtTerminateProcess May 25, 2022, 9:29 a.m.	status_code: 0xffffffff process_identifier: 2684 process_handle: 0x00000264
NtTerminateProcess May 25, 2022, 9:29 a.m.	status_code: 0xffffffff process_identifier: 2684 process_handle: 0x00000264	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp19FB.tmp"
cmdline	"schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp1B25.tmp"

One or more of the buffers contains an embedded PE file (14 events)

buffer	Buffer with sha1: 9420a2004c14c4a5e31290936a07bd58dcaa15b3
buffer	Buffer with sha1: 636b8187f0cb59d43c9ee1eedf144043941b62d9
buffer	Buffer with sha1: 4380fb6de89a7776d52214359ce213d24a2239ad
buffer	Buffer with sha1: c19d9db351af75fec019fe76506a455eba7fd168
buffer	Buffer with sha1: c1ef2ca62189121934d1a7944ef1bdc1aa319877
buffer	Buffer with sha1: 063fb8b27c0872c54bff35e2b76d8f522e13f8b4
buffer	Buffer with sha1: 925c5236c59dd8f3efea4b3e091ef735b405a880
buffer	Buffer with sha1: c54e7c5cac5fac68dc564ce64355d948422bf1ce
buffer	Buffer with sha1: dcdec0ea839844e977c1151d2eeedbb0788a34b1
buffer	Buffer with sha1: 0c6598a0a37eaf12ce188fa66bc6c5db394af8a4
buffer	Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer	Buffer with sha1: efa4948abb218e47d809bedd1aff08cfb76d40e1
buffer	Buffer with sha1: 1b68e773e3522fa8edc7cb20d7c7f156b08ec73a
buffer	Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2612 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240		3221225496
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2648 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000254		3221225496
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2684 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258		3221225496
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000260	1	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation May 25, 2022, 9:29 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

XUY.exe tried to sleep 3655738964 seconds, actually delayed analysis time by 3655738964 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Host

reg_value

C:\Program Files (x86)\SMTP Host\smtphost.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmp19FB.tmp

Manipulates memory of a non-child process indicative of process injection (6 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2324 manipulating memory of non-child process 2612
Process injection	Process 2324 manipulating memory of non-child process 2648
Process injection	Process 2324 manipulating memory of non-child process 2684
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2612 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240	3221225496	0
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2648 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000254	3221225496	0
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2684 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	3221225496	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 25, 2022, 9:29 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW À_ H.textÇ È `.relocÊ@B.rsrcÀ_ `Ì@@ base_address: 0x00400000 process_identifier: 2720 process_handle: 0x00000260	1	1
WriteProcessMemory May 25, 2022, 9:29 a.m.	buffer: à7 base_address: 0x00420000 process_identifier: 2720 process_handle: 0x00000260	1	1
WriteProcessMemory May 25, 2022, 9:29 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2720 process_handle: 0x00000260	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 25, 2022, 9:29 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW À_ H.textÇ È `.relocÊ@B.rsrcÀ_ `Ì@@ base_address: 0x00400000 process_identifier: 2720 process_handle: 0x00000260	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2324 called NtSetContextThread to modify thread in remote process 2720
NtSetContextThread May 25, 2022, 9:29 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000264 process_identifier: 2720	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\XUY.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2324 resumed a thread in remote process 2720
NtResumeThread May 25, 2022, 9:29 a.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2720	1	0	0

Executed a process and injected code into it, probably while unpacking (40 events)

Time & API	Arguments	Status	Return
NtResumeThread May 25, 2022, 9:28 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread May 25, 2022, 9:28 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread May 25, 2022, 9:28 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2324	1	0
CreateProcessInternalW May 25, 2022, 9:29 a.m.	thread_identifier: 2616 thread_handle: 0x0000023c process_identifier: 2612 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\XUY.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\XUY.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000240	1	1
NtGetContextThread May 25, 2022, 9:29 a.m.	thread_handle: 0x0000023c	1	0
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2612 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240		3221225496
CreateProcessInternalW May 25, 2022, 9:29 a.m.	thread_identifier: 2652 thread_handle: 0x00000250 process_identifier: 2648 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\XUY.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\XUY.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000254	1	1
NtGetContextThread May 25, 2022, 9:29 a.m.	thread_handle: 0x00000250	1	0
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2648 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000254		3221225496
CreateProcessInternalW May 25, 2022, 9:29 a.m.	thread_identifier: 2688 thread_handle: 0x0000025c process_identifier: 2684 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\XUY.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\XUY.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000258	1	1
NtGetContextThread May 25, 2022, 9:29 a.m.	thread_handle: 0x0000025c	1	0
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2684 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258		3221225496
CreateProcessInternalW May 25, 2022, 9:29 a.m.	thread_identifier: 2724 thread_handle: 0x00000264 process_identifier: 2720 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\XUY.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\XUY.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000260	1	1
NtGetContextThread May 25, 2022, 9:29 a.m.	thread_handle: 0x00000264	1	0
NtAllocateVirtualMemory May 25, 2022, 9:29 a.m.	process_identifier: 2720 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000260	1	0
WriteProcessMemory May 25, 2022, 9:29 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW À_ H.textÇ È `.relocÊ@B.rsrcÀ_ `Ì@@ base_address: 0x00400000 process_identifier: 2720 process_handle: 0x00000260	1	1
WriteProcessMemory May 25, 2022, 9:29 a.m.	buffer: base_address: 0x00402000 process_identifier: 2720 process_handle: 0x00000260	1	1
WriteProcessMemory May 25, 2022, 9:29 a.m.	buffer: à7 base_address: 0x00420000 process_identifier: 2720 process_handle: 0x00000260	1	1
WriteProcessMemory May 25, 2022, 9:29 a.m.	buffer: base_address: 0x00422000 process_identifier: 2720 process_handle: 0x00000260	1	1
WriteProcessMemory May 25, 2022, 9:29 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2720 process_handle: 0x00000260	1	1
NtSetContextThread May 25, 2022, 9:29 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000264 process_identifier: 2720	1	0
NtResumeThread May 25, 2022, 9:29 a.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread May 25, 2022, 9:29 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread May 25, 2022, 9:29 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread May 25, 2022, 9:29 a.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 2720	1	0
CreateProcessInternalW May 25, 2022, 9:29 a.m.	thread_identifier: 2864 thread_handle: 0x0000028c process_identifier: 2860 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp19FB.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000290	1	1
CreateProcessInternalW May 25, 2022, 9:29 a.m.	thread_identifier: 2936 thread_handle: 0x0000028c process_identifier: 2932 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp1B25.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002c0	1	1
NtResumeThread May 25, 2022, 9:29 a.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread May 25, 2022, 9:29 a.m.	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread May 25, 2022, 9:29 a.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread May 25, 2022, 9:29 a.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread May 25, 2022, 9:29 a.m.	thread_handle: 0x000003b0 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread May 25, 2022, 9:29 a.m.	thread_handle: 0x000003d4 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread May 25, 2022, 9:29 a.m.	thread_handle: 0x000003f4 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread May 25, 2022, 9:29 a.m.	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread May 25, 2022, 9:29 a.m.	thread_handle: 0x00000470 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread May 25, 2022, 9:29 a.m.	thread_handle: 0x00000494 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread May 25, 2022, 9:29 a.m.	thread_handle: 0x000004a8 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread May 25, 2022, 9:30 a.m.	thread_handle: 0x000003dc suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread May 25, 2022, 9:30 a.m.	thread_handle: 0x00000478 suspend_count: 1 process_identifier: 2720	1	0

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Sdum.4!c
MicroWorld-eScan	Gen:Variant.Lazy.187071
ALYac	Gen:Variant.Lazy.187071
Cylance	Unsafe
Alibaba	TrojanSpy:MSIL/Keylogger.01232db4
Arcabit	Trojan.Lazy.D2DABF
Symantec	Scr.Malcode!gdn30
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of MSIL/GenKryptik.FVAV
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Lazy.187071
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Gen:Variant.Lazy.187071
Sophos	Mal/Generic-S
DrWeb	Trojan.Inject4.32383
TrendMicro	TrojanSpy.MSIL.NEGASTEAL.SMG
McAfee-GW-Edition	Artemis!Trojan
FireEye	Gen:Variant.Lazy.187071
Emsisoft	Gen:Variant.Lazy.187071 (B)
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Woreflint.A!cl
GData	Gen:Variant.Lazy.187071
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.NEGASTEAL.C5140957
McAfee	Artemis!1D43452837E9
MAX	malware (ai score=82)
Malwarebytes	Malware.AI.93142303
TrendMicro-HouseCall	TrojanSpy.MSIL.NEGASTEAL.SMG
Ikarus	Win32.Outbreak
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

XUY.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All