Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 9, 2022, 9:46 a.m.	Dec. 9, 2022, 9:50 a.m.

Size	222.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`04eda26f8ffd07ed4a77cb13bb413154`
SHA256	`149a95862f10a14418b51f595cb28c9f80facdb4c21081661bfd490d3b46e857`
CRC32	`C31A7B32`
ssdeep	`3072:4in7bOa6XQhUQrO7Ab3/ZblF+EQeAhz/uxjluRLy:4i7bt6XQeluBh2Duxe+`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

k.exe "C:\Users\test22\AppData\Local\Temp\k.exe"
2576
- k.exe "C:\Users\test22\AppData\Local\Temp\k.exe"
  2704

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 9, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 9, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 9, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 9, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 9, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 9, 2022, 9:46 a.m.			0	0
IsDebuggerPresent Dec. 9, 2022, 9:46 a.m.			0	0
IsDebuggerPresent Dec. 9, 2022, 9:46 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 9, 2022, 9:46 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.gicos
section	.sehiz

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

MAREYUH

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 9, 2022, 9:46 a.m.	stacktrace: 0x8458c5 0x8454f2 CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x722f8dde CoUninitializeEE-0x11ff1 mscorwks+0x193cb @ 0x722f93cb CoUninitializeEE-0x11fb0 mscorwks+0x1940c @ 0x722f940c CoUninitializeEE-0x11f43 mscorwks+0x19479 @ 0x722f9479 CoUninitializeEE-0x8c99 mscorwks+0x22723 @ 0x72302723 CoUninitializeEE-0x8db6 mscorwks+0x22606 @ 0x72302606 DllRegisterServerInternal+0x2560d GetPrivateContextsPerfCounters-0x3208c mscorwks+0x7b873 @ 0x7235b873 getJit+0x10040 mscorjit+0x55176 @ 0x73c25176 getJit-0x42f41 mscorjit+0x21f5 @ 0x73bd21f5 getJit-0x40d85 mscorjit+0x43b1 @ 0x73bd43b1 getJit-0x40c50 mscorjit+0x44e6 @ 0x73bd44e6 getJit-0x40aca mscorjit+0x466c @ 0x73bd466c getJit-0x3fc12 mscorjit+0x5524 @ 0x73bd5524 getJit-0x3fa6b mscorjit+0x56cb @ 0x73bd56cb getJit-0x3f356 mscorjit+0x5de0 @ 0x73bd5de0 CoUninitializeEE+0x8a14 CreateAssemblyNameObject-0x12373 mscorwks+0x33dd0 @ 0x72313dd0 CoUninitializeEE+0x8aa9 CreateAssemblyNameObject-0x122de mscorwks+0x33e65 @ 0x72313e65 CoUninitializeEE+0x8b1c CreateAssemblyNameObject-0x1226b mscorwks+0x33ed8 @ 0x72313ed8 CoUninitializeEE+0x8895 CreateAssemblyNameObject-0x124f2 mscorwks+0x33c51 @ 0x72313c51 CoUninitializeEE+0x8657 CreateAssemblyNameObject-0x12730 mscorwks+0x33a13 @ 0x72313a13 CoUninitializeEE-0x1b547 mscorwks+0xfe75 @ 0x722efe75 CoUninitializeEE-0x1b389 mscorwks+0x10033 @ 0x722f0033 0x5c083e CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x722e1b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x722f8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72306a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72306a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72306a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x723a6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x723a69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x723a6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x723a70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x723a6fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 ff 50 28 89 45 d8 69 c6 33 62 71 d2 35 19 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x845ac8 registers.esp: 1629728 registers.edi: 36574176 registers.eax: 0 registers.ebp: 1629772 registers.edx: 158 registers.ebx: 36574128 registers.esi: 1235756485 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Dec. 9, 2022, 9:46 a.m.

stacktrace:

0x8458c5
0x8454f2
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x722f8dde
CoUninitializeEE-0x11ff1 mscorwks+0x193cb @ 0x722f93cb
CoUninitializeEE-0x11fb0 mscorwks+0x1940c @ 0x722f940c
CoUninitializeEE-0x11f43 mscorwks+0x19479 @ 0x722f9479
CoUninitializeEE-0x8c99 mscorwks+0x22723 @ 0x72302723
CoUninitializeEE-0x8db6 mscorwks+0x22606 @ 0x72302606
DllRegisterServerInternal+0x2560d GetPrivateContextsPerfCounters-0x3208c mscorwks+0x7b873 @ 0x7235b873
getJit+0x10040 mscorjit+0x55176 @ 0x73c25176
getJit-0x42f41 mscorjit+0x21f5 @ 0x73bd21f5
getJit-0x40d85 mscorjit+0x43b1 @ 0x73bd43b1
getJit-0x40c50 mscorjit+0x44e6 @ 0x73bd44e6
getJit-0x40aca mscorjit+0x466c @ 0x73bd466c
getJit-0x3fc12 mscorjit+0x5524 @ 0x73bd5524
getJit-0x3fa6b mscorjit+0x56cb @ 0x73bd56cb
getJit-0x3f356 mscorjit+0x5de0 @ 0x73bd5de0
CoUninitializeEE+0x8a14 CreateAssemblyNameObject-0x12373 mscorwks+0x33dd0 @ 0x72313dd0
CoUninitializeEE+0x8aa9 CreateAssemblyNameObject-0x122de mscorwks+0x33e65 @ 0x72313e65
CoUninitializeEE+0x8b1c CreateAssemblyNameObject-0x1226b mscorwks+0x33ed8 @ 0x72313ed8
CoUninitializeEE+0x8895 CreateAssemblyNameObject-0x124f2 mscorwks+0x33c51 @ 0x72313c51
CoUninitializeEE+0x8657 CreateAssemblyNameObject-0x12730 mscorwks+0x33a13 @ 0x72313a13
CoUninitializeEE-0x1b547 mscorwks+0xfe75 @ 0x722efe75
CoUninitializeEE-0x1b389 mscorwks+0x10033 @ 0x722f0033
0x5c083e
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x722e1b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x722f8dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72306a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72306a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72306a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x723a6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x723a69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x723a6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x723a70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x723a6fe4
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 01 ff 50 28 89 45 d8 69 c6 33 62 71 d2 35 19
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x845ac8
registers.esp: 1629728
registers.edi: 36574176
registers.eax: 0
registers.ebp: 1629772
registers.edx: 158
registers.ebx: 36574128
registers.esi: 1235756485
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 84 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0067b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00677000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00648000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00649000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04591000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04592000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04593000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04581000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04582000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04583000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04584000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 110592 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b7000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2576 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2704 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00442000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

k.exe tried to sleep 369 seconds, actually delayed analysis time by 369 seconds

Executes one or more WMI queries (2 events)

wmi	select * from Win32_OperatingSystem
wmi	select * from Win32_BaseBoard

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001fe00', u'virtual_address': u'0x00003000', u'entropy': 7.851045089753564, u'name': u'.rdata', u'virtual_size': u'0x0001fcc0'}

entropy

7.85104508975

description

A section with a high entropy has been found

entropy

0.575620767494

description

Overall entropy of this PE file is high

Yara rule detected in process memory (9 events)

description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2704 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001b8	1	0	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Dec. 9, 2022, 9:46 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2704 process_handle: 0x000001b8	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2576 called NtSetContextThread to modify thread in remote process 2704
NtSetContextThread Dec. 9, 2022, 9:46 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4379806 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001b4 process_identifier: 2704	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2576 resumed a thread in remote process 2704
NtResumeThread Dec. 9, 2022, 9:46 a.m.	thread_handle: 0x000001b4 suspend_count: 1 process_identifier: 2704	1	0	0

Executed a process and injected code into it, probably while unpacking (19 events)

Time & API	Arguments	Status	Return
NtResumeThread Dec. 9, 2022, 9:46 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2576	1	0
NtResumeThread Dec. 9, 2022, 9:46 a.m.	thread_handle: 0x00000164 suspend_count: 1 process_identifier: 2576	1	0
CreateProcessInternalW Dec. 9, 2022, 9:46 a.m.	thread_identifier: 2708 thread_handle: 0x000001b4 process_identifier: 2704 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\k.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\k.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\k.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001b8	1	1
NtGetContextThread Dec. 9, 2022, 9:46 a.m.	thread_handle: 0x000001b4	1	0
NtUnmapViewOfSection Dec. 9, 2022, 9:46 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2704 process_handle: 0x000001b8	1	0
NtAllocateVirtualMemory Dec. 9, 2022, 9:46 a.m.	process_identifier: 2704 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001b8	1	0
WriteProcessMemory Dec. 9, 2022, 9:46 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2704 process_handle: 0x000001b8	1	1
NtSetContextThread Dec. 9, 2022, 9:46 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4379806 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001b4 process_identifier: 2704	1	0
NtResumeThread Dec. 9, 2022, 9:46 a.m.	thread_handle: 0x000001b4 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Dec. 9, 2022, 9:46 a.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Dec. 9, 2022, 9:46 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Dec. 9, 2022, 9:46 a.m.	thread_handle: 0x000001a0 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Dec. 9, 2022, 9:46 a.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Dec. 9, 2022, 9:46 a.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Dec. 9, 2022, 9:46 a.m.	thread_handle: 0x000002cc suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Dec. 9, 2022, 9:46 a.m.	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Dec. 9, 2022, 9:46 a.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Dec. 9, 2022, 9:46 a.m.	thread_handle: 0x000003a8 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Dec. 9, 2022, 9:46 a.m.	thread_handle: 0x00000408 suspend_count: 1 process_identifier: 2704	1	0

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
Cybereason	malicious.915d9b
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
Rising	Trojan.CryptInject!8.F425 (CLOUD)
McAfee-GW-Edition	BehavesLike.Win32.Dropper.dh
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.04eda26f8ffd07ed
Sophos	ML/PE-A
GData	Win32.Packed.Kryptik.2KWNMG
Kingsoft	malware.kb.c.(kcloud)
Gridinsoft	Trojan.Win32.Downloader.sa
SUPERAntiSpyware	Trojan.Agent/Gen-Kryptik
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:Win32/CryptInject.FB!MTB
McAfee	Artemis!04EDA26F8FFD
Malwarebytes	MachineLearning/Anomalous.100%
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	PossibleThreat
BitDefenderTheta	Gen:NN.ZemsilF.36106.ny0@a0Ph@EnO
AVG	Win32:CrypterX-gen [Trj]
Avast	Win32:CrypterX-gen [Trj]

k.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All