Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 2, 2023, 11:30 a.m.	Feb. 2, 2023, 11:33 a.m.

Size	570.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`49f8d26f22bbaaca363ae4e351b2e8e7`
SHA256	`d462ba9ff530b219011dd745158ae159dd42322ad2bfa13818689f738f4b6aab`
CRC32	`1A253F45`
ssdeep	`12288:UnFJkacArznQj3XaXXAE+gXw3OGsItH6JWWQ/N0huTW4N0:WixWD2zWZ`
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

git1.exe "C:\Users\test22\AppData\Local\Temp\git1.exe"
2536
- Viposhopami.exe "C:\Users\test22\AppData\Local\Temp\64-f4e04-c63-98d8d-23884bc27b79f\Viposhopami.exe"
  2896
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
    2836
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2836 CREDAT:145409
      604
- poweroff.exe "C:\Program Files\Windows Mail\IMRMEEDGJJ\poweroff.exe" /VERYSILENT
  2944
  - poweroff.tmp "C:\Users\test22\AppData\Local\Temp\is-NK702.tmp\poweroff.tmp" /SL5="$8012C,490199,350720,C:\Program Files\Windows Mail\IMRMEEDGJJ\poweroff.exe" /VERYSILENT
    2988
    - Power Off.exe "C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
      800
- Lupisaeguwu.exe "C:\Users\test22\AppData\Local\Temp\85-2a844-436-38eb4-cee5932e512e3\Lupisaeguwu.exe"
  3028
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 121.254.136.27 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.57	61.111.58.35
360devtracking.com	A 37.230.138.66	37.230.138.66
www.profitabletrustednetwork.com	A 173.233.137.36 A 173.233.139.164 A 192.243.61.227 A 192.243.61.225 A 173.233.137.60 A 192.243.59.12 A 192.243.59.20 A 192.243.59.13 A 173.233.137.52 A 173.233.137.44	173.233.137.36
www.google.com	A 142.250.207.36	142.250.206.228
connectini.net	A 37.230.138.123	37.230.138.123
wewewe.s3.eu-central-1.amazonaws.com	A 52.219.75.132 CNAME s3-r-w.eu-central-1.amazonaws.com	52.219.47.172
n8w5.c12.e2-1.dev	A 216.155.20.140 CNAME n1n0.fra.idrivee2-19.com	216.155.20.140
google.com	A 142.251.42.174	142.250.206.238

IP Address	Status	Action
121.254.136.57	Active	Moloch
142.250.207.36	Active	Moloch
142.251.42.174	Active	Moloch
164.124.101.2	Active	Moloch
192.243.59.20	Active	Moloch
216.155.20.140	Active	Moloch
37.230.138.123	Active	Moloch
37.230.138.66	Active	Moloch
52.219.75.132	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 216.155.20.140:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49178 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 142.250.207.36:80	2036303	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 216.155.20.140:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49189 -> 192.243.59.20:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 52.219.75.132:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49188 -> 192.243.59.20:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49180 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49165 216.155.20.140:443	C=US, O=Let's Encrypt, CN=R3	CN=*.c12.e2-1.dev	f4:2e:74:ce:19:13:4f:d4:b2:f4:6f:11:2a:21:4f:ac:1b:db:f1:48
TLSv1 192.168.56.101:49178 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLSv1 192.168.56.101:49164 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLS 1.2 192.168.56.101:49166 216.155.20.140:443	C=US, O=Let's Encrypt, CN=R3	CN=*.c12.e2-1.dev	f4:2e:74:ce:19:13:4f:d4:b2:f4:6f:11:2a:21:4f:ac:1b:db:f1:48
TLSv1 192.168.56.101:49189 192.243.59.20:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	f7:40:fe:06:98:43:c6:e1:58:b9:b4:b8:6c:ec:bc:6b:d7:3a:c7:44
TLS 1.2 192.168.56.101:49167 52.219.75.132:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=*.s3.eu-central-1.amazonaws.com	bc:92:6b:62:48:5f:c5:08:60:03:a9:1e:bc:29:58:79:d7:4b:94:fb
TLSv1 192.168.56.101:49188 192.243.59.20:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	f7:40:fe:06:98:43:c6:e1:58:b9:b4:b8:6c:ec:bc:6b:d7:3a:c7:44
TLSv1 192.168.56.101:49180 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Feb. 2, 2023, 11:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 2, 2023, 11:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 2, 2023, 11:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 2, 2023, 11:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 2, 2023, 11:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 2, 2023, 11:30 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 2, 2023, 11:29 a.m.			0	0
IsDebuggerPresent Feb. 2, 2023, 11:29 a.m.			0	0
IsDebuggerPresent Feb. 2, 2023, 11:30 a.m.			0	0
IsDebuggerPresent Feb. 2, 2023, 11:30 a.m.			0	0
IsDebuggerPresent Feb. 2, 2023, 11:30 a.m.			0	0
IsDebuggerPresent Feb. 2, 2023, 11:30 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 2, 2023, 11:29 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (14 events)

suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.google.com/
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/SuperNitouDisc.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://n8w5.c12.e2-1.dev/doma/Villains-Wiki/pub-LJWuMU9jpVNtx.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://n8w5.c12.e2-1.dev/doma/Villains-Wiki/hand-LJWuMU9jpVNtx.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://n8w5.c12.e2-1.dev/doma/widgets/powerOff.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://n8w5.c12.e2-1.dev/doma/Villains-Wiki/up-do-dat-LJWuMU9jpVNtx.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=power2off2&tesla=8
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer2kenpachi.php
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer4Publisher.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/publisher/1/KR.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json

Performs some HTTP requests (15 events)

request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	GET http://www.google.com/
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
request	GET https://n8w5.c12.e2-1.dev/doma/Villains-Wiki/pub-LJWuMU9jpVNtx.exe
request	GET https://n8w5.c12.e2-1.dev/doma/Villains-Wiki/hand-LJWuMU9jpVNtx.exe
request	GET https://n8w5.c12.e2-1.dev/doma/widgets/powerOff.exe
request	GET https://n8w5.c12.e2-1.dev/doma/Villains-Wiki/up-do-dat-LJWuMU9jpVNtx.exe
request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=power2off2&tesla=8
request	POST https://connectini.net/Series/Conumer2kenpachi.php
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	GET https://connectini.net/Series/publisher/1/KR.json
request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json

Sends data using the HTTP POST Method (4 events)

request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	POST https://connectini.net/Series/Conumer2kenpachi.php
request	POST https://connectini.net/Series/Conumer4Publisher.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 717 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a31000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40cb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000ad0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 2, 2023, 11:29 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9435c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94386000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94440000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 2, 2023, 11:30 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94441000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (2 events)

description	Viposhopami.exe tried to sleep 206 seconds, actually delayed analysis time by 206 seconds
description	Lupisaeguwu.exe tried to sleep 181 seconds, actually delayed analysis time by 181 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Feb. 2, 2023, 11:30 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13319409664 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (7 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\powerOff.lnk
file	C:\Users\Public\Desktop\powerOff.lnk
file	C:\Program Files\Windows Mail\IMRMEEDGJJ\poweroff.exe
file	C:\Program Files (x86)\Windows Sidebar\Lukyqypolo.exe
file	C:\Users\test22\AppData\Local\Temp\64-f4e04-c63-98d8d-23884bc27b79f\Viposhopami.exe
file	C:\Users\test22\AppData\Local\Temp\85-2a844-436-38eb4-cee5932e512e3\Lupisaeguwu.exe
file	C:\Users\test22\AppData\Local\Temp\is-UKO1T.tmp\_isetup\_shfoldr.dll

Creates a shortcut to an executable file (2 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\powerOff.lnk
file	C:\Users\Public\Desktop\powerOff.lnk

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\64-f4e04-c63-98d8d-23884bc27b79f\Viposhopami.exe
file	C:\Program Files\Windows Mail\IMRMEEDGJJ\poweroff.exe
file	C:\Users\test22\AppData\Local\Temp\85-2a844-436-38eb4-cee5932e512e3\Lupisaeguwu.exe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\64-f4e04-c63-98d8d-23884bc27b79f\Viposhopami.exe
file	C:\Users\test22\AppData\Local\Temp\is-NK702.tmp\poweroff.tmp
file	C:\Users\test22\AppData\Local\Temp\85-2a844-436-38eb4-cee5932e512e3\Lupisaeguwu.exe
file	C:\Users\test22\AppData\Local\Temp\is-UKO1T.tmp\_isetup\_shfoldr.dll

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Feb. 2, 2023, 11:31 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x07490000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Feb. 2, 2023, 11:30 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00044400', u'virtual_address': u'0x00002000', u'entropy': 6.956665632554608, u'name': u'.text', u'virtual_size': u'0x00044264'}

entropy

6.95666563255

description

A section with a high entropy has been found

entropy

0.47936786655

description

Overall entropy of this PE file is high

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (4 events)

Time & API	Arguments	Return
RegOpenKeyExA Feb. 2, 2023, 11:30 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1	2
RegOpenKeyExA Feb. 2, 2023, 11:30 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1	2
RegOpenKeyExA Feb. 2, 2023, 11:30 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1	2
RegOpenKeyExA Feb. 2, 2023, 11:30 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1	2

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2836 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
cmdline	C:\Program Files (x86)\Internet Explorer\iexplore.exe https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover

reg_value

"C:\Program Files (x86)\Windows Sidebar\Lukyqypolo.exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2836 resumed a thread in remote process 604
NtResumeThread Feb. 2, 2023, 11:31 a.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 604	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

"C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu

Generates some ICMP traffic

git1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All