Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 7, 2023, 7:44 a.m.	March 7, 2023, 7:46 a.m.

Size	567.8KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`526e66348d684c4f6cbf2b5c7defe69a`
SHA256	`2d9faf2c0c9c2c9b8abf6608cf7966b515ac9c4856f7b9dee69318b0d06a9f1d`
CRC32	`3E249965`
ssdeep	`12288:PgZXEAO/BUdG3gVdt7K7WX+t4bJYMrsL/9FAhzrhqK8vzS6:PgZXoZUTVdt7K7UbJYMIjLAdrh76`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) Win32_WinRAR_SFX_Zero - Win32 WinRAR SFX

1234321.exe "C:\Users\test22\AppData\Local\Temp\1234321.exe"
2560
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat" "
  2636
  - cmd.exe cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" 3.exe"
    2704
    - 3.exe 3.exe
      2772
      - RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2944
- WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
  2876
  - splwow64.exe C:\Windows\splwow64.exe 12288
    3028

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
51.142.75.94	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 7, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 7, 2023, 7:44 a.m.			0	0

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 7, 2023, 7:44 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0> console_handle: 0x00000007	1	1
WriteConsoleW March 7, 2023, 7:44 a.m.	buffer: cmd console_handle: 0x00000007	1	1
WriteConsoleW March 7, 2023, 7:44 a.m.	buffer: /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" 3.exe" console_handle: 0x00000007	1	1
WriteConsoleA March 7, 2023, 7:44 a.m.	buffer: H console_handle: 0x0000000b	1	1
WriteConsoleA March 7, 2023, 7:44 a.m.	buffer: a console_handle: 0x0000000b	1	1
WriteConsoleA March 7, 2023, 7:44 a.m.	buffer: r console_handle: 0x0000000b	1	1
WriteConsoleA March 7, 2023, 7:44 a.m.	buffer: d console_handle: 0x0000000b	1	1
WriteConsoleA March 7, 2023, 7:44 a.m.	buffer: D console_handle: 0x0000000b	1	1
WriteConsoleA March 7, 2023, 7:44 a.m.	buffer: r console_handle: 0x0000000b	1	1
WriteConsoleA March 7, 2023, 7:44 a.m.	buffer: i console_handle: 0x0000000b	1	1
WriteConsoleA March 7, 2023, 7:44 a.m.	buffer: v console_handle: 0x0000000b	1	1
WriteConsoleA March 7, 2023, 7:44 a.m.	buffer: e console_handle: 0x0000000b	1	1

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey March 7, 2023, 7:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00798d58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 7:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00798d58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 7:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00798dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Registration\{90120000-0030-0000-0000-0000000FF1CE}\DigitalProductID

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 7, 2023, 7:44 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 7, 2023, 7:44 a.m.	stacktrace: 3+0x207b @ 0x9a207b 3+0x6731 @ 0x9a6731 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 1899360 registers.edi: 5332992 registers.eax: 2944 registers.ebp: 1899392 registers.edx: 2130566132 registers.ebx: 512 registers.esi: 10503792 registers.ecx: 2776	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 68 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d62000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a04000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2772 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x2fd11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71381000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70601000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7071e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x715ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f5e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fb4a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f3e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f3e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d62000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f4a1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bc0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e362000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74211000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6db11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69751000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x697af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x697af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x694e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x694e4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2944 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dc51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dc52000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2944 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\~$tailed Recruitment Plan for Pet Product Advertising Agency in the US Market.docx
file	C:\Users\test22\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Detailed Recruitment Plan for Pet Product Advertising Agency in the US Market.docx

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\3.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile March 7, 2023, 7:44 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000002d0 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Templates\~$Normal.dotm desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Templates\~$Normal.dotm create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0
NtCreateFile March 7, 2023, 7:44 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004d0 filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\~$tailed Recruitment Plan for Pet Product Advertising Agency in the US Market.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\RarSFX0\~$tailed Recruitment Plan for Pet Product Advertising Agency in the US Market.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Detailed Recruitment Plan for Pet Product Advertising Agency in the US Market.docx
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\3.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\3.exe

Yara rule detected in process memory (48 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Steal credential	rule	local_credential_Steal
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	RedLine stealer	rule	RedLine_Stealer_m_Zero

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" 3.exe"

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: f92b4b6d7fd34b566107320a5c98c1d191f72133

Communicates with host for which no DNS query was performed (1 event)

host

51.142.75.94

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2944 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000070	1	0	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 7, 2023, 7:44 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2944 process_handle: 0x00000070	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2772 called NtSetContextThread to modify thread in remote process 2944
NtSetContextThread March 7, 2023, 7:44 a.m.	registers.eip: 1995571652 registers.esp: 3144060 registers.edi: 0 registers.eax: 4294574 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000006c process_identifier: 2944	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 resumed a thread in remote process 2876
Process injection	Process 2704 resumed a thread in remote process 2772
Process injection	Process 2772 resumed a thread in remote process 2944
NtResumeThread March 7, 2023, 7:44 a.m.	thread_handle: 0x00000328 suspend_count: 1 process_identifier: 2876	1	0	0
NtResumeThread March 7, 2023, 7:44 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2772	1	0	0
NtResumeThread March 7, 2023, 7:44 a.m.	thread_handle: 0x0000006c suspend_count: 1 process_identifier: 2944	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

51.142.75.94:58172

Executed a process and injected code into it, probably while unpacking (25 events)

Time & API	Arguments	Status	Return
NtResumeThread March 7, 2023, 7:44 a.m.	thread_handle: 0x00000180 suspend_count: 1 process_identifier: 2560	1	0
CreateProcessInternalW March 7, 2023, 7:44 a.m.	thread_identifier: 2640 thread_handle: 0x000002dc process_identifier: 2636 current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX0 filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat" filepath_r: stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002d0	1	1
CreateProcessInternalW March 7, 2023, 7:44 a.m.	thread_identifier: 2880 thread_handle: 0x00000328 process_identifier: 2876 current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX0 filepath: C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE track: 1 command_line: "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde filepath_r: C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000334	1	1
NtResumeThread March 7, 2023, 7:44 a.m.	thread_handle: 0x00000328 suspend_count: 1 process_identifier: 2876	1	0
CreateProcessInternalW March 7, 2023, 7:44 a.m.	thread_identifier: 2708 thread_handle: 0x00000088 process_identifier: 2704 current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX0 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" 3.exe" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW March 7, 2023, 7:44 a.m.	thread_identifier: 2776 thread_handle: 0x00000084 process_identifier: 2772 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\3.exe track: 1 command_line: 3.exe filepath_r: C:\Users\test22\AppData\Local\Temp\RarSFX0\3.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread March 7, 2023, 7:44 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2772	1	0
CreateProcessInternalW March 7, 2023, 7:44 a.m.	thread_identifier: 2948 thread_handle: 0x0000006c process_identifier: 2944 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000070	1	1
NtGetContextThread March 7, 2023, 7:44 a.m.	thread_handle: 0x0000006c	1	0
NtAllocateVirtualMemory March 7, 2023, 7:44 a.m.	process_identifier: 2944 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000070	1	0
WriteProcessMemory March 7, 2023, 7:44 a.m.	buffer: base_address: 0x00400000 process_identifier: 2944 process_handle: 0x00000070	1	1
WriteProcessMemory March 7, 2023, 7:44 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2944 process_handle: 0x00000070	1	1
NtSetContextThread March 7, 2023, 7:44 a.m.	registers.eip: 1995571652 registers.esp: 3144060 registers.edi: 0 registers.eax: 4294574 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000006c process_identifier: 2944	1	0
NtResumeThread March 7, 2023, 7:44 a.m.	thread_handle: 0x0000006c suspend_count: 1 process_identifier: 2944	1	0
NtResumeThread March 7, 2023, 7:44 a.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 2876	1	0
CreateProcessInternalW March 7, 2023, 7:44 a.m.	thread_identifier: 3032 thread_handle: 0x0000026c process_identifier: 3028 current_directory: C:\Windows filepath: C:\Windows\splwow64.exe track: 1 command_line: C:\Windows\splwow64.exe 12288 filepath_r: C:\Windows\splwow64.exe stack_pivoted: 0 creation_flags: 201326600 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NO_WINDOW\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000270	1	1
NtResumeThread March 7, 2023, 7:44 a.m.	thread_handle: 0x000004bc suspend_count: 1 process_identifier: 2876	1	0
NtResumeThread March 7, 2023, 7:44 a.m.	thread_handle: 0x00000534 suspend_count: 1 process_identifier: 2876	1	0
NtResumeThread March 7, 2023, 7:44 a.m.	thread_handle: 0x0000054c suspend_count: 1 process_identifier: 2876	1	0
NtResumeThread March 7, 2023, 7:44 a.m.	thread_handle: 0x000005d0 suspend_count: 1 process_identifier: 2876	1	0
NtResumeThread March 7, 2023, 7:44 a.m.	thread_handle: 0x000005d8 suspend_count: 1 process_identifier: 2876	1	0
NtResumeThread March 7, 2023, 7:44 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2944	1	0
NtResumeThread March 7, 2023, 7:44 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2944	1	0
NtResumeThread March 7, 2023, 7:44 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2944	1	0
NtResumeThread March 7, 2023, 7:44 a.m.	thread_handle: 0x0000000000000064 suspend_count: 1 process_identifier: 3028	1	0

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Lionic	Trojan.Win32.Stealer.12!c
MicroWorld-eScan	Trojan.Rasftuby.Gen.14
FireEye	Generic.mg.526e66348d684c4f
ALYac	Trojan.Rasftuby.Gen.14
Cylance	unsafe
Zillya	Trojan.Generic.Win32.1693826
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	TrojanSpy:Win32/Stealer.2351ab0f
K7GW	Trojan ( 0059edfb1 )
Arcabit	Trojan.Rasftuby.Gen.14
Symantec	Trojan.Gen.MBT
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Kryptik.HSQQ
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:Trojan-Spy.Win32.Stealer.gen
BitDefender	Trojan.Rasftuby.Gen.14
Avast	Win32:Evo-gen [Trj]
Sophos	Generic ML PUA (PUA)
DrWeb	Trojan.Inject4.53464
VIPRE	Trojan.Rasftuby.Gen.14
TrendMicro	TrojanSpy.Win32.REDLINE.YXDCFZ
McAfee-GW-Edition	BehavesLike.Win32.Generic.hc
Emsisoft	Trojan.Rasftuby.Gen.14 (B)
SentinelOne	Static AI - Suspicious SFX
Avira	TR/Crypt.XPACK.Gen3
Microsoft	Trojan:Win32/RedLine.RDAK!MTB
ViRobot	Trojan.Win.Z.Rasftuby.581414
ZoneAlarm	HEUR:Trojan-Spy.Win32.Stealer.gen
GData	Trojan.Rasftuby.Gen.14
Google	Detected
McAfee	Artemis!526E66348D68
MAX	malware (ai score=89)
VBA32	BScope.Trojan.VBS.Agent
Malwarebytes	Spyware.PasswordStealer
TrendMicro-HouseCall	TrojanSpy.Win32.REDLINE.YXDCFZ
Rising	Stealer.Agent!8.C2 (TFE:5:eBzAvx40xUE)
Ikarus	Trojan.Win32.Crypt
Fortinet	W32/Kryptik.HSIR!tr
BitDefenderTheta	Gen:NN.ZexaF.36308.vzY@aWziI4li
AVG	Win32:Evo-gen [Trj]
Cybereason	malicious.48d684

1234321.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All