Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 15, 2023, 12:05 p.m.	March 15, 2023, 12:09 p.m.

Size	702.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ab8f0580cc0d74e0215e7de19515c8a6`
SHA256	`7177160e81c4ed90b8e6551d1dcb1877f697cbc9faa6b66f85976e2a4179154f`
CRC32	`F3B2B6ED`
ssdeep	`12288:U4LGLJtHUGH3HV3y9dsrlHMg2i6lqHIAkIdV2:YxHV3g2HmlPM`
PDB Path	NWzsgh.pdb
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature

501.exe "C:\Users\test22\AppData\Local\Temp\501.exe"
2560
- 501.exe "{path}"
  2860

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 15, 2023, 12:05 p.m.			0	0
IsDebuggerPresent March 15, 2023, 12:05 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey March 15, 2023, 12:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ab7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 15, 2023, 12:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ab868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 15, 2023, 12:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ab868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

NWzsgh.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 15, 2023, 12:05 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 77 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00751000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fa22000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00476000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00752000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00753000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00754000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00755000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00756000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00757000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00758000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00759000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e10178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e101a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e101c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05ea133e process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05ea1332 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e10208 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e6ce18 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e6ce3c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e6ce44 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e6ce48 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e6ce50 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e6ce54 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e6ce58 process_handle: 0xffffffff		3221225550

Creates executable files on the filesystem (1 event)

file	C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000aec00', u'virtual_address': u'0x00002000', u'entropy': 7.534924482839788, u'name': u'.text', u'virtual_size': u'0x000aeb30'}

entropy

7.53492448284

description

A section with a high entropy has been found

entropy

0.996436208125

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 15, 2023, 12:06 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://yip.su/2QstD5
url	http://34vm2smykaqtzzzm4bgycfzg5fwyhhksrkpahdbiswmmuwuu7hmvuvqd.onion/?501%s
url	https://www.torproject.org/

Yara rule detected in process memory (9 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess March 15, 2023, 12:06 p.m.	status_code: 0xffffffff process_identifier: 2824 process_handle: 0x000002a8		0	0
NtTerminateProcess March 15, 2023, 12:06 p.m.	status_code: 0xffffffff process_identifier: 2824 process_handle: 0x000002a8	1	0	0

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2824 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a0		3221225496	0
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2860 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0	0

Creates known Hupigon files, registry keys and/or mutexes (1 event)

file	M:\Boot\BOOTSTAT.DAT

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 manipulating memory of non-child process 2824
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2824 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a0		3221225496	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $8\|)7\|Gd\|Gd\|Gd'uDevGd'uBeðGd'uCenGd·rBeYGd·rCemGd·rDemGd'uFemGd\|FdüGd'uAe}GdúmOevGdúmEe}GdRich\|GdPELV_9cà \|0@à@ä´ÀP8@0à.text `.rdata b0d$@@.data @À.relocÀ@B base_address: 0x00400000 process_identifier: 2860 process_handle: 0x000002a4	1	1
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: ±¿DNæ@»ÿÿÿÿÿÿÿÿ ÿÿÿÿèEA ¡A ¡A ¡A ¡A ¡AH¦AhHAèIAè?A` A(¡AC abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ¦AðµAðµAðµAðµAðµAðµAðµAðµAðµA¦AôµAôµAôµAôµAôµAôµAôµA..þÿÿÿ $þÿÿÿuº[$B´4¿Ï«)Ý¹Òï ÈÕ=ù&<¼°ñW3CRYPTO LOCKER Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://34vm2smykaqtzzzm4bgycfzg5fwyhhksrkpahdbiswmmuwuu7hmvuvqd.onion/?501%s 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 expand 32-byte k base_address: 0x0041a000 process_identifier: 2860 process_handle: 0x000002a4	1	1
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2860 process_handle: 0x000002a4	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $8\|)7\|Gd\|Gd\|Gd'uDevGd'uBeðGd'uCenGd·rBeYGd·rCemGd·rDemGd'uFemGd\|FdüGd'uAe}GdúmOevGdúmEe}GdRich\|GdPELV_9cà \|0@à@ä´ÀP8@0à.text `.rdata b0d$@@.data @À.relocÀ@B base_address: 0x00400000 process_identifier: 2860 process_handle: 0x000002a4	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 called NtSetContextThread to modify thread in remote process 2860
NtSetContextThread March 15, 2023, 12:06 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4226208 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a8 process_identifier: 2860	1	0	0

url	http://34vm2smykaqtzzzm4bgycfzg5fwyhhksrkpahdbiswmmuwuu7hmvuvqd.onion/?501%s
url	https://www.torproject.org/

Writes a potential ransom message to disk (3 events)

Time & API	Arguments	Status
NtWriteFile March 15, 2023, 12:06 p.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://34vm2smykaqtzzzm4bgycfzg5fwyhhksrkpahdbiswmmuwuu7hmvuvqd.onion/?501PRSUWXZB 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000124 filepath: C:\GPKI\ReadMe.txt	1
NtWriteFile March 15, 2023, 12:06 p.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://34vm2smykaqtzzzm4bgycfzg5fwyhhksrkpahdbiswmmuwuu7hmvuvqd.onion/?501PRSUWXZB 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000160 filepath: \Device\HarddiskVolume1\Boot\cs-CZ\ReadMe.txt	1
NtWriteFile March 15, 2023, 12:06 p.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://34vm2smykaqtzzzm4bgycfzg5fwyhhksrkpahdbiswmmuwuu7hmvuvqd.onion/?501PRSUWXZB 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000234 filepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\ReadMe.txt	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 resumed a thread in remote process 2860
NtResumeThread March 15, 2023, 12:06 p.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2860	1	0	0

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Bkav	W32.AIDetectNet.01
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.MSILHeracles.59836
FireEye	Generic.mg.ab8f0580cc0d74e0
VIPRE	Gen:Variant.MSILHeracles.59836
CrowdStrike	win/malicious_confidence_100% (D)
Arcabit	Trojan.MSILHeracles.DE9BC
Symantec	Scr.Malcode!gdn30
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	VHO:Backdoor.MSIL.Mokes.gen
BitDefender	Gen:Variant.MSILHeracles.59836
Trapmine	malicious.moderate.ml.score
Emsisoft	Gen:Variant.MSILHeracles.59836 (B)
GData	Gen:Variant.MSILHeracles.59836
Acronis	suspicious
ALYac	Gen:Variant.MSILHeracles.59836
MAX	malware (ai score=89)
Rising	Malware.Obfus/MSIL@AI.83 (RDM.MSIL2:M0fXK71vK1XIOv2pD5glTw)
SentinelOne	Static AI - Suspicious PE
Fortinet	MSIL/GenKryptik.GHGF!tr

Executed a process and injected code into it, probably while unpacking (21 events)

Time & API	Arguments	Status	Return
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread March 15, 2023, 12:06 p.m.	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread March 15, 2023, 12:06 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread March 15, 2023, 12:06 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread March 15, 2023, 12:06 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2560	1	0
CreateProcessInternalW March 15, 2023, 12:06 p.m.	thread_identifier: 2828 thread_handle: 0x0000029c process_identifier: 2824 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\501.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\501.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002a0	1	1
NtGetContextThread March 15, 2023, 12:06 p.m.	thread_handle: 0x0000029c	1	0
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2824 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a0		3221225496
CreateProcessInternalW March 15, 2023, 12:06 p.m.	thread_identifier: 2864 thread_handle: 0x000002a8 process_identifier: 2860 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\501.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\501.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002a4	1	1
NtGetContextThread March 15, 2023, 12:06 p.m.	thread_handle: 0x000002a8	1	0
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2860 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $8\|)7\|Gd\|Gd\|Gd'uDevGd'uBeðGd'uCenGd·rBeYGd·rCemGd·rDemGd'uFemGd\|FdüGd'uAe}GdúmOevGdúmEe}GdRich\|GdPELV_9cà \|0@à@ä´ÀP8@0à.text `.rdata b0d$@@.data @À.relocÀ@B base_address: 0x00400000 process_identifier: 2860 process_handle: 0x000002a4	1	1
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: base_address: 0x00401000 process_identifier: 2860 process_handle: 0x000002a4	1	1
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: base_address: 0x00413000 process_identifier: 2860 process_handle: 0x000002a4	1	1
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: ±¿DNæ@»ÿÿÿÿÿÿÿÿ ÿÿÿÿèEA ¡A ¡A ¡A ¡A ¡AH¦AhHAèIAè?A` A(¡AC abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ¦AðµAðµAðµAðµAðµAðµAðµAðµAðµA¦AôµAôµAôµAôµAôµAôµAôµA..þÿÿÿ $þÿÿÿuº[$B´4¿Ï«)Ý¹Òï ÈÕ=ù&<¼°ñW3CRYPTO LOCKER Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://34vm2smykaqtzzzm4bgycfzg5fwyhhksrkpahdbiswmmuwuu7hmvuvqd.onion/?501%s 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 expand 32-byte k base_address: 0x0041a000 process_identifier: 2860 process_handle: 0x000002a4	1	1
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: base_address: 0x0041c000 process_identifier: 2860 process_handle: 0x000002a4	1	1
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2860 process_handle: 0x000002a4	1	1
NtSetContextThread March 15, 2023, 12:06 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4226208 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a8 process_identifier: 2860	1	0
NtResumeThread March 15, 2023, 12:06 p.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2860	1	0

501.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All