Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 13, 2023, 4:52 p.m.	April 13, 2023, 4:57 p.m.

Size	381.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`65f8ca11d9a18baf3fecf7797b9ba867`
SHA256	`d4e843d98c28ecc04d58b6369ddcf5cc4e61357a02a15edb6fc26cd039d7c9c8`
CRC32	`296E713C`
ssdeep	`6144:x/QiQXCFkm+ksmpk3U9j0I99OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3FP6m6UR0IPlL//plmW9bTXeVhDrE`
Yara	mzp_file_format - MZP(Delphi) file format UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) PE_Header_Zero - PE File Signature

FL2.exe "C:\Users\test22\AppData\Local\Temp\FL2.exe"
508
- FL2.tmp "C:\Users\test22\AppData\Local\Temp\is-1I5D8.tmp\FL2.tmp" /SL5="$30028,140559,56832,C:\Users\test22\AppData\Local\Temp\FL2.exe"
  2100
  - mosaLAh.exe "C:\Users\test22\AppData\Local\Temp\is-CLI02.tmp\mosaLAh.exe" /S /UID=flabs2
    2248
    - Vizhupafofu.exe "C:\Users\test22\AppData\Local\Temp\35-7c53d-b23-72c85-e2b0f6beff66f\Vizhupafofu.exe"
      2872
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
360devtracking.com	A 37.230.138.66	37.230.138.66
www.google.com	A 142.250.66.68	142.250.206.228
connectini.net	A 37.230.138.123	37.230.138.123
wewewe.s3.eu-central-1.amazonaws.com	CNAME s3-r-w.eu-central-1.amazonaws.com A 52.219.170.26	3.5.137.175
n8w5.c12.e2-1.dev
google.com	A 172.217.25.14	172.217.25.174
s3.eu-central-2.wasabisys.com	CNAME eu-central-2.wasabisys.com A 154.49.215.101 A 154.49.215.100 A 154.49.215.103 A 154.49.215.102 A 154.49.215.12 A 154.49.215.13 A 154.49.215.10 A 154.49.215.11	154.49.215.10

IP Address	Status	Action
142.250.66.68	Active	Moloch
154.49.215.100	Active	Moloch
154.49.215.102	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
37.230.138.123	Active	Moloch
37.230.138.66	Active	Moloch
52.219.170.26	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 154.49.215.102:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49168 -> 142.250.66.68:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49170 -> 154.49.215.102:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49179 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 52.219.170.26:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 154.49.215.100:80 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49166 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLS 1.2 192.168.56.103:49169 154.49.215.102:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=US, ST=Massachusetts, L=Boston, O=Wasabi Technologies LLC, CN=*.s3.eu-central-2.wasabisys.com	ba:39:86:54:fe:51:d0:8a:00:57:c5:dc:dd:11:62:4e:6e:dd:28:84
TLS 1.2 192.168.56.103:49168 142.250.66.68:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	3e:43:00:13:2a:5d:12:97:9e:3a:1c:62:f3:7e:d1:c4:fb:db:b7:73
TLS 1.2 192.168.56.103:49170 154.49.215.102:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=US, ST=Massachusetts, L=Boston, O=Wasabi Technologies LLC, CN=*.s3.eu-central-2.wasabisys.com	ba:39:86:54:fe:51:d0:8a:00:57:c5:dc:dd:11:62:4e:6e:dd:28:84
TLSv1 192.168.56.103:49179 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLS 1.2 192.168.56.103:49171 52.219.170.26:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=*.s3.eu-central-1.amazonaws.com	bc:92:6b:62:48:5f:c5:08:60:03:a9:1e:bc:29:58:79:d7:4b:94:fb

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 13, 2023, 4:55 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 13, 2023, 4:52 p.m.			0	0
IsDebuggerPresent April 13, 2023, 4:45 p.m.			0	0
IsDebuggerPresent April 13, 2023, 4:45 p.m.			0	0
IsDebuggerPresent April 13, 2023, 4:55 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 13, 2023, 4:45 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 13, 2023, 4:53 p.m.	stacktrace: fl2+0x816a8 @ 0x4816a8 fl2+0x99c13 @ 0x499c13 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedface exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1637924 registers.edi: 4523332 registers.eax: 1637924 registers.ebp: 1638004 registers.edx: 0 registers.ebx: 0 registers.esi: 2 registers.ecx: 7	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/SuperNitouDisc.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=flabs2&tesla=8
suspicious_features	GET method with no useragent header	suspicious_request	GET https://s3.eu-central-2.wasabisys.com/melody-tata7ada-elmallal/shakira/up-do-dat-TRURNfy8CgzSgm9K.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://www.google.com/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://s3.eu-central-2.wasabisys.com/melody-tata7ada-elmallal/shakira/hand-TRURNfy8CgzSgm9K.exe

Performs some HTTP requests (9 events)

request	HEAD http://s3.eu-central-2.wasabisys.com/melody-tata7ada-elmallal/50cent/poweroff.exe
request	GET http://s3.eu-central-2.wasabisys.com/melody-tata7ada-elmallal/50cent/poweroff.exe
request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=flabs2&tesla=8
request	GET https://s3.eu-central-2.wasabisys.com/melody-tata7ada-elmallal/shakira/up-do-dat-TRURNfy8CgzSgm9K.exe
request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
request	GET https://www.google.com/
request	GET https://s3.eu-central-2.wasabisys.com/melody-tata7ada-elmallal/shakira/hand-TRURNfy8CgzSgm9K.exe

Sends data using the HTTP POST Method (2 events)

request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	POST https://connectini.net/Series/SuperNitouDisc.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 219 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 13, 2023, 4:52 p.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:52 p.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:52 p.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:52 p.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3591000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c2b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b60000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3594000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3594000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3594000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3594000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93dfa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ed6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93dfb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f27000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f29000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 13, 2023, 4:45 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\is-CLI02.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\92-cd0b8-895-66388-eb2f320d0689f\Mavevytepa.exe
file	C:\Program Files (x86)\MSBuild\Saegumubowe.exe
file	C:\Users\test22\AppData\Local\Temp\is-CLI02.tmp\mosaLAh.exe
file	C:\Users\test22\AppData\Local\Temp\is-CLI02.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\35-7c53d-b23-72c85-e2b0f6beff66f\Vizhupafofu.exe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\is-CLI02.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-CLI02.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-CLI02.tmp\mosaLAh.exe
file	C:\Users\test22\AppData\Local\Temp\is-1I5D8.tmp\FL2.tmp

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 13, 2023, 4:45 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process fl2.tmp (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile April 13, 2023, 4:52 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÁ¿à"0R¢~p @ @ @$pW H.textP R `.rsrc T@@.reloc ô@B`pHÇ©,dª¯× Ê'» âþX:a¿/±$¿ñ½ãáRDò3<ª³3¡àØáTk+0ª»ÍMþÃ.ù[Rô«¿@E:À´YOô)A\®ºErÛX;r å.åJ¢¨qÅo«ÁO6\|¸U+ÌØf;D®¦eôÌëÎ-íT» O jsñü0¡,5§6Èùñ¿[Ëópo~u·¶H&Î/eõdM¡)ÊLø"¼åëéu¾+"ßþÿÇïÌ@ %,ð´.¤:BoÖÈ.ò°)V]Kìö yF'láDMÝÏ?ñpHÜæ,7à[Þ ±]0,ßé.C£ö">ñR§¤0ëvÐµw6Oòí)ê8Ëâ`V3ñEú¿.ò¿ãÊÙ3D$]¦wÝyÏáqï ÷®ùµÆÂ=PdÞó6p«ÉsÉF»2Eeé7áÑ,J¢'ÃôÂ½Ï+´¾ëdV+J×NÇã\Íz,)DÒ&h]^¶Ic_}îoK¢ùrm¦ Wç request_handle: 0x00cc000c	1	1	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover

reg_value

"C:\Program Files (x86)\MSBuild\Saegumubowe.exe"

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Generates some ICMP traffic

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Lionic	Trojan.Win32.Agent.Y!c
Elastic	malicious (high confidence)
Malwarebytes	Generic.Trojan.Malicious.DDS
Sangfor	Downloader.Win32.Agent.Vwws
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/TrojanDownloader.Adload.NVT
Cynet	Malicious (score: 99)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan-Downloader.MSIL.Csdi.hh
Avast	FileRepMalware [Pws]
Tencent	Win32.Trojan.Agen.Uimw
F-Secure	Heuristic.HEUR/AGEN.1338864
McAfee-GW-Edition	BehavesLike.Win32.Ransomware.fc
Sophos	Mal/Generic-S
Avira	HEUR/AGEN.1338864
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	Trojan-Downloader.MSIL.Csdi.hh
Google	Detected
McAfee	Artemis!65F8CA11D9A1
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0DDB23
Ikarus	Win32.Outbreak
Fortinet	PossibleThreat.ZDS
AVG	FileRepMalware [Pws]
DeepInstinct	MALICIOUS

FL2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All