Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 1, 2023, 7:40 a.m.	May 1, 2023, 7:42 a.m.

Size	979.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`40be18ff344e38f80cec056f5bd97f21`
SHA256	`a2cdd57742b2a5b76d9b385c249e3f267f049b8029a39f3aad4110ac7b9fd9c4`
CRC32	`7A853CA8`
ssdeep	`12288:So4ElIFsZW3jPtGWrP6gbheNeP8KwwzZl29Nf:SonZW3b7Zbhws5O/f`
Yara	UPX_Zero - UPX packed file Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) IsPE32 - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature

PNe5J9o1XCKpHYk.exe "C:\Users\test22\AppData\Local\Temp\PNe5J9o1XCKpHYk.exe"
2556
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjjdyrBSegcUL" /XML "C:\Users\test22\AppData\Local\Temp\tmp7797.tmp"
  2500
- RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2596

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
194.5.98.250	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 1, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 1, 2023, 7:40 a.m.			0	0
IsDebuggerPresent May 1, 2023, 7:40 a.m.			0	0
IsDebuggerPresent May 1, 2023, 7:42 a.m.			0	0
IsDebuggerPresent May 1, 2023, 7:42 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 1, 2023, 7:42 a.m.	buffer: SUCCESS: The scheduled task "Updates\mjjdyrBSegcUL" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey May 1, 2023, 7:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054b108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 1, 2023, 7:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054b388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 1, 2023, 7:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054b388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 1, 2023, 7:40 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 78 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:40 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f682000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2556 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00acb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00acc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00acd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ace000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2596 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2596 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72101000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72102000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2596 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2596 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02070000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2596 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2596 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00925000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2596 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0092b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2596 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00927000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2596 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0090c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2596 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2596 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2596 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2596 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjjdyrBSegcUL" /XML "C:\Users\test22\AppData\Local\Temp\tmp7797.tmp"
cmdline	schtasks.exe /Create /TN "Updates\mjjdyrBSegcUL" /XML "C:\Users\test22\AppData\Local\Temp\tmp7797.tmp"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 1, 2023, 7:42 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\mjjdyrBSegcUL" /XML "C:\Users\test22\AppData\Local\Temp\tmp7797.tmp" filepath: schtasks.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000f3600', u'virtual_address': u'0x00002000', u'entropy': 6.875827015906506, u'name': u'.text', u'virtual_size': u'0x000f3588'}

entropy

6.87582701591

description

A section with a high entropy has been found

entropy

0.994890137966

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 1, 2023, 7:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 1, 2023, 7:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjjdyrBSegcUL" /XML "C:\Users\test22\AppData\Local\Temp\tmp7797.tmp"
cmdline	schtasks.exe /Create /TN "Updates\mjjdyrBSegcUL" /XML "C:\Users\test22\AppData\Local\Temp\tmp7797.tmp"

One or more of the buffers contains an embedded PE file (3 events)

buffer	Buffer with sha1: 0c6598a0a37eaf12ce188fa66bc6c5db394af8a4
buffer	Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer	Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251

Communicates with host for which no DNS query was performed (1 event)

host

194.5.98.250

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2596 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000368	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation May 1, 2023, 7:42 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

RegSvcs.exe tried to sleep 758429404 seconds, actually delayed analysis time by 758429404 seconds

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmp7797.tmp

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 1, 2023, 7:42 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈØç @ 8çW Ô H.textÇ È `.relocÊ@B.rsrcÔ ÖÌ@@ base_address: 0x00400000 process_identifier: 2596 process_handle: 0x00000368	1	1
WriteProcessMemory May 1, 2023, 7:42 a.m.	buffer: à7 base_address: 0x00420000 process_identifier: 2596 process_handle: 0x00000368	1	1
WriteProcessMemory May 1, 2023, 7:42 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2596 process_handle: 0x00000368	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 1, 2023, 7:42 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈØç @ 8çW Ô H.textÇ È `.relocÊ@B.rsrcÔ ÖÌ@@ base_address: 0x00400000 process_identifier: 2596 process_handle: 0x00000368	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 called NtSetContextThread to modify thread in remote process 2596
NtSetContextThread May 1, 2023, 7:42 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000036c process_identifier: 2596	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 resumed a thread in remote process 2596
NtResumeThread May 1, 2023, 7:42 a.m.	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 2596	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (28 events)

Time & API	Arguments	Status	Return
NtResumeThread May 1, 2023, 7:40 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread May 1, 2023, 7:40 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread May 1, 2023, 7:40 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2556	1	0
CreateProcessInternalW May 1, 2023, 7:42 a.m.	thread_identifier: 2528 thread_handle: 0x000003a4 process_identifier: 2500 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjjdyrBSegcUL" /XML "C:\Users\test22\AppData\Local\Temp\tmp7797.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003ac	1	1
CreateProcessInternalW May 1, 2023, 7:42 a.m.	thread_identifier: 2592 thread_handle: 0x0000036c process_identifier: 2596 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000368	1	1
NtGetContextThread May 1, 2023, 7:42 a.m.	thread_handle: 0x0000036c	1	0
NtAllocateVirtualMemory May 1, 2023, 7:42 a.m.	process_identifier: 2596 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000368	1	0
WriteProcessMemory May 1, 2023, 7:42 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈØç @ 8çW Ô H.textÇ È `.relocÊ@B.rsrcÔ ÖÌ@@ base_address: 0x00400000 process_identifier: 2596 process_handle: 0x00000368	1	1
WriteProcessMemory May 1, 2023, 7:42 a.m.	buffer: base_address: 0x00402000 process_identifier: 2596 process_handle: 0x00000368	1	1
WriteProcessMemory May 1, 2023, 7:42 a.m.	buffer: à7 base_address: 0x00420000 process_identifier: 2596 process_handle: 0x00000368	1	1
WriteProcessMemory May 1, 2023, 7:42 a.m.	buffer: base_address: 0x00422000 process_identifier: 2596 process_handle: 0x00000368	1	1
WriteProcessMemory May 1, 2023, 7:42 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2596 process_handle: 0x00000368	1	1
NtSetContextThread May 1, 2023, 7:42 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000036c process_identifier: 2596	1	0
NtResumeThread May 1, 2023, 7:42 a.m.	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 2596	1	0
NtResumeThread May 1, 2023, 7:42 a.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread May 1, 2023, 7:42 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2596	1	0
NtResumeThread May 1, 2023, 7:42 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2596	1	0
NtResumeThread May 1, 2023, 7:42 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2596	1	0
NtResumeThread May 1, 2023, 7:42 a.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2596	1	0
NtResumeThread May 1, 2023, 7:42 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2596	1	0
NtResumeThread May 1, 2023, 7:42 a.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 2596	1	0
NtGetContextThread May 1, 2023, 7:42 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread May 1, 2023, 7:42 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2596	1	0
NtResumeThread May 1, 2023, 7:42 a.m.	thread_handle: 0x00000394 suspend_count: 1 process_identifier: 2596	1	0
NtResumeThread May 1, 2023, 7:42 a.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 2596	1	0
NtResumeThread May 1, 2023, 7:42 a.m.	thread_handle: 0x000003bc suspend_count: 1 process_identifier: 2596	1	0
NtResumeThread May 1, 2023, 7:42 a.m.	thread_handle: 0x000003d4 suspend_count: 1 process_identifier: 2596	1	0
NtResumeThread May 1, 2023, 7:42 a.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 2596	1	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.MSIL.Taskun.4!c
tehtris	Generic.Malware
MicroWorld-eScan	Trojan.GenericKD.45994580
ClamAV	Win.Packed.Generic-9865070-0
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	GenericRXOE-FK!40BE18FF344E
Cylance	Unsafe
VIPRE	Trojan.GenericKD.45994580
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 00579de61 )
Alibaba	Trojan:Win32/starter.ali1000139
K7GW	Trojan ( 00579de61 )
Cybereason	malicious.f344e3
Cyren	W32/MSIL_Kryptik.CYQ.gen!Eldorado
Symantec	Trojan.Gen.2
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AAFC
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.MSIL.Taskun.gen
BitDefender	Trojan.GenericKD.45994580
Avast	Win32:PWSX-gen [Trj]
Emsisoft	Trojan.Crypt (A)
F-Secure	Heuristic.HEUR/AGEN.1221865
DrWeb	Trojan.PackedNET.576
Zillya	Trojan.Kryptik.Win32.3002174
TrendMicro	TROJ_GEN.R06EC0DAB23
McAfee-GW-Edition	BehavesLike.Win32.AgentTesla.dh
FireEye	Generic.mg.40be18ff344e38f8
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
GData	Trojan.GenericKD.45994580
Jiangmin	Trojan.MSIL.abctr
Avira	HEUR/AGEN.1221865
Antiy-AVL	Trojan/MSIL.Taskun
Gridinsoft	Trojan.Win32.Agent.oa!s1
Xcitium	Malware@#12mtx8ghkg8i5
Arcabit	Trojan.Generic.D2BDD254
ZoneAlarm	HEUR:Trojan.MSIL.Taskun.gen
Microsoft	Trojan:MSIL/AgentTesla.AM!MTB
Google	Detected
AhnLab-V3	Suspicious/Win.MSILKrypt.X2104
ALYac	Trojan.GenericKD.45994580
MAX	malware (ai score=87)
VBA32	Malware-Cryptor.MSIL.AgentTesla.Heur
Malwarebytes	Floxif.Virus.FileInfector.DDS
TrendMicro-HouseCall	TROJ_GEN.R06EC0DAB23
Rising	Backdoor.Nanocore!8.F894 (CLOUD)
Yandex	Trojan.Taskun!ydC2nrzNNWM

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	192.168.56.101:49170
dead_host	194.5.98.250:1012
dead_host	192.168.56.101:49168

PNe5J9o1XCKpHYk.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All