Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 25, 2023, 5:35 p.m.	May 25, 2023, 5:46 p.m.

Size	381.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0b79fbf16b76bd0ff14e9d079e40e889`
SHA256	`e99574f67e511e9b940c788de58592b02542972981f69ebe2806d876e01135fb`
CRC32	`42E1A2FE`
ssdeep	`6144:x/QiQXCfkm+ksmpk3U9j0IT2OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3fP6m6UR0IT2lL//plmW9bTXeVhD4`
Yara	UPX_Zero - UPX packed file Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet mzp_file_format - MZP(Delphi) file format Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

PEP2.exe "C:\Users\test22\AppData\Local\Temp\PEP2.exe"
2552
- PEP2.tmp "C:\Users\test22\AppData\Local\Temp\is-196DR.tmp\PEP2.tmp" /SL5="$80178,140559,56832,C:\Users\test22\AppData\Local\Temp\PEP2.exe"
  2604
  - GABRIEL.exe "C:\Users\test22\AppData\Local\Temp\is-AP389.tmp\GABRIEL.exe" /S /UID=flabs2
    2776
    - Kobonewuju.exe "C:\Users\test22\AppData\Local\Temp\ed-57f66-9e7-d698d-a6c0312e1dca6\Kobonewuju.exe"
      2080
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
360devtracking.com	A 37.230.138.66	37.230.138.66
www.google.com	A 172.217.31.4	142.250.76.132
connectini.net	A 37.230.138.123	37.230.138.123
wewewe.s3.eu-central-1.amazonaws.com	A 52.219.140.16 CNAME s3-r-w.eu-central-1.amazonaws.com	3.5.138.115
n8w5.c12.e2-1.dev
google.com	A 142.251.220.78	142.250.206.206
link.storjshare.io	A 185.244.226.4	185.244.226.4

IP Address	Status	Action
142.251.220.78	Active	Moloch
164.124.101.2	Active	Moloch
172.217.31.4	Active	Moloch
185.244.226.4	Active	Moloch
37.230.138.123	Active	Moloch
37.230.138.66	Active	Moloch
52.219.140.16	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2038505	ET INFO File Sharing Service Domain in DNS Lookup (link .storjshare .io)	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 185.244.226.4:443	2038506	ET INFO Observed File Sharing Service Domain (link .storjshare .io in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 185.244.226.4:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2038505	ET INFO File Sharing Service Domain in DNS Lookup (link .storjshare .io)	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 52.219.140.16:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.244.226.4:80 -> 192.168.56.101:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.244.226.4:80 -> 192.168.56.101:49165	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.101:49168 -> 172.217.31.4:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2038505	ET INFO File Sharing Service Domain in DNS Lookup (link .storjshare .io)	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 185.244.226.4:443	2038506	ET INFO Observed File Sharing Service Domain (link .storjshare .io in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 185.244.226.4:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.244.226.4:80 -> 192.168.56.101:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.244.226.4:80 -> 192.168.56.101:49163	2014520	ET INFO EXE - Served Attached HTTP	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49170 185.244.226.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=link.storjshare.io	ef:8c:1d:0f:34:70:c2:fe:82:ba:2e:e4:b1:d3:10:79:a3:e4:9b:84
TLS 1.2 192.168.56.101:49169 52.219.140.16:443	C=US, O=Amazon, CN=Amazon RSA 2048 M01	CN=*.s3.eu-central-1.amazonaws.com	0a:60:dd:74:9f:3c:a8:45:07:d7:82:2d:33:8b:29:e1:53:36:f8:c3
TLS 1.2 192.168.56.101:49168 172.217.31.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	48:e3:15:66:fc:ea:15:bf:d2:34:c1:dd:60:d4:23:a3:63:57:89:8d
TLSv1 192.168.56.101:49179 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLSv1 192.168.56.101:49167 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLS 1.2 192.168.56.101:49171 185.244.226.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=link.storjshare.io	ef:8c:1d:0f:34:70:c2:fe:82:ba:2e:e4:b1:d3:10:79:a3:e4:9b:84

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 25, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 25, 2023, 5:35 p.m.			0	0
IsDebuggerPresent May 25, 2023, 5:28 p.m.			0	0
IsDebuggerPresent May 25, 2023, 5:28 p.m.			0	0
IsDebuggerPresent May 25, 2023, 5:29 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 25, 2023, 5:35 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 25, 2023, 5:36 p.m.	stacktrace: pep2+0x816a8 @ 0x4816a8 pep2+0x99c13 @ 0x499c13 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedface exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1637924 registers.edi: 4523332 registers.eax: 1637924 registers.ebp: 1638004 registers.edx: 0 registers.ebx: 0 registers.esi: 2 registers.ecx: 7	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (11 events)

suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/SuperNitouDisc.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://link.storjshare.io/s/jxjnpyegksik26mz4wqismdyexpq/yokoso/fullham/enel/hand-M2u7HcEuL9S7AFLW.exe?download=1
suspicious_features	GET method with no useragent header	suspicious_request	GET https://link.storjshare.io/jx573tmlnr5wf7adrak4haxbcyra/yokoso/fullham/enel/up-do-dat-M2u7HcEuL9S7AFLW.exe?download=1
suspicious_features	GET method with no useragent header	suspicious_request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://link.storjshare.io/s/jx573tmlnr5wf7adrak4haxbcyra/yokoso/fullham/enel/up-do-dat-M2u7HcEuL9S7AFLW.exe?download=1
suspicious_features	GET method with no useragent header	suspicious_request	GET https://www.google.com/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=flabs2&tesla=7
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer2kenpachi.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json

Performs some HTTP requests (14 events)

request	HEAD http://link.storjshare.io/juwxjm5rlewtkplox6e4e3btskgq/yokoso%2Ffullham%2Fmanatara%2Fpoweroff.exe?download=1
request	GET http://link.storjshare.io/s/juwxjm5rlewtkplox6e4e3btskgq/yokoso/fullham/manatara/poweroff.exe?download=1
request	GET http://link.storjshare.io/juwxjm5rlewtkplox6e4e3btskgq/yokoso%2Ffullham%2Fmanatara%2Fpoweroff.exe?download=1
request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	GET https://link.storjshare.io/s/jxjnpyegksik26mz4wqismdyexpq/yokoso/fullham/enel/hand-M2u7HcEuL9S7AFLW.exe?download=1
request	GET https://link.storjshare.io/jx573tmlnr5wf7adrak4haxbcyra/yokoso/fullham/enel/up-do-dat-M2u7HcEuL9S7AFLW.exe?download=1
request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
request	GET https://link.storjshare.io/s/jx573tmlnr5wf7adrak4haxbcyra/yokoso/fullham/enel/up-do-dat-M2u7HcEuL9S7AFLW.exe?download=1
request	GET https://www.google.com/
request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=flabs2&tesla=7
request	POST https://connectini.net/Series/Conumer2kenpachi.php
request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json

Sends data using the HTTP POST Method (3 events)

request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	POST https://connectini.net/Series/Conumer2kenpachi.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 357 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 2604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:29 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000046d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 2490368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000770000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef423b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002290000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9440c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9440d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94521000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94526000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94527000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94528000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94529000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9452d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:28 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9441b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\88-504c6-392-927b3-57722369cb9ad\Qunyjaxory.exe
file	C:\Users\test22\AppData\Local\Temp\ed-57f66-9e7-d698d-a6c0312e1dca6\Kobonewuju.exe
file	C:\Users\test22\AppData\Local\Temp\is-AP389.tmp\GABRIEL.exe
file	C:\Program Files (x86)\Hnc\Waebilopity.exe
file	C:\Users\test22\AppData\Local\Temp\is-AP389.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-AP389.tmp\idp.dll

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\ed-57f66-9e7-d698d-a6c0312e1dca6\Kobonewuju.exe
file	C:\Users\test22\AppData\Local\Temp\88-504c6-392-927b3-57722369cb9ad\Qunyjaxory.exe

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Local\Temp\is-AP389.tmp\GABRIEL.exe
file	C:\Users\test22\AppData\Local\Temp\is-196DR.tmp\PEP2.tmp
file	C:\Users\test22\AppData\Local\Temp\is-AP389.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\ed-57f66-9e7-d698d-a6c0312e1dca6\Kobonewuju.exe
file	C:\Users\test22\AppData\Local\Temp\is-AP389.tmp\idp.dll

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 25, 2023, 5:28 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process pep2.tmp (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile May 25, 2023, 5:35 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÚA\Ùà.P¤>o @ ` @ðnK @ £n H.textDO P `.sdataøT@À.rsrc V@@.reloc@ ö @B request_handle: 0x00cc000c	1	1	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover

reg_value

"C:\Program Files (x86)\Hnc\Waebilopity.exe"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-AP389.tmp\GABRIEL.exe

Generates some ICMP traffic

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Lionic	Trojan.Win32.Csdi.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Babar.139346
McAfee	Artemis!0B79FBF16B76
Cylance	unsafe
VIPRE	Gen:Variant.Babar.139346
Sangfor	Downloader.Win32.Agent.Vdl8
K7AntiVirus	Adware ( 0054654b1 )
K7GW	Adware ( 0054654b1 )
Cybereason	malicious.292f34
Arcabit	Trojan.Babar.D22052
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/TrojanDownloader.Adload.NVT
Cynet	Malicious (score: 99)
APEX	Malicious
Kaspersky	UDS:Trojan-Downloader.MSIL.Csdi.hs
BitDefender	Gen:Variant.Babar.139346
Avast	FileRepMalware [Drp]
Tencent	Win32.Trojan.Agen.Vsmw
Sophos	Mal/Generic-S
F-Secure	Heuristic.HEUR/AGEN.1338864
DrWeb	Trojan.Siggen16.39632
McAfee-GW-Edition	BehavesLike.Win32.AdwareFileTour.fc
FireEye	Gen:Variant.Babar.139346
Emsisoft	Gen:Variant.Babar.139346 (B)
Avira	HEUR/AGEN.1338864
Gridinsoft	Malware.Win32.Gen.bot
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	UDS:Trojan-Downloader.MSIL.Csdi.hs
GData	Gen:Variant.Babar.139346
Google	Detected
AhnLab-V3	Trojan/Win.Tnega.C5245603
ALYac	Gen:Variant.Babar.139346
MAX	malware (ai score=88)
Ikarus	Win32.Outbreak
MaxSecure	Trojan.Malware.124227219.susgen
AVG	FileRepMalware [Drp]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_60% (W)

PEP2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All