Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 29, 2023, 1:21 p.m.	May 29, 2023, 1:28 p.m.

Size	6.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`820241820224a5c7eed0ca74b7420361`
SHA256	`7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f`
CRC32	`72AD8249`
ssdeep	`98304:x4S0clXTS9EIv1281Ey0l6iEz0JzA3+rBAlrHC3dNtCLChB:v/lX3I9R1EFlnxJzVA1ALI+hB`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer VMProtect_Zero - VMProtect packed file Raccoon_Stealer_1_Zero - Raccoon Stealer

a02.exe "C:\Users\test22\AppData\Local\Temp\a02.exe"
2556
- 2.1.1.exe C:\Users\test22\AppData\Local\Temp\2.1.1.exe
  2680
- wfplwfs.exe C:\Users\test22\AppData\Local\Temp\wfplwfs.exe
  1964
  - rundll32.exe C:\Windows\system32\rundll32.exe
    2448
- cmd.exe cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\test22\AppData\Local\Temp\a02.exe"
  800
  - PING.EXE ping 127.0.0.1 -n 3
    1400
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
iplogger.com	A 148.251.234.93	148.251.234.93
14mmf.za.com	A 104.21.54.36 A 172.67.223.30	104.21.54.36

IP Address	Status	Action
104.21.54.36	Active	Moloch
148.251.234.93	Active	Moloch
164.124.101.2	Active	Moloch
45.144.28.189	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49163 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.101:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49161 -> 104.21.54.36:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49161 104.21.54.36:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=14mmf.za.com	aa:41:3d:d8:cf:f6:f8:cf:3e:b5:c5:dd:03:65:99:87:f3:4f:f5:36

Command line console output was observed (16 events)

Time & API	Arguments	Status	Return
WriteConsoleA May 29, 2023, 1:22 p.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA May 29, 2023, 1:22 p.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA May 29, 2023, 1:22 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA May 29, 2023, 1:22 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA May 29, 2023, 1:22 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA May 29, 2023, 1:22 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA May 29, 2023, 1:22 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA May 29, 2023, 1:22 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA May 29, 2023, 1:22 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA May 29, 2023, 1:22 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA May 29, 2023, 1:22 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA May 29, 2023, 1:22 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA May 29, 2023, 1:22 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA May 29, 2023, 1:22 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA May 29, 2023, 1:22 p.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 3, Received = 3, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA May 29, 2023, 1:22 p.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 29, 2023, 1:21 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET https://14mmf.za.com/analytics.php?pub=a02&guid=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&sign=178004f0465ebfb5

Allocates read-write-execute memory (usually to unpack itself) (30 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 1964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02530000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 1964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02540000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 1964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02650000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 1964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02660000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 1964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 1964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02680000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 1964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02690000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 29, 2023, 1:23 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73361000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72db1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d74000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73282000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72231000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x712d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x711c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71131000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x764b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73331000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70ef1000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\2.1.1.exe
file	C:\Users\test22\AppData\Local\Temp\wfplwfs.exe

Creates hidden or system file (15 events)

Time & API	Arguments	Status	Return
NtCreateFile May 29, 2023, 1:21 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000000c4 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0
NtCreateFile May 29, 2023, 1:21 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 29, 2023, 1:21 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 29, 2023, 1:21 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 29, 2023, 1:21 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 29, 2023, 1:21 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 29, 2023, 1:21 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 29, 2023, 1:21 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 29, 2023, 1:21 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 29, 2023, 1:21 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 29, 2023, 1:21 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 29, 2023, 1:21 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 29, 2023, 1:21 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 29, 2023, 1:21 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 29, 2023, 1:21 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\wfplwfs.exe
file	C:\Users\test22\AppData\Local\Temp\2.1.1.exe
file	C:\Users\test22\AppData\Local\Temp\a02.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 29, 2023, 1:22 p.m.	thread_identifier: 908 thread_handle: 0x00000124 process_identifier: 1964 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\wfplwfs.exe filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000120	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 1964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x02530000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0056f000', u'virtual_address': u'0x0000f000', u'entropy': 7.954696798275584, u'name': u'.rdata', u'virtual_size': u'0x0056ec80'}

entropy

7.95469679828

description

A section with a high entropy has been found

entropy

0.910936476752

description

Overall entropy of this PE file is high

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vba
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	ping 127.0.0.1 -n 3
cmdline	cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\test22\AppData\Local\Temp\a02.exe"

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 2df9037fb29129ad27a4f2cf88cee132e272e28e

Communicates with host for which no DNS query was performed (1 event)

host

45.144.28.189

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000015c	1	0	0

Checks for the presence of known windows from debuggers and forensic tools (6 events)

Time & API	Arguments	Status	Return
FindWindowA May 29, 2023, 1:22 p.m.	class_name: ThunderRT6FormDC window_name: Operators Network Error Check		0
FindWindowA May 29, 2023, 1:23 p.m.	class_name: ThunderRT6FormDC window_name: Operators Network Error Check	1	262526
FindWindowA May 29, 2023, 1:23 p.m.	class_name: ThunderRT6FormDC window_name: Operators Network Error Check	1	262526
FindWindowA May 29, 2023, 1:23 p.m.	class_name: ThunderRT6FormDC window_name: Operators Network Error Check	1	262526
FindWindowA May 29, 2023, 1:23 p.m.	class_name: ThunderRT6FormDC window_name: Operators Network Error Check	1	262526
FindWindowA May 29, 2023, 1:23 p.m.	class_name: ThunderRT6FormDC window_name: Operators Network Error Check	1	262526

Installs itself for autorun at Windows startup (1 event)

file	C:\Windows\Tasks\1d896d6f4de8430f.job

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1964 called NtSetContextThread to modify thread in remote process 2448
NtSetContextThread May 29, 2023, 1:22 p.m.	registers.eip: 1995571652 registers.esp: 1834468 registers.edi: 0 registers.eax: 4199668 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000158 process_identifier: 2448	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1964 resumed a thread in remote process 2448
NtResumeThread May 29, 2023, 1:22 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2448	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

45.144.28.189:80

Executed a process and injected code into it, probably while unpacking (13 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW May 29, 2023, 1:21 p.m.	thread_identifier: 2684 thread_handle: 0x000000f4 process_identifier: 2680 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\2.1.1.exe filepath_r: stack_pivoted: 0 creation_flags: 16 (CREATE_NEW_CONSOLE) inherit_handles: 0 process_handle: 0x00000390	1	1
CreateProcessInternalW May 29, 2023, 1:22 p.m.	thread_identifier: 908 thread_handle: 0x00000124 process_identifier: 1964 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\wfplwfs.exe filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000120	1	1
CreateProcessInternalW May 29, 2023, 1:22 p.m.	thread_identifier: 1728 thread_handle: 0x00000120 process_identifier: 800 current_directory: filepath: track: 1 command_line: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\test22\AppData\Local\Temp\a02.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000124	1	1
NtResumeThread May 29, 2023, 1:22 p.m.	thread_handle: 0x000000f4 suspend_count: 1 process_identifier: 1964	1	0
CreateProcessInternalW May 29, 2023, 1:22 p.m.	thread_identifier: 2444 thread_handle: 0x00000158 process_identifier: 2448 current_directory: filepath: track: 1 command_line: C:\Windows\system32\rundll32.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000015c	1	1
NtGetContextThread May 29, 2023, 1:22 p.m.	thread_handle: 0x00000158	1	0
NtAllocateVirtualMemory May 29, 2023, 1:22 p.m.	process_identifier: 2448 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000015c	1	0
NtSetContextThread May 29, 2023, 1:22 p.m.	registers.eip: 1995571652 registers.esp: 1834468 registers.edi: 0 registers.eax: 4199668 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000158 process_identifier: 2448	1	0
NtResumeThread May 29, 2023, 1:22 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2448	1	0
CreateProcessInternalW May 29, 2023, 1:22 p.m.	thread_identifier: 2164 thread_handle: 0x00000084 process_identifier: 1400 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping 127.0.0.1 -n 3 filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread May 29, 2023, 1:22 p.m.	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 1400	1	0
NtResumeThread May 29, 2023, 1:22 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2448	1	0
NtResumeThread May 29, 2023, 1:22 p.m.	thread_handle: 0x00000324 suspend_count: 1 process_identifier: 2448	1	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectMalware
DrWeb	Trojan.DownLoader45.55795
MicroWorld-eScan	Trojan.GenericKD.67257664
FireEye	Generic.mg.820241820224a5c7
McAfee	Artemis!820241820224
Malwarebytes	Malware.AI.3065879201
VIPRE	Trojan.GenericKD.67257664
Sangfor	Infostealer.Win32.Raccoon.V2hh
K7AntiVirus	Trojan ( 0056e5201 )
Alibaba	TrojanPSW:Win32/Raccoon.faa5aa24
K7GW	Trojan ( 0056e5201 )
Cybereason	malicious.ecd226
BitDefenderTheta	Gen:NN.ZexaF.36196.@tW@aaOmYHli
VirIT	Trojan.Win32.Genus.QVT
Cyren	W32/ABRisk.ZFDM-3693
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
APEX	Malicious
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-PSW.Win32.Raccoon.gen
BitDefender	Trojan.GenericKD.67257664
ViRobot	Trojan.Win.Z.Raccoon.6258688
Avast	Win32:Evo-gen [Trj]
Rising	Stealer.Raccoon!8.12279 (TFE:5:N6dZUwGRupJ)
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/AD.Nekark.lfcoo
TrendMicro	TROJ_GEN.R014C0DER23
McAfee-GW-Edition	BehavesLike.Win32.Dropper.tc
Emsisoft	Trojan.GenericKD.67257664 (B)
SentinelOne	Static AI - Malicious PE
Avira	TR/AD.Nekark.lfcoo
MAX	malware (ai score=82)
Antiy-AVL	Trojan[PSW]/Win32.Raccoon
Microsoft	Trojan:Win32/Raccoon.CREC!MTB
Gridinsoft	Trojan.Win32.Packed.oa!s1
Arcabit	Trojan.Generic.D4024540
ZoneAlarm	HEUR:Trojan-PSW.Win32.Raccoon.gen
GData	Trojan.GenericKD.67257664
Google	Detected
AhnLab-V3	Trojan/Win.Raccoon.C5432015
VBA32	BScope.TrojanDownloader.Agent
ALYac	Trojan.GenericKD.67257664
TACHYON	Trojan-PWS/W32.Raccoon.6258688
Cylance	unsafe
Panda	Trj/GdSda.A
TrendMicro-HouseCall	TROJ_GEN.R014C0DER23
Tencent	Malware.Win32.Gencirc.11a29ca3
Ikarus	Trojan.Win32.VMProtect
Fortinet	W32/NDAoF
AVG	Win32:Evo-gen [Trj]

a02.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All