Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 26, 2023, 10:15 a.m.	June 26, 2023, 10:18 a.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ae935cda1e1db321d41cdd7e6431d1af`
SHA256	`77279199e6df6ccb5c1e1b1c0a94f8ecf518db2223b9c737a0af564a41cf27cb`
CRC32	`108CA398`
ssdeep	`12288:1BvQdL9pBjzyHjDkU8BC6vxfU9Zz5HPhL9+Sl/FK2lpeuy:E8/9+AFD`
Yara	UPX_Zero - UPX packed file Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

setup1.exe "C:\Users\test22\AppData\Local\Temp\setup1.exe"
2548
- setup1.exe "C:\Users\test22\AppData\Local\Temp\setup1.exe"
  2744

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 26, 2023, 10:15 a.m.			0	0
IsDebuggerPresent June 26, 2023, 10:15 a.m.			0	0
IsDebuggerPresent June 26, 2023, 10:16 a.m.			0	0
IsDebuggerPresent June 26, 2023, 10:16 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey June 26, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005eb108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005eb208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005eb208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 26, 2023, 10:15 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 107 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00472000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00496000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f852000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049fe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05581000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05584000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 38400 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052f0400 process_handle: 0xffffffff		3221225550
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05588000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05589000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0558a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 26, 2023, 10:15 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Communications use DNS	rule	Network_DNS
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	RedLine stealer	rule	RedLine_Stealer_m_Zero

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2744 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000354	1	0	0
NtProtectVirtualMemory June 26, 2023, 10:16 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 196608 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0x00000354	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 26, 2023, 10:15 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

setup1.exe tried to sleep 5456394 seconds, actually delayed analysis time by 5456394 seconds

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 26, 2023, 10:15 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¼8Äà00 @@ @P0K@Nà H.text¤ `.rsrcN@@@.relocà°@B base_address: 0x00400000 process_identifier: 2744 process_handle: 0x00000354	1	1
WriteProcessMemory June 26, 2023, 10:15 a.m.	buffer: 0 0 base_address: 0x0042e000 process_identifier: 2744 process_handle: 0x00000354	1	1
WriteProcessMemory June 26, 2023, 10:15 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2744 process_handle: 0x00000354	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 26, 2023, 10:15 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¼8Äà00 @@ @P0K@Nà H.text¤ `.rsrcN@@@.relocà°@B base_address: 0x00400000 process_identifier: 2744 process_handle: 0x00000354	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 called NtSetContextThread to modify thread in remote process 2744
NtSetContextThread June 26, 2023, 10:16 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4337822 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000350 process_identifier: 2744	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\setup1.exe\:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 resumed a thread in remote process 2744
NtResumeThread June 26, 2023, 10:16 a.m.	thread_handle: 0x00000350 suspend_count: 1 process_identifier: 2744	1	0	0

Executed a process and injected code into it, probably while unpacking (22 events)

Time & API	Arguments	Status	Return
NtResumeThread June 26, 2023, 10:15 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread June 26, 2023, 10:15 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread June 26, 2023, 10:15 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread June 26, 2023, 10:15 a.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2548	1	0
NtGetContextThread June 26, 2023, 10:15 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread June 26, 2023, 10:15 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread June 26, 2023, 10:15 a.m.	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread June 26, 2023, 10:15 a.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread June 26, 2023, 10:15 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2548	1	0
CreateProcessInternalW June 26, 2023, 10:15 a.m.	thread_identifier: 2748 thread_handle: 0x00000350 process_identifier: 2744 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\setup1.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\setup1.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\setup1.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000354	1	1
NtGetContextThread June 26, 2023, 10:15 a.m.	thread_handle: 0x00000350	1	0
NtAllocateVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2744 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000354	1	0
WriteProcessMemory June 26, 2023, 10:15 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¼8Äà00 @@ @P0K@Nà H.text¤ `.rsrcN@@@.relocà°@B base_address: 0x00400000 process_identifier: 2744 process_handle: 0x00000354	1	1
WriteProcessMemory June 26, 2023, 10:15 a.m.	buffer: base_address: 0x00402000 process_identifier: 2744 process_handle: 0x00000354	1	1
WriteProcessMemory June 26, 2023, 10:15 a.m.	buffer: base_address: 0x00424000 process_identifier: 2744 process_handle: 0x00000354	1	1
WriteProcessMemory June 26, 2023, 10:15 a.m.	buffer: 0 0 base_address: 0x0042e000 process_identifier: 2744 process_handle: 0x00000354	1	1
WriteProcessMemory June 26, 2023, 10:15 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2744 process_handle: 0x00000354	1	1
NtSetContextThread June 26, 2023, 10:16 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4337822 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000350 process_identifier: 2744	1	0
NtResumeThread June 26, 2023, 10:16 a.m.	thread_handle: 0x00000350 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread June 26, 2023, 10:16 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread June 26, 2023, 10:16 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread June 26, 2023, 10:16 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2744	1	0

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Lionic	Trojan.Win32.Zilla.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	IL:Trojan.MSILZilla.28568
McAfee	Artemis!AE935CDA1E1D
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 005a77a41 )
Alibaba	TrojanSpy:MSIL/Stealer.b4b420c8
K7GW	Trojan ( 005a77a41 )
Arcabit	IL:Trojan.MSILZilla.D6F98
BitDefenderTheta	Gen:NN.ZemsilF.36270.rn0@a0NTg9
Cyren	W32/MSIL_Troj.BPP.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.AJCJ
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
BitDefender	IL:Trojan.MSILZilla.28568
Avast	Win32:Trojan-gen
Tencent	Malware.Win32.Gencirc.13db0dcc
Emsisoft	IL:Trojan.MSILZilla.28568 (B)
F-Secure	Heuristic.HEUR/AGEN.1307342
DrWeb	Trojan.PWS.RedLineNET.7
VIPRE	IL:Trojan.MSILZilla.28568
TrendMicro	TrojanSpy.Win32.REDLINE.YXDFVZ
McAfee-GW-Edition	BehavesLike.Win32.Downloader.tt
FireEye	Generic.mg.ae935cda1e1db321
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Avira	HEUR/AGEN.1307342
Antiy-AVL	Trojan/MSIL.Kryptik
Gridinsoft	Trojan.Win32.Kryptik.cl
Microsoft	Trojan:MSIL/RedLineStealer.EM!MTB
ViRobot	Trojan.Win.Z.Kryptik.1340416.F
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
GData	Win32.Trojan-Stealer.Cordimik.OE7B7A
Google	Detected
AhnLab-V3	Trojan/Win.MSILZilla.C5443411
Acronis	suspicious
ALYac	IL:Trojan.MSILZilla.28568
MAX	malware (ai score=87)
Malwarebytes	Crypt.Trojan.MSIL.DDS
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TrojanSpy.Win32.REDLINE.YXDFVZ
Rising	Malware.Obfus/MSIL@AI.90 (RDM.MSIL2:M2I0Wcj7C1OBZ2ICe3mCTQ)
Ikarus	Trojan-Spy.HawkEye
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AJCJ!tr
AVG	Win32:Trojan-gen
DeepInstinct	MALICIOUS

setup1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All