Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 18, 2023, 7:16 a.m.	July 18, 2023, 7:29 a.m.

Size	589.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`a147b043c9bf220c3f7c30e5fab35414`
SHA256	`8bb4dbfeb12ea6c27f6a4bf9ba8188cc231208519e0d7c42bb48c1d75062c76d`
CRC32	`39B1248E`
ssdeep	`12288:VyL9Vhs97dycOswymWm4bdJJFKeSDNjKkqTrQaSejL8Z:Iri7dLl1/bT7KeSDbqTrQaSejL8Z`
PDB Path	rAUB.pdb
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

wininit.exe "C:\Users\test22\AppData\Local\Temp\wininit.exe"
2548
- wininit.exe "C:\Users\test22\AppData\Local\Temp\wininit.exe"
  2924

Name	Response	Post-Analysis Lookup
www.sisbom.online	CNAME sisbom.online A 162.240.81.18	162.240.81.18
www.playcups.life	A 203.161.58.192	203.161.58.192
www.maytag36.com	CNAME 342284.parkingcrew.net A 13.248.148.254 A 76.223.26.96	76.223.26.96
www.cosmicearthgoddess.com	A 74.208.236.61	74.208.236.61
www.yh66985.com	A 154.215.247.58	154.215.247.58
www.promptyum.com		52.20.84.62
www.selfstorage.koeln	CNAME selfstorage.koeln A 81.169.145.157	81.169.145.157
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
13.248.148.254	Active	Moloch
154.215.247.58	Active	Moloch
162.240.81.18	Active	Moloch
164.124.101.2	Active	Moloch
203.161.58.192	Active	Moloch
45.33.6.223	Active	Moloch
74.208.236.61	Active	Moloch
81.169.145.157	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:54883 -> 164.124.101.2:53	2027867	ET INFO Observed DNS Query to .life TLD	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 203.161.58.192:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 203.161.58.192:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 18, 2023, 7:16 a.m.			0	0
IsDebuggerPresent July 18, 2023, 7:16 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

rAUB.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 18, 2023, 7:16 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.sisbom.online/pta7/?UZ=9K+XUf37kaVDuc0IEb/en1sQBc6oG59LX1JpxUbzLe92mNGRZFlQ32afb7pO3FMoswo/Nr7Bt7+lgxXjhaaHcK0lGMXqPnmX0dOCo/8=&E5x3=-G8E_Sw
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.maytag36.com/pta7/?UZ=I+8B7hWWd8/aZc0LyOI98FU2kxxJYUgzWPkNKI3Xu1M4KTmr5ikbSLVEKd5DC7LZ6l0Rcp22A4fkoHEesbNwOWp7sSOEDutN8WpeiG4=&E5x3=-G8E_Sw
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.selfstorage.koeln/pta7/?UZ=nRxaeJY0qwDQ0+6frQxSN5E2QFq7X4AyNJuuilycF0k/wVU2rXenu/JIKS0/EAOQo/d8R3vVu9XtC/4/t+jNl01+sEHp/xYpCFlSqjU=&E5x3=-G8E_Sw
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.cosmicearthgoddess.com/pta7/?UZ=13fhjxEBwouEnUsG2Zptbc3oT5vv/DEuG4iFtfSUwau/qJ9Hv2KIb5nyZ/MG0WCg1U40rxerqpJjqyPhopVWfuMIqg+QB/xDsz3LaOk=&E5x3=-G8E_Sw
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.yh66985.com/pta7/?UZ=r0Znjcl108fWq3DW2uMZlKkUpEOS0il4WTIwHqnkDlhXNTmyDe2k/moWxs1adkJw8OOtkgeu00hRWSJDuXN3qGN9obJjMdXlYosByRw=&E5x3=-G8E_Sw
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.playcups.life/pta7/?UZ=owQQ/LdvYhr1hQA44RH9bUiltN1V9/nW3nzbuZ7AnukoApd9+FtfvWC4rKSj4oUCaFCHPCKOWRRPvWiBpKGkSpFpDTHalZsc88EWemY=&E5x3=-G8E_Sw

Performs some HTTP requests (13 events)

request	POST http://www.sisbom.online/pta7/
request	GET http://www.sisbom.online/pta7/?UZ=9K+XUf37kaVDuc0IEb/en1sQBc6oG59LX1JpxUbzLe92mNGRZFlQ32afb7pO3FMoswo/Nr7Bt7+lgxXjhaaHcK0lGMXqPnmX0dOCo/8=&E5x3=-G8E_Sw
request	GET http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
request	POST http://www.maytag36.com/pta7/
request	GET http://www.maytag36.com/pta7/?UZ=I+8B7hWWd8/aZc0LyOI98FU2kxxJYUgzWPkNKI3Xu1M4KTmr5ikbSLVEKd5DC7LZ6l0Rcp22A4fkoHEesbNwOWp7sSOEDutN8WpeiG4=&E5x3=-G8E_Sw
request	POST http://www.selfstorage.koeln/pta7/
request	GET http://www.selfstorage.koeln/pta7/?UZ=nRxaeJY0qwDQ0+6frQxSN5E2QFq7X4AyNJuuilycF0k/wVU2rXenu/JIKS0/EAOQo/d8R3vVu9XtC/4/t+jNl01+sEHp/xYpCFlSqjU=&E5x3=-G8E_Sw
request	POST http://www.cosmicearthgoddess.com/pta7/
request	GET http://www.cosmicearthgoddess.com/pta7/?UZ=13fhjxEBwouEnUsG2Zptbc3oT5vv/DEuG4iFtfSUwau/qJ9Hv2KIb5nyZ/MG0WCg1U40rxerqpJjqyPhopVWfuMIqg+QB/xDsz3LaOk=&E5x3=-G8E_Sw
request	POST http://www.yh66985.com/pta7/
request	GET http://www.yh66985.com/pta7/?UZ=r0Znjcl108fWq3DW2uMZlKkUpEOS0il4WTIwHqnkDlhXNTmyDe2k/moWxs1adkJw8OOtkgeu00hRWSJDuXN3qGN9obJjMdXlYosByRw=&E5x3=-G8E_Sw
request	POST http://www.playcups.life/pta7/
request	GET http://www.playcups.life/pta7/?UZ=owQQ/LdvYhr1hQA44RH9bUiltN1V9/nW3nzbuZ7AnukoApd9+FtfvWC4rKSj4oUCaFCHPCKOWRRPvWiBpKGkSpFpDTHalZsc88EWemY=&E5x3=-G8E_Sw

Sends data using the HTTP POST Method (6 events)

request	POST http://www.sisbom.online/pta7/
request	POST http://www.maytag36.com/pta7/
request	POST http://www.selfstorage.koeln/pta7/
request	POST http://www.cosmicearthgoddess.com/pta7/
request	POST http://www.yh66985.com/pta7/
request	POST http://www.playcups.life/pta7/

Allocates read-write-execute memory (usually to unpack itself) (29 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00442000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00476000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2023, 7:16 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:17 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:17 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:17 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:17 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:17 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:17 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:17 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:17 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:17 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 7:17 a.m.	process_identifier: 2924 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00092a00', u'virtual_address': u'0x00002000', u'entropy': 7.812224327608316, u'name': u'.text', u'virtual_size': u'0x000929e4'}

entropy

7.81222432761

description

A section with a high entropy has been found

entropy

0.996601529312

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 18, 2023, 7:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 18, 2023, 7:17 a.m.	process_identifier: 2924 region_size: 200704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 18, 2023, 7:17 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELüöFàöÐ@@.texttõö ` base_address: 0x00400000 process_identifier: 2924 process_handle: 0x00000268	1	1	0
WriteProcessMemory July 18, 2023, 7:17 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2924 process_handle: 0x00000268	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 18, 2023, 7:17 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELüöFàöÐ@@.texttõö ` base_address: 0x00400000 process_identifier: 2924 process_handle: 0x00000268	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 called NtSetContextThread to modify thread in remote process 2924
NtSetContextThread July 18, 2023, 7:17 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199888 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000264 process_identifier: 2924	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 resumed a thread in remote process 2924
NtResumeThread July 18, 2023, 7:17 a.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2924	1	0	0

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Lionic	Trojan.Win32.Noon.4!c
Elastic	malicious (high confidence)
McAfee	Artemis!A147B043C9BF
Malwarebytes	MachineLearning/Anomalous.94%
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
Cyren	W32/MSIL_Kryptik.IUH.gen!Eldorado
Symantec	MSIL.Packed.38
ESET-NOD32	a variant of MSIL/GenKryptik.GLXC
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	Win32:PWSX-gen [Trj]
McAfee-GW-Edition	BehavesLike.Win32.Generic.hc
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Google	Detected
Rising	Malware.Obfus/MSIL@AI.80 (RDM.MSIL2:Rpz4xVHdxmhgkmCPQjsgHQ)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AMX!tr
AVG	Win32:PWSX-gen [Trj]
Cybereason	malicious.4313fc
DeepInstinct	MALICIOUS

Executed a process and injected code into it, probably while unpacking (18 events)

Time & API	Arguments	Status	Return
NtResumeThread July 18, 2023, 7:16 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread July 18, 2023, 7:16 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread July 18, 2023, 7:16 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread July 18, 2023, 7:17 a.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 2548	1	0
NtGetContextThread July 18, 2023, 7:17 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread July 18, 2023, 7:17 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread July 18, 2023, 7:17 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2548	1	0
NtGetContextThread July 18, 2023, 7:17 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread July 18, 2023, 7:17 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread July 18, 2023, 7:17 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2548	1	0
CreateProcessInternalW July 18, 2023, 7:17 a.m.	thread_identifier: 2928 thread_handle: 0x00000264 process_identifier: 2924 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\wininit.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\wininit.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000268	1	1
NtGetContextThread July 18, 2023, 7:17 a.m.	thread_handle: 0x00000264	1	0
NtAllocateVirtualMemory July 18, 2023, 7:17 a.m.	process_identifier: 2924 region_size: 200704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268	1	0
WriteProcessMemory July 18, 2023, 7:17 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELüöFàöÐ@@.texttõö ` base_address: 0x00400000 process_identifier: 2924 process_handle: 0x00000268	1	1
WriteProcessMemory July 18, 2023, 7:17 a.m.	buffer: base_address: 0x00401000 process_identifier: 2924 process_handle: 0x00000268	1	1
WriteProcessMemory July 18, 2023, 7:17 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2924 process_handle: 0x00000268	1	1
NtSetContextThread July 18, 2023, 7:17 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199888 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000264 process_identifier: 2924	1	0
NtResumeThread July 18, 2023, 7:17 a.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2924	1	0

wininit.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All