Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 25, 2023, 7:31 a.m.	July 25, 2023, 7:57 a.m.

Size	771.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`682fbd7115e44f2d2cdac467072a0e24`
SHA256	`fed8358d2eb6cd687bb6f6a88b4f8bc01bd5dcf355535532718a0f04f1eff674`
CRC32	`D38AAAE6`
ssdeep	`24576:fFua+tagsCz/Dh/9BWcmRsuC55pOVn2D:fVCtKcmRsH55p3`
PDB Path	khSt.pdb
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

wininit.exe "C:\Users\test22\AppData\Local\Temp\wininit.exe"
800
- wininit.exe "C:\Users\test22\AppData\Local\Temp\wininit.exe"
  2580

Name	Response	Post-Analysis Lookup
www.sisbom.online	CNAME sisbom.online A 162.240.81.18	162.240.81.18
www.maytag36.com	CNAME 342284.parkingcrew.net A 13.248.148.254 A 76.223.26.96	76.223.26.96
www.cosmicearthgoddess.com	A 74.208.236.61	74.208.236.61
www.selfstorage.koeln	CNAME selfstorage.koeln A 81.169.145.157	81.169.145.157
www.yh66985.com	A 154.215.247.58	154.215.247.58
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
154.215.247.58	Active	Moloch
162.240.81.18	Active	Moloch
164.124.101.2	Active	Moloch
45.33.6.223	Active	Moloch
74.208.236.61	Active	Moloch
76.223.26.96	Active	Moloch
81.169.145.157	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 25, 2023, 7:31 a.m.			0	0
IsDebuggerPresent July 25, 2023, 7:31 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

khSt.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 25, 2023, 7:31 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.sisbom.online/pta7/?DwSq=9K+XUf37kaVDuc0IEb/en1sQBc6oG59LX1JpxUbzLe92mNGRZFlQ32afb7pO3FMoswo/Nr7Bt7+lgxXjhaaHcK0lGMXqPnmX0dOCo/8=&w07om4=jGcI-wh
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.maytag36.com/pta7/?DwSq=I+8B7hWWd8/aZc0LyOI98FU2kxxJYUgzWPkNKI3Xu1M4KTmr5ikbSLVEKd5DC7LZ6l0Rcp22A4fkoHEesbNwOWp7sSOEDutN8WpeiG4=&w07om4=jGcI-wh
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.selfstorage.koeln/pta7/?DwSq=nRxaeJY0qwDQ0+6frQxSN5E2QFq7X4AyNJuuilycF0k/wVU2rXenu/JIKS0/EAOQo/d8R3vVu9XtC/4/t+jNl01+sEHp/xYpCFlSqjU=&w07om4=jGcI-wh
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.cosmicearthgoddess.com/pta7/?DwSq=13fhjxEBwouEnUsG2Zptbc3oT5vv/DEuG4iFtfSUwau/qJ9Hv2KIb5nyZ/MG0WCg1U40rxerqpJjqyPhopVWfuMIqg+QB/xDsz3LaOk=&w07om4=jGcI-wh
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.yh66985.com/pta7/?DwSq=r0Znjcl108fWq3DW2uMZlKkUpEOS0il4WTIwHqnkDlhXNTmyDe2k/moWxs1adkJw8OOtkgeu00hRWSJDuXN3qGN9obJjMdXlYosByRw=&w07om4=jGcI-wh

Performs some HTTP requests (11 events)

request	POST http://www.sisbom.online/pta7/
request	GET http://www.sisbom.online/pta7/?DwSq=9K+XUf37kaVDuc0IEb/en1sQBc6oG59LX1JpxUbzLe92mNGRZFlQ32afb7pO3FMoswo/Nr7Bt7+lgxXjhaaHcK0lGMXqPnmX0dOCo/8=&w07om4=jGcI-wh
request	GET http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip
request	POST http://www.maytag36.com/pta7/
request	GET http://www.maytag36.com/pta7/?DwSq=I+8B7hWWd8/aZc0LyOI98FU2kxxJYUgzWPkNKI3Xu1M4KTmr5ikbSLVEKd5DC7LZ6l0Rcp22A4fkoHEesbNwOWp7sSOEDutN8WpeiG4=&w07om4=jGcI-wh
request	POST http://www.selfstorage.koeln/pta7/
request	GET http://www.selfstorage.koeln/pta7/?DwSq=nRxaeJY0qwDQ0+6frQxSN5E2QFq7X4AyNJuuilycF0k/wVU2rXenu/JIKS0/EAOQo/d8R3vVu9XtC/4/t+jNl01+sEHp/xYpCFlSqjU=&w07om4=jGcI-wh
request	POST http://www.cosmicearthgoddess.com/pta7/
request	GET http://www.cosmicearthgoddess.com/pta7/?DwSq=13fhjxEBwouEnUsG2Zptbc3oT5vv/DEuG4iFtfSUwau/qJ9Hv2KIb5nyZ/MG0WCg1U40rxerqpJjqyPhopVWfuMIqg+QB/xDsz3LaOk=&w07om4=jGcI-wh
request	POST http://www.yh66985.com/pta7/
request	GET http://www.yh66985.com/pta7/?DwSq=r0Znjcl108fWq3DW2uMZlKkUpEOS0il4WTIwHqnkDlhXNTmyDe2k/moWxs1adkJw8OOtkgeu00hRWSJDuXN3qGN9obJjMdXlYosByRw=&w07om4=jGcI-wh

Sends data using the HTTP POST Method (5 events)

request	POST http://www.sisbom.online/pta7/
request	POST http://www.maytag36.com/pta7/
request	POST http://www.selfstorage.koeln/pta7/
request	POST http://www.cosmicearthgoddess.com/pta7/
request	POST http://www.yh66985.com/pta7/

Allocates read-write-execute memory (usually to unpack itself) (33 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02220000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00761000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:31 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00764000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00765000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0438f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00766000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00767000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00768000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00769000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 2580 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000c0200', u'virtual_address': u'0x00002000', u'entropy': 7.651146398622941, u'name': u'.text', u'virtual_size': u'0x000c01d8'}

entropy

7.65114639862

description

A section with a high entropy has been found

entropy

0.997404282933

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 25, 2023, 7:32 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 25, 2023, 7:32 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess July 25, 2023, 7:32 a.m.	status_code: 0xffffffff process_identifier: 2544 process_handle: 0x00000260		0	0
NtTerminateProcess July 25, 2023, 7:32 a.m.	status_code: 0xffffffff process_identifier: 2544 process_handle: 0x00000260	1	0	0

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 2544 region_size: 200704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000250		3221225496	0
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 2580 region_size: 200704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000264	1	0	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 800 manipulating memory of non-child process 2544
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 2544 region_size: 200704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000250		3221225496	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 25, 2023, 7:32 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELüöFàöÐ@@.texttõö ` base_address: 0x00400000 process_identifier: 2580 process_handle: 0x00000264	1	1	0
WriteProcessMemory July 25, 2023, 7:32 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2580 process_handle: 0x00000264	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 25, 2023, 7:32 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELüöFàöÐ@@.texttõö ` base_address: 0x00400000 process_identifier: 2580 process_handle: 0x00000264	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 800 called NtSetContextThread to modify thread in remote process 2580
NtSetContextThread July 25, 2023, 7:32 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199888 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000260 process_identifier: 2580	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 800 resumed a thread in remote process 2580
NtResumeThread July 25, 2023, 7:32 a.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 2580	1	0	0

Executed a process and injected code into it, probably while unpacking (15 events)

Time & API	Arguments	Status	Return
NtResumeThread July 25, 2023, 7:31 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 800	1	0
NtResumeThread July 25, 2023, 7:31 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 800	1	0
NtResumeThread July 25, 2023, 7:31 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 800	1	0
NtResumeThread July 25, 2023, 7:32 a.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 800	1	0
CreateProcessInternalW July 25, 2023, 7:32 a.m.	thread_identifier: 2548 thread_handle: 0x0000024c process_identifier: 2544 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\wininit.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\wininit.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000250	1	1
NtGetContextThread July 25, 2023, 7:32 a.m.	thread_handle: 0x0000024c	1	0
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 2544 region_size: 200704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000250		3221225496
CreateProcessInternalW July 25, 2023, 7:32 a.m.	thread_identifier: 2584 thread_handle: 0x00000260 process_identifier: 2580 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\wininit.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\wininit.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000264	1	1
NtGetContextThread July 25, 2023, 7:32 a.m.	thread_handle: 0x00000260	1	0
NtAllocateVirtualMemory July 25, 2023, 7:32 a.m.	process_identifier: 2580 region_size: 200704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000264	1	0
WriteProcessMemory July 25, 2023, 7:32 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELüöFàöÐ@@.texttõö ` base_address: 0x00400000 process_identifier: 2580 process_handle: 0x00000264	1	1
WriteProcessMemory July 25, 2023, 7:32 a.m.	buffer: base_address: 0x00401000 process_identifier: 2580 process_handle: 0x00000264	1	1
WriteProcessMemory July 25, 2023, 7:32 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2580 process_handle: 0x00000264	1	1
NtSetContextThread July 25, 2023, 7:32 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199888 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000260 process_identifier: 2580	1	0
NtResumeThread July 25, 2023, 7:32 a.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 2580	1	0

wininit.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All