Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 5, 2023, 8:38 a.m.	Sept. 5, 2023, 8:40 a.m.

Size	912.9KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`70e483ab51c94cd2318fb5cb0de989fd`
SHA256	`a0041aa69a92b8a85e020dcf6424960e466c4e2f315a556bed9e06d870dddf47`
CRC32	`9111E1D4`
ssdeep	`1536:j21Ax5SP/rgoMp633kUFPyHqVfxkCx1UE8o1TQ5CAiaRgd6W0NQHMpgac+0rOMzc:Uh+vek3mUQKN`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\ORDER.js
3032
- javaw.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\cvzsodrwgw.txt"
  2192
  - java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\cvzsodrwgw.txt"
    2396
    - cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\cvzsodrwgw.txt"
      1632
      - schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\cvzsodrwgw.txt"
        564
    - java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\AppData\Roaming\cvzsodrwgw.txt"
      1568

Name	Response	Post-Analysis Lookup
objects.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.111.133
repo1.maven.org	A 151.101.40.209 CNAME dualstack.sonatype.map.fastly.net	199.232.196.209
str-master.pw	A 142.93.110.250	142.93.110.250
github.com	A 20.200.245.247	20.200.245.247

IP Address	Status	Action
109.206.242.32	Active	Moloch
142.93.110.250	Active	Moloch
151.101.40.209	Active	Moloch
164.124.101.2	Active	Moloch
185.199.109.133	Active	Moloch
20.200.245.247	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:51405 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49176 -> 142.93.110.250:80	2019401	ET POLICY Vulnerable Java Version 1.8.x Detected	Potentially Bad Traffic
TCP 192.168.56.102:49176 -> 142.93.110.250:80	2016777	ET INFO HTTP Request to a *.pw domain	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49164 151.101.40.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2023 Q1	CN=repo1.maven.org	94:bc:2a:d0:1a:cf:41:94:d4:9a:de:44:ab:b4:42:39:8a:f6:bf:f3
TLS 1.2 192.168.56.102:49165 151.101.40.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2023 Q1	CN=repo1.maven.org	94:bc:2a:d0:1a:cf:41:94:d4:9a:de:44:ab:b4:42:39:8a:f6:bf:f3
TLS 1.2 192.168.56.102:49166 151.101.40.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2023 Q1	CN=repo1.maven.org	94:bc:2a:d0:1a:cf:41:94:d4:9a:de:44:ab:b4:42:39:8a:f6:bf:f3
TLS 1.2 192.168.56.102:49167 20.200.245.247:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com	a3:b5:9e:5f:e8:84:ee:1f:34:d9:8e:ef:85:8e:3f:b6:62:ac:10:4a
TLS 1.2 192.168.56.102:49168 185.199.109.133:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=*.github.io	a1:46:14:c7:2a:1d:52:79:f6:aa:2b:b2:c5:0a:3b:d3:f5:02:06:75

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 5, 2023, 8:38 a.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 5, 2023, 8:38 a.m.		1	1	0

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ Sept. 5, 2023, 8:38 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2700202 registers.esp: 12580716 registers.edi: 1 registers.eax: 6 registers.ebp: 1950471360 registers.edx: 0 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Sept. 5, 2023, 8:38 a.m.	stacktrace: 0x284c168 0x27044e0 0x27044e0 0x27044e0 0x27044e0 0x27044e0 0x2704854 0x2704854 0x2704854 0x284b1e4 0x27044e0 0x27044e0 0x27044e0 0x284b184 0x2704854 0x2704889 0x2700697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x741eaf45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x742b13ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x741eafde JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x741eb166 JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x741eb1d7 jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x7418f36f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x7420dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x7420e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x74252ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x744bc556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x744bc600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 85 05 00 01 5f 00 8b ca 89 7c 24 70 89 5c 24 74 exception.instruction: test eax, dword ptr [0x5f0100] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x283eb4d registers.esp: 366014464 registers.edi: 956229726 registers.eax: 6 registers.ebp: 366014876 registers.edx: 3054334834 registers.ebx: 3832310284 registers.esi: 4257515456 registers.ecx: 1	1
__exception__ Sept. 5, 2023, 8:38 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2710202 registers.esp: 38008816 registers.edi: 1 registers.eax: 6 registers.ebp: 1948832960 registers.edx: 0 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Sept. 5, 2023, 8:38 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x27b0202 registers.esp: 38140548 registers.edi: 1 registers.eax: 6 registers.ebp: 1947915456 registers.edx: 0 registers.ebx: 133120 registers.esi: 0 registers.ecx: 3405691582	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://str-master.pw/strigoi/server/ping.php?lid=khonsari

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

str-master.pw

description

Palau domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 102 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02728000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02730000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02738000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02748000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02750000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02758000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02768000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02778000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02788000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02790000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02798000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02808000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02818000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02828000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02838000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02848000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02710000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02738000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02748000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02750000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02758000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02768000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02778000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna7226672496507895181.dll
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna4113371539711832396.dll

Creates a suspicious process (2 events)

cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\cvzsodrwgw.txt"
cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\cvzsodrwgw.txt"

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna4115874404283386990.dll
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna4113371539711832396.dll

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 5, 2023, 8:38 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x16200000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 5, 2023, 8:38 a.m.	flags: 28 family: 0	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\cvzsodrwgw.txt"
cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\cvzsodrwgw.txt"

Communicates with host for which no DNS query was performed (1 event)

host

109.206.242.32

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cvzsodrwgw	reg_value	"C:\Users\test22\AppData\Roaming\cvzsodrwgw.txt"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cvzsodrwgw	reg_value	"C:\Users\test22\AppData\Roaming\cvzsodrwgw.txt"
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\cvzsodrwgw.txt
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvzsodrwgw.txt
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\cvzsodrwgw.txt"
cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\cvzsodrwgw.txt"

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\cvzsodrwgw.txt"
parent_process	wscript.exe				martian_process	C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe -jar "C:\Users\test22\AppData\Roaming\cvzsodrwgw.txt"

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Lionic	Trojan.Script.Generic.4!c
DrWeb	Trojan.DownLoader45.60079
FireEye	Trojan.GenericKD.67942769
ALYac	Trojan.GenericKD.67942769
Arcabit	Trojan.Generic.D40CB971
VirIT	Trojan.JS.Agent.BBC
Cyren	JS/Agent.BWB
Symantec	ISB.Dropper!gen12
ESET-NOD32	JS/Kryptik.COH
Avast	Other:Malware-gen [Trj]
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	Trojan.GenericKD.67942769
NANO-Antivirus	Trojan.Script.Heuristic-js.iacgm
MicroWorld-eScan	Trojan.GenericKD.67942769
Rising	Trojan.Obfuse/JS!8.13444 (TOPIS:E0:HfrZ6uiR1WH)
VIPRE	Trojan.GenericKD.67942769
Emsisoft	Trojan.GenericKD.67942769 (B)
MAX	malware (ai score=86)
Antiy-AVL	Trojan/JS.Kryptik
Gridinsoft	Ransom.U.Gen.bot
Microsoft	Trojan:JS/Obfuse.RV!MTB
GData	Trojan.GenericKD.67942769
Google	Detected
Tencent	Script.Trojan.Generic.Cflw
Yandex	Trojan.Etecer.b0qS40.5
Ikarus	Trojan-Downloader.JS.Agent
Fortinet	JS/Kryptik.CNJ!tr
AVG	Other:Malware-gen [Trj]

The processes wscript.exe, java.exe wrote an executable file to disk which it then attempted to execute (3 events)

file	C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna4113371539711832396.dll
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna7226672496507895181.dll

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (14 events)

dead_host	109.206.242.32:3078
dead_host	192.168.56.102:49184
dead_host	192.168.56.102:49199
dead_host	192.168.56.102:49179
dead_host	192.168.56.102:49197
dead_host	192.168.56.102:49191
dead_host	192.168.56.102:49177
dead_host	192.168.56.102:49203
dead_host	192.168.56.102:49182
dead_host	192.168.56.102:49189
dead_host	192.168.56.102:49201
dead_host	192.168.56.102:49195
dead_host	192.168.56.102:49186
dead_host	192.168.56.102:49193

ORDER.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All