Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 5, 2023, 7:40 a.m.	Oct. 5, 2023, 7:55 a.m.

Size	923.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4d8037262c4cfb2fee106c9ae7d36428`
SHA256	`baed3d0dbb532abea5eb01c8e65d9cd4e9eb789b901e2615f68ad9c097087e68`
CRC32	`1297DD50`
ssdeep	`24576:+6WQvcczg6QxKzL9ue/V4OfBMQZBFSt9fP3qSe:+6WQzzIMLPt4IMQZBsVP`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

server1.exe "C:\Users\test22\AppData\Local\Temp\server1.exe"
1440
schtasks.exe "schtasks" /create /tn "fim" /sc ONLOGON /tr "C:\Users\test22\AppData\Local\Temp\server1.exe" /rl HIGHEST /f
2840
fim.exe "C:\Users\test22\AppData\Roaming\frm\fim.exe"
2900
schtasks.exe "schtasks" /create /tn "fim" /sc ONLOGON /tr "C:\Users\test22\AppData\Roaming\frm\fim.exe" /rl HIGHEST /f
1668

Name	Response	Post-Analysis Lookup
fronpeatcam.publicvm.com	A 45.12.253.94	45.12.253.94
ip-api.com	A 208.95.112.1	208.95.112.1
qpurrybeatmecamtest.ddns.net	A 45.12.253.94	45.12.253.94

IP Address	Status	Action
182.162.106.32	Active	Moloch
164.124.101.2	Active	Moloch
208.95.112.1	Active	Moloch
45.12.253.94	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49172 -> 208.95.112.1:80	2036383	ET MALWARE Common RAT Connectivity Check Observed	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 208.95.112.1:80	2036383	ET MALWARE Common RAT Connectivity Check Observed	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2034457	ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)	Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 5, 2023, 7:40 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 5, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 5, 2023, 7:40 a.m.			0	0
IsDebuggerPresent Oct. 5, 2023, 7:40 a.m.			0	0
IsDebuggerPresent Oct. 5, 2023, 7:40 a.m.			0	0
IsDebuggerPresent Oct. 5, 2023, 7:40 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 5, 2023, 7:40 a.m.	buffer: SUCCESS: The scheduled task "fim" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW Oct. 5, 2023, 7:41 a.m.	buffer: SUCCESS: The scheduled task "fim" has successfully been created. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 5, 2023, 7:40 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	I(j.lg4W
section

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (2 events)

domain	qpurrybeatmecamtest.ddns.net
domain	fronpeatcam.publicvm.com

Performs some HTTP requests (1 event)

request

GET http://ip-api.com/json/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 192 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02100000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02220000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 897024 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7e000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01faa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01faf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02270000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ip-api.com

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000da800', u'virtual_address': u'0x00002000', u'entropy': 7.999819459884193, u'name': u'I(j.lg4W', u'virtual_size': u'0x000da640'}

entropy

7.99981945988

description

A section with a high entropy has been found

entropy

0.947939262473

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 5, 2023, 7:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 5, 2023, 7:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (46 events)

description	Take ScreenShot	rule	ScreenShot
description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Win32 PWS Loki	rule	Win32_PWS_Loki_m_Zero
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Win32 PWS Loki	rule	Win32_PWS_Loki_m_Zero
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

182.162.106.32

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2072 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2132 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b0		3221225496
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2988 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000294	1	0
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 3048 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002bc		3221225496

Manipulates memory of a non-child process indicative of process injection (12 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1440 manipulating memory of non-child process 2072
Process injection	Process 1440 manipulating memory of non-child process 2132
Process injection	Process 2900 manipulating memory of non-child process 2988
Process injection	Process 2900 manipulating memory of non-child process 3048
NtUnmapViewOfSection Oct. 5, 2023, 7:40 a.m.	base_address: 0x00400000 region_size: 6946816 process_identifier: 2072 process_handle: 0x00000290		3221225497	0
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2072 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0	0
NtUnmapViewOfSection Oct. 5, 2023, 7:40 a.m.	base_address: 0x00400000 region_size: 315392 process_identifier: 2132 process_handle: 0x000002b0		3221225497	0
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2132 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b0		3221225496	0
NtUnmapViewOfSection Oct. 5, 2023, 7:40 a.m.	base_address: 0x00400000 region_size: 7536640 process_identifier: 2988 process_handle: 0x00000294		3221225497	0
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2988 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000294	1	0	0
NtUnmapViewOfSection Oct. 5, 2023, 7:40 a.m.	base_address: 0x00400000 region_size: 315392 process_identifier: 3048 process_handle: 0x000002bc		3221225497	0
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 3048 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002bc		3221225496	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1440 called NtSetContextThread to modify thread in remote process 2072
Process injection	Process 1440 called NtSetContextThread to modify thread in remote process 2132
Process injection	Process 2900 called NtSetContextThread to modify thread in remote process 2988
Process injection	Process 2900 called NtSetContextThread to modify thread in remote process 3048
NtSetContextThread Oct. 5, 2023, 7:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4555342 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000028c process_identifier: 2072	1	0	0
NtSetContextThread Oct. 5, 2023, 7:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4555342 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002ac process_identifier: 2132	1	0	0
NtSetContextThread Oct. 5, 2023, 7:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4555342 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000290 process_identifier: 2988	1	0	0
NtSetContextThread Oct. 5, 2023, 7:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4555342 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b8 process_identifier: 3048	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1440 resumed a thread in remote process 2072
Process injection	Process 1440 resumed a thread in remote process 2132
Process injection	Process 2900 resumed a thread in remote process 2988
Process injection	Process 2900 resumed a thread in remote process 3048
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 2072	1	0	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2132	1	0	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2988	1	0	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 3048	1	0	0

Executed a process and injected code into it, probably while unpacking (40 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 1440	1	0
CreateProcessInternalW Oct. 5, 2023, 7:40 a.m.	thread_identifier: 2076 thread_handle: 0x0000028c process_identifier: 2072 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\server1.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000290	1	1
NtUnmapViewOfSection Oct. 5, 2023, 7:40 a.m.	base_address: 0x00400000 region_size: 6946816 process_identifier: 2072 process_handle: 0x00000290		3221225497
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2072 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0
NtGetContextThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x0000028c	1	0
NtSetContextThread Oct. 5, 2023, 7:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4555342 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000028c process_identifier: 2072	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 2072	1	0
CreateProcessInternalW Oct. 5, 2023, 7:40 a.m.	thread_identifier: 2136 thread_handle: 0x000002ac process_identifier: 2132 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\server1.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002b0	1	1
NtUnmapViewOfSection Oct. 5, 2023, 7:40 a.m.	base_address: 0x00400000 region_size: 315392 process_identifier: 2132 process_handle: 0x000002b0		3221225497
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2132 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b0		3221225496
NtGetContextThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x000002ac	1	0
NtSetContextThread Oct. 5, 2023, 7:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4555342 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002ac process_identifier: 2132	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2132	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2900	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2900	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x000001c4 suspend_count: 1 process_identifier: 2900	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2900	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 2900	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 2900	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 2900	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2900	1	0
CreateProcessInternalW Oct. 5, 2023, 7:40 a.m.	thread_identifier: 2992 thread_handle: 0x00000290 process_identifier: 2988 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Roaming\frm\fim.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000294	1	1
NtUnmapViewOfSection Oct. 5, 2023, 7:40 a.m.	base_address: 0x00400000 region_size: 7536640 process_identifier: 2988 process_handle: 0x00000294		3221225497
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2988 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000294	1	0
NtGetContextThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x00000290	1	0
NtSetContextThread Oct. 5, 2023, 7:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4555342 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000290 process_identifier: 2988	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2988	1	0
CreateProcessInternalW Oct. 5, 2023, 7:40 a.m.	thread_identifier: 3052 thread_handle: 0x000002b8 process_identifier: 3048 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Roaming\frm\fim.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002bc	1	1
NtUnmapViewOfSection Oct. 5, 2023, 7:40 a.m.	base_address: 0x00400000 region_size: 315392 process_identifier: 3048 process_handle: 0x000002bc		3221225497
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 3048 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002bc		3221225496
NtGetContextThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x000002b8	1	0
NtSetContextThread Oct. 5, 2023, 7:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4555342 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b8 process_identifier: 3048	1	0
NtResumeThread Oct. 5, 2023, 7:40 a.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 3048	1	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Ursu.131015
Malwarebytes	Trojan.Crypt.MSIL.Generic
VIPRE	Gen:Variant.Ursu.131015
K7AntiVirus	Trojan ( 004b957f1 )
K7GW	Trojan ( 004b957f1 )
CrowdStrike	win/malicious_confidence_70% (D)
Arcabit	Trojan.Ursu.D1FFC7
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.MSIL.Hesv.gen
BitDefender	Gen:Variant.Ursu.131015
Emsisoft	Gen:Variant.Ursu.131015 (B)
F-Secure	Heuristic.HEUR/AGEN.1312344
TrendMicro	Trojan.Win32.Boilod.SM.hp
McAfee-GW-Edition	BehavesLike.Win32.PWSZbot.dc
FireEye	Generic.mg.4d8037262c4cfb2f
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Avira	HEUR/AGEN.1312344
MAX	malware (ai score=80)
Gridinsoft	Trojan.Heur!.030124A1
ZoneAlarm	HEUR:Trojan.MSIL.Hesv.gen
GData	Gen:Variant.Ursu.131015
AhnLab-V3	Trojan/Win32.Gen
BitDefenderTheta	Gen:NN.ZemsilF.36738.5u0@a0UJKqk
ALYac	Gen:Variant.Ursu.131015
Cylance	unsafe
Zoner	Probably Heur.ExeHeaderL
TrendMicro-HouseCall	Trojan.Win32.Boilod.SM.hp
Rising	Malware.Obfus/MSIL@AI.94 (RDM.MSIL2:Y/VueYWvU4pnhonDnjNsGA)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenericKD.64199134!tr
Cybereason	malicious.d9c85c
DeepInstinct	MALICIOUS

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (6 events)

dead_host	45.12.253.94:63535
dead_host	45.12.253.94:62535
dead_host	192.168.56.103:49175
dead_host	192.168.56.103:49176
dead_host	192.168.56.103:49174
dead_host	45.12.253.94:65535

server1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All