Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 10, 2023, 7:41 a.m.	Oct. 10, 2023, 7:43 a.m.

Size	220.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`0e0b669d90c80cea6398e81d139d7d29`
SHA256	`80f3aa803d69a8a11cd9d625340f9cf1e759c2c23cfab97752c8ac76e74fdfb7`
CRC32	`09B7C768`
ssdeep	`3072:H3grKG6eriEss8/8qJqXuN/QR+InqJ0m1fVMaeLnpvAsWtV9Jp:XgfricQ8qJqXuN/QUInxYfaeftV`
PDB Path	C:\Users\Administrator\Desktop\2023CryptsDone\3931 Project windows forms\obj\Debug\1712.pdb
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

1712.exe "C:\Users\test22\AppData\Local\Temp\1712.exe"
1880
- cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "1712" /t REG_SZ /F /D "C:\Users\test22\Documents\1712.pif"
  2280
  - reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "1712" /t REG_SZ /F /D "C:\Users\test22\Documents\1712.pif"
    2384
- cmd.exe cmd /c Copy "C:\Users\test22\AppData\Local\Temp\1712.exe" "C:\Users\test22\Documents\1712.pif"
  2560

Name	Response	Post-Analysis Lookup
amm.mine.nu	A 194.169.175.43	194.169.175.43

IP Address	Status	Action
104.21.46.148	Active	Moloch
104.21.73.149	Active	Moloch
108.170.12.50	Active	Moloch
13.248.169.48	Active	Moloch
13.56.33.8	Active	Moloch
133.125.38.187	Active	Moloch
145.239.5.159	Active	Moloch
15.197.142.173	Active	Moloch
153.120.34.73	Active	Moloch
153.122.24.177	Active	Moloch
153.126.211.112	Active	Moloch
157.7.107.88	Active	Moloch
172.67.135.11	Active	Moloch
18.197.121.220	Active	Moloch
185.151.30.147	Active	Moloch
185.230.63.107	Active	Moloch
192.124.249.12	Active	Moloch
192.124.249.14	Active	Moloch
192.124.249.9	Active	Moloch
164.124.101.2	Active	Moloch
194.169.175.43	Active	Moloch
192.169.149.78	Active	Moloch
194.143.194.23	Active	Moloch
195.128.140.29	Active	Moloch
195.5.116.23	Active	Moloch
198.185.159.144	Active	Moloch
198.185.159.145	Active	Moloch
199.34.228.78	Active	Moloch
204.15.134.44	Active	Moloch
205.149.134.32	Active	Moloch
207.180.198.201	Active	Moloch
211.1.226.67	Active	Moloch
216.177.137.32	Active	Moloch
23.236.62.147	Active	Moloch
3.33.130.190	Active	Moloch
35.172.94.1	Active	Moloch
35.214.171.193	Active	Moloch
35.231.13.148	Active	Moloch
49.12.155.123	Active	Moloch
49.212.235.59	Active	Moloch
5.134.13.210	Active	Moloch
51.159.3.117	Active	Moloch
61.200.81.21	Active	Moloch
75.2.70.75	Active	Moloch
77.78.104.3	Active	Moloch
83.223.113.46	Active	Moloch
86.105.245.69	Active	Moloch
87.98.236.253	Active	Moloch
89.161.136.188	Active	Moloch
91.220.211.163	Active	Moloch
92.42.191.40	Active	Moloch
93.188.2.51	Active	Moloch
99.83.190.102	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2042513	ET INFO DYNAMIC_DNS Query to a *.mine .nu Domain	Potentially Bad Traffic
TCP 194.169.175.43:1335 -> 192.168.56.103:49168	2030673	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	Domain Observed Used for C2 Detected
TCP 194.169.175.43:1335 -> 192.168.56.103:49168	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	Domain Observed Used for C2 Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49168 194.169.175.43:1335	CN=AsyncRAT Server	CN=AsyncRAT Server	c0:74:2f:cf:ac:08:26:95:4d:1f:b6:6f:1e:ab:22:b3:91:b1:75:90

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 10, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 10, 2023, 7:41 a.m.			0	0
IsDebuggerPresent Oct. 10, 2023, 7:41 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 10, 2023, 7:41 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1	0
WriteConsoleW Oct. 10, 2023, 7:41 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 10, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b34d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b34d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b2f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\Desktop\2023CryptsDone\3931 Project windows forms\obj\Debug\1712.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 10, 2023, 7:41 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (44 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a85000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a86000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a87000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a89000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a8e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 1880 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fb1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 10, 2023, 7:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (12 events)

description	task schedule	rule	schtasks_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "1712" /t REG_SZ /F /D "C:\Users\test22\Documents\1712.pif"
cmdline	REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "1712" /t REG_SZ /F /D "C:\Users\test22\Documents\1712.pif"

Communicates with host for which no DNS query was performed (50 out of 51 events)

host	104.21.46.148
host	104.21.73.149
host	108.170.12.50
host	13.248.169.48
host	13.56.33.8
host	133.125.38.187
host	145.239.5.159
host	15.197.142.173
host	153.120.34.73
host	153.122.24.177
host	153.126.211.112
host	157.7.107.88
host	172.67.135.11
host	18.197.121.220
host	185.151.30.147
host	185.230.63.107
host	192.124.249.12
host	192.124.249.14
host	192.124.249.9
host	192.169.149.78
host	194.143.194.23
host	195.128.140.29
host	195.5.116.23
host	198.185.159.144
host	198.185.159.145
host	199.34.228.78
host	204.15.134.44
host	205.149.134.32
host	207.180.198.201
host	211.1.226.67
host	216.177.137.32
host	23.236.62.147
host	3.33.130.190
host	35.172.94.1
host	35.214.171.193
host	35.231.13.148
host	49.12.155.123
host	49.212.235.59
host	5.134.13.210
host	51.159.3.117
host	61.200.81.21
host	75.2.70.75
host	77.78.104.3
host	83.223.113.46
host	86.105.245.69
host	87.98.236.253
host	89.161.136.188
host	91.220.211.163
host	92.42.191.40
host	93.188.2.51

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 2624 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000348	1	0	0

Attempts to identify installed AV products by installation directory (9 events)

file	C:\Program Files\AVAST Software\Avast\avastUI.exe
file	C:\Program Files (x86)\AVAST Software\Avast\avastUI.exe
file	C:\Program Files\Kaspersky Lab
file	C:\Program Files (x86)\Kaspersky Lab
file	C:\Program Files\McAfee\Agent
file	C:\Program Files\Trend Micro
file	C:\Program Files (x86)\Trend Micro
file	C:\Program Files\AVG\Antivirus\AVGUI.exe
file	C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\1712

reg_value

C:\Users\test22\Documents\1712.pif

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1880 manipulating memory of non-child process 2624
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 2624 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000348	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1880 injected into non-child 2624
WriteProcessMemory Oct. 10, 2023, 7:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELö¦dàð ^ @ ``S ÿ@ H.textdî ð `.rsrcÿ ò@@.reloc@ú@B base_address: 0x00400000 process_identifier: 2624 process_handle: 0x00000348	1	1	0
WriteProcessMemory Oct. 10, 2023, 7:41 a.m.	buffer: P8h Ìl#Ì4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.02 InternalNameStub.exe&LegalCopyrightLegalTrademarks: OriginalFilenameStub.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> base_address: 0x00412000 process_identifier: 2624 process_handle: 0x00000348	1	1	0
WriteProcessMemory Oct. 10, 2023, 7:41 a.m.	buffer: `> base_address: 0x00414000 process_identifier: 2624 process_handle: 0x00000348	1	1	0
WriteProcessMemory Oct. 10, 2023, 7:41 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2624 process_handle: 0x00000348	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1880 injected into non-child 2624
WriteProcessMemory Oct. 10, 2023, 7:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELö¦dàð ^ @ ``S ÿ@ H.textdî ð `.rsrcÿ ò@@.reloc@ú@B base_address: 0x00400000 process_identifier: 2624 process_handle: 0x00000348	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1880 called NtSetContextThread to modify thread in remote process 2624
NtSetContextThread Oct. 10, 2023, 7:41 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4263518 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000344 process_identifier: 2624	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1880 resumed a thread in remote process 2624
NtResumeThread Oct. 10, 2023, 7:41 a.m.	thread_handle: 0x00000344 suspend_count: 1 process_identifier: 2624	1	0	0

Executed a process and injected code into it, probably while unpacking (18 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 10, 2023, 7:41 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Oct. 10, 2023, 7:41 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Oct. 10, 2023, 7:41 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Oct. 10, 2023, 7:41 a.m.	thread_handle: 0x00000280 suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Oct. 10, 2023, 7:41 a.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 1880	1	0
CreateProcessInternalW Oct. 10, 2023, 7:41 a.m.	thread_identifier: 2284 thread_handle: 0x00000340 process_identifier: 2280 current_directory: filepath: track: 1 command_line: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "1712" /t REG_SZ /F /D "C:\Users\test22\Documents\1712.pif" filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000033c	1	1
CreateProcessInternalW Oct. 10, 2023, 7:41 a.m.	thread_identifier: 2564 thread_handle: 0x00000340 process_identifier: 2560 current_directory: filepath: track: 1 command_line: cmd /c Copy "C:\Users\test22\AppData\Local\Temp\1712.exe" "C:\Users\test22\Documents\1712.pif" filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000033c	1	1
CreateProcessInternalW Oct. 10, 2023, 7:41 a.m.	thread_identifier: 2628 thread_handle: 0x00000344 process_identifier: 2624 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\1712.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\1712.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000348	1	1
NtGetContextThread Oct. 10, 2023, 7:41 a.m.	thread_handle: 0x00000344	1	0
NtAllocateVirtualMemory Oct. 10, 2023, 7:41 a.m.	process_identifier: 2624 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000348	1	0
WriteProcessMemory Oct. 10, 2023, 7:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELö¦dàð ^ @ ``S ÿ@ H.textdî ð `.rsrcÿ ò@@.reloc@ú@B base_address: 0x00400000 process_identifier: 2624 process_handle: 0x00000348	1	1
WriteProcessMemory Oct. 10, 2023, 7:41 a.m.	buffer: base_address: 0x00402000 process_identifier: 2624 process_handle: 0x00000348	1	1
WriteProcessMemory Oct. 10, 2023, 7:41 a.m.	buffer: P8h Ìl#Ì4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.02 InternalNameStub.exe&LegalCopyrightLegalTrademarks: OriginalFilenameStub.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> base_address: 0x00412000 process_identifier: 2624 process_handle: 0x00000348	1	1
WriteProcessMemory Oct. 10, 2023, 7:41 a.m.	buffer: `> base_address: 0x00414000 process_identifier: 2624 process_handle: 0x00000348	1	1
WriteProcessMemory Oct. 10, 2023, 7:41 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2624 process_handle: 0x00000348	1	1
NtSetContextThread Oct. 10, 2023, 7:41 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4263518 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000344 process_identifier: 2624	1	0
NtResumeThread Oct. 10, 2023, 7:41 a.m.	thread_handle: 0x00000344 suspend_count: 1 process_identifier: 2624	1	0
CreateProcessInternalW Oct. 10, 2023, 7:41 a.m.	thread_identifier: 2388 thread_handle: 0x00000084 process_identifier: 2384 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\reg.exe track: 1 command_line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "1712" /t REG_SZ /F /D "C:\Users\test22\Documents\1712.pif" filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.Common.A6F0E809
Lionic	Trojan.Win32.Androm.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Marsilia.77633
FireEye	Generic.mg.0e0b669d90c80cea
Skyhigh	BehavesLike.Win32.Generic.dh
ALYac	Gen:Variant.Marsilia.77633
Cylance	unsafe
Sangfor	Backdoor.Msil.Injector.V2bj
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Backdoor:MSIL/Androm.febcb641
K7GW	Trojan ( 005ac3ad1 )
K7AntiVirus	Trojan ( 005ac3ad1 )
Arcabit	Trojan.Marsilia.D12F41
BitDefenderTheta	Gen:NN.ZemsilCO.36738.nm0@amx@Vtp
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Injector.WHJ
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Backdoor.MSIL.Androm.gen
BitDefender	Gen:Variant.Marsilia.77633
Avast	Win32:TrojanX-gen [Trj]
Emsisoft	Gen:Variant.Marsilia.77633 (B)
F-Secure	Trojan.TR/Injector.xlrfu
VIPRE	Gen:Variant.Marsilia.77633
TrendMicro	Backdoor.Win32.ASYNCRAT.YXDJGZ
Sophos	Mal/Generic-S
Ikarus	Win32.Outbreak
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Injector.xlrfu
Antiy-AVL	Trojan/MSIL.Injector
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:MSIL/AgentTesla.LQL!MTB
ViRobot	Trojan.Win.Z.Marsilia.225280.A
ZoneAlarm	HEUR:Backdoor.MSIL.Androm.gen
GData	Gen:Variant.Marsilia.77633
Varist	W32/ABRisk.JHKN-3727
AhnLab-V3	Trojan/Win.Generic.C5501036
MAX	malware (ai score=89)
Malwarebytes	Trojan.Crypt.MSIL
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Backdoor.Win32.ASYNCRAT.YXDJGZ
Tencent	Malware.Win32.Gencirc.13f17714
Fortinet	PossibleThreat.MU
AVG	Win32:TrojanX-gen [Trj]
Cybereason	malicious.4c916a
DeepInstinct	MALICIOUS

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (10 events)

dead_host	192.168.56.103:49619
dead_host	192.168.56.103:49284
dead_host	192.168.56.103:49643
dead_host	192.168.56.103:49249
dead_host	192.168.56.103:49823
dead_host	192.168.56.103:49827
dead_host	192.168.56.103:49861
dead_host	192.168.56.103:49692
dead_host	192.168.56.103:49393
dead_host	192.168.56.103:49765

1712.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All