build.exe

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Oct. 11, 2023, 6:26 p.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 11, 2023, 6:26 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 11, 2023, 6:26 p.m.	process_identifier: 2556 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001cd0000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory Oct. 11, 2023, 6:26 p.m.	process_identifier: 2556 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020da0000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory Oct. 11, 2023, 6:26 p.m.	process_identifier: 2556 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020fb0000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory Oct. 11, 2023, 6:26 p.m.	process_identifier: 2556 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020fd0000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 11, 2023, 6:26 p.m.	flags: 14 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section	{u'size_of_data': u'0x00181c00', u'virtual_address': u'0x005f1000', u'entropy': 7.999820371673271, u'name': u'UPX1', u'virtual_size': u'0x00182000'}				entropy	7.99982037167				description	A section with a high entropy has been found
entropy	0.999028811913				description	Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host	185.225.75.8

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Oct. 11, 2023, 6:26 p.m.	service_start_name: start_type: 3 password: display_name: WinRing0_1_2_0 filepath: C:\Users\test22\AppData\Local\Temp\WinRing0x64.sys service_name: WinRing0_1_2_0 filepath_r: C:\Users\test22\AppData\Local\Temp\WinRing0x64.sys desired_access: 983551 service_handle: 0x0000000020ea0570 error_control: 1 service_type: 1 service_manager_handle: 0x0000000020ea0540	1	552207728	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 11, 2023, 6:26 p.m.	information_class: 76 (SystemFirmwareTableInformation)		-1073741789	0

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Bkav	W64.AIDetectMalware
MicroWorld-eScan	Generic.Application.CoinMiner.1.A01B3E1B
FireEye	Generic.mg.71535cb29a844c48
Skyhigh	BehavesLike.Win64.Trojan.tc
Malwarebytes	Trojan.BitCoinMiner
VIPRE	Generic.Application.CoinMiner.1.A01B3E1B
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	CryptoMiner ( 005a85891 )
K7GW	CryptoMiner ( 005a85891 )
Cybereason	malicious.ca7454
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/CoinMiner.PQ potentially unwanted
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	VHO:Trojan.Win64.Miner.likx
BitDefender	Generic.Application.CoinMiner.1.A01B3E1B
Emsisoft	Generic.Application.CoinMiner.1.A01B3E1B (B)
F-Secure	PotentialRisk.PUA/CoinMiner.Gen
Trapmine	malicious.moderate.ml.score
SentinelOne	Static AI - Malicious PE
Avira	PUA/CoinMiner.Gen
MAX	malware (ai score=89)
Antiy-AVL	Trojan/Win64.CoinMiner
Kingsoft	malware.kb.b.832
Microsoft	Program:Win32/Wacapew.C!ml
Arcabit	Generic.Application.CoinMiner.1.A01B3E1B
ZoneAlarm	VHO:Trojan.Win32.Miner.gen
GData	Generic.Application.CoinMiner.1.A01B3E1B
AhnLab-V3	Trojan/Win.Miner3.R531330
ALYac	Generic.Application.CoinMiner.1.A01B3E1B
Rising	Trojan.DisguisedXMRigMiner!8.12EF7 (TFE:5:HQz6cHWySWC)
Ikarus	PUA.CoinMiner
Fortinet	Riskware/CoinMiner
DeepInstinct	MALICIOUS
CrowdStrike	win/grayware_confidence_60% (D)