Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 16, 2023, 1:22 p.m.	Nov. 16, 2023, 1:32 p.m.

Size	3.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`20475c809f00840b49f662de6c9216ff`
SHA256	`4be5f0cbc0f19546855afc9e8af0eafea9f10fb751ec9c1dea7ab88fb4543c21`
CRC32	`65D00204`
ssdeep	`49152:6yOj97Sf/eW0mKCvJXRdvnkh2U+zTDZm7iDnrWWQfZVq0Xd0mjY/kQbF1Bdtv:6a/nxJXHvnkh2ncifWWQ6m0/ZHBd9`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques UPX_Zero - UPX packed file themida_packer - themida packer Generic_Malware_Zero - Generic Malware

amd.exe "C:\Users\test22\AppData\Local\Temp\amd.exe"
1460
- Utsysc.exe "C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe"
  2196
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe" /F
    2332
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.172.128.100	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 16, 2023, 1:22 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Nov. 16, 2023, 1:22 p.m.	buffer: SUCCESS: The scheduled task "Utsysc.exe" has successfully been created. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 16, 2023, 1:22 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section
section	.themida
section	.boot

One or more processes crashed (6 events)

Time & API	Arguments	Status
__exception__ Nov. 16, 2023, 1:22 p.m.	stacktrace: amd+0x36b576 @ 0x102b576 amd+0x3e466c @ 0x10a466c exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 b1 05 91 8b 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1768776 registers.edi: 14065664 registers.eax: 1768776 registers.ebp: 1768856 registers.edx: 2130566132 registers.ebx: 1969225702 registers.esi: 2006021163 registers.ecx: 1576009728	1
__exception__ Nov. 16, 2023, 1:22 p.m.	stacktrace: exception.instruction_r: ed e9 87 e2 00 00 c3 e9 f7 5b 02 00 60 33 9d 1c exception.symbol: amd+0x4009ce exception.instruction: in eax, dx exception.module: amd.exe exception.exception_code: 0xc0000096 exception.offset: 4196814 exception.address: 0x10c09ce registers.esp: 1768896 registers.edi: 15882589 registers.eax: 1750617430 registers.ebp: 14065664 registers.edx: 22614 registers.ebx: 13369344 registers.esi: 13 registers.ecx: 20	1
__exception__ Nov. 16, 2023, 1:22 p.m.	stacktrace: exception.instruction_r: ed e9 f9 5a 06 00 5e 99 d2 40 0a 00 00 00 4a 00 exception.symbol: amd+0x3c08c6 exception.instruction: in eax, dx exception.module: amd.exe exception.exception_code: 0xc0000096 exception.offset: 3934406 exception.address: 0x10808c6 registers.esp: 1768896 registers.edi: 15882589 registers.eax: 1447909480 registers.ebp: 14065664 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1
__exception__ Nov. 16, 2023, 1:22 p.m.	stacktrace: utsysc+0x36b576 @ 0xf8b576 utsysc+0x3e466c @ 0x100466c exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 b1 05 87 8b 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 3407324 registers.edi: 13410304 registers.eax: 3407324 registers.ebp: 3407404 registers.edx: 2130566132 registers.ebx: 1969225702 registers.esi: 2006021163 registers.ecx: 1170210816	1
__exception__ Nov. 16, 2023, 1:22 p.m.	stacktrace: exception.instruction_r: ed e9 87 e2 00 00 c3 e9 f7 5b 02 00 60 33 9d 1c exception.symbol: utsysc+0x4009ce exception.instruction: in eax, dx exception.module: Utsysc.exe exception.exception_code: 0xc0000096 exception.offset: 4196814 exception.address: 0x10209ce registers.esp: 3407444 registers.edi: 15227229 registers.eax: 1750617430 registers.ebp: 13410304 registers.edx: 22614 registers.ebx: 12713984 registers.esi: 13 registers.ecx: 20	1
__exception__ Nov. 16, 2023, 1:22 p.m.	stacktrace: exception.instruction_r: ed e9 f9 5a 06 00 5e 99 d2 40 0a 00 00 00 4a 00 exception.symbol: utsysc+0x3c08c6 exception.instruction: in eax, dx exception.module: Utsysc.exe exception.exception_code: 0xc0000096 exception.offset: 3934406 exception.address: 0xfe08c6 registers.esp: 3407444 registers.edi: 15227229 registers.eax: 1447909480 registers.ebp: 13410304 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header, Connection to IP address

suspicious_request

POST http://185.172.128.100/u6vhSc3PPq/index.php

Performs some HTTP requests (1 event)

request

POST http://185.172.128.100/u6vhSc3PPq/index.php

Sends data using the HTTP POST Method (1 event)

request

POST http://185.172.128.100/u6vhSc3PPq/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 275 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7581c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7581d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7580c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75443000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7580c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7580a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7580a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7586f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75608000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7581c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 16, 2023, 1:22 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a8000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (6 events)

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a2ea0

size

0x00006899

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a2ea0

size

0x00006899

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a2ea0

size

0x00006899

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a2ea0

size

0x00006899

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a2ea0

size

0x00006899

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a974c

size

0x0000004c

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe" /F

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 16, 2023, 1:22 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe	1	1	0
ShellExecuteExW Nov. 16, 2023, 1:22 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\b64c58644b\Utsysc.exe" /F filepath: SCHTASKS	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (7 events)

section

{u'size_of_data': u'0x00024a00', u'virtual_address': u'0x00001000', u'entropy': 7.984009869256504, u'name': u' ', u'virtual_size': u'0x00049212'}

entropy

7.98400986926

description