Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 29, 2024, 7:55 a.m.	Jan. 29, 2024, 7:59 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b999d160106e9c1cc130e81cb65cb6c1`
SHA256	`2d00cfe8948856043ce000945771608575508d8e30c8dfcaaa3eef6965feb01d`
CRC32	`ADBDC17A`
ssdeep	`12288:pXSDlAR+M1QZZWPnPYSrWgKNJK/PdBMp0dYrko7YNQELPxez8dFlZqBUgG9y9vQi:UDKR+MmZ40gPIW4dwQHz+8Bv+8W5U`
Yara	IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques

vinu.exe "C:\Users\test22\AppData\Local\Temp\vinu.exe"
2544
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2672
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2756

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.186.192	34.117.186.192
www.maxmind.com	A 104.18.145.235 A 104.18.146.235	104.18.145.235
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	172.67.75.166

IP Address	Status	Action
109.107.182.3	Active	Moloch
125.253.92.50	Active	Moloch
154.92.15.189	Active	Moloch
185.172.128.19	Active	Moloch
185.215.113.68	Active	Moloch
104.18.146.235	Active	Moloch
164.124.101.2	Active	Moloch
172.67.75.166	Active	Moloch
193.233.132.62	Active	Moloch
34.117.186.192	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.68:80 -> 192.168.56.101:49191	2400020	ET DROP Spamhaus DROP Listed Traffic Inbound group 21	Misc Attack
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49165	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2049060	ET MALWARE Suspected RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Jan. 29, 2024, 7:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 29, 2024, 7:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 29, 2024, 7:55 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Jan. 29, 2024, 7:55 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW Jan. 29, 2024, 7:55 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section
section	.data\x00Th

One or more processes crashed (38 events)

Time & API	Arguments	Status
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x296d87 @ 0x566d87 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614848 registers.edi: 5615756 registers.eax: 0 registers.ebp: 10614876 registers.edx: 0 registers.ebx: 45495216 registers.esi: 5 registers.ecx: 45495216	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x296d87 @ 0x566d87 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614848 registers.edi: 10614848 registers.eax: 0 registers.ebp: 10614876 registers.edx: 2 registers.ebx: 5026287 registers.esi: 0 registers.ecx: 10615056	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x296d87 @ 0x566d87 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614848 registers.edi: 10614848 registers.eax: 0 registers.ebp: 10614876 registers.edx: 0 registers.ebx: 5026330 registers.esi: 0 registers.ecx: 10615056	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x296d87 @ 0x566d87 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614848 registers.edi: 10614848 registers.eax: 0 registers.ebp: 10614876 registers.edx: 2 registers.ebx: 5026287 registers.esi: 0 registers.ecx: 10615056	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x296d87 @ 0x566d87 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614848 registers.edi: 10614848 registers.eax: 0 registers.ebp: 10614876 registers.edx: 0 registers.ebx: 5026330 registers.esi: 0 registers.ecx: 10615056	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x296d87 @ 0x566d87 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614848 registers.edi: 10614848 registers.eax: 0 registers.ebp: 10614876 registers.edx: 0 registers.ebx: 5026287 registers.esi: 0 registers.ecx: 10615056	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x296d87 @ 0x566d87 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614848 registers.edi: 10614848 registers.eax: 0 registers.ebp: 10614876 registers.edx: 0 registers.ebx: 5026287 registers.esi: 0 registers.ecx: 10615056	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f04a @ 0x55f04a vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614800 registers.edi: 5615756 registers.eax: 0 registers.ebp: 10614828 registers.edx: 0 registers.ebx: 86016 registers.esi: 4280320 registers.ecx: 4280320	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f04a @ 0x55f04a vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 2 registers.ebx: 5026287 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f04a @ 0x55f04a vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 2 registers.ebx: 5026330 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f04a @ 0x55f04a vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 0 registers.ebx: 5026330 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f04a @ 0x55f04a vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 0 registers.ebx: 5026287 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f04a @ 0x55f04a vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 2 registers.ebx: 5026287 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f126 @ 0x55f126 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614800 registers.edi: 5615756 registers.eax: 0 registers.ebp: 10614828 registers.edx: 2 registers.ebx: 86016 registers.esi: 4280320 registers.ecx: 3594024093	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f126 @ 0x55f126 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 2 registers.ebx: 5026330 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f126 @ 0x55f126 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 0 registers.ebx: 5026330 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f1f8 @ 0x55f1f8 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614800 registers.edi: 5615756 registers.eax: 0 registers.ebp: 10614828 registers.edx: 2 registers.ebx: 86016 registers.esi: 4280320 registers.ecx: 10614828	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f1f8 @ 0x55f1f8 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 0 registers.ebx: 5026330 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f1f8 @ 0x55f1f8 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 2 registers.ebx: 5026287 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f1f8 @ 0x55f1f8 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 0 registers.ebx: 5026330 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f1f8 @ 0x55f1f8 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 0 registers.ebx: 5026287 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f1f8 @ 0x55f1f8 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 0 registers.ebx: 5026287 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f2f2 @ 0x55f2f2 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614800 registers.edi: 5615756 registers.eax: 0 registers.ebp: 10614828 registers.edx: 2 registers.ebx: 86016 registers.esi: 4280320 registers.ecx: 0	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f2f2 @ 0x55f2f2 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 0 registers.ebx: 5026330 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f2f2 @ 0x55f2f2 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 0 registers.ebx: 5026287 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f2f2 @ 0x55f2f2 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 0 registers.ebx: 5026287 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f2f2 @ 0x55f2f2 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 2 registers.ebx: 5026287 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f2f2 @ 0x55f2f2 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 2 registers.ebx: 5026330 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f2f2 @ 0x55f2f2 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 2 registers.ebx: 5026330 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f2f2 @ 0x55f2f2 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 0 registers.ebx: 5026330 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f388 @ 0x55f388 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614800 registers.edi: 5615756 registers.eax: 0 registers.ebp: 10614828 registers.edx: 2 registers.ebx: 86016 registers.esi: 4280320 registers.ecx: 1054308480	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f388 @ 0x55f388 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 2 registers.ebx: 5026330 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f388 @ 0x55f388 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 0 registers.ebx: 5026330 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f388 @ 0x55f388 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 0 registers.ebx: 5026287 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f388 @ 0x55f388 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 2 registers.ebx: 5026287 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f388 @ 0x55f388 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb1d9 exception.instruction: div eax exception.module: vinu.exe exception.exception_code: 0xc0000094 exception.offset: 2077145 exception.address: 0x4cb1d9 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 0 registers.ebx: 5026330 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f388 @ 0x55f388 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 2 registers.ebx: 5026287 registers.esi: 0 registers.ecx: 10614836	1
__exception__ Jan. 29, 2024, 7:54 a.m.	stacktrace: vinu+0x28f388 @ 0x55f388 vinu+0x291650 @ 0x561650 vinu+0x21e8dc @ 0x4ee8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: vinu+0x1fb204 exception.instruction: ud2 exception.module: vinu.exe exception.exception_code: 0xc000001d exception.offset: 2077188 exception.address: 0x4cb204 registers.esp: 10614800 registers.edi: 10614800 registers.eax: 0 registers.ebp: 10614828 registers.edx: 2 registers.ebx: 5026330 registers.esi: 0 registers.ecx: 10614836	1

Performs some HTTP requests (2 events)

request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 29, 2024, 7:54 a.m.	process_identifier: 2544 region_size: 2936832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 29, 2024, 7:54 a.m.	process_identifier: 2544 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 29, 2024, 7:54 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 29, 2024, 7:54 a.m.	process_identifier: 2544 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 29, 2024, 7:54 a.m.	process_identifier: 2544 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 29, 2024, 7:54 a.m.	process_identifier: 2544 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 29, 2024, 7:54 a.m.	process_identifier: 2544 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 29, 2024, 7:54 a.m.	process_identifier: 2544 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 29, 2024, 7:54 a.m.	process_identifier: 2544 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 29, 2024, 7:54 a.m.	process_identifier: 2544 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 29, 2024, 7:54 a.m.	process_identifier: 2544 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 29, 2024, 7:54 a.m.	process_identifier: 2544 region_size: 475136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 29, 2024, 7:54 a.m.	process_identifier: 2544 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 29, 2024, 7:54 a.m.	process_identifier: 2544 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 29, 2024, 7:54 a.m.	process_identifier: 2544 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Jan. 29, 2024, 7:55 a.m.	thread_identifier: 2676 thread_handle: 0x00000138 process_identifier: 2672 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000013c	1	1	0
CreateProcessInternalW Jan. 29, 2024, 7:55 a.m.	thread_identifier: 2760 thread_handle: 0x00000144 process_identifier: 2756 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000140	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (6 events)

section

{u'size_of_data': u'0x00072a00', u'virtual_address': u'0x00001000', u'entropy': 7.999604071574984, u'name': u'', u'virtual_size': u'0x0010a000'}

entropy

7.99960407157

description