Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 21, 2024, 7:13 a.m.	March 21, 2024, 7:18 a.m.

Size	3.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2e9936ceff7cb899d72ae573cb8ca876`
SHA256	`9cdac837bb014f812c15de2b223cde273f6f20cfdb337a559300349889c3e02d`
CRC32	`FF477775`
ssdeep	`49152:vuYjleUSup/qTySQokzOQvVboSHnkcnuVxM2kpFZM9QsS:vuYjcUSOSTyakzOQvVbXkZg2kpFn`
Yara	CryptBot_IN - CryptBot PE_Header_Zero - PE File Signature IsPE32 - (no description)

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
2548
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2768
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2852

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.186.192	34.117.186.192
www.maxmind.com	A 104.18.145.235 A 104.18.146.235	104.18.146.235
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15

IP Address	Status	Action
104.18.145.235	Active	Moloch
104.26.4.15	Active	Moloch
164.124.101.2	Active	Moloch
193.233.132.62	Active	Moloch
34.117.186.192	Active	Moloch
193.233.132.56	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 193.233.132.62:58709	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 193.233.132.62:58709 -> 192.168.56.101:49165	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 104.26.4.15:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=db-ip.com	65:b1:27:2e:35:d2:f7:1f:20:04:c5:ca:ea:4e:7a:b4:69:6a:83:00

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 21, 2024, 7:13 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW March 21, 2024, 7:13 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 21, 2024, 7:13 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW March 21, 2024, 7:13 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 events)

section	\x00
section	.idata
section	imcjfspo
section	ezbuajyk
section	.taggant

One or more processes crashed (50 out of 123 events)

Time & API	Arguments	Status
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb 60 bd 14 b0 9b ee e9 00 02 00 00 52 a3 be 88 exception.symbol: Start+0xda6af random+0x13cc4f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1297487 exception.address: 0xc8cc4f registers.esp: 1441484 registers.edi: 0 registers.eax: 1441500 registers.ebp: 1441500 registers.edx: 1441492 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb e9 1f f7 ff ff 8b 3c 24 e9 00 00 00 00 81 c4 exception.symbol: Start+0xdb4aa random+0x13da4a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1301066 exception.address: 0xc8da4a registers.esp: 1441448 registers.edi: 0 registers.eax: 29605 registers.ebp: 4003180564 registers.edx: 13160335 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 56 be c1 0f f0 4e 87 fe 57 f7 1c 24 e9 ea 00 exception.symbol: Start+0xdb38e random+0x13d92e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1300782 exception.address: 0xc8d92e registers.esp: 1441452 registers.edi: 0 registers.eax: 29605 registers.ebp: 4003180564 registers.edx: 13189940 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 51 e9 2c 03 00 00 ba 28 74 dc 6d 01 d1 5a e9 exception.symbol: Start+0xdaa96 random+0x13d036 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1298486 exception.address: 0xc8d036 registers.esp: 1441452 registers.edi: 0 registers.eax: 2942850645 registers.ebp: 4003180564 registers.edx: 13163348 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 52 e9 ec 00 00 00 8b 14 24 83 c4 04 81 c6 d2 exception.symbol: Start+0xdbd58 random+0x13e2f8 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1303288 exception.address: 0xc8e2f8 registers.esp: 1441448 registers.edi: 0 registers.eax: 30334 registers.ebp: 4003180564 registers.edx: 13163348 registers.ebx: 119532987 registers.esi: 0 registers.ecx: 13163736	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb e9 3f fc ff ff 81 e9 c0 96 37 00 29 c8 59 29 exception.symbol: Start+0xdbdae random+0x13e34e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1303374 exception.address: 0xc8e34e registers.esp: 1441452 registers.edi: 236777 registers.eax: 30334 registers.ebp: 4003180564 registers.edx: 13163348 registers.ebx: 119532987 registers.esi: 4294939320 registers.ecx: 13194070	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 55 53 54 e9 19 02 00 00 83 c4 04 81 f1 a9 5b exception.symbol: Start+0x2531bf random+0x2b575f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2840415 exception.address: 0xe0575f registers.esp: 1441448 registers.edi: 13198944 registers.eax: 30346 registers.ebp: 4003180564 registers.edx: 2130566132 registers.ebx: 49152750 registers.esi: 14701916 registers.ecx: 750	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb e9 cb fc ff ff 5b 81 f3 f2 a8 52 5b 8b 34 24 exception.symbol: Start+0x253ad8 random+0x2b6078 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2842744 exception.address: 0xe06078 registers.esp: 1441452 registers.edi: 13198944 registers.eax: 30346 registers.ebp: 4003180564 registers.edx: 2130566132 registers.ebx: 49152750 registers.esi: 14732262 registers.ecx: 750	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 56 c7 04 24 e2 12 30 19 89 1c 24 89 04 24 c7 exception.symbol: Start+0x253635 random+0x2b5bd5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2841557 exception.address: 0xe05bd5 registers.esp: 1441452 registers.edi: 13198944 registers.eax: 721129 registers.ebp: 4003180564 registers.edx: 2130566132 registers.ebx: 4294939972 registers.esi: 14732262 registers.ecx: 750	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 53 89 2c 24 bd da bf ff 7d 81 e5 74 2e 7f 7f exception.symbol: Start+0x255642 random+0x2b7be2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2849762 exception.address: 0xe07be2 registers.esp: 1441448 registers.edi: 14710436 registers.eax: 27349 registers.ebp: 4003180564 registers.edx: 2130566132 registers.ebx: 1827651947 registers.esi: 14732262 registers.ecx: 2093273475	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb e9 bb 02 00 00 b8 b6 d2 fe 16 0d c1 95 ee 2f exception.symbol: Start+0x2556c3 random+0x2b7c63 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2849891 exception.address: 0xe07c63 registers.esp: 1441452 registers.edi: 14737785 registers.eax: 27349 registers.ebp: 4003180564 registers.edx: 2130566132 registers.ebx: 1827651947 registers.esi: 14732262 registers.ecx: 2093273475	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 57 89 e7 81 c7 04 00 00 00 e9 f8 f9 ff ff 58 exception.symbol: Start+0x255c67 random+0x2b8207 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2851335 exception.address: 0xe08207 registers.esp: 1441452 registers.edi: 14713433 registers.eax: 27349 registers.ebp: 4003180564 registers.edx: 0 registers.ebx: 1827651947 registers.esi: 202985 registers.ecx: 2093273475	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 52 52 89 04 24 51 e9 80 00 00 exception.symbol: Start+0x25a4e6 random+0x2bca86 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2869894 exception.address: 0xe0ca86 registers.esp: 1441452 registers.edi: 3157408 registers.eax: 27707 registers.ebp: 4003180564 registers.edx: 0 registers.ebx: 1827651947 registers.esi: 202985 registers.ecx: 14758835	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 51 89 04 24 57 89 2c 24 68 3e 53 f2 0d e9 8c exception.symbol: Start+0x25a20f random+0x2bc7af exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2869167 exception.address: 0xe0c7af registers.esp: 1441452 registers.edi: 3157408 registers.eax: 27707 registers.ebp: 4003180564 registers.edx: 1259 registers.ebx: 1827651947 registers.esi: 0 registers.ecx: 14733791	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 0e 31 00 00 83 c4 04 exception.symbol: Start+0x25ff7c random+0x2c251c exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2893084 exception.address: 0xe1251c registers.esp: 1441444 registers.edi: 3157408 registers.eax: 1447909480 registers.ebp: 4003180564 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 14745531 registers.ecx: 20	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: Start+0x26076f random+0x2c2d0f exception.address: 0xe12d0f exception.module: random.exe exception.exception_code: 0xc000001d exception.offset: 2895119 registers.esp: 1441444 registers.edi: 3157408 registers.eax: 1 registers.ebp: 4003180564 registers.edx: 22104 registers.ebx: 0 registers.esi: 14745531 registers.ecx: 20	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 77 36 2d 12 01 exception.symbol: Start+0x261f6b random+0x2c450b exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2901259 exception.address: 0xe1450b registers.esp: 1441444 registers.edi: 3157408 registers.eax: 1447909480 registers.ebp: 4003180564 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 14745531 registers.ecx: 10	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb e9 ff 02 00 00 8b 14 24 e9 39 02 00 00 89 cf exception.symbol: Start+0x2666a1 random+0x2c8c41 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2919489 exception.address: 0xe18c41 registers.esp: 1441452 registers.edi: 3157408 registers.eax: 30454 registers.ebp: 4003180564 registers.edx: 2130566132 registers.ebx: 50460734 registers.esi: 10 registers.ecx: 14810396	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 55 89 e5 81 c5 04 00 00 00 52 ba 3e 7c fe 72 exception.symbol: Start+0x266a92 random+0x2c9032 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2920498 exception.address: 0xe19032 registers.esp: 1441452 registers.edi: 4294939524 registers.eax: 30454 registers.ebp: 4003180564 registers.edx: 2130566132 registers.ebx: 6379 registers.esi: 10 registers.ecx: 14810396	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 23 e1 87 2e 89 04 24 c7 04 24 50 exception.symbol: Start+0x2749fb random+0x2d6f9b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2977691 exception.address: 0xe26f9b registers.esp: 1441452 registers.edi: 13156486 registers.eax: 25738 registers.ebp: 4003180564 registers.edx: 6 registers.ebx: 50460956 registers.esi: 14865087 registers.ecx: 0	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 50 e9 00 00 00 00 c7 04 24 21 a3 56 02 e9 1d exception.symbol: Start+0x2750e6 random+0x2d7686 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2979462 exception.address: 0xe27686 registers.esp: 1441452 registers.edi: 13156486 registers.eax: 1179202795 registers.ebp: 4003180564 registers.edx: 4294944564 registers.ebx: 50460956 registers.esi: 14865087 registers.ecx: 0	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 29 c0 ff 34 38 8b 34 24 56 89 e6 81 c6 04 00 exception.symbol: Start+0x27611d random+0x2d86bd exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2983613 exception.address: 0xe286bd registers.esp: 1441452 registers.edi: 14869903 registers.eax: 25275 registers.ebp: 4003180564 registers.edx: 532292844 registers.ebx: 50460956 registers.esi: 14865087 registers.ecx: 1428016630	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb bb 4b 23 f4 35 e9 3b 01 00 00 31 c3 8b 04 24 exception.symbol: Start+0x275f42 random+0x2d84e2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2983138 exception.address: 0xe284e2 registers.esp: 1441452 registers.edi: 14869903 registers.eax: 4294944692 registers.ebp: 4003180564 registers.edx: 532292844 registers.ebx: 50460956 registers.esi: 2298801283 registers.ecx: 1428016630	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 68 d1 5f d7 62 e9 25 fb ff ff c1 e0 01 55 bd exception.symbol: Start+0x276fe4 random+0x2d9584 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2987396 exception.address: 0xe29584 registers.esp: 1441452 registers.edi: 4294938504 registers.eax: 31848 registers.ebp: 4003180564 registers.edx: 607947090 registers.ebx: 14879706 registers.esi: 2298801283 registers.ecx: 1428016630	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 51 55 e9 37 ff ff ff be 8f 39 ef 7d 52 ba ab exception.symbol: Start+0x27d534 random+0x2dfad4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3013332 exception.address: 0xe2fad4 registers.esp: 1441440 registers.edi: 4294938504 registers.eax: 25802 registers.ebp: 4003180564 registers.edx: 43929390 registers.ebx: 14872926 registers.esi: 2298801283 registers.ecx: 43929390	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb e9 13 00 00 00 68 c3 c7 7d 7f 5b 81 c3 41 38 exception.symbol: Start+0x27d340 random+0x2df8e0 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3012832 exception.address: 0xe2f8e0 registers.esp: 1441444 registers.edi: 0 registers.eax: 25802 registers.ebp: 4003180564 registers.edx: 43929390 registers.ebx: 14875888 registers.esi: 2298801283 registers.ecx: 30185	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 f1 36 58 3e 89 34 24 57 bf a6 6b exception.symbol: Start+0x29e2b3 random+0x300853 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3147859 exception.address: 0xe50853 registers.esp: 1441412 registers.edi: 15011965 registers.eax: 33107 registers.ebp: 4003180564 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 15003246 registers.ecx: 606898513	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb ba 07 fa f6 5f 57 bf c1 aa de 5d e9 1f 00 00 exception.symbol: Start+0x29f6da random+0x301c7a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3153018 exception.address: 0xe51c7a registers.esp: 1441412 registers.edi: 15045427 registers.eax: 32963 registers.ebp: 4003180564 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 15003246 registers.ecx: 1654031483	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 56 be 7a 8f 7f 7c 81 f6 18 6f 76 77 e9 18 03 exception.symbol: Start+0x29f215 random+0x3017b5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3151797 exception.address: 0xe517b5 registers.esp: 1441412 registers.edi: 15045427 registers.eax: 32963 registers.ebp: 4003180564 registers.edx: 4294937352 registers.ebx: 0 registers.esi: 322689 registers.ecx: 1654031483	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 57 50 55 bd d2 7e f7 5f 81 c5 bd da 07 10 e9 exception.symbol: Start+0x2a0590 random+0x302b30 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3156784 exception.address: 0xe52b30 registers.esp: 1441412 registers.edi: 15045427 registers.eax: 1853748072 registers.ebp: 4003180564 registers.edx: 2056038804 registers.ebx: 0 registers.esi: 15042063 registers.ecx: 4294944160	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 29 f6 ff 34 33 ff 34 24 ff 34 24 e9 98 01 00 exception.symbol: Start+0x2a0d34 random+0x3032d4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3158740 exception.address: 0xe532d4 registers.esp: 1441412 registers.edi: 15045427 registers.eax: 28407 registers.ebp: 4003180564 registers.edx: 1846453614 registers.ebx: 15047813 registers.esi: 15042063 registers.ecx: 417704672	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb e9 59 03 00 00 89 0c 24 53 bb a5 16 77 7f 56 exception.symbol: Start+0x2a0c02 random+0x3031a2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3158434 exception.address: 0xe531a2 registers.esp: 1441412 registers.edi: 15045427 registers.eax: 44777 registers.ebp: 4003180564 registers.edx: 1846453614 registers.ebx: 15047813 registers.esi: 4294941532 registers.ecx: 417704672	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 68 08 b4 a1 2e 89 34 24 be d8 ee 7d 7d 57 e9 exception.symbol: Start+0x2a1c94 random+0x304234 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3162676 exception.address: 0xe54234 registers.esp: 1441408 registers.edi: 15022611 registers.eax: 30830 registers.ebp: 4003180564 registers.edx: 2128605182 registers.ebx: 15047813 registers.esi: 4294941532 registers.ecx: 417704672	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 56 e9 b5 00 00 00 81 eb c4 59 e6 7d e9 b4 03 exception.symbol: Start+0x2a18e2 random+0x303e82 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3161730 exception.address: 0xe53e82 registers.esp: 1441412 registers.edi: 15025617 registers.eax: 940023181 registers.ebp: 4003180564 registers.edx: 2128605182 registers.ebx: 15047813 registers.esi: 4294941532 registers.ecx: 0	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb e9 79 ff ff ff 89 34 24 c7 04 24 70 9c 57 5d exception.symbol: Start+0x2a3ab5 random+0x306055 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3170389 exception.address: 0xe56055 registers.esp: 1441408 registers.edi: 15025617 registers.eax: 15031879 registers.ebp: 4003180564 registers.edx: 2128605182 registers.ebx: 4279946379 registers.esi: 4294946210 registers.ecx: 2143635349	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 29 c9 ff 34 01 ff 34 24 8b 1c 24 81 c4 04 00 exception.symbol: Start+0x2a404b random+0x3065eb exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3171819 exception.address: 0xe565eb registers.esp: 1441412 registers.edi: 15025617 registers.eax: 15062912 registers.ebp: 4003180564 registers.edx: 2128605182 registers.ebx: 4279946379 registers.esi: 4294946210 registers.ecx: 2143635349	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 56 68 21 e8 aa 49 89 1c 24 52 e9 57 01 00 00 exception.symbol: Start+0x2a3a24 random+0x305fc4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3170244 exception.address: 0xe55fc4 registers.esp: 1441412 registers.edi: 15025617 registers.eax: 15062912 registers.ebp: 4003180564 registers.edx: 2128605182 registers.ebx: 24811 registers.esi: 4294946210 registers.ecx: 4294938948	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 68 80 fa 97 74 89 2c 24 68 56 48 79 12 5d 29 exception.symbol: Start+0x2a5dc4 random+0x308364 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3179364 exception.address: 0xe58364 registers.esp: 1441408 registers.edi: 15025617 registers.eax: 25544 registers.ebp: 4003180564 registers.edx: 2113337013 registers.ebx: 1141770669 registers.esi: 15041153 registers.ecx: 4294938948	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 31 c0 e9 a0 01 00 00 56 e9 81 ff ff ff 53 bb exception.symbol: Start+0x2a6175 random+0x308715 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3180309 exception.address: 0xe58715 registers.esp: 1441412 registers.edi: 15025617 registers.eax: 25544 registers.ebp: 4003180564 registers.edx: 2113337013 registers.ebx: 1141770669 registers.esi: 15066697 registers.ecx: 4294938948	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 55 89 e5 81 c5 04 00 00 00 81 ed 04 00 00 00 exception.symbol: Start+0x2a5ec2 random+0x308462 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3179618 exception.address: 0xe58462 registers.esp: 1441412 registers.edi: 15025617 registers.eax: 4294944080 registers.ebp: 4003180564 registers.edx: 1309718376 registers.ebx: 1141770669 registers.esi: 15066697 registers.ecx: 4294938948	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 51 b9 07 f9 12 7f 81 f1 fb 2a ba 72 53 e9 7d exception.symbol: Start+0x2a6ff7 random+0x309597 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3184023 exception.address: 0xe59597 registers.esp: 1441408 registers.edi: 15025617 registers.eax: 15043868 registers.ebp: 4003180564 registers.edx: 108172750 registers.ebx: 1141770669 registers.esi: 15066697 registers.ecx: 424139185	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 68 71 e2 40 6b 89 34 24 89 2c 24 89 0c 24 c7 exception.symbol: Start+0x2a6ee3 random+0x309483 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3183747 exception.address: 0xe59483 registers.esp: 1441412 registers.edi: 15025617 registers.eax: 15072626 registers.ebp: 4003180564 registers.edx: 108172750 registers.ebx: 1141770669 registers.esi: 15066697 registers.ecx: 424139185	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 52 56 89 04 24 89 3c 24 68 59 4c 3a 5d e9 df exception.symbol: Start+0x2a6a55 random+0x308ff5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3182581 exception.address: 0xe58ff5 registers.esp: 1441412 registers.edi: 157417 registers.eax: 15072626 registers.ebp: 4003180564 registers.edx: 108172750 registers.ebx: 4294941836 registers.esi: 15066697 registers.ecx: 424139185	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 53 89 e3 81 c3 04 00 00 00 81 eb 04 00 00 00 exception.symbol: Start+0x2ac94b random+0x30eeeb exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3206891 exception.address: 0xe5eeeb registers.esp: 1441412 registers.edi: 4294938368 registers.eax: 31726 registers.ebp: 4003180564 registers.edx: 15099519 registers.ebx: 2147483650 registers.esi: 4194836584 registers.ecx: 2098528256	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 68 e9 eb 88 17 e9 77 f7 ff ff 5d 57 bf 45 83 exception.symbol: Start+0x2adb1a random+0x3100ba exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3211450 exception.address: 0xe600ba registers.esp: 1441412 registers.edi: 4294938368 registers.eax: 26201 registers.ebp: 4003180564 registers.edx: 657853283 registers.ebx: 2147483650 registers.esi: 15097165 registers.ecx: 1011834881	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 55 89 34 24 be 71 3c ff 7f 52 89 0c 24 b9 1b exception.symbol: Start+0x2ad961 random+0x30ff01 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3211009 exception.address: 0xe5ff01 registers.esp: 1441412 registers.edi: 4294938368 registers.eax: 9451 registers.ebp: 4003180564 registers.edx: 0 registers.ebx: 2147483650 registers.esi: 15074133 registers.ecx: 1011834881	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 56 be 3d 9e fd 57 51 b9 18 3b 92 6e 52 ba 55 exception.symbol: Start+0x2aebfe random+0x31119e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3215774 exception.address: 0xe6119e registers.esp: 1441412 registers.edi: 4294938368 registers.eax: 26727 registers.ebp: 4003180564 registers.edx: 0 registers.ebx: 15077838 registers.esi: 0 registers.ecx: 2537273681	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 31 db ff 34 1a e9 75 f9 ff ff exception.symbol: Start+0x2af684 random+0x311c24 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3218468 exception.address: 0xe61c24 registers.esp: 1441412 registers.edi: 4294938368 registers.eax: 29580 registers.ebp: 4003180564 registers.edx: 15107818 registers.ebx: 2137159742 registers.esi: 0 registers.ecx: 2537273681	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb e9 e2 fa ff ff 57 e9 38 00 00 00 05 84 fb ba exception.symbol: Start+0x2af2f8 random+0x311898 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3217560 exception.address: 0xe61898 registers.esp: 1441412 registers.edi: 4294938368 registers.eax: 3661995112 registers.ebp: 4003180564 registers.edx: 15107818 registers.ebx: 4294940096 registers.esi: 0 registers.ecx: 2537273681	1
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: fb 29 db ff 34 13 ff 34 24 ff 34 24 e9 0e 05 00 exception.symbol: Start+0x2afdb8 random+0x312358 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3220312 exception.address: 0xe62358 registers.esp: 1441412 registers.edi: 4294938368 registers.eax: 29866 registers.ebp: 4003180564 registers.edx: 15110913 registers.ebx: 4294940096 registers.esi: 0 registers.ecx: 842533299	1

Performs some HTTP requests (2 events)

request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152

Allocates read-write-execute memory (usually to unpack itself) (18 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 589824 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b51000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:13 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

random.exe tried to sleep 121 seconds, actually delayed analysis time by 121 seconds

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 21, 2024, 7:13 a.m.	thread_identifier: 2772 thread_handle: 0x000001a8 process_identifier: 2768 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001ac	1	1	0
CreateProcessInternalW March 21, 2024, 7:13 a.m.	thread_identifier: 2856 thread_handle: 0x000001b4 process_identifier: 2852 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001b0	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0008fe00', u'virtual_address': u'0x00001000', u'entropy': 7.984597646860602, u'name': u' \\x00 ', u'virtual_size': u'0x00138000'}

entropy

7.98459764686

description

A section with a high entropy has been found

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Communicates with host for which no DNS query was performed (2 events)

host	193.233.132.62
host	193.233.132.56

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 21, 2024, 7:13 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 0e 31 00 00 83 c4 04 exception.symbol: Start+0x25ff7c random+0x2c251c exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2893084 exception.address: 0xe1251c registers.esp: 1441444 registers.edi: 3157408 registers.eax: 1447909480 registers.ebp: 4003180564 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 14745531 registers.ecx: 20	1	0	0

Detects the presence of Wine emulator (1 event)

registry

HKEY_CURRENT_USER\Software\Wine

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	192.168.56.101:49233
dead_host	192.168.56.101:49216

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All