Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 3, 2024, 3:44 p.m.	May 3, 2024, 3:53 p.m.

Size	3.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`89614bcd95a77224939391e14e6a45d4`
SHA256	`8f2d99ca04db3fc50810158be6f60f4df8df819dd30227d58287f71b220fbfb8`
CRC32	`7F35706E`
ssdeep	`98304:ELczzk0Gqz5w0oagqMl293keG0X3ojOIML:EIfkGYnqMi3k3tj`
Yara	PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) EnigmaProtector_IN - EnigmaProtector

buben.exe "C:\Users\test22\AppData\Local\Temp\buben.exe"
2064
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2532
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2640

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.186.192	34.117.186.192
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15

IP Address	Status	Action
104.26.4.15	Active	Moloch
147.45.47.93	Active	Moloch
164.124.101.2	Active	Moloch
34.117.186.192	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49167 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 147.45.47.93:58709	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 147.45.47.93:58709 -> 192.168.56.103:49166	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 147.45.47.93:58709	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 147.45.47.93:58709	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 147.45.47.93:58709	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 147.45.47.93:58709 -> 192.168.56.103:49166	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 147.45.47.93:58709	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49169 104.26.4.15:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=db-ip.com	65:b1:27:2e:35:d2:f7:1f:20:04:c5:ca:ea:4e:7a:b4:69:6a:83:00

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA May 3, 2024, 3:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:52 p.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 3, 2024, 3:51 p.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW May 3, 2024, 3:52 p.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

One or more processes crashed (30 events)

Time & API	Arguments	Status
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd0e50 0x7ebd0d00 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: buben.exe exception.exception_code: 0xc0000094 exception.offset: 2696285 exception.address: 0xf1245d registers.esp: 4390360 registers.edi: 22692080 registers.eax: 0 registers.ebp: 4390388 registers.edx: 0 registers.ebx: 229603846 registers.esi: 14839808 registers.ecx: 51590784	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd0e50 0x7ebd0d00 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: buben.exe exception.exception_code: 0xc000001d exception.offset: 2696328 exception.address: 0xf12488 registers.esp: 4390360 registers.edi: 4390360 registers.eax: 0 registers.ebp: 4390388 registers.edx: 2 registers.ebx: 15803507 registers.esi: 0 registers.ecx: 4390396	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd0e50 0x7ebd0d00 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: buben.exe exception.exception_code: 0xc0000094 exception.offset: 2696285 exception.address: 0xf1245d registers.esp: 4390360 registers.edi: 4390360 registers.eax: 0 registers.ebp: 4390388 registers.edx: 0 registers.ebx: 15803550 registers.esi: 0 registers.ecx: 4390396	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd0e50 0x7ebd0d00 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: buben.exe exception.exception_code: 0xc000001d exception.offset: 2696328 exception.address: 0xf12488 registers.esp: 4390360 registers.edi: 4390360 registers.eax: 0 registers.ebp: 4390388 registers.edx: 2 registers.ebx: 15803507 registers.esi: 0 registers.ecx: 4390396	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd0e50 0x7ebd0d00 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: buben.exe exception.exception_code: 0xc000001d exception.offset: 2696328 exception.address: 0xf12488 registers.esp: 4390360 registers.edi: 4390360 registers.eax: 0 registers.ebp: 4390388 registers.edx: 2 registers.ebx: 15803550 registers.esi: 0 registers.ecx: 4390396	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd0e50 0x7ebd0d00 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: buben.exe exception.exception_code: 0xc0000094 exception.offset: 2696285 exception.address: 0xf1245d registers.esp: 4390360 registers.edi: 4390360 registers.eax: 0 registers.ebp: 4390388 registers.edx: 0 registers.ebx: 15803550 registers.esi: 0 registers.ecx: 4390396	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd0e50 0x7ebd0d00 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: buben.exe exception.exception_code: 0xc000001d exception.offset: 2696328 exception.address: 0xf12488 registers.esp: 4390360 registers.edi: 4390360 registers.eax: 0 registers.ebp: 4390388 registers.edx: 2 registers.ebx: 15803507 registers.esi: 0 registers.ecx: 4390396	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd0e50 0x7ebd0d00 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: buben.exe exception.exception_code: 0xc0000094 exception.offset: 2696285 exception.address: 0xf1245d registers.esp: 4390360 registers.edi: 4390360 registers.eax: 0 registers.ebp: 4390388 registers.edx: 0 registers.ebx: 15803550 registers.esi: 0 registers.ecx: 4390396	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd0e50 0x7ebd0d00 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: buben.exe exception.exception_code: 0xc0000094 exception.offset: 2696285 exception.address: 0xf1245d registers.esp: 4390360 registers.edi: 4390360 registers.eax: 0 registers.ebp: 4390388 registers.edx: 0 registers.ebx: 15803507 registers.esi: 0 registers.ecx: 4390396	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd0e50 0x7ebd0d00 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: buben.exe exception.exception_code: 0xc0000094 exception.offset: 2696285 exception.address: 0xf1245d registers.esp: 4390360 registers.edi: 4390360 registers.eax: 0 registers.ebp: 4390388 registers.edx: 0 registers.ebx: 15803507 registers.esi: 0 registers.ecx: 4390396	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd19f0 0x7ebd1630 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: buben.exe exception.exception_code: 0xc000001d exception.offset: 2696328 exception.address: 0xf12488 registers.esp: 4390232 registers.edi: 16063144 registers.eax: 0 registers.ebp: 4390260 registers.edx: 2 registers.ebx: 10645504 registers.esi: 14839808 registers.ecx: 14839808	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd19f0 0x7ebd1630 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: buben.exe exception.exception_code: 0xc0000094 exception.offset: 2696285 exception.address: 0xf1245d registers.esp: 4390232 registers.edi: 4390232 registers.eax: 0 registers.ebp: 4390260 registers.edx: 0 registers.ebx: 15803550 registers.esi: 0 registers.ecx: 4390268	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd1e70 0x7ebd1630 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: buben.exe exception.exception_code: 0xc0000094 exception.offset: 2696285 exception.address: 0xf1245d registers.esp: 4390232 registers.edi: 16063144 registers.eax: 0 registers.ebp: 4390260 registers.edx: 0 registers.ebx: 10645504 registers.esi: 14839808 registers.ecx: 0	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd1e70 0x7ebd1630 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: buben.exe exception.exception_code: 0xc000001d exception.offset: 2696328 exception.address: 0xf12488 registers.esp: 4390232 registers.edi: 4390232 registers.eax: 0 registers.ebp: 4390260 registers.edx: 2 registers.ebx: 15803507 registers.esi: 0 registers.ecx: 4390268	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd1e70 0x7ebd1630 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: buben.exe exception.exception_code: 0xc000001d exception.offset: 2696328 exception.address: 0xf12488 registers.esp: 4390232 registers.edi: 4390232 registers.eax: 0 registers.ebp: 4390260 registers.edx: 2 registers.ebx: 15803550 registers.esi: 0 registers.ecx: 4390268	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd1e70 0x7ebd1630 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: buben.exe exception.exception_code: 0xc000001d exception.offset: 2696328 exception.address: 0xf12488 registers.esp: 4390232 registers.edi: 4390232 registers.eax: 0 registers.ebp: 4390260 registers.edx: 2 registers.ebx: 15803550 registers.esi: 0 registers.ecx: 4390268	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd1e70 0x7ebd1630 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: buben.exe exception.exception_code: 0xc0000094 exception.offset: 2696285 exception.address: 0xf1245d registers.esp: 4390232 registers.edi: 4390232 registers.eax: 0 registers.ebp: 4390260 registers.edx: 0 registers.ebx: 15803550 registers.esi: 0 registers.ecx: 4390268	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd1fc0 0x7ebd1630 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: buben.exe exception.exception_code: 0xc000001d exception.offset: 2696328 exception.address: 0xf12488 registers.esp: 4390232 registers.edi: 16063144 registers.eax: 0 registers.ebp: 4390260 registers.edx: 2 registers.ebx: 10645504 registers.esi: 14839808 registers.ecx: 4390252	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd1fc0 0x7ebd1630 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: buben.exe exception.exception_code: 0xc000001d exception.offset: 2696328 exception.address: 0xf12488 registers.esp: 4390232 registers.edi: 4390232 registers.eax: 0 registers.ebp: 4390260 registers.edx: 2 registers.ebx: 15803550 registers.esi: 0 registers.ecx: 4390268	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd1fc0 0x7ebd1630 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: buben.exe exception.exception_code: 0xc000001d exception.offset: 2696328 exception.address: 0xf12488 registers.esp: 4390232 registers.edi: 4390232 registers.eax: 0 registers.ebp: 4390260 registers.edx: 2 registers.ebx: 15803550 registers.esi: 0 registers.ecx: 4390268	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd1fc0 0x7ebd1630 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: buben.exe exception.exception_code: 0xc000001d exception.offset: 2696328 exception.address: 0xf12488 registers.esp: 4390232 registers.edi: 4390232 registers.eax: 0 registers.ebp: 4390260 registers.edx: 2 registers.ebx: 15803550 registers.esi: 0 registers.ecx: 4390268	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd24d0 0x7ebd1630 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: buben.exe exception.exception_code: 0xc000001d exception.offset: 2696328 exception.address: 0xf12488 registers.esp: 4390232 registers.edi: 16063144 registers.eax: 0 registers.ebp: 4390260 registers.edx: 2 registers.ebx: 0 registers.esi: 14839808 registers.ecx: 0	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd24d0 0x7ebd1630 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: buben.exe exception.exception_code: 0xc000001d exception.offset: 2696328 exception.address: 0xf12488 registers.esp: 4390232 registers.edi: 4390232 registers.eax: 0 registers.ebp: 4390260 registers.edx: 2 registers.ebx: 15803550 registers.esi: 0 registers.ecx: 4390268	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd24d0 0x7ebd1630 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: buben.exe exception.exception_code: 0xc0000094 exception.offset: 2696285 exception.address: 0xf1245d registers.esp: 4390232 registers.edi: 4390232 registers.eax: 0 registers.ebp: 4390260 registers.edx: 0 registers.ebx: 15803550 registers.esi: 0 registers.ecx: 4390268	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd24d0 0x7ebd1630 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: buben.exe exception.exception_code: 0xc000001d exception.offset: 2696328 exception.address: 0xf12488 registers.esp: 4390232 registers.edi: 4390232 registers.eax: 0 registers.ebp: 4390260 registers.edx: 2 registers.ebx: 15803507 registers.esi: 0 registers.ecx: 4390268	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd24d0 0x7ebd1630 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: buben.exe exception.exception_code: 0xc000001d exception.offset: 2696328 exception.address: 0xf12488 registers.esp: 4390232 registers.edi: 4390232 registers.eax: 0 registers.ebp: 4390260 registers.edx: 2 registers.ebx: 15803550 registers.esi: 0 registers.ecx: 4390268	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd2710 0x7ebd1630 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: buben.exe exception.exception_code: 0xc0000094 exception.offset: 2696285 exception.address: 0xf1245d registers.esp: 4390232 registers.edi: 16063144 registers.eax: 0 registers.ebp: 4390260 registers.edx: 0 registers.ebx: 0 registers.esi: 14839808 registers.ecx: 2022427275	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd2710 0x7ebd1630 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: buben.exe exception.exception_code: 0xc0000094 exception.offset: 2696285 exception.address: 0xf1245d registers.esp: 4390232 registers.edi: 4390232 registers.eax: 0 registers.ebp: 4390260 registers.edx: 0 registers.ebx: 15803507 registers.esi: 0 registers.ecx: 4390268	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd2710 0x7ebd1630 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: buben.exe exception.exception_code: 0xc0000094 exception.offset: 2696285 exception.address: 0xf1245d registers.esp: 4390232 registers.edi: 4390232 registers.eax: 0 registers.ebp: 4390260 registers.edx: 0 registers.ebx: 15803507 registers.esi: 0 registers.ecx: 4390268	1
__exception__ May 3, 2024, 3:44 p.m.	stacktrace: 0x7ebd2710 0x7ebd1630 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: buben.exe exception.exception_code: 0xc000001d exception.offset: 2696328 exception.address: 0xf12488 registers.esp: 4390232 registers.edi: 4390232 registers.eax: 0 registers.ebp: 4390260 registers.edx: 2 registers.ebx: 15803507 registers.esi: 0 registers.ecx: 4390268	1

Performs some HTTP requests (1 event)

request

GET https://db-ip.com/demo/home.php?s=175.208.134.152

Allocates read-write-execute memory (usually to unpack itself) (50 out of 100 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dd4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ddc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02de0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02de4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02de8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dfc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e08000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e68000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ef0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ef4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ef8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02efc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:44 p.m.	process_identifier: 2064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

buben.exe tried to sleep 262 seconds, actually delayed analysis time by 262 seconds

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 3, 2024, 3:45 p.m.	thread_identifier: 2536 thread_handle: 0x00000164 process_identifier: 2532 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000168	1	1	0
CreateProcessInternalW May 3, 2024, 3:45 p.m.	thread_identifier: 2644 thread_handle: 0x00000170 process_identifier: 2640 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000016c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (7 events)

section

{u'size_of_data': u'0x00092a00', u'virtual_address': u'0x00001000', u'entropy': 7.999630025295813, u'name': u'', u'virtual_size': u'0x00159000'}

entropy

7.9996300253

description