random.exe

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 14, 2024, 8:08 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 14, 2024, 8:08 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 14, 2024, 8:08 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW May 14, 2024, 8:08 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section
section	.vm_sec
section	.themida
section	.boot

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 14, 2024, 8:07 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 e9 98 bc f0 ff exception.symbol: random+0x4a2875 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4860021 exception.address: 0x1382875 registers.esp: 2947368 registers.edi: 6630936 registers.eax: 1750617430 registers.ebp: 17383424 registers.edx: 22614 registers.ebx: 15597568 registers.esi: 13 registers.ecx: 20	1	0	0
__exception__ May 14, 2024, 8:07 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: random+0x4a28e9 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4860137 exception.address: 0x13828e9 registers.esp: 2947368 registers.edi: 6630936 registers.eax: 1447909480 registers.ebp: 17383424 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1	0	0

Performs some HTTP requests (1 event)

request

GET https://db-ip.com/demo/home.php?s=175.208.134.152

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 14, 2024, 8:07 a.m.	process_identifier: 908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01063000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory May 14, 2024, 8:07 a.m.	process_identifier: 908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0103d000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory May 14, 2024, 8:07 a.m.	process_identifier: 908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0103d000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory May 14, 2024, 8:07 a.m.	process_identifier: 908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0103d000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory May 14, 2024, 8:07 a.m.	process_identifier: 908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0103d000 process_handle: 0xffffffff	1	0	0

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 14, 2024, 8:08 a.m.	thread_identifier: 2236 thread_handle: 0x00000114 process_identifier: 2240 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000010c	1	1	0
CreateProcessInternalW May 14, 2024, 8:08 a.m.	thread_identifier: 416 thread_handle: 0x0000011c process_identifier: 776 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000118	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (7 events)

section	{u'size_of_data': u'0x00080000', u'virtual_address': u'0x00001000', u'entropy': 7.999563636568724, u'name': u' ', u'virtual_size': u'0x0015bae8'}				entropy	7.99956363657				description	A section with a high entropy has been found
section	{u'size_of_data': u'0x0000c600', u'virtual_address': u'0x0015d000', u'entropy': 7.995659060728957, u'name': u' ', u'virtual_size': u'0x00027e32'}				entropy	7.99565906073				description	A section with a high entropy has been found
section	{u'size_of_data': u'0x00000800', u'virtual_address': u'0x00185000', u'entropy': 7.381162332644007, u'name': u' ', u'virtual_size': u'0x00004930'}				entropy	7.38116233264				description	A section with a high entropy has been found
section	{u'size_of_data': u'0x00007200', u'virtual_address': u'0x0018a000', u'entropy': 7.981397743898315, u'name': u' ', u'virtual_size': u'0x0000c8c0'}				entropy	7.9813977439				description	A section with a high entropy has been found
section	{u'size_of_data': u'0x00004c00', u'virtual_address': u'0x00197000', u'entropy': 7.978273846938975, u'name': u' ', u'virtual_size': u'0x00009858'}				entropy	7.97827384694				description	A section with a high entropy has been found
section	{u'size_of_data': u'0x0016ee00', u'virtual_address': u'0x00506000', u'entropy': 7.954421185542796, u'name': u'.boot', u'virtual_size': u'0x0016ee00'}				entropy	7.95442118554				description	A section with a high entropy has been found
entropy	0.968313473143				description	Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Communicates with host for which no DNS query was performed (1 event)

host	147.45.47.126

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131				reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation May 14, 2024, 8:07 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 14, 2024, 8:07 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: random+0x4a28e9 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4860137 exception.address: 0x13828e9 registers.esp: 2947368 registers.edi: 6630936 registers.eax: 1447909480 registers.ebp: 17383424 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1	0	0