Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 7, 2024, 9:37 a.m.	June 7, 2024, 9:58 a.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e6f6123ba522419ec38f54fb447fcd5e`
SHA256	`8f5caf044dd5d81e06d806e4148720ca2b11b48e3f67bfc449b973d6737f0e32`
CRC32	`794033BB`
ssdeep	`24576:TUdolgqrhrPYg1T1p7Cgz+VfiwrMy5GMFH2wQIyEvOpOoLs1vCVL:TFgGr51T1bEi0n5GMFH2lX7LslCV`
Yara	PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description)

lana.exe "C:\Users\test22\AppData\Local\Temp\lana.exe"
2652
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2792
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2876

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.186.192	34.117.186.192
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15

IP Address	Status	Action
104.26.4.15	Active	Moloch
147.45.47.126	Active	Moloch
164.124.101.2	Active	Moloch
34.117.186.192	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 147.45.47.126:58709 -> 192.168.56.101:49165	2400022	ET DROP Spamhaus DROP Listed Traffic Inbound group 23	Misc Attack
TCP 192.168.56.101:49165 -> 147.45.47.126:58709	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 147.45.47.126:58709 -> 192.168.56.101:49165	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 147.45.47.126:58709	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49165 -> 147.45.47.126:58709	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 192.168.56.101:49168 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 104.26.4.15:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=db-ip.com	1f:af:15:cd:f8:f8:ee:30:f9:6e:6e:54:bc:9a:a7:c7:77:70:6d:25

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA June 7, 2024, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2024, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2024, 9:38 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 7, 2024, 9:38 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW June 7, 2024, 9:38 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section
section	.data\x00Th

One or more processes crashed (21 events)

Time & API	Arguments	Status
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e88a6 @ 0xca88a6 lana+0x2708dc @ 0xc308dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d1d9 exception.instruction: div eax exception.module: lana.exe exception.exception_code: 0xc0000094 exception.offset: 2413017 exception.address: 0xc0d1d9 registers.esp: 3734816 registers.edi: 13226124 registers.eax: 0 registers.ebp: 3734844 registers.edx: 0 registers.ebx: 38482864 registers.esi: 5 registers.ecx: 38482864	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e88a6 @ 0xca88a6 lana+0x2708dc @ 0xc308dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d204 exception.instruction: ud2 exception.module: lana.exe exception.exception_code: 0xc000001d exception.offset: 2413060 exception.address: 0xc0d204 registers.esp: 3734816 registers.edi: 3734816 registers.eax: 0 registers.ebp: 3734844 registers.edx: 2 registers.ebx: 12636655 registers.esi: 0 registers.ecx: 3735024	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e88a6 @ 0xca88a6 lana+0x2708dc @ 0xc308dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d1d9 exception.instruction: div eax exception.module: lana.exe exception.exception_code: 0xc0000094 exception.offset: 2413017 exception.address: 0xc0d1d9 registers.esp: 3734816 registers.edi: 3734816 registers.eax: 0 registers.ebp: 3734844 registers.edx: 0 registers.ebx: 12636698 registers.esi: 0 registers.ecx: 3735024	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e88a6 @ 0xca88a6 lana+0x2708dc @ 0xc308dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d204 exception.instruction: ud2 exception.module: lana.exe exception.exception_code: 0xc000001d exception.offset: 2413060 exception.address: 0xc0d204 registers.esp: 3734816 registers.edi: 3734816 registers.eax: 0 registers.ebp: 3734844 registers.edx: 2 registers.ebx: 12636655 registers.esi: 0 registers.ecx: 3735024	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e60a9 @ 0xca60a9 lana+0x2e7717 @ 0xca7717 lana+0x2708dc @ 0xc308dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d1d9 exception.instruction: div eax exception.module: lana.exe exception.exception_code: 0xc0000094 exception.offset: 2413017 exception.address: 0xc0d1d9 registers.esp: 3734768 registers.edi: 13226124 registers.eax: 0 registers.ebp: 3734796 registers.edx: 0 registers.ebx: 7696384 registers.esi: 11890688 registers.ecx: 0	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e60a9 @ 0xca60a9 lana+0x2e7717 @ 0xca7717 lana+0x2708dc @ 0xc308dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d204 exception.instruction: ud2 exception.module: lana.exe exception.exception_code: 0xc000001d exception.offset: 2413060 exception.address: 0xc0d204 registers.esp: 3734768 registers.edi: 3734768 registers.eax: 0 registers.ebp: 3734796 registers.edx: 2 registers.ebx: 12636655 registers.esi: 0 registers.ecx: 3734804	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e60a9 @ 0xca60a9 lana+0x2e7717 @ 0xca7717 lana+0x2708dc @ 0xc308dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d1d9 exception.instruction: div eax exception.module: lana.exe exception.exception_code: 0xc0000094 exception.offset: 2413017 exception.address: 0xc0d1d9 registers.esp: 3734768 registers.edi: 3734768 registers.eax: 0 registers.ebp: 3734796 registers.edx: 0 registers.ebx: 12636698 registers.esi: 0 registers.ecx: 3734804	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e60a9 @ 0xca60a9 lana+0x2e7717 @ 0xca7717 lana+0x2708dc @ 0xc308dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d204 exception.instruction: ud2 exception.module: lana.exe exception.exception_code: 0xc000001d exception.offset: 2413060 exception.address: 0xc0d204 registers.esp: 3734768 registers.edi: 3734768 registers.eax: 0 registers.ebp: 3734796 registers.edx: 2 registers.ebx: 12636655 registers.esi: 0 registers.ecx: 3734804	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e60a9 @ 0xca60a9 lana+0x2e7717 @ 0xca7717 lana+0x2708dc @ 0xc308dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d1d9 exception.instruction: div eax exception.module: lana.exe exception.exception_code: 0xc0000094 exception.offset: 2413017 exception.address: 0xc0d1d9 registers.esp: 3734768 registers.edi: 3734768 registers.eax: 0 registers.ebp: 3734796 registers.edx: 0 registers.ebx: 12636698 registers.esi: 0 registers.ecx: 3734804	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e60a9 @ 0xca60a9 lana+0x2e7717 @ 0xca7717 lana+0x2708dc @ 0xc308dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d204 exception.instruction: ud2 exception.module: lana.exe exception.exception_code: 0xc000001d exception.offset: 2413060 exception.address: 0xc0d204 registers.esp: 3734768 registers.edi: 3734768 registers.eax: 0 registers.ebp: 3734796 registers.edx: 2 registers.ebx: 12636655 registers.esi: 0 registers.ecx: 3734804	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e60a9 @ 0xca60a9 lana+0x2e7717 @ 0xca7717 lana+0x2708dc @ 0xc308dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d204 exception.instruction: ud2 exception.module: lana.exe exception.exception_code: 0xc000001d exception.offset: 2413060 exception.address: 0xc0d204 registers.esp: 3734768 registers.edi: 3734768 registers.eax: 0 registers.ebp: 3734796 registers.edx: 2 registers.ebx: 12636698 registers.esi: 0 registers.ecx: 3734804	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e617b @ 0xca617b lana+0x2e7717 @ 0xca7717 lana+0x2708dc @ 0xc308dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d204 exception.instruction: ud2 exception.module: lana.exe exception.exception_code: 0xc000001d exception.offset: 2413060 exception.address: 0xc0d204 registers.esp: 3734768 registers.edi: 13226124 registers.eax: 0 registers.ebp: 3734796 registers.edx: 2 registers.ebx: 7696384 registers.esi: 11890688 registers.ecx: 3734796	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e617b @ 0xca617b lana+0x2e7717 @ 0xca7717 lana+0x2708dc @ 0xc308dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d204 exception.instruction: ud2 exception.module: lana.exe exception.exception_code: 0xc000001d exception.offset: 2413060 exception.address: 0xc0d204 registers.esp: 3734768 registers.edi: 3734768 registers.eax: 0 registers.ebp: 3734796 registers.edx: 2 registers.ebx: 12636698 registers.esi: 0 registers.ecx: 3734804	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e6275 @ 0xca6275 lana+0x2e7717 @ 0xca7717 lana+0x2708dc @ 0xc308dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d1d9 exception.instruction: div eax exception.module: lana.exe exception.exception_code: 0xc0000094 exception.offset: 2413017 exception.address: 0xc0d1d9 registers.esp: 3734768 registers.edi: 13226124 registers.eax: 0 registers.ebp: 3734796 registers.edx: 0 registers.ebx: 7696384 registers.esi: 11890688 registers.ecx: 2761554153	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e6275 @ 0xca6275 lana+0x2e7717 @ 0xca7717 lana+0x2708dc @ 0xc308dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d204 exception.instruction: ud2 exception.module: lana.exe exception.exception_code: 0xc000001d exception.offset: 2413060 exception.address: 0xc0d204 registers.esp: 3734768 registers.edi: 3734768 registers.eax: 0 registers.ebp: 3734796 registers.edx: 2 registers.ebx: 12636655 registers.esi: 0 registers.ecx: 3734804	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e6275 @ 0xca6275 lana+0x2e7717 @ 0xca7717 lana+0x2708dc @ 0xc308dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d204 exception.instruction: ud2 exception.module: lana.exe exception.exception_code: 0xc000001d exception.offset: 2413060 exception.address: 0xc0d204 registers.esp: 3734768 registers.edi: 3734768 registers.eax: 0 registers.ebp: 3734796 registers.edx: 2 registers.ebx: 12636698 registers.esi: 0 registers.ecx: 3734804	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e6275 @ 0xca6275 lana+0x2e7717 @ 0xca7717 lana+0x2708dc @ 0xc308dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d204 exception.instruction: ud2 exception.module: lana.exe exception.exception_code: 0xc000001d exception.offset: 2413060 exception.address: 0xc0d204 registers.esp: 3734768 registers.edi: 3734768 registers.eax: 0 registers.ebp: 3734796 registers.edx: 2 registers.ebx: 12636698 registers.esi: 0 registers.ecx: 3734804	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e6275 @ 0xca6275 lana+0x2e7717 @ 0xca7717 lana+0x2708dc @ 0xc308dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d1d9 exception.instruction: div eax exception.module: lana.exe exception.exception_code: 0xc0000094 exception.offset: 2413017 exception.address: 0xc0d1d9 registers.esp: 3734768 registers.edi: 3734768 registers.eax: 0 registers.ebp: 3734796 registers.edx: 0 registers.ebx: 12636698 registers.esi: 0 registers.ecx: 3734804	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e6275 @ 0xca6275 lana+0x2e7717 @ 0xca7717 lana+0x2708dc @ 0xc308dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d204 exception.instruction: ud2 exception.module: lana.exe exception.exception_code: 0xc000001d exception.offset: 2413060 exception.address: 0xc0d204 registers.esp: 3734768 registers.edi: 3734768 registers.eax: 0 registers.ebp: 3734796 registers.edx: 2 registers.ebx: 12636655 registers.esi: 0 registers.ecx: 3734804	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e6275 @ 0xca6275 lana+0x2e7717 @ 0xca7717 lana+0x2708dc @ 0xc308dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d204 exception.instruction: ud2 exception.module: lana.exe exception.exception_code: 0xc000001d exception.offset: 2413060 exception.address: 0xc0d204 registers.esp: 3734768 registers.edi: 3734768 registers.eax: 0 registers.ebp: 3734796 registers.edx: 2 registers.ebx: 12636698 registers.esi: 0 registers.ecx: 3734804	1
__exception__ June 7, 2024, 9:37 a.m.	stacktrace: lana+0x2e630b @ 0xca630b lana+0x2e7717 @ 0xca7717 lana+0x2708dc @ 0xc308dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: lana+0x24d204 exception.instruction: ud2 exception.module: lana.exe exception.exception_code: 0xc000001d exception.offset: 2413060 exception.address: 0xc0d204 registers.esp: 3734768 registers.edi: 13226124 registers.eax: 0 registers.ebp: 3734796 registers.edx: 2 registers.ebx: 7696384 registers.esi: 11890688 registers.ecx: 2232352832	1

Performs some HTTP requests (1 event)

request

GET https://db-ip.com/demo/home.php?s=175.208.134.152

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 7, 2024, 9:37 a.m.	process_identifier: 2652 region_size: 2936832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:37 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:37 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:37 a.m.	process_identifier: 2652 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02494000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:37 a.m.	process_identifier: 2652 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02494000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:37 a.m.	process_identifier: 2652 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:37 a.m.	process_identifier: 2652 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:37 a.m.	process_identifier: 2652 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:37 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:37 a.m.	process_identifier: 2652 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:37 a.m.	process_identifier: 2652 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:37 a.m.	process_identifier: 2652 region_size: 606208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:37 a.m.	process_identifier: 2652 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:37 a.m.	process_identifier: 2652 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:37 a.m.	process_identifier: 2652 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW June 7, 2024, 9:38 a.m.	thread_identifier: 2796 thread_handle: 0x0000015c process_identifier: 2792 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000160	1	1	0
CreateProcessInternalW June 7, 2024, 9:38 a.m.	thread_identifier: 2880 thread_handle: 0x00000168 process_identifier: 2876 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000164	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (6 events)

section

{u'size_of_data': u'0x00093c00', u'virtual_address': u'0x00001000', u'entropy': 7.999529966948939, u'name': u'', u'virtual_size': u'0x0015c000'}

entropy

7.99952996695

description