Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 30, 2024, 1:54 p.m.	July 30, 2024, 1:56 p.m.

Size	3.4MB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`81e9262f4a1fb09caf782d12339c4b9d`
SHA256	`cb2d14cc82e19f4cc17d52e84083ef2e83ad5d271f33a493e98f13e87166550a`
CRC32	`90D56B15`
ssdeep	`98304:Q7BfZzoU5Kjj5zfsKOs8PJbdAYmDFyoD:Q7BfZkwKjJsxPJ6HR`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsDLL - (no description) IsPE64 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ms2.bin_dec.dll,in
3036
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ms2.bin_dec.dll,in
  2396
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ms2.bin_dec.dll,out
2208
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ms2.bin_dec.dll,out
  2376
  - WsatConfig.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"
    2124
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ms2.bin_dec.dll,
2272

Name	Response	Post-Analysis Lookup
ownqs.com-info.bid	A 5.189.175.70	5.189.175.70

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 30, 2024, 1:47 p.m.			0	0
IsDebuggerPresent July 30, 2024, 1:47 p.m.			0	0
IsDebuggerPresent July 30, 2024, 1:47 p.m.			0	0
IsDebuggerPresent July 30, 2024, 1:47 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 30, 2024, 1:47 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	DB
resource name	DLL

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 57 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001fd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000aa0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e61000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef24fb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002a20000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e62000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e62000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e62000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e62000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e62000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e62000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e62000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e62000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e62000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e62000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e62000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e64000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e64000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e64000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e64000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe926ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9276c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92796000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe926cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe926db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe926bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9270c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe926dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe928a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe926b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe926ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe928a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe926cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe928b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe928b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9270d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe928b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Foreign language identified in PE resource (2 events)

name

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0004e700

size

0x00312dd7

name

DLL

language

LANG_KOREAN

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_KOREAN

offset

0x0002a100

size

0x00024600

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\0029.bat
file	C:\ProgramData\Microsoft\Windows\msort.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00337800', u'virtual_address': u'0x0002a000', u'entropy': 7.958767619455067, u'name': u'.rsrc', u'virtual_size': u'0x00337658'}

entropy

7.95876761946

description

A section with a high entropy has been found

entropy

0.95769733973

description

Overall entropy of this PE file is high

Yara rule detected in process memory (14 events)

description	Take ScreenShot	rule	ScreenShot
description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess July 30, 2024, 1:47 p.m.	status_code: 0x00000001 process_identifier: 1680 process_handle: 0x0000000000000168		0	0
NtTerminateProcess July 30, 2024, 1:47 p.m.	status_code: 0x00000001 process_identifier: 1680 process_handle: 0x0000000000000168	1	0	0

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000174	1	0	0
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 1680 region_size: 4096000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000168		-1073741800	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs				reg_value	C:\ProgramData\Microsoft\Windows\msort.dll
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs				reg_value	C:\ProgramData\Microsoft\Windows\msort.dll

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2396 manipulating memory of non-child process 1680
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 1680 region_size: 4096000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000168		-1073741800	0

Installs itself in AppInit to inject into new processes (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2376 called NtSetContextThread to modify thread in remote process 2124
NtSetContextThread July 30, 2024, 1:47 p.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 4194304 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2752312 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 1999357184 registers.rdx: 8796092841984 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x0000000000000170 process_identifier: 2124	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2376 resumed a thread in remote process 2124
NtResumeThread July 30, 2024, 1:47 p.m.	thread_handle: 0x0000000000000170 suspend_count: 1 process_identifier: 2124	1	0	0

Executed a process and injected code into it, probably while unpacking (13 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 30, 2024, 1:54 p.m.	thread_identifier: 2372 thread_handle: 0x000000dc process_identifier: 2396 current_directory: filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ms2.bin_dec.dll,in filepath_r: C:\Windows\system32\rundll32.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000d8	1	1
CreateProcessInternalW July 30, 2024, 1:54 p.m.	thread_identifier: 2380 thread_handle: 0x000000dc process_identifier: 2376 current_directory: filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ms2.bin_dec.dll,out filepath_r: C:\Windows\system32\rundll32.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000d8	1	1
CreateProcessInternalW July 30, 2024, 1:47 p.m.	thread_identifier: 2120 thread_handle: 0x0000000000000170 process_identifier: 2124 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000174	1	1
NtGetContextThread July 30, 2024, 1:47 p.m.	thread_handle: 0x0000000000000170	1	0
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 2124 region_size: 4096000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000174	1	0
NtSetContextThread July 30, 2024, 1:47 p.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 4194304 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2752312 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 1999357184 registers.rdx: 8796092841984 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x0000000000000170 process_identifier: 2124	1	0
NtResumeThread July 30, 2024, 1:47 p.m.	thread_handle: 0x0000000000000170 suspend_count: 1 process_identifier: 2124	1	0
CreateProcessInternalW July 30, 2024, 1:47 p.m.	thread_identifier: 1392 thread_handle: 0x0000000000000164 process_identifier: 1680 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000168	1	1
NtGetContextThread July 30, 2024, 1:47 p.m.	thread_handle: 0x0000000000000164	1	0
NtAllocateVirtualMemory July 30, 2024, 1:47 p.m.	process_identifier: 1680 region_size: 4096000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000168		-1073741800
NtResumeThread July 30, 2024, 1:47 p.m.	thread_handle: 0x00000000000000fc suspend_count: 1 process_identifier: 2124	1	0
NtResumeThread July 30, 2024, 1:47 p.m.	thread_handle: 0x000000000000016c suspend_count: 1 process_identifier: 2124	1	0
NtResumeThread July 30, 2024, 1:47 p.m.	thread_handle: 0x00000000000001b0 suspend_count: 1 process_identifier: 2124	1	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Bkav	W64.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
ALYac	Trojan.GenericKD.73272252
Cylance	Unsafe
VIPRE	Trojan.GenericKD.73272252
BitDefender	Trojan.GenericKD.73272252
K7GW	Trojan ( 005b7a591 )
Arcabit	Trojan.Generic.D45E0BBC
ESET-NOD32	a variant of Win64/Agent.EBC
APEX	Malicious
McAfee	Artemis!81E9262F4A1F
Avast	Win64:MalwareX-gen [Trj]
Kaspersky	Trojan.MSIL.Quasar.crf
MicroWorld-eScan	Trojan.GenericKD.73272252
Rising	Trojan.Agent!8.B1E (CLOUD)
Emsisoft	Trojan.GenericKD.73272252 (B)
F-Secure	Trojan.TR/Agent.pmtbl
TrendMicro	TROJ_GEN.R014C0XGQ24
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.81e9262f4a1fb09c
Google	Detected
Avira	TR/Agent.pmtbl
MAX	malware (ai score=82)
Antiy-AVL	Trojan/Win64.Agent
Microsoft	Program:Win32/Wacapew.C!ml
ZoneAlarm	Trojan.MSIL.Quasar.crf
GData	Trojan.GenericKD.73272252
Varist	W64/ABTrojan.OSWN-2006
DeepInstinct	MALICIOUS
Ikarus	Trojan.Win64.Agent
Tencent	Malware.Win32.Gencirc.1411c606
MaxSecure	Trojan.Malware.8426628.susgen
Fortinet	W64/Agent.EBC!tr
AVG	Win64:MalwareX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (W)

ms2.bin_dec.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All