Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 11, 2024, 2:21 p.m.	Aug. 11, 2024, 2:31 p.m.

Size	6.5MB
Type	MS-DOS executable, MZ for MS-DOS
MD5	`f2908c73543719738bea99c02fdafe00`
SHA256	`be9862ad765af7e71a322549640747a6952c4e8bc18b6568c4781df33f0bbfd6`
CRC32	`EF4D266A`
ssdeep	`196608:HSpxdHp8lQbLfamxV06mpg2fsT0A0F+kuwN9:4HamxVBmpdfsT0q4`
Yara	PE_Header_Zero - PE File Signature MPRESS_Zero - MPRESS packed file IsPE32 - (no description)

66b382f122c02_stk.exe "C:\Users\test22\AppData\Local\Temp\66b382f122c02_stk.exe"
1572
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
  2148
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
  2212
- 66b382f122c02_stk.exe "C:\Users\test22\AppData\Local\Temp\66b382f122c02_stk.exe"
  2344
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
77.105.164.24	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 77.105.164.24:50505 -> 192.168.56.103:49163	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.103:49163 -> 77.105.164.24:50505	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 77.105.164.24:50505 -> 192.168.56.103:49169	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 77.105.164.24:50505	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 11, 2024, 2:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2024, 2:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2024, 2:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2024, 2:21 p.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Aug. 11, 2024, 2:21 p.m.	buffer: SUCCESS: The scheduled task "jewkkwnf HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW Aug. 11, 2024, 2:21 p.m.	buffer: SUCCESS: The scheduled task "jewkkwnf LG" has successfully been created. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 11, 2024, 2:21 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.MPRESS1
section	.MPRESS2

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ Aug. 11, 2024, 2:21 p.m.	stacktrace: 66b382f122c02_stk+0xcc4a86 @ 0x10c4a86 66b382f122c02_stk+0xcb8847 @ 0x10b8847 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 5a 84 f8 8a 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1638148 registers.edi: 5353472 registers.eax: 1638148 registers.ebp: 1638228 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2006021163 registers.ecx: 1349910528	1
__exception__ Aug. 11, 2024, 2:21 p.m.	stacktrace: exception.instruction_r: ed e9 07 4b ff ff c3 e9 48 6b 01 00 db 67 0a 00 exception.symbol: 66b382f122c02_stk+0xce6bbf exception.instruction: in eax, dx exception.module: 66b382f122c02_stk.exe exception.exception_code: 0xc0000096 exception.offset: 13527999 exception.address: 0x10e6bbf registers.esp: 1638268 registers.edi: 15997661 registers.eax: 1750617430 registers.ebp: 5353472 registers.edx: 2130532438 registers.ebx: 2147483650 registers.esi: 14663540 registers.ecx: 20	1
__exception__ Aug. 11, 2024, 2:21 p.m.	stacktrace: exception.instruction_r: ed e9 3a e1 ff ff 4f 7e a2 c1 e2 08 8b 4c 24 0c exception.symbol: 66b382f122c02_stk+0xcff5e3 exception.instruction: in eax, dx exception.module: 66b382f122c02_stk.exe exception.exception_code: 0xc0000096 exception.offset: 13628899 exception.address: 0x10ff5e3 registers.esp: 1638268 registers.edi: 15997661 registers.eax: 1447909480 registers.ebp: 5353472 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 14663540 registers.ecx: 10	1
__exception__ Aug. 11, 2024, 2:22 p.m.	stacktrace: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x777840f2 EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77784736 RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x77785942 RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x777875f4 RtlLogStackBackTrace+0x828 RtlTraceDatabaseCreate-0x108 ntdll+0xc79d8 @ 0x777879d8 MD5Final+0x9cb0 TpDbgSetLogRoutine-0x6920 ntdll+0x9c280 @ 0x7775c280 RtlSubAuthorityCountSid+0xcc8 RtlCompareUnicodeStrings-0x4b8 ntdll+0x31df8 @ 0x776f1df8 RtlSubAuthorityCountSid+0xb50 RtlCompareUnicodeStrings-0x630 ntdll+0x31c80 @ 0x776f1c80 RtlAllocateHeap+0x178 AlpcGetMessageAttribute-0x14e8 ntdll+0x53518 @ 0x77713518 RtlUpcaseUnicodeChar+0x342 EtwEventEnabled-0x12e ntdll+0x2bf82 @ 0x776ebf82 RtlQueryEnvironmentVariable+0x70c _wcsicmp-0x744 ntdll+0x2623c @ 0x776e623c RtlAllocateHeap+0xe8 AlpcGetMessageAttribute-0x1578 ntdll+0x53488 @ 0x77713488 I_RpcGetBufferWithObject+0x2cf I_RpcNegotiateTransferSyntax-0x1241 rpcrt4+0x4868f @ 0x7fefdf6868f NdrConformantStringUnmarshall+0x80a NdrConformantArrayUnmarshall-0x196 rpcrt4+0x4091a @ 0x7fefdf6091a I_RpcBindingCopy+0x55 I_RpcClearMutex-0x6ab rpcrt4+0x4e9e5 @ 0x7fefdf6e9e5 NDRCContextBinding+0x146b I_RpcBindingCopy-0x45 rpcrt4+0x4e94b @ 0x7fefdf6e94b NDRCContextBinding+0x1034 I_RpcBindingCopy-0x47c rpcrt4+0x4e514 @ 0x7fefdf6e514 Ndr64AsyncClientCall+0x49e NdrClientCall3-0xb32 rpcrt4+0xdc2fe @ 0x7fefdffc2fe Ndr64AsyncClientCall+0xe76 NdrClientCall3-0x15a rpcrt4+0xdccd6 @ 0x7fefdffccd6 NdrClientCall3+0xf5 Ndr64AsyncServerCall64-0x1c9b rpcrt4+0xdcf25 @ 0x7fefdffcf25 NdrFullPointerQueryPointer+0x2e2 NdrDllCanUnloadNow-0x5fe rpcrt4+0x22852 @ 0x7fefdf42852 RpcBindingInqAuthInfoExW+0x1216 TowerConstruct-0x45a rpcrt4+0x377b6 @ 0x7fefdf577b6 RpcBindingInqAuthInfoExW+0x1059 TowerConstruct-0x617 rpcrt4+0x375f9 @ 0x7fefdf575f9 RpcBindingInqAuthInfoExW+0xf9b TowerConstruct-0x6d5 rpcrt4+0x3753b @ 0x7fefdf5753b RpcBindingInqAuthInfoExW+0xea9 TowerConstruct-0x7c7 rpcrt4+0x37449 @ 0x7fefdf57449 RpcBindingInqAuthInfoExW+0xd17 TowerConstruct-0x959 rpcrt4+0x372b7 @ 0x7fefdf572b7 RpcMgmtSetComTimeout+0xae NdrConformantStringMemorySize-0x682 rpcrt4+0x3804e @ 0x7fefdf5804e NdrByteCountPointerUnmarshall+0xa0c RpcStringFreeW-0xa4 rpcrt4+0x3941c @ 0x7fefdf5941c I_RpcNegotiateTransferSyntax+0xab RpcAsyncRegisterInfo-0x1995 rpcrt4+0x4997b @ 0x7fefdf6997b Ndr64AsyncClientCall+0xa23 NdrClientCall3-0x5ad rpcrt4+0xdc883 @ 0x7fefdffc883 Ndr64AsyncClientCall+0xc9b NdrClientCall3-0x335 rpcrt4+0xdcafb @ 0x7fefdffcafb NdrClientCall3+0xf5 Ndr64AsyncServerCall64-0x1c9b rpcrt4+0xdcf25 @ 0x7fefdffcf25 WscGetSecurityProviderHealth+0x903 wscapi+0x704b @ 0x7fef380704b RtlLookupEntryHashTable+0x341 RtlDeregisterWaitEx-0x1bf ntdll+0xc271 @ 0x776cc271 TpReleaseIoCompletion+0x84c TpDisassociateCallback-0x374 ntdll+0x1656c @ 0x776d656c RtlRealSuccessor+0x136 TpCallbackMayRunLong-0x65a ntdll+0x20c26 @ 0x776e0c26 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00 exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 exception.instruction: jmp 0x777840f4 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 803058 exception.address: 0x777840f2 registers.r14: 0 registers.r15: 0 registers.rcx: 73913664 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 73924512 registers.r11: 646 registers.r8: 3668801806742034531 registers.r9: 1460712879 registers.rdx: 2004857936 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1930982254 registers.r13: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 195 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7580c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7580c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ab000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ab000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7586f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7580c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75608000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7580a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7580c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7580a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk
file	C:\Users\test22\AppData\Local\Temp\PowerExpertNNT\PowerExpertNNT.exe
file	C:\Users\test22\AppData\Local\Temp\66b382f122c02_stk.exe
file	C:\Users\test22\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe
file	C:\ProgramData\jewkkwnf\jewkkwnf.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\PowerExpertNNT\PowerExpertNNT.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Aug. 11, 2024, 2:21 p.m.	thread_identifier: 2152 thread_handle: 0x000000f0 process_identifier: 2148 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000fc	1	1	0
CreateProcessInternalW Aug. 11, 2024, 2:21 p.m.	thread_identifier: 2216 thread_handle: 0x00000268 process_identifier: 2212 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000270	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 11, 2024, 2:21 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00280000 process_handle: 0xffffffff	1	0	0

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW Aug. 11, 2024, 2:21 p.m.	newfilepath_r: C:\Users\test22\AppData\Local\Temp\66b382f122c02_stk.exeffrsUDFNx8CBJehT flags: 2 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\66b382f122c02_stk.exe newfilepath: C:\Users\test22\AppData\Local\Temp\66b382f122c02_stk.exeffrsUDFNx8CBJehT oldfilepath: C:\Users\test22\AppData\Local\Temp\66b382f122c02_stk.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00663600', u'virtual_address': u'0x00001000', u'entropy': 7.999974647863129, u'name': u'.MPRESS1', u'virtual_size': u'0x01367000'}

entropy

7.99997464786

description

A section with a high entropy has been found

entropy

0.978607225671

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST

Communicates with host for which no DNS query was performed (1 event)

host

77.105.164.24

Checks for the presence of known windows from debuggers and forensic tools (12 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Aug. 11, 2024, 2:21 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 11, 2024, 2:21 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 11, 2024, 2:21 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 11, 2024, 2:21 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:21 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:21 p.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 11, 2024, 2:21 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 11, 2024, 2:21 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:21 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:21 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 11, 2024, 2:21 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 11, 2024, 2:21 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6	reg_value	C:\Users\test22\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST

Creates an executable file in a user folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\66b382f122c02_stk.exe

Deletes executed files from disk (1 event)

file	C:\ProgramData\jewkkwnf\jewkkwnf.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\66b382f122c02_stk.exe

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 11, 2024, 2:21 p.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 11, 2024, 2:21 p.m.	stacktrace: exception.instruction_r: ed e9 3a e1 ff ff 4f 7e a2 c1 e2 08 8b 4c 24 0c exception.symbol: 66b382f122c02_stk+0xcff5e3 exception.instruction: in eax, dx exception.module: 66b382f122c02_stk.exe exception.exception_code: 0xc0000096 exception.offset: 13628899 exception.address: 0x10ff5e3 registers.esp: 1638268 registers.edi: 15997661 registers.eax: 1447909480 registers.ebp: 5353472 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 14663540 registers.ecx: 10	1	0	0

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.GenericCryptor.m5oU
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.vc
ALYac	Trojan.GenericKD.73807381
Cylance	Unsafe
VIPRE	Trojan.GenericKD.73807381
Sangfor	Trojan.Win32.Save.ShadowBrokersC
BitDefender	Trojan.GenericKD.73807381
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Generik.GPBUSP
Avast	Win32:Malware-gen
Kaspersky	Trojan-PSW.Win32.RisePro.sfe
MicroWorld-eScan	Trojan.GenericKD.73807381
Rising	Stealer.RisePro!8.176E1 (C64:YzY0Om1k7nEo0OPn)
Emsisoft	Trojan.GenericKD.73807381 (B)
DrWeb	Trojan.MulDrop28.3097
TrendMicro	Trojan.Win32.PRIVATELOADER.YXEHGZ
McAfeeD	Real Protect-LS!F2908C735437
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.f2908c7354371973
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Google	Detected
MAX	malware (ai score=88)
Antiy-AVL	Trojan/Win32.Convagent
Gridinsoft	Ransom.Win32.Wacatac.cl
ZoneAlarm	Trojan-PSW.Win32.RisePro.sfe
GData	Trojan.GenericKD.73807381
BitDefenderTheta	Gen:NN.ZexaF.36810.@pqaaSAl2rni
DeepInstinct	MALICIOUS
Malwarebytes	Malware.Heuristic.2022
Ikarus	Trojan.Win32.Krypt
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.PRIVATELOADER.YXEHGZ
Tencent	Win32.Trojan-QQPass.QQRob.Rsmw
Yandex	Trojan.PWS.RisePro!gIbsCTjq974
Fortinet	PossibleThreat.MU
AVG	Win32:Malware-gen
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_70% (W)

66b382f122c02_stk.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All