66ebb3bf78bd6_Send.exe#111us300

This executable has a PDB path (1 event)

pdb_path

d:\a42sr32\win32_x86\release\pdb\UniverseDesigner\designer.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	REGISTRY
resource name	TYPELIB

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header, Connection to IP address

suspicious_request

POST http://45.202.35.101/pLQvfD4d/index.php

Performs some HTTP requests (1 event)

request

POST http://45.202.35.101/pLQvfD4d/index.php

Sends data using the HTTP POST Method (1 event)

request

POST http://45.202.35.101/pLQvfD4d/index.php

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 98304 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040b000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 53248 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00664000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 28672 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0066a000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2004 region_size: 100003840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02140000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00676000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00679000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00680000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 221184 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00684000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 184320 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0068d000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 430080 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ca000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2004 region_size: 454656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 196608 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b9000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 167936 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 430080 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ca000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\Pictures\DreamifyCorp\ClientSecureUpdater.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section	{u'size_of_data': u'0x00136800', u'virtual_address': u'0x001b2000', u'entropy': 6.891243887150608, u'name': u'.rsrc', u'virtual_size': u'0x001366d8'}				entropy	6.89124388715				description	A section with a high entropy has been found
entropy	0.419807334798				description	Overall entropy of this PE file is high

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: f8ad1fdb0c158551e2efd59df1487e5b53c4bb77

Communicates with host for which no DNS query was performed (1 event)

host	45.202.35.101

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2204 region_size: 454656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x000000b0	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Dell

reg_value

C:\Users\test22\Pictures\DreamifyCorp\ClientSecureUpdater.exe

Manipulates memory of a non-child process indicative of process injection (2 events)

Process injection	Process 2004 manipulating memory of non-child process 2204
Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2204 region_size: 454656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x000000b0	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Process injection	Process 2004 injected into non-child 2204
Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 21, 2024, 1:47 p.m.	buffer:  base_address: 0x7efde008 process_identifier: 2204 process_handle: 0x000000b0	1	1	0

Executed a process and injected code into it, probably while unpacking (5 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 21, 2024, 1:47 p.m.	thread_identifier: 2208 thread_handle: 0x000000ac process_identifier: 2204 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\66ebb3bf78bd6_Send.exe#111us300 track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\66ebb3bf78bd6_Send.exe#111us300 stack_pivoted: 0 creation_flags: 2 (DEBUG_ONLY_THIS_PROCESS) inherit_handles: 0 process_handle: 0x000000b0	1	1	0
NtGetContextThread Sept. 21, 2024, 1:47 p.m.	thread_handle: 0x000000ac	1	0	0
NtAllocateVirtualMemory Sept. 21, 2024, 1:47 p.m.	process_identifier: 2204 region_size: 454656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x000000b0	1	0	0
WriteProcessMemory Sept. 21, 2024, 1:47 p.m.	buffer: base_address: 0x001f0000 process_identifier: 2204 process_handle: 0x000000b0	1	1	0
WriteProcessMemory Sept. 21, 2024, 1:47 p.m.	buffer:  base_address: 0x7efde008 process_identifier: 2204 process_handle: 0x000000b0	1	1	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Lionic	Trojan.Win32.Generic.4!c
Cynet	Malicious (score: 99)
Skyhigh	Artemis!Trojan
ALYac	Trojan.GenericKD.74160259
VIPRE	Trojan.GenericKD.74160259
BitDefender	Trojan.GenericKD.74160259
Arcabit	Trojan.Generic.D46B9883
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/GenKryptik.HBVT
Avast	Win32:Malware-gen
MicroWorld-eScan	Trojan.GenericKD.74160259
Emsisoft	Trojan.GenericKD.74160259 (B)
F-Secure	Trojan.TR/AVI.Agent.yqzgd
TrendMicro	Trojan.Win32.AMADEY.YXEISZ
McAfeeD	ti!6B89CDFE0D3E
CTX	exe.trojan.amadey
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Krypt
FireEye	Trojan.GenericKD.74160259
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/AVI.Agent.yqzgd
Kingsoft	Win32.Hack.Androm.gen
Gridinsoft	Trojan.Win32.Amadey.tr
Xcitium	Malware@#szfp2b8day44
Microsoft	Trojan:Win32/Acll
GData	Trojan.GenericKD.74160259
Varist	W32/ABTrojan.IJKI-3578
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Dropper.SFX
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXEISZ
Tencent	Win32.Trojan.FalseSign.Ckjl
Fortinet	W32/GenKryptik.HBUB!tr
AVG	Win32:Malware-gen
Paloalto	generic.ml