Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 2, 2024, 2:33 p.m.	Oct. 2, 2024, 2:38 p.m.

Size	1.6MB
Type	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5	`c63888086e1646654a1e162fde69c0ff`
SHA256	`262fb2e45f9b66956236f89f4cbeac22ee3d011832263a28ed7f632a22ae87d7`
CRC32	`0A70B1F7`
ssdeep	`1536:Cz87aBaU8MENpImB8g0fCSjkXCR6cidzXXeF/LeKCO+RiboFN+LQ81fIgOz2ABPA:s87awfM2B85CSQSsXZXSeKGo7BvOiGI`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\cc.js
3036
- GeUT.exe "C:\Users\test22\AppData\Local\Temp\GeUT.exe"
  1376
  - GeUT.exe "C:\Users\test22\AppData\Local\Temp\GeUT.exe"
    156

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 2, 2024, 2:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 2, 2024, 2:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 2, 2024, 2:33 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 2, 2024, 2:33 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:33 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:33 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:33 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:33 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:33 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 2, 2024, 2:33 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (42 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 1376 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73de1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73de2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 1376 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02070000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00402000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00435000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00426000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00791000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02010000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02110000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00352000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00385000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0038b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00387000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0036c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00376000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0037a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00377000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0035a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0036a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00671000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72582000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0035c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x723a3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722f2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72633000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72603000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Oct. 2, 2024, 2:33 p.m.	total_number_of_free_bytes: 9119096832 free_bytes_available: 9119096832 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\GeUT.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 2, 2024, 2:33 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 2, 2024, 2:33 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (13 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Win XWorm V3.1	rule	Win_XWorm_3_M_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Remote Administration toolkit using webcam	rule	RAT_WebCam

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000238		3221225496	0
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000238	1	0	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows				reg_value	C:\Users\test22\AppData\Local\Temp\GeUT.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate				reg_value	C:\Users\test22\AppData\Roaming\Service.exe

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 2, 2024, 2:33 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¯èúfà¨îÆ à@ @ÆWàà H.textô¦ ¨ `.rsrcààª@@.reloc°@B base_address: 0x000e0000 process_identifier: 156 process_handle: 0x00000238	1	1
WriteProcessMemory Oct. 2, 2024, 2:33 p.m.	buffer: 8Ph àLðâêL4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¬StringFileInfo000004b0,FileDescription 0FileVersion1.0.0.0< InternalName3XClient.exe(LegalCopyright D OriginalFilename3XClient.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x000ee000 process_identifier: 156 process_handle: 0x00000238	1	1
WriteProcessMemory Oct. 2, 2024, 2:33 p.m.	buffer: Àð6 base_address: 0x000f0000 process_identifier: 156 process_handle: 0x00000238	1	1
WriteProcessMemory Oct. 2, 2024, 2:33 p.m.	buffer: base_address: 0x7efde008 process_identifier: 156 process_handle: 0x00000238	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 2, 2024, 2:33 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¯èúfà¨îÆ à@ @ÆWàà H.textô¦ ¨ `.rsrcààª@@.reloc°@B base_address: 0x000e0000 process_identifier: 156 process_handle: 0x00000238	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Oct. 2, 2024, 2:33 p.m.	thread_identifier: 0 callback_function: 0x00790852 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	786793	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1376 called NtSetContextThread to modify thread in remote process 156
NtSetContextThread Oct. 2, 2024, 2:33 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245230 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000023c process_identifier: 156	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Users\test22\AppData\Local\Temp\GeUT.exe"
parent_process	wscript.exe				martian_process	C:\Users\test22\AppData\Local\Temp\GeUT.exe

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (1 event)

Time & API	Arguments	Status	Return	Repeated
CryptHashData Oct. 2, 2024, 2:33 p.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x005c1ea8 flags: 0	1	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1376 resumed a thread in remote process 156
NtResumeThread Oct. 2, 2024, 2:33 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 156	1	0	0

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Lionic	Trojan.Media.Tnega.m!c
Cynet	Malicious (score: 99)
CTX	mp3.trojan.dldr
Skyhigh	JS/Vjw0rm.b
Symantec	ISB.Dropper!gen1
Avast	JS:Skiddo-A [Trj]
Kaspersky	Backdoor.Script.Agent.d
Rising	Trojan.Tnega/JS!8.13356 (TOPIS:E0:GZLV9koidTT)
F-Secure	Malware.JS/Dldr.G17
DrWeb	JS.DownLoader.5752
Ikarus	Trojan.JS.Agent
Google	Detected
Avira	JS/Dldr.G17
Microsoft	Trojan:JS/Tnega.SMK!MTB
ZoneAlarm	Backdoor.Script.Agent.d
Varist	JS/Agent.BBJ
McAfee	JS/Vjw0rm.b
Tencent	Script.Backdoor.Agent.Itgl
Fortinet	JS/AutoRun.NAM!tr
AVG	JS:Skiddo-A [Trj]
alibabacloud	Backdoor:Javascript/Tnega.SZJ2XJC

Executed a process and injected code into it, probably while unpacking (24 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 2, 2024, 2:33 p.m.	thread_identifier: 1188 thread_handle: 0x000003a0 process_identifier: 1376 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\GeUT.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\GeUT.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\GeUT.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003a8	1	1
NtResumeThread Oct. 2, 2024, 2:33 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1376	1	0
NtResumeThread Oct. 2, 2024, 2:33 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1376	1	0
NtResumeThread Oct. 2, 2024, 2:33 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 1376	1	0
CreateProcessInternalW Oct. 2, 2024, 2:33 p.m.	thread_identifier: 2312 thread_handle: 0x0000023c process_identifier: 156 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\GeUT.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\GeUT.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\GeUT.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000238	1	1
NtGetContextThread Oct. 2, 2024, 2:33 p.m.	thread_handle: 0x0000023c	1	0
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000238		3221225496
NtAllocateVirtualMemory Oct. 2, 2024, 2:33 p.m.	process_identifier: 156 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000238	1	0
WriteProcessMemory Oct. 2, 2024, 2:33 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¯èúfà¨îÆ à@ @ÆWàà H.textô¦ ¨ `.rsrcààª@@.reloc°@B base_address: 0x000e0000 process_identifier: 156 process_handle: 0x00000238	1	1
WriteProcessMemory Oct. 2, 2024, 2:33 p.m.	buffer: base_address: 0x000e2000 process_identifier: 156 process_handle: 0x00000238	1	1
WriteProcessMemory Oct. 2, 2024, 2:33 p.m.	buffer: 8Ph àLðâêL4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¬StringFileInfo000004b0,FileDescription 0FileVersion1.0.0.0< InternalName3XClient.exe(LegalCopyright D OriginalFilename3XClient.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x000ee000 process_identifier: 156 process_handle: 0x00000238	1	1
WriteProcessMemory Oct. 2, 2024, 2:33 p.m.	buffer: Àð6 base_address: 0x000f0000 process_identifier: 156 process_handle: 0x00000238	1	1
WriteProcessMemory Oct. 2, 2024, 2:33 p.m.	buffer: base_address: 0x7efde008 process_identifier: 156 process_handle: 0x00000238	1	1
NtSetContextThread Oct. 2, 2024, 2:33 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245230 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000023c process_identifier: 156	1	0
NtResumeThread Oct. 2, 2024, 2:33 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 156	1	0
NtResumeThread Oct. 2, 2024, 2:33 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 156	1	0
NtResumeThread Oct. 2, 2024, 2:33 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 156	1	0
NtResumeThread Oct. 2, 2024, 2:33 p.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 156	1	0
NtResumeThread Oct. 2, 2024, 2:33 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 156	1	0
NtResumeThread Oct. 2, 2024, 2:33 p.m.	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 156	1	0
NtResumeThread Oct. 2, 2024, 2:33 p.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 156	1	0
NtResumeThread Oct. 2, 2024, 2:33 p.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 156	1	0
NtResumeThread Oct. 2, 2024, 2:33 p.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 156	1	0
NtResumeThread Oct. 2, 2024, 2:33 p.m.	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 156	1	0

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Users\test22\AppData\Local\Temp\GeUT.exe

cc.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All