Summary

Category	Machine	Started	Completed
ARCHIVE	s1_win7_x6401	Nov. 3, 2024, 1:39 p.m.	Nov. 3, 2024, 1:40 p.m.

Archive DocTromTinNhan.exe @ DocTromTinNhan.exe.zip

Size	8.2MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`25dd80dc8b9c5e1afc5afb8c47253681`
SHA1	`f81e4c630035dfff854fb0a2907297efa33c9545`
SHA256	`82fe9fea0b7043c668a9bf291248035c3bdc75496ca0fbaf10be4e1e138a55a5`
SHA512	`d7a6312e79e6271baec373e7726f62998a810648276d0f7b4c5ef1f76886b742c107633a81548976e40cef9c8c4472feb93c185054656c6a5ffdfaf4ae810749`
CRC32	`30DA4F3F`
ssdeep	`196608:giEk6XeI0H9onJ5hrZERoyiU8AdZYJERMEzsDyrTaup:BEk6n29c5hlER0AdZYy+0tr/`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature ASPack_Zero - ASPack packed file IsPE64 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

DocTromTinNhan.exe "C:\Users\test22\AppData\Local\Temp\DocTromTinNhan.exe"
2540
- DocTromTinNhan.exe "C:\Users\test22\AppData\Local\Temp\DocTromTinNhan.exe"
  2684

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 3, 2024, 1:39 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 3, 2024, 1:39 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 3, 2024, 1:39 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI25402\VCRUNTIME140_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25402\pywin32_system32\pywintypes39.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25402\VCRUNTIME140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25402\python39.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25402\libffi-7.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25402\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25402\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25402\libssl-1_1.dll

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0000f600', u'virtual_address': u'0x00047000', u'entropy': 7.554976062358976, u'name': u'.rsrc', u'virtual_size': u'0x0000f41c'}

entropy

7.55497606236

description

A section with a high entropy has been found

Yara rule detected in process memory (50 out of 64 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl

Archive DocTromTinNhan.exe @ DocTromTinNhan.exe.zip

Summary

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All