Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Feb. 5, 2025, 11:02 a.m.	Feb. 5, 2025, 11:11 a.m.

Size	27.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`eee37f6f66eafa13d9555dfc9ccb3805`
SHA256	`ca569ad2e113c57c5ddeb1770ae4d63f579df3504306097ff8a16b1cb37dcaa9`
CRC32	`A0A49D93`
ssdeep	`384:fL1M2XwBNOaLNOFE/Av2yeCP1BBvMl7AQk93vmhm7UMKmIEecKdbXTzm9bVhcaM4:Te220M0Wl7A/vMHTi9bD`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

winX32.exe "C:\Users\test22\AppData\Local\Temp\winX32.exe"
1280
- winX32.exe "C:\Users\test22\AppData\Roaming\winX32.exe"
  2260
- attrib.exe attrib +h +r +s "C:\Users\test22\AppData\Roaming\winX32.exe"
  2336
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
sosomyhestor.ddns.net	A 46.153.112.54	46.153.112.54

IP Address	Status	Action
164.124.101.2	Active	Moloch
46.153.112.54	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49170 -> 46.153.112.54:443	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 46.153.112.54:443	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	Malware Command and Control Activity Detected
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 46.153.112.54:443	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 46.153.112.54:443	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 46.153.112.54:443	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 46.153.112.54:443	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 46.153.112.54:443	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	Malware Command and Control Activity Detected
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 46.153.112.54:443	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Feb. 5, 2025, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 5, 2025, 11:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 5, 2025, 11:02 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 5, 2025, 11:02 a.m.			0	0
IsDebuggerPresent Feb. 5, 2025, 11:02 a.m.			0	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 5, 2025, 11:02 a.m.	stacktrace: 0x6c1d98 0x6c1a01 0x6c182d mscorlib+0x216e76 @ 0x72196e76 mscorlib+0x2202ff @ 0x721a02ff mscorlib+0x216df4 @ 0x72196df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73fa1b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73fb8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73fc6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73fc6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73fc6a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x74043191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73ff192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73ff18cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73ff17f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73ff197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x74042f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x7404303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x7410805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 09 e8 26 23 a4 71 8b c8 e8 df 27 97 73 8b f0 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6c2517 registers.esp: 84930476 registers.edi: 38150192 registers.eax: 38015384 registers.ebp: 84930516 registers.edx: 38150192 registers.ebx: 38150132 registers.esi: 0 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Feb. 5, 2025, 11:02 a.m.

stacktrace:

0x6c1d98
0x6c1a01
0x6c182d
mscorlib+0x216e76 @ 0x72196e76
mscorlib+0x2202ff @ 0x721a02ff
mscorlib+0x216df4 @ 0x72196df4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73fa1b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73fb8dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73fc6a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73fc6a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73fc6a7d
DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x74043191
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73ff192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73ff18cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73ff17f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73ff197d
DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x74042f62
DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x7404303c
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x7410805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 39 09 e8 26 23 a4 71 8b c8 e8 df 27 97 73 8b f0
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6c2517
registers.esp: 84930476
registers.edi: 38150192
registers.eax: 38015384
registers.ebp: 84930516
registers.edx: 38150192
registers.ebx: 38150132
registers.esi: 0
registers.ecx: 0

Connects to a Dynamic DNS Domain (1 event)

domain

sosomyhestor.ddns.net

Allocates read-write-execute memory (usually to unpack itself) (50 out of 61 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74021000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cfa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74022000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cf2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d37000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d05000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d06000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01cfb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 10:55 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000045c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00442000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00454000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00472000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00456000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05140000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00443000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05141000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:02 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

winX32.exe tried to sleep 180 seconds, actually delayed analysis time by 180 seconds

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
file	C:\Users\test22\AppData\Roaming\winX32.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\winX32.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\winX32.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Feb. 5, 2025, 10:55 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Feb. 5, 2025, 10:55 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Feb. 5, 2025, 11:02 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

attrib +h +r +s "C:\Users\test22\AppData\Roaming\winX32.exe"

Installs itself for autorun at Windows startup (50 out of 180 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows2	reg_value	C:\Users\test22\AppData\Roaming\winX32.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows2	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Generic.lWjm
CAT-QuickHeal	Trojan.GenericFC.S17873958
Skyhigh	BehavesLike.Win32.BackdoorNJRat.mm
ALYac	Generic.MSIL.Bladabindi.C7664687
Cylance	Unsafe
VIPRE	Generic.MSIL.Bladabindi.C7664687
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Generic.MSIL.Bladabindi.C7664687
K7GW	Trojan ( 004915961 )
K7AntiVirus	Trojan ( 004915961 )
Arcabit	Generic.MSIL.Bladabindi.CD74F42F
VirIT	Backdoor.Win32.BladabindiNET.J
Symantec	Backdoor.Ratenjay
Elastic	Windows.Trojan.Njrat
ESET-NOD32	a variant of MSIL/Bladabindi.AS
APEX	Malicious
Avast	Win32:KeyloggerX-gen [Trj]
ClamAV	Win.Dropper.Nanocore-10030076-0
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Backdoor:MSIL/AsyncRat.e955479e
NANO-Antivirus	Trojan.Win32.Bladabindi.kvmqvs
MicroWorld-eScan	Generic.MSIL.Bladabindi.C7664687
Rising	Backdoor.njRAT!1.D4D6 (CLASSIC)
Emsisoft	Generic.MSIL.Bladabindi.C7664687 (B)
F-Secure	Trojan.TR/Dropper.Gen7
DrWeb	BackDoor.BladabindiNET.9
Zillya	Trojan.Bladabindi.Win32.23092
TrendMicro	BKDR_BLADABI.SMC
McAfeeD	Real Protect-LS!EEE37F6F66EA
Trapmine	malicious.moderate.ml.score
CTX	exe.trojan.bladabindi
Sophos	Mal/AsyncRat-B
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.eee37f6f66eafa13
Jiangmin	AdWare.Amonetize.ammc
Google	Detected
Avira	TR/Dropper.Gen7
Kingsoft	malware.kb.c.1000
Gridinsoft	Ransom.Win32.Bladabindi.sa
Microsoft	Backdoor:MSIL/AsyncRat!atmn
GData	MSIL.Trojan.Bladabindi.BW
Varist	W32/MSIL_Bladabindi.GD.gen!Eldorado
AhnLab-V3	Backdoor/Win32.Bladabindi.R137413
McAfee	BackDoor-NJRat!EEE37F6F66EA
DeepInstinct	MALICIOUS
VBA32	Trojan.MSIL.Autorave.Heur
Malwarebytes	Bladabindi.Backdoor.Bot.DDS
Ikarus	Trojan.MSIL.Agent
Panda	Trj/GdSda.A

winX32.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All