Summary | ZeroBOX

simo_exe_ws1011706983.exe

Category Machine Started Completed
FILE s1_win7_x6401 March 9, 2021, 3:12 p.m. March 9, 2021, 3:15 p.m.
Size 56.6KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6021e09784d4b8ca5450fe6010c6e543
SHA256 3f67801d69dfd76bf2ecf24de6f0047e94350a1b8c47783702417e3555bac40f
CRC32 1D8D2990
ssdeep 768:Z+h7TzTBziifTeiZSVWihwEknh0L7OTLeNfQflCHCMhEIV9sQwNQwuLkPTFz7wa3:kZ/nEkh8OTKNRHCML7iQHLkbFzW7A
Yara
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasRichSignature - Rich Signature Check
  • PE_Header_Zero - PE File Signature Zero

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2332
region_size: 77824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13728862208
free_bytes_available: 13728862208
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0
section .text (virtual_address 0x00001000, virtual_size 0x00006ea6, size_of_data 0x00007000, entropy 7.737310953984403) entropy 7.73731095398 description A section with a high entropy has been found
entropy 0.918032786885 description Overall entropy of this PE file is high
url http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url http://purl.org/rss/1.0/
url http://www.passport.com
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Hijack network configuration rule hijack_network
description Create a windows service rule create_service
description Create a COM server rule create_com_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications dyndns network rule network_dyndns
description Communications over P2P network rule network_p2p_win
description Communications over HTTP rule network_http
description File downloader/dropper rule network_dropper
description Communications over FTP rule network_ftp
description Communications over RAW socket rule network_tcp_socket
description Communications use DNS rule network_dns
description Communication using dga rule network_dga
description Escalate privileges rule escalate_priv
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Steal credential rule cred_local
description Record Audio rule sniff_audio
description APC queue tasks migration rule migrate_apc
description Malware can spread east-west file rule spreading_file
description Malware can spread east-west using share drive rule spreading_share
description Remote Administration toolkit using webcam rule rat_webcam
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_private_profile
description Affect private profile rule win_files_operation
description Match Winsock 2 API library declaration rule Str_Win32_Winsock2_Library
description Match Windows Inet API library declaration rule Str_Win32_Wininet_Library
description Match Windows Inet API call rule Str_Win32_Internet_API
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7fff0000
allocation_type: 1052672 (MEM_COMMIT|MEM_TOP_DOWN)
process_handle: 0x000000bc
1 0 0

NtProtectVirtualMemory

process_identifier: 1848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 28672
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7fff0000
process_handle: 0x000000bc
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7efd0000
allocation_type: 1052672 (MEM_COMMIT|MEM_TOP_DOWN)
process_handle: 0x000000bc
1 0 0

NtProtectVirtualMemory

process_identifier: 1848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7efd0000
process_handle: 0x000000bc
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7efc0000
allocation_type: 1052672 (MEM_COMMIT|MEM_TOP_DOWN)
process_handle: 0x000000bc
1 0 0

NtProtectVirtualMemory

process_identifier: 1848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7efc0000
process_handle: 0x000000bc
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7efb0000
allocation_type: 1052672 (MEM_COMMIT|MEM_TOP_DOWN)
process_handle: 0x000000bc
1 0 0

NtProtectVirtualMemory

process_identifier: 1848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7efb0000
process_handle: 0x000000bc
1 0 0
Process injection Process 2332 created a remote thread in non-child process 1848
Time & API Arguments Status Return Repeated

CreateRemoteThread

thread_identifier: 0
process_identifier: 1848
function_address: 0x7efd0000
flags: 0
stack_size: 65535
parameter: 0x7efb0000
process_handle: 0x000000bc
0 0
Process injection Process 2332 manipulating memory of non-child process 1848
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7fff0000
allocation_type: 1052672 (MEM_COMMIT|MEM_TOP_DOWN)
process_handle: 0x000000bc
1 0 0

NtProtectVirtualMemory

process_identifier: 1848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 28672
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7fff0000
process_handle: 0x000000bc
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7efd0000
allocation_type: 1052672 (MEM_COMMIT|MEM_TOP_DOWN)
process_handle: 0x000000bc
1 0 0

NtProtectVirtualMemory

process_identifier: 1848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7efd0000
process_handle: 0x000000bc
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7efc0000
allocation_type: 1052672 (MEM_COMMIT|MEM_TOP_DOWN)
process_handle: 0x000000bc
1 0 0

NtProtectVirtualMemory

process_identifier: 1848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7efc0000
process_handle: 0x000000bc
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7efb0000
allocation_type: 1052672 (MEM_COMMIT|MEM_TOP_DOWN)
process_handle: 0x000000bc
1 0 0

NtProtectVirtualMemory

process_identifier: 1848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7efb0000
process_handle: 0x000000bc
1 0 0
Process injection Process 2332 injected into non-child 1848
Time & API Arguments Status Return Repeated

WriteProcessMemory

base_address: 0x7efd0000
process_identifier: 1848
process_handle: 0x000000bc
1 1 0

WriteProcessMemory

base_address: 0x7efc0000
process_identifier: 1848
process_handle: 0x000000bc
1 1 0

WriteProcessMemory

buffer: ÿü~Esu"su
base_address: 0x7efb0000
process_identifier: 1848
process_handle: 0x000000bc
1 1 0
process: potential process injection target explorer.exe
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.40578665
FireEye Generic.mg.6021e09784d4b8ca
CAT-QuickHeal Backdoor.Bifrose.AE
McAfee BackDoor-CEP.gen.g
Cylance Unsafe
Zillya Virus.Bitforse.Win32.1
SUPERAntiSpyware Trojan.Agent/Gen-FraudAlert
Sangfor Trojan.Win32.Save.a
K7AntiVirus Backdoor ( 0040f49a1 )
Alibaba Backdoor:Win32/Bifrose.db9d49a8
K7GW Backdoor ( 0040f49a1 )
Cybereason malicious.784d4b
Arcabit Trojan.Generic.D26B2E69
Baidu Win32.Backdoor.Bifrose.a
Cyren W32/Backdoor.XKFY-2198
Symantec Backdoor.Trojan
TotalDefense Win32/Backdrop.D
APEX Malicious
Avast Win32:BackDoor-ZR [Trj]
ClamAV Win.Trojan.Bifrose-28231
Kaspersky Backdoor.Win32.Bifrose.fxv
BitDefender Trojan.GenericKD.40578665
NANO-Antivirus Trojan.Win32.Bifrose.enscfe
Paloalto generic.ml
ViRobot Backdoor.Win32.A.Bifrose.32637.KZ
Tencent Trojan.Win32.Refroso.dejg
Ad-Aware Trojan.GenericKD.40578665
TACHYON Backdoor/W32.Bifrose.57953
Sophos Mal/Generic-R + Mal/Bifrose-X
Comodo Backdoor.Win32.Bifrost.~Q@7opw
F-Secure Backdoor:W32/Bifrose.gen!E
DrWeb Trojan.Inject2.26734
VIPRE Backdoor.Win32.Bifrose.ae (v)
TrendMicro BKDR_BIFROSE.SMA
McAfee-GW-Edition BehavesLike.Win32.Generic.qc
MaxSecure Backdoor.W32.Refroso.djjg
Emsisoft Trojan.GenericKD.40578665 (B)
SentinelOne Static AI - Malicious PE
Jiangmin Backdoor/Bifrose.fzf
Webroot W32.Trojan.Bifrose
Avira BDS/Bifrose.aec
Antiy-AVL Trojan/Win32.Bifrose.gic
Gridinsoft Trojan.Win32.Downloader.oa!s1
Microsoft Backdoor:Win32/Bifrose.AE
ZoneAlarm Backdoor.Win32.Bifrose.fxv
GData Trojan.GenericKD.40578665
Cynet Malicious (score: 100)
AhnLab-V3 Win-Trojan/Bifrose.Gen