Summary | ZeroBOX

Practical2.exe

Category  Machine        Started                    Completed
FILE      s1_win7_x6401  March 10, 2021, 5:30 p.m.  March 10, 2021, 5:32 p.m.
Size 1.4MB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 971a3320179e0494fdb70b138ada2446
SHA256 9633d0564a2b8f1b4c6e718ae7ab48be921d435236a403cf5e7ddfbfd4283382
CRC32 35C24685
ssdeep 12288:hkhSL4pH7FYiIiicuueTh9yeJWrpDz29Wa+QB1t6gMvlTpa6NYjHhtkaJN:h72Z/8VWrpn2ZF1Ea1jBH
PDB Path C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\General\AtlCon\bitcoin coinjoin op.pdb
Yara
  • IsPE32 - (no description)
  • IsConsole - (no description)
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile

Name  Response  Post-Analysis Lookup
No hosts contacted.

IP Address      Status  Action
164.124.101.2   Active  Moloch
195.140.214.82  Active  Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

pdb_path C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\General\AtlCon\bitcoin coinjoin op.pdb
Time & API           Arguments  Status  Return  Repeated

GlobalMemoryStatusEx

                                1       1       0
section .00cfg
packer Microsoft Visual C++ V8.0 (Debug)
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x993626
0x9a145b
0x9a366b
0x995d61
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 0f b7 01 66 89 02 41 41 42 42 66 85 c0 75 f1 c7
exception.symbol: lstrcpyW+0x16 IsBadStringPtrA-0x5b kernel32+0x33118
exception.instruction: movzx eax, word ptr [ecx]
exception.module: kernel32.dll
exception.exception_code: 0xc0000005
exception.offset: 209176
exception.address: 0x75753118
registers.esp: 15201512
registers.edi: 15201652
registers.eax: 15201536
registers.ebp: 15201552
registers.edx: 62324736
registers.ebx: 15201792
registers.esi: 15201808
registers.ecx: 0
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2212
region_size: 12582912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02420000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7560f000
process_handle: 0xffffffff
1 0 0
description Practical2.exe tried to sleep 127 seconds, actually delayed analysis time by 127 seconds
Time & API           Arguments  Status  Return  Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13725724672
free_bytes_available: 13725724672
root_path: C:\
total_number_of_bytes: 34252779520
                                1       1       0
url https://nid.naver.com/login/css/global/desktop/w_20190509.css?dt=20190509
url http://www.expedia.com/favicon.ico
url http://uk.ask.com/favicon.ico
url http://www.priceminister.com/
url http://google.com/
url http://blogimgs.naver.com/nblog/skins/wholebox/0126_f982.gif
url https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38528621599152653.jpeg%22
url http://www.iask.com/favicon.ico
url https://s.pstatic.net/static/www/mobile/edit/2020/0804/cropImg_728x360_38481254551659019.jpeg
url https://s.pstatic.net/shopping.phinf/20200805_10/f1e83251-9248-4d4e-8d2e-d1505a55bc83.jpg?type=f214_292
url http://www.merlin.com.pl/favicon.ico
url http://www.cnet.com/favicon.ico
url https://ssl.pstatic.net/tveta/libs/assets/js/common/min/probe.min.js
url https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic1.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0806%2FcropImg_222x145_38626953912837677.png%22
url https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
url http://fpdownload.macromedia.com/pub/flashplayer/masterversion/crossdomain.xml
url https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png
url http://www.snee.com/xml/xslt/sample.doc
url http://www.yceml.net/0559/10408495-1499411010011
url https://s.pstatic.net/static/www/mobile/edit/2018/0206/cropImg_166x108_118371466370743504.jpeg
url https://s.pstatic.net/static/newsstand/up/2020/0615/nsd10319824.png
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/529.png
url https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38552809772500435.jpeg%22
url http://blogimgs.naver.net/nblog/mylog/post/btn_cancel3.gif
url https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/controls.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url https://ssl.pstatic.net/static/pwe/nm/b.gif
url http://search.nifty.com/
url https://castbox.shopping.naver.com/js/lazyload.js
url http://ns.adobe.com/exif/1.0/
url https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg
url https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png
url https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2Fmobile_17061525298c.jpg%22
url http://www.etmall.com.tw/
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/955.png
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/056.png
url https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0804%2Fmobile_212629657646c.jpg%22
url http://search.goo.ne.jp/
url http://fr.wikipedia.org/favicon.ico
url https://t1.daumcdn.net/tistory_admin/blogs/plugins/PreventCopyContents/js/functions.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url http://busca.estadao.com.br/favicon.ico
url http://search.hanafos.com/favicon.ico
url https://ssl.pstatic.net/tveta/libs/1298/1298853/743c01d46e807a376d99_20200730182507675.png
url https://tistory3.daumcdn.net/tistory/807805/skin/images/footerbg.jpg
url http://search.chol.com/favicon.ico
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/820.png
url http://search.livedoor.com/favicon.ico
url https://file-examples-com.github.io/uploads/2017/02/file-sample_1MB.doc
url https://ssl.pstatic.net/static/common/myarea/myInfo.gif
url http://amazon.fr/
description Listen for incoming communication rule network_tcp_listen
description Malware can spread east-west file rule spreading_file
description email clients info stealer rule infoStealer_emailClients_Zero
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Hijack network configuration rule hijack_network
description Create a windows service rule create_service
description Create a COM server rule create_com_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over P2P network rule network_p2p_win
description Communications over HTTP rule network_http
description File downloader/dropper rule network_dropper
description Communications over FTP rule network_ftp
description Communications over RAW socket rule network_tcp_socket
description Communications use DNS rule network_dns
description Communication using dga rule network_dga
description Perform crypto currency mining rule bitcoin
description Escalade priviledges rule escalate_priv
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Steal credential rule cred_local
description Record Audio rule sniff_audio
description APC queue tasks migration rule migrate_apc
description Malware can spread east-west file rule spreading_file
description Malware can spread east-west using share drive rule spreading_share
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_private_profile
description Affect private profile rule win_files_operation
description Match Winsock 2 API library declaration rule Str_Win32_Winsock2_Library
description Match Windows Inet API library declaration rule Str_Win32_Wininet_Library
description Match Windows Inet API call rule Str_Win32_Internet_API
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
host 195.140.214.82
file C:\Users\test22\AppData\Local\Temp\:Zone.Identifier
dead_host 195.140.214.82:6703
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
DrWeb Trojan.DownLoader36.27489
MicroWorld-eScan Gen:Variant.Razy.804171
ALYac Gen:Variant.Razy.804171
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Trojan.Win32.AveMaria.AM
K7AntiVirus Trojan ( 005747701 )
BitDefender Gen:Variant.Razy.804171
K7GW Trojan ( 005747701 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Razy.DC454B
Cyren W32/Kryptik.BKJ.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Kryptik.HIDW
APEX Malicious
Kaspersky Trojan-Spy.Win32.AveMaria.dqa
Alibaba TrojanSpy:Win32/AveMaria.86389254
NANO-Antivirus Trojan.Win32.AveMaria.idremq
Tencent Malware.Win32.Gencirc.10ce2ecb
Ad-Aware Gen:Variant.Razy.804171
Sophos Mal/Generic-S
F-Secure Trojan.TR/AD.MortyStealer.njjtp
Zillya Trojan.Kryptik.Win32.2738973
McAfee-GW-Edition Artemis!Trojan
FireEye Gen:Variant.Razy.804171
Emsisoft Trojan.Crypt (A)
Jiangmin TrojanSpy.AveMaria.ml
Avira TR/AD.MortyStealer.njjtp
MAX malware (ai score=88)
Antiy-AVL Trojan/Win32.Kryptik
Gridinsoft Trojan.Win32.Kryptik.oa!s1
ZoneAlarm Trojan-Spy.Win32.AveMaria.dqa
GData Gen:Variant.Razy.804171
Cynet Malicious (score: 85)
AhnLab-V3 Malware/Win32.RL_Generic.R357891
McAfee GenericRXAA-AA!971A3320179E
TACHYON Trojan-Spy/W32.AveMaria.1446912
VBA32 BScope.TrojanSpy.AveMaria
Malwarebytes Backdoor.AveMaria
Panda Trj/GdSda.A
Zoner Trojan.Win32.99616
TrendMicro-HouseCall TROJ_GEN.R002C0DBO21
Rising Spyware.AveMaria!8.108C2 (CLOUD)
Yandex TrojanSpy.AveMaria!Vjki3TH2T+g
Ikarus Trojan.Win32.Crypt
Fortinet W32/Kryptik.HIDW!tr
AVG Win32:RATX-gen [Trj]
Cybereason malicious.0179e0