Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 15, 2021, 12:21 p.m.	March 15, 2021, 12:23 p.m.

Size	3.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`ebfe3cc196712a6c4b09fcc2c9790fd0`
SHA256	`a9ec6aa98e4855c955d1d2f8be710c2de52ab574fe1a3748b43bea75ea37a881`
CRC32	`5B31F2F8`
ssdeep	`98304:S4H4DAQUO0GkALWUzDdfWISzjhGTdPi1TRJ:kDAQUO0Gk0WC5Wp2MTH`
Yara	PE_Header_Zero - PE File Signature Zero Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet escalate_priv - Escalade priviledges screenshot - Take screenshot win_registry - Affect system registries win_token - Affect system token win_private_profile - Affect private profile win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasRichSignature - Rich Signature Check

PkgV01.00.00.exe "C:\Users\test22\AppData\Local\Temp\PkgV01.00.00.exe"
900
- twus.exe C:\Windows\system32\PluginManager\twus.exe /verysilent
  5192
  - twus.tmp "C:\Users\test22\AppData\Local\Temp\is-NSKIE.tmp\twus.tmp" /SL5="$8201C8,2920145,58368,C:\Windows\SysWOW64\PluginManager\twus.exe" /verysilent
    4888
    - taskkill.exe "taskkill.exe" /f /im "twustwus.exe"
      2848
    - taskkill.exe "taskkill.exe" /f /im "jsjkjsjk.exe"
      2268
    - twustwus.exe "C:\Program Files (x86)\twus\twustwus.exe"
      8300
    - jsjkjsjk.exe "C:\Windows\system32\Mornitor32\jsjkjsjk.exe"
      6844
- explorer.exe explorer.exe
  6928
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA March 15, 2021, 12:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 15, 2021, 12:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 15, 2021, 12:21 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 15, 2021, 12:21 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 15, 2021, 12:21 p.m.	buffer: ERROR: The process "twustwus.exe" not found. console_handle: 0x0000000b	1	1	0
WriteConsoleW March 15, 2021, 12:21 p.m.	buffer: ERROR: The process "jsjkjsjk.exe" not found. console_handle: 0x0000000b	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 15, 2021, 12:21 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (12 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 15, 2021, 12:21 p.m.	process_identifier: 5192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2021, 12:21 p.m.	process_identifier: 5192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2021, 12:21 p.m.	process_identifier: 5192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2021, 12:21 p.m.	process_identifier: 5192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2021, 12:21 p.m.	process_identifier: 4888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2021, 12:21 p.m.	process_identifier: 4888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2021, 12:21 p.m.	process_identifier: 8300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2021, 12:21 p.m.	process_identifier: 8300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77530000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2021, 12:21 p.m.	process_identifier: 8300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ac0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2021, 12:21 p.m.	process_identifier: 8300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2021, 12:21 p.m.	process_identifier: 8300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 364544 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2021, 12:21 p.m.	process_identifier: 6844 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (4 events)

file	C:\Windows\System32\PluginManager\twus.exe
file	C:\Users\test22\AppData\Local\Temp\nslC0.tmp\processwork.dll
file	C:\Windows\System32\PluginManager\uninstall.exe
file	C:\Users\test22\AppData\Local\Temp\nslC0.tmp\SelfDel.dll

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\nslC0.tmp\processwork.dll
file	C:\Users\test22\AppData\Local\Temp\PkgV01.00.00.exe
file	C:\Users\test22\AppData\Local\Temp\is-NSKIE.tmp\twus.tmp
file	C:\Users\test22\AppData\Local\Temp\nslC0.tmp\SelfDel.dll

Executes one or more WMI queries (2 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "twustwus.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "jsjkjsjk.exe")

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 events)

Time & API	Arguments	Status	Return
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: SearchIndexer.exe process_identifier: 2548	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: thunderbird.exe process_identifier: 3960	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: pw.exe process_identifier: 5008	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: audiodg.exe process_identifier: 7936	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: splwow64.exe process_identifier: 3928	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: SearchProtocolHost.exe process_identifier: 3816	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: SearchFilterHost.exe process_identifier: 7776	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: mobsync.exe process_identifier: 3488	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: taskhost.exe process_identifier: 5568	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: slui.exe process_identifier: 7748	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: WmiPrvSE.exe process_identifier: 8704	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: twustwus.exe process_identifier: 8300	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: jsjkjsjk.exe process_identifier: 6844	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: cmd.exe process_identifier: 5352	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: conhost.exe process_identifier: 2340	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: pw.exe process_identifier: 4440	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: cmd.exe process_identifier: 3632	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: conhost.exe process_identifier: 2224	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000023c process_name: cmd.exe process_identifier: 7804	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000023c process_name: conhost.exe process_identifier: 6956	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000023c process_name: pw.exe process_identifier: 6688	1	1
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: cmd.exe process_identifier: 8156	1	1
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: conhost.exe process_identifier: 7352	1	1
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: pw.exe process_identifier: 2000	1	1
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: cmd.exe process_identifier: 3012	1	1
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: conhost.exe process_identifier: 3252	1	1
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: pw.exe process_identifier: 7276	1	1
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x000001f4 process_name: cmd.exe process_identifier: 3468	1	1
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x000001f4 process_name: conhost.exe process_identifier: 3716	1	1
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x000001f4 process_name: pw.exe process_identifier: 7656	1	1
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x000001f4 process_name: cmd.exe process_identifier: 6960	1	1
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x000001f4 process_name: conhost.exe process_identifier: 8936	1	1
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x000001f4 process_name: pw.exe process_identifier: 1348	1	1
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x000001f4 process_name: cmd.exe process_identifier: 7496	1	1
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x000001f4 process_name: conhost.exe process_identifier: 3448	1	1
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x000001f4 process_name: pw.exe process_identifier: 7280	1	1
Process32NextW March 15, 2021, 12:23 p.m.	snapshot_handle: 0x000001f4 process_name: cmd.exe process_identifier: 4468	1	1
Process32NextW March 15, 2021, 12:23 p.m.	snapshot_handle: 0x000001f4 process_name: conhost.exe process_identifier: 4828	1	1
Process32NextW March 15, 2021, 12:23 p.m.	snapshot_handle: 0x000001f4 process_name: pw.exe process_identifier: 4684	1	1
Process32NextW March 15, 2021, 12:23 p.m.	snapshot_handle: 0x0000027c process_name: cmd.exe process_identifier: 4832	1	1
Process32NextW March 15, 2021, 12:23 p.m.	snapshot_handle: 0x0000027c process_name: conhost.exe process_identifier: 1388	1	1
Process32NextW March 15, 2021, 12:23 p.m.	snapshot_handle: 0x0000027c process_name: pw.exe process_identifier: 1536	1	1
Process32NextW March 15, 2021, 12:23 p.m.	snapshot_handle: 0x0000027c process_name: inject-x64.exe process_identifier: 296	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x000001a4 process_name: cmd.exe process_identifier: 9068	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x000001a4 process_name: conhost.exe process_identifier: 4656	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x000001a4 process_name: pw.exe process_identifier: 2864	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x000001a4 process_name: twus.exe process_identifier: 5192	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x000001a4 process_name: twus.tmp process_identifier: 4888	1	1
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x000001a4 process_name: inject-x86.exe process_identifier: 2600	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 15, 2021, 12:21 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW March 15, 2021, 12:21 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

twustwus.exe

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 465 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: pw.exe process_identifier: 3064		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000027c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:21 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: jsjkjsjk.exe process_identifier: 6844		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0
Process32NextW March 15, 2021, 12:22 p.m.	snapshot_handle: 0x0000023c process_name: process_identifier: 47708637		0	0

Potentially malicious URLs were found in the process memory dump (50 out of 1339 events)

url	http://nsis.sf.net/NSIS_Error
url	http://www.expedia.com/favicon.ico
url	http://uk.ask.com/favicon.ico
url	http://www.priceminister.com/
url	https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/image/img_delete_module.gif?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38528621599152653.jpeg%22
url	https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F2020%2F1031%2Fupload_20063893240744871RiJjV.jpg%22
url	http://175.208.134.150:8282/test/test.eml
url	http://ru.wikipedia.org/
url	http://blog.naver.com/versioning//common/lib/ajax.flash/ajax-885363e.swf
url	https://search.pstatic.net/common/?src=http%3A%2F%2Fimgnews.naver.net%2Fimage%2Forigin%2F5016%2F2018%2F02%2F08%2F60861.jpg
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/905.png
url	http://www.merlin.com.pl/favicon.ico
url	http://www.cnet.com/favicon.ico
url	https://ssl.pstatic.net/tveta/libs/assets/js/common/min/probe.min.js
url	http://blogimgs.naver.net/nblog/guestbook/btn_close2.gif
url	https://ssl.pstatic.net/static/nid/login/rw_captcha01.png
url	http://www.snee.com/xml/xslt/sample.doc
url	http://www.yceml.net/0559/10408495-1499411010011
url	https://s.pstatic.net/static/www/mobile/edit/2018/0206/cropImg_166x108_118371466370743504.jpeg
url	https://s.pstatic.net/static/newsstand/up/2020/0615/nsd10319824.png
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/529.png
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38552809772500435.jpeg%22
url	http://blogimgs.naver.net/nblog/mylog/post/btn_cancel3.gif
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/controls.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	https://ssl.pstatic.net/static/pwe/nm/b.gif
url	http://search.nifty.com/
url	https://castbox.shopping.naver.com/js/lazyload.js
url	http://ns.adobe.com/exif/1.0/
url	https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg
url	https://s.pstatic.net/shopping.phinf/20201030_5/435a8fe5-a825-42c6-ae9b-cf42801458dc.jpg?type=f214_292
url	https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2Fmobile_17061525298c.jpg%22
url	http://www.etmall.com.tw/
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/955.png
url	https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F2020%2F1021%2Fupload_19201541624342101mWI1T.jpg%22
url	https://s.pstatic.net/shopping.phinf/20200723_14/1830ea29-778a-47c7-9367-e34230fa46cc.jpg
url	http://search.goo.ne.jp/
url	http://fr.wikipedia.org/favicon.ico
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/PreventCopyContents/js/functions.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	http://busca.estadao.com.br/favicon.ico
url	http://search.hanafos.com/favicon.ico
url	https://s.pstatic.net/shopping.phinf/20201103_21/701f9083-a72b-4ef6-ac1c-0daf1907c51d.jpg?type=f214_292
url	https://ssl.pstatic.net/tveta/libs/1298/1298853/743c01d46e807a376d99_20200730182507675.png
url	https://tistory3.daumcdn.net/tistory/807805/skin/images/footerbg.jpg
url	http://search.chol.com/favicon.ico
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/820.png
url	http://search.livedoor.com/favicon.ico

Yara rule detected in process memory (50 out of 363 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west file	rule	spreading_file
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Listen for incoming communication	rule	network_tcp_listen
description	Malware can spread east-west file	rule	spreading_file
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win

Queries for potentially installed applications (4 events)

Time & API	Arguments	Return
RegOpenKeyExA March 15, 2021, 12:21 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{5DA66C9F-47AE-4D1D-BD52-99580569B661}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5DA66C9F-47AE-4D1D-BD52-99580569B661}_is1	2
RegOpenKeyExA March 15, 2021, 12:21 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{5DA66C9F-47AE-4D1D-BD52-99580569B661}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5DA66C9F-47AE-4D1D-BD52-99580569B661}_is1	2
RegOpenKeyExA March 15, 2021, 12:21 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{5DA66C9F-47AE-4D1D-BD52-99580569B661}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5DA66C9F-47AE-4D1D-BD52-99580569B661}_is1	2
RegOpenKeyExA March 15, 2021, 12:21 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{5DA66C9F-47AE-4D1D-BD52-99580569B661}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5DA66C9F-47AE-4D1D-BD52-99580569B661}_is1	2

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"taskkill.exe" /f /im "twustwus.exe"
cmdline	"taskkill.exe" /f /im "jsjkjsjk.exe"

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 15, 2021, 12:21 p.m.	process_identifier: 6928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0008f000 process_handle: 0x0000001c	1	0	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aisinocertreg				reg_value	C:\Program Files (x86)\twus\twustwus.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aisinocertreg1				reg_value	C:\Windows\system32\Mornitor32\jsjkjsjk.exe

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 15, 2021, 12:21 p.m.	buffer: @õUìSVuWjÿÿ¶¾(ÿÿ7ÿ¾(WÿÀu hèÿëè¾$t$CCÀt <\uô]ëïE (Pÿjÿ_^[]ÃjXÂ6susuDTsuÿsuzsu¿D{uÀsuC:\Users\test22\AppData\Local\Temp\PkgV01.00.00.exe base_address: 0x0008f540 process_identifier: 6928 process_handle: 0x0000001c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 900 called NtSetContextThread to modify thread in remote process 6928
NtSetContextThread March 15, 2021, 12:21 p.m.	registers.eip: 587076 registers.esp: 587068 registers.edi: 0 registers.eax: 8392442 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001cc process_identifier: 6928	1	0	0

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (9 events)

url	http://175.208.134.150:8282/test/test.eml
url	http://175.208.134.150:8282/favicon.ico
url	http://175.208.134.150:8282/test/exe1.zip
url	http://114.113.235.51:20080/SSCAService.aspx?OP=getDownloadFile
url	https://114.113.235.45:20080/SSCAService.aspx?OP
url	http://114.113.235.51:20080/SSCAService.aspx?OP=getEncode
url	http://114.113.235.51:20080/SSCAService.aspx?OP=getCmd
url	https://114.113.235.45:20080/SSCAService.aspx?OP=getTaxPin
url	http://114.113.235.51:20080/SSCAService.aspx?OP=list

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 900 resumed a thread in remote process 6928
NtResumeThread March 15, 2021, 12:21 p.m.	thread_handle: 0x000001cc suspend_count: 1 process_identifier: 6928	1	0	0

Zeus P2P (Banking Trojan) (10 events)

mutex	Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
mutex	Global\F4184954-2BC5-41F3-900E-01234567890E_MUTEX_
mutex	Global\WT-NSMUTEX850D0028-B304-498f-A0DE-433C27242B1F
mutex	{08586C4E-62C4-4a4e-8271-C2A20530AF62}_M_S-1-5-21-3832866432-4053218753-3017428901-1001
udp	{u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 16009, u'time': 4.021553039550781, u'dport': 3702, u'sport': 49152}
udp	{u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 24409, u'time': 4.752303123474121, u'dport': 1900, u'sport': 56752}
udp	{u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 30145, u'time': 4.501190900802612, u'dport': 3702, u'sport': 56754}
udp	{u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 33001, u'time': 4.985924005508423, u'dport': 3702, u'sport': 56756}
udp	{u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 35729, u'time': 8.816553115844727, u'dport': 3702, u'sport': 56758}

Executed a process and injected code into it, probably while unpacking (15 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 15, 2021, 12:21 p.m.	thread_identifier: 6204 thread_handle: 0x0000001c process_identifier: 5192 current_directory: filepath: track: 1 command_line: C:\Windows\system32\PluginManager\twus.exe /verysilent filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000001cc	1	1
CreateProcessInternalW March 15, 2021, 12:21 p.m.	thread_identifier: 7636 thread_handle: 0x000001cc process_identifier: 6928 current_directory: filepath: track: 1 command_line: explorer.exe filepath_r: stack_pivoted: 0 creation_flags: 68 (CREATE_SUSPENDED\|IDLE_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
NtGetContextThread March 15, 2021, 12:21 p.m.	thread_handle: 0x000001cc	1	0
WriteProcessMemory March 15, 2021, 12:21 p.m.	buffer: @õUìSVuWjÿÿ¶¾(ÿÿ7ÿ¾(WÿÀu hèÿëè¾$t$CCÀt <\uô]ëïE (Pÿjÿ_^[]ÃjXÂ6susuDTsuÿsuzsu¿D{uÀsuC:\Users\test22\AppData\Local\Temp\PkgV01.00.00.exe base_address: 0x0008f540 process_identifier: 6928 process_handle: 0x0000001c	1	1
NtSetContextThread March 15, 2021, 12:21 p.m.	registers.eip: 587076 registers.esp: 587068 registers.edi: 0 registers.eax: 8392442 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001cc process_identifier: 6928	1	0
NtResumeThread March 15, 2021, 12:21 p.m.	thread_handle: 0x000001cc suspend_count: 1 process_identifier: 6928	1	0
CreateProcessInternalW March 15, 2021, 12:21 p.m.	thread_identifier: 6676 thread_handle: 0x00000134 process_identifier: 4888 current_directory: filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\is-NSKIE.tmp\twus.tmp" /SL5="$8201C8,2920145,58368,C:\Windows\SysWOW64\PluginManager\twus.exe" /verysilent filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
NtResumeThread March 15, 2021, 12:21 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 4888	1	0
CreateProcessInternalW March 15, 2021, 12:21 p.m.	thread_identifier: 7236 thread_handle: 0x00000238 process_identifier: 2848 current_directory: C:\Windows\system32 filepath: track: 1 command_line: "taskkill.exe" /f /im "twustwus.exe" filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x0000023c	1	1
CreateProcessInternalW March 15, 2021, 12:21 p.m.	thread_identifier: 9168 thread_handle: 0x0000023c process_identifier: 2268 current_directory: C:\Windows\system32 filepath: track: 1 command_line: "taskkill.exe" /f /im "jsjkjsjk.exe" filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x00000244	1	1
CreateProcessInternalW March 15, 2021, 12:21 p.m.	thread_identifier: 5272 thread_handle: 0x00000244 process_identifier: 8300 current_directory: C:\Program Files (x86)\twus filepath: track: 1 command_line: "C:\Program Files (x86)\twus\twustwus.exe" filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x0000023c	1	1
CreateProcessInternalW March 15, 2021, 12:21 p.m.	thread_identifier: 2060 thread_handle: 0x0000023c process_identifier: 6844 current_directory: C:\Windows\system32\Mornitor32 filepath: track: 1 command_line: "C:\Windows\system32\Mornitor32\jsjkjsjk.exe" filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x00000244	1	1
NtResumeThread March 15, 2021, 12:21 p.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 8300	1	0
CreateProcessInternalW March 15, 2021, 12:21 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Program Files (x86)\twus\usbksvr.exe filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW March 15, 2021, 12:22 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Program Files (x86)\twus\usbksvr.exe filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000000		0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Dropped:Trojan.GenericKD.45764732
CAT-QuickHeal	Trojan.Woreflint
ALYac	Dropped:Trojan.GenericKD.45764732
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Trojan.Win32.Ymacco.AAF0
BitDefender	Dropped:Trojan.GenericKD.45764732
K7GW	Riskware ( 0040eff71 )
K7AntiVirus	Riskware ( 0040eff71 )
Cyren	W32/Trojan.XLMK-7448
APEX	Malicious
Avast	Win32:Trojan-gen
Alibaba	Packed:Win32/VMProtect.3d977b5e
NANO-Antivirus	Trojan.Win32.Black.imbmwe
ViRobot	Trojan.Win32.Z.Vmprotect.3438092
AegisLab	Trojan.Win32.Generic.4!c
Ad-Aware	Dropped:Trojan.GenericKD.45764732
Comodo	Malware@#1cofkqo84j8dq
DrWeb	Trojan.Siggen12.25943
TrendMicro	TROJ_GEN.R06CC0RAV21
FireEye	Dropped:Trojan.GenericKD.45764732
Emsisoft	Dropped:Trojan.GenericKD.45764732 (B)
Ikarus	Trojan.Win32.VMProtect
GData	Dropped:Trojan.GenericKD.45764732
Avira	TR/Dropper.Gen
Gridinsoft	Trojan.Win32.Packed.oa
Arcabit	Trojan.Generic.D2BA507C
Microsoft	Trojan:Script/Phonzy.A!ml
Cynet	Malicious (score: 90)
ESET-NOD32	a variant of Win32/Packed.VMProtect.ABO
McAfee	Artemis!EBFE3CC19671
VBA32	BScope.Trojan.LowZones
Malwarebytes	Trojan.MalPack
TrendMicro-HouseCall	TROJ_GEN.R06CC0RAV21
Rising	Trojan.Generic@ML.88 (RDMK:amKpSEs6FAIofOXpU4YjBQ)
Yandex	Trojan.VMProtect!GiwOGh2GuNk
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/VMProtBad.A!tr
BitDefenderTheta	Gen:NN.ZexaF.34608.iD0@aK@x0Cej
AVG	Win32:Trojan-gen
Cybereason	malicious.196712
Paloalto	generic.ml

PkgV01.00.00.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All