Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 15, 2021, 1:21 p.m.	March 15, 2021, 1:24 p.m.

Size	3.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`ebfe3cc196712a6c4b09fcc2c9790fd0`
SHA256	`a9ec6aa98e4855c955d1d2f8be710c2de52ab574fe1a3748b43bea75ea37a881`
CRC32	`5B31F2F8`
ssdeep	`98304:S4H4DAQUO0GkALWUzDdfWISzjhGTdPi1TRJ:kDAQUO0Gk0WC5Wp2MTH`
Yara	PE_Header_Zero - PE File Signature Zero Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet escalate_priv - Escalade priviledges screenshot - Take screenshot win_registry - Affect system registries win_token - Affect system token win_private_profile - Affect private profile win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasRichSignature - Rich Signature Check

PkgV01.00.00.exe "C:\Users\test22\AppData\Local\Temp\PkgV01.00.00.exe"
1896
- twus.exe C:\Windows\system32\PluginManager\twus.exe /verysilent
  1556
  - twus.tmp "C:\Users\test22\AppData\Local\Temp\is-2QRA2.tmp\twus.tmp" /SL5="$E0240,2920145,58368,C:\Windows\SysWOW64\PluginManager\twus.exe" /verysilent
    2552
    - taskkill.exe "taskkill.exe" /f /im "twustwus.exe"
      2408
    - taskkill.exe "taskkill.exe" /f /im "jsjkjsjk.exe"
      1572
    - twustwus.exe "C:\Program Files (x86)\twus\twustwus.exe"
      2232
    - jsjkjsjk.exe "C:\Windows\system32\Mornitor32\jsjkjsjk.exe"
      2852
- explorer.exe explorer.exe
  2800
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA March 15, 2021, 1:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 15, 2021, 1:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 15, 2021, 1:22 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 15, 2021, 1:21 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 15, 2021, 1:21 p.m.	buffer: ERROR: The process "twustwus.exe" not found. console_handle: 0x0000000b	1	1	0
WriteConsoleW March 15, 2021, 1:22 p.m.	buffer: ERROR: The process "jsjkjsjk.exe" not found. console_handle: 0x0000000b	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 15, 2021, 1:21 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (12 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 15, 2021, 1:21 p.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2021, 1:21 p.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2021, 1:21 p.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2021, 1:21 p.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72452000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2021, 1:21 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2021, 1:21 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72452000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2021, 1:22 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2021, 1:22 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77530000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2021, 1:22 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ac0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2021, 1:22 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72452000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2021, 1:22 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 364544 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2021, 1:22 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72452000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW March 15, 2021, 1:15 p.m.	total_number_of_free_bytes: 13718048768 free_bytes_available: 13718048768 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (4 events)

file	C:\Windows\System32\PluginManager\twus.exe
file	C:\Users\test22\AppData\Local\Temp\nsk6471.tmp\SelfDel.dll
file	C:\Users\test22\AppData\Local\Temp\nsk6471.tmp\processwork.dll
file	C:\Windows\System32\PluginManager\uninstall.exe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\nsk6471.tmp\processwork.dll
file	C:\Users\test22\AppData\Local\Temp\PkgV01.00.00.exe
file	C:\Users\test22\AppData\Local\Temp\is-2QRA2.tmp\twus.tmp
file	C:\Users\test22\AppData\Local\Temp\nsk6471.tmp\SelfDel.dll

Executes one or more WMI queries (2 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "jsjkjsjk.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "twustwus.exe")

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 events)

Time & API	Arguments	Status	Return
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: mobsync.exe process_identifier: 844	1	1
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: pw.exe process_identifier: 1552	1	1
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: WmiPrvSE.exe process_identifier: 1340	1	1
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: jsjkjsjk.exe process_identifier: 2852	1	1
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0
Process32NextW March 15, 2021, 1:23 p.m.	snapshot_handle: 0x000001f4 process_name: cmd.exe process_identifier: 2680	1	1
Process32NextW March 15, 2021, 1:23 p.m.	snapshot_handle: 0x000001f4 process_name: conhost.exe process_identifier: 2668	1	1
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000019c process_name: twus.exe process_identifier: 1556	1	1
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000019c process_name: twus.tmp process_identifier: 2552	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 15, 2021, 1:21 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW March 15, 2021, 1:22 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

twustwus.exe

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 457 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: jsjkjsjk.exe process_identifier: 2852		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002a8 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x0000029c process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: jsjkjsjk.exe process_identifier: 2852		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002bc process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0
Process32NextW March 15, 2021, 1:22 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 59177437		0	0

Potentially malicious URLs were found in the process memory dump (4 events)

url	http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
url	http://nsis.sf.net/NSIS_Error
url	http://www.remobjects.com/ps
url	http://www.innosetup.com/

Yara rule detected in process memory (50 out of 272 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west file	rule	spreading_file
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper

Queries for potentially installed applications (4 events)

Time & API	Arguments	Return
RegOpenKeyExA March 15, 2021, 1:21 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{5DA66C9F-47AE-4D1D-BD52-99580569B661}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5DA66C9F-47AE-4D1D-BD52-99580569B661}_is1	2
RegOpenKeyExA March 15, 2021, 1:21 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{5DA66C9F-47AE-4D1D-BD52-99580569B661}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5DA66C9F-47AE-4D1D-BD52-99580569B661}_is1	2
RegOpenKeyExA March 15, 2021, 1:22 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{5DA66C9F-47AE-4D1D-BD52-99580569B661}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5DA66C9F-47AE-4D1D-BD52-99580569B661}_is1	2
RegOpenKeyExA March 15, 2021, 1:22 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{5DA66C9F-47AE-4D1D-BD52-99580569B661}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5DA66C9F-47AE-4D1D-BD52-99580569B661}_is1	2

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"taskkill.exe" /f /im "twustwus.exe"
cmdline	"taskkill.exe" /f /im "jsjkjsjk.exe"

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 15, 2021, 1:21 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0021f000 process_handle: 0x0000001c	1	0	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aisinocertreg				reg_value	C:\Program Files (x86)\twus\twustwus.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aisinocertreg1				reg_value	C:\Windows\system32\Mornitor32\jsjkjsjk.exe

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 15, 2021, 1:21 p.m.	buffer: `÷!UìSVuWjÿÿ¶¾(ÿÿ7ÿ¾(WÿÀu hèÿëè¾$t$CCÀt <\uô]ëïE (Pÿjÿ_^[]ÃjXÂ6susuDTsuÿsuzsu¿D{uÀsuC:\Users\test22\AppData\Local\Temp\PkgV01.00.00.exe base_address: 0x0021f760 process_identifier: 2800 process_handle: 0x0000001c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1896 called NtSetContextThread to modify thread in remote process 2800
NtSetContextThread March 15, 2021, 1:21 p.m.	registers.eip: 2226020 registers.esp: 2226012 registers.edi: 0 registers.eax: 3346170 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001d4 process_identifier: 2800	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1896 resumed a thread in remote process 2800
NtResumeThread March 15, 2021, 1:21 p.m.	thread_handle: 0x000001d4 suspend_count: 1 process_identifier: 2800	1	0	0

Zeus P2P (Banking Trojan) (10 events)

mutex	Global\F4184954-2BC5-41F3-900E-01234567890E_MUTEX_
mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
mutex	Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
mutex	Global\WT-NSMUTEX850D0028-B304-498f-A0DE-433C27242B1F
mutex	{08586C4E-62C4-4a4e-8271-C2A20530AF62}_M_S-1-5-21-3832866432-4053218753-3017428901-1001
udp	{u'src': u'192.168.56.101', u'dst': u'239.255.255.250', u'offset': 16587, u'time': 4.210639953613281, u'dport': 3702, u'sport': 49152}
udp	{u'src': u'192.168.56.101', u'dst': u'239.255.255.250', u'offset': 24979, u'time': 8.977360963821411, u'dport': 3702, u'sport': 62325}
udp	{u'src': u'192.168.56.101', u'dst': u'239.255.255.250', u'offset': 27835, u'time': 4.933121919631958, u'dport': 1900, u'sport': 62445}
udp	{u'src': u'192.168.56.101', u'dst': u'239.255.255.250', u'offset': 33571, u'time': 4.743573904037476, u'dport': 3702, u'sport': 62447}
udp	{u'src': u'192.168.56.101', u'dst': u'239.255.255.250', u'offset': 36427, u'time': 4.941629886627197, u'dport': 3702, u'sport': 62449}

Executed a process and injected code into it, probably while unpacking (15 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 15, 2021, 1:21 p.m.	thread_identifier: 1756 thread_handle: 0x0000001c process_identifier: 1556 current_directory: filepath: track: 1 command_line: C:\Windows\system32\PluginManager\twus.exe /verysilent filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000001d4	1	1
CreateProcessInternalW March 15, 2021, 1:21 p.m.	thread_identifier: 2252 thread_handle: 0x000001d4 process_identifier: 2800 current_directory: filepath: track: 1 command_line: explorer.exe filepath_r: stack_pivoted: 0 creation_flags: 68 (CREATE_SUSPENDED\|IDLE_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
NtGetContextThread March 15, 2021, 1:21 p.m.	thread_handle: 0x000001d4	1	0
WriteProcessMemory March 15, 2021, 1:21 p.m.	buffer: `÷!UìSVuWjÿÿ¶¾(ÿÿ7ÿ¾(WÿÀu hèÿëè¾$t$CCÀt <\uô]ëïE (Pÿjÿ_^[]ÃjXÂ6susuDTsuÿsuzsu¿D{uÀsuC:\Users\test22\AppData\Local\Temp\PkgV01.00.00.exe base_address: 0x0021f760 process_identifier: 2800 process_handle: 0x0000001c	1	1
NtSetContextThread March 15, 2021, 1:21 p.m.	registers.eip: 2226020 registers.esp: 2226012 registers.edi: 0 registers.eax: 3346170 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001d4 process_identifier: 2800	1	0
NtResumeThread March 15, 2021, 1:21 p.m.	thread_handle: 0x000001d4 suspend_count: 1 process_identifier: 2800	1	0
CreateProcessInternalW March 15, 2021, 1:21 p.m.	thread_identifier: 2988 thread_handle: 0x00000134 process_identifier: 2552 current_directory: filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\is-2QRA2.tmp\twus.tmp" /SL5="$E0240,2920145,58368,C:\Windows\SysWOW64\PluginManager\twus.exe" /verysilent filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
NtResumeThread March 15, 2021, 1:21 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 2552	1	0
CreateProcessInternalW March 15, 2021, 1:21 p.m.	thread_identifier: 1808 thread_handle: 0x00000250 process_identifier: 2408 current_directory: C:\Windows\system32 filepath: track: 1 command_line: "taskkill.exe" /f /im "twustwus.exe" filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x00000254	1	1
CreateProcessInternalW March 15, 2021, 1:21 p.m.	thread_identifier: 2564 thread_handle: 0x00000254 process_identifier: 1572 current_directory: C:\Windows\system32 filepath: track: 1 command_line: "taskkill.exe" /f /im "jsjkjsjk.exe" filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x0000025c	1	1
CreateProcessInternalW March 15, 2021, 1:22 p.m.	thread_identifier: 2388 thread_handle: 0x0000025c process_identifier: 2232 current_directory: C:\Program Files (x86)\twus filepath: track: 1 command_line: "C:\Program Files (x86)\twus\twustwus.exe" filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x00000254	1	1
CreateProcessInternalW March 15, 2021, 1:22 p.m.	thread_identifier: 2076 thread_handle: 0x00000254 process_identifier: 2852 current_directory: C:\Windows\system32\Mornitor32 filepath: track: 1 command_line: "C:\Windows\system32\Mornitor32\jsjkjsjk.exe" filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x0000025c	1	1
NtResumeThread March 15, 2021, 1:22 p.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 2232	1	0
CreateProcessInternalW March 15, 2021, 1:22 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Program Files (x86)\twus\usbksvr.exe filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW March 15, 2021, 1:22 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Program Files (x86)\twus\usbksvr.exe filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000000		0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Dropped:Trojan.GenericKD.45764732
CAT-QuickHeal	Trojan.Woreflint
ALYac	Dropped:Trojan.GenericKD.45764732
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Trojan.Win32.Ymacco.AAF0
BitDefender	Dropped:Trojan.GenericKD.45764732
K7GW	Riskware ( 0040eff71 )
K7AntiVirus	Riskware ( 0040eff71 )
Cyren	W32/Trojan.XLMK-7448
APEX	Malicious
Avast	Win32:Trojan-gen
Alibaba	Packed:Win32/VMProtect.3d977b5e
NANO-Antivirus	Trojan.Win32.Black.imbmwe
ViRobot	Trojan.Win32.Z.Vmprotect.3438092
AegisLab	Trojan.Win32.Generic.4!c
Ad-Aware	Dropped:Trojan.GenericKD.45764732
Comodo	Malware@#1cofkqo84j8dq
DrWeb	Trojan.Siggen12.25943
TrendMicro	TROJ_GEN.R06CC0RAV21
FireEye	Dropped:Trojan.GenericKD.45764732
Emsisoft	Dropped:Trojan.GenericKD.45764732 (B)
Ikarus	Trojan.Win32.VMProtect
GData	Dropped:Trojan.GenericKD.45764732
Avira	TR/Dropper.Gen
Gridinsoft	Trojan.Win32.Packed.oa
Arcabit	Trojan.Generic.D2BA507C
Microsoft	Trojan:Script/Phonzy.A!ml
Cynet	Malicious (score: 90)
ESET-NOD32	a variant of Win32/Packed.VMProtect.ABO
McAfee	Artemis!EBFE3CC19671
VBA32	BScope.Trojan.LowZones
Malwarebytes	Trojan.MalPack
TrendMicro-HouseCall	TROJ_GEN.R06CC0RAV21
Rising	Trojan.Generic@ML.88 (RDMK:amKpSEs6FAIofOXpU4YjBQ)
Yandex	Trojan.VMProtect!GiwOGh2GuNk
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/VMProtBad.A!tr
BitDefenderTheta	Gen:NN.ZexaF.34608.iD0@aK@x0Cej
AVG	Win32:Trojan-gen
Cybereason	malicious.196712
Paloalto	generic.ml

PkgV01.00.00.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All