popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

winlog.exe

  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 March 17, 2021, 7:48 a.m. March 17, 2021, 7:51 a.m.
Size 212.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 3d3c42f1e8978a60cdf179841d6734ad
SHA256 f02213dd373e6d5d9bea4f366b2cfd983e278731be7d59171de6be27a482becf
CRC32 89E2731A
ssdeep 3072:JPA6jXFN2Mc+xDcJgigngtZDs/aIV8OcBwb4CZddBEL9Do/VuEpVj+vBf:Jhjm2dcJgfYoSIrbvLEx2XjC
Yara
  • PE_Header_Zero - PE File Signature Zero
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_private_profile - Affect private profile
  • win_files_operation - Affect private profile
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasRichSignature - Rich Signature Check

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49207 -> 184.168.131.241:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 184.168.131.241:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 184.168.131.241:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 23.227.38.74:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 23.227.38.74:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 23.227.38.74:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 3.138.83.135:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 3.138.83.135:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 3.138.83.135:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 68.66.224.49:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 13.251.254.29:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 68.66.224.49:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 13.251.254.29:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 68.66.224.49:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 13.251.254.29:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 185.2.4.20:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 185.2.4.20:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 185.2.4.20:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.hikayemedya.com/smd0/?2dp=GOmwBBTkN+4Rw04hXmNjyqcLvSsgQS1p0LkYyDLRUFzBiGCdWpAuZHWozxzGfk8WgE6AjVgS&CXL05P=YthDaVVxJrCHangP
suspicious_features GET method with no useragent header suspicious_request GET http://www.vivajaliscotaquerias.com/smd0/?2dp=QCqClmwpqAuk83b59kimQbG6d9v4Lnfk03pkGM9vcNoObJQ+Gt/3KMMYxKboUXrEFktYskXS&CXL05P=YthDaVVxJrCHangP
suspicious_features GET method with no useragent header suspicious_request GET http://www.elewintool.com/smd0/?2dp=hh1uAoVXDYhM30MQbZq9QYsUK4Li6BrHnZwH/68ddtcp6X6qYjT4G4sTvEEDAqDFNoniJYiN&CXL05P=YthDaVVxJrCHangP
suspicious_features GET method with no useragent header suspicious_request GET http://www.vib7.com/smd0/?2dp=2oX2te/XThlzXghBLIAyxOCdxdHV5qrDZoKEsk56yLlCCIXzS1/kBcCyJ6/9LZBjqWBTl1cJ&CXL05P=YthDaVVxJrCHangP
suspicious_features GET method with no useragent header suspicious_request GET http://www.theretailbusinessschool.com/smd0/?2dp=x0ARnFhqih1AMTBencp6aS1OFOsc4427B5e3gyH8BWKg2mzEdg6Z9coriXhASpHgfowQCaAN&CXL05P=YthDaVVxJrCHangP
suspicious_features GET method with no useragent header suspicious_request GET http://www.urbanprintstudio.com/smd0/?2dp=2RPibDEW/y1L8TujXIAacnTzW3vWkIzvKhZecjn/yDJGHtUubFibRJzdr2hqXa+ucK2LzJRn&CXL05P=YthDaVVxJrCHangP
request POST http://www.hikayemedya.com/smd0/
request GET http://www.hikayemedya.com/smd0/?2dp=GOmwBBTkN+4Rw04hXmNjyqcLvSsgQS1p0LkYyDLRUFzBiGCdWpAuZHWozxzGfk8WgE6AjVgS&CXL05P=YthDaVVxJrCHangP
request POST http://www.vivajaliscotaquerias.com/smd0/
request GET http://www.vivajaliscotaquerias.com/smd0/?2dp=QCqClmwpqAuk83b59kimQbG6d9v4Lnfk03pkGM9vcNoObJQ+Gt/3KMMYxKboUXrEFktYskXS&CXL05P=YthDaVVxJrCHangP
request POST http://www.elewintool.com/smd0/
request GET http://www.elewintool.com/smd0/?2dp=hh1uAoVXDYhM30MQbZq9QYsUK4Li6BrHnZwH/68ddtcp6X6qYjT4G4sTvEEDAqDFNoniJYiN&CXL05P=YthDaVVxJrCHangP
request POST http://www.vib7.com/smd0/
request GET http://www.vib7.com/smd0/?2dp=2oX2te/XThlzXghBLIAyxOCdxdHV5qrDZoKEsk56yLlCCIXzS1/kBcCyJ6/9LZBjqWBTl1cJ&CXL05P=YthDaVVxJrCHangP
request POST http://www.theretailbusinessschool.com/smd0/
request GET http://www.theretailbusinessschool.com/smd0/?2dp=x0ARnFhqih1AMTBencp6aS1OFOsc4427B5e3gyH8BWKg2mzEdg6Z9coriXhASpHgfowQCaAN&CXL05P=YthDaVVxJrCHangP
request POST http://www.urbanprintstudio.com/smd0/
request GET http://www.urbanprintstudio.com/smd0/?2dp=2RPibDEW/y1L8TujXIAacnTzW3vWkIzvKhZecjn/yDJGHtUubFibRJzdr2hqXa+ucK2LzJRn&CXL05P=YthDaVVxJrCHangP
request POST http://www.hikayemedya.com/smd0/
request POST http://www.vivajaliscotaquerias.com/smd0/
request POST http://www.elewintool.com/smd0/
request POST http://www.vib7.com/smd0/
request POST http://www.theretailbusinessschool.com/smd0/
request POST http://www.urbanprintstudio.com/smd0/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1772
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 556
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fe0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nst6339.tmp\06eouuxdi0s.dll
file C:\Users\test22\AppData\Local\Temp\winlog.exe
file C:\Users\test22\AppData\Local\Temp\nst6339.tmp\06eouuxdi0s.dll
file C:\Users\test22\AppData\Local\Temp\winlog.exe
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2772
thread_handle: 0x000000ac
process_identifier: 2672
current_directory:
filepath: C:\Windows\SysWOW64\cmd.exe
track: 1
command_line: /c del "C:\Users\test22\AppData\Local\Temp\winlog.exe"
filepath_r: C:\Windows\SysWOW64\cmd.exe
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000104
1 1 0
Time & API Arguments Status Return Repeated

Process32FirstW

 snapshot_handle: 0x000001fc
process_name: [System Process]
process_identifier: 0
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: System
process_identifier: 4
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: smss.exe
process_identifier: 224
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: csrss.exe
process_identifier: 300
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: wininit.exe
process_identifier: 348
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: csrss.exe
process_identifier: 364
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: winlogon.exe
process_identifier: 396
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: services.exe
process_identifier: 440
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: lsass.exe
process_identifier: 456
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: lsm.exe
process_identifier: 464
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: svchost.exe
process_identifier: 568
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: svchost.exe
process_identifier: 640
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: svchost.exe
process_identifier: 700
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: svchost.exe
process_identifier: 776
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: svchost.exe
process_identifier: 824
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: audiodg.exe
process_identifier: 892
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: svchost.exe
process_identifier: 968
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: svchost.exe
process_identifier: 264
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: spoolsv.exe
process_identifier: 820
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: svchost.exe
process_identifier: 292
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: svchost.exe
process_identifier: 1192
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: srvany.exe
process_identifier: 1244
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: taskhost.exe
process_identifier: 1284
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: KMService.exe
process_identifier: 1324
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: conhost.exe
process_identifier: 1376
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: sppsvc.exe
process_identifier: 1800
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: svchost.exe
process_identifier: 1876
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: dwm.exe
process_identifier: 1496
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: explorer.exe
process_identifier: 1848
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: WmiPrvSE.exe
process_identifier: 1916
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: pw.exe
process_identifier: 2816
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: SearchIndexer.exe
process_identifier: 2940
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: SearchProtocolHost.exe
process_identifier: 1480
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: SearchFilterHost.exe
process_identifier: 3040
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: SearchProtocolHost.exe
process_identifier: 2120
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: mobsync.exe
process_identifier: 2064
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: pw.exe
process_identifier: 3064
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: taskhost.exe
process_identifier: 1276
1 1 0

Process32NextW

 snapshot_handle: 0x000001fc
process_name: winlog.exe
process_identifier: 2232
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
cmdline /c del "C:\Users\test22\AppData\Local\Temp\winlog.exe"
file C:\Users\test22\AppData\Local\Temp\winlog.exe
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Cyren W32/Injector.AFV.gen!Eldorado
APEX Malicious
FireEye Generic.mg.3d3c42f1e8978a60
SentinelOne Static AI - Suspicious PE
Microsoft Program:Win32/Wacapew.C!ml
Malwarebytes Malware.Heuristic.1001
Ikarus Trojan.NSIS.Agent
Fortinet W32/Injector.EOWC!tr
Process injection Process 2232 called NtSetContextThread to modify thread in remote process 1772
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4313104
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000210
process_identifier: 1772
1 0 0
dead_host 209.145.58.97:80