Summary | ZeroBOX

update.exe

Category Machine Started Completed
FILE s1_win7_x6401 March 17, 2021, 1:48 p.m. March 17, 2021, 1:50 p.m.
Size 719.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 01c615395a542dead29b178a9bc00894
SHA256 118b89c768bf2982d0be23ac9f157eaa81756adb30126e56290e54609915526e
CRC32 62F0243C
ssdeep 12288:OYV6MorX7qzuC3QHO9FQVHPF51jgcBLcMm/YX1EvoZsAOkxQ40dNH3uyX1ST:tBXu9HGaVHFjmwFioZYD40fb1k
Yara
  • PE_Header_Zero - PE File Signature Zero
  • screenshot - Take screenshot
  • Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
  • Str_Win32_Wininet_Library - Match Windows Inet API library declaration
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasRichSignature - Rich Signature Check
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b62000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00fc0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1116
region_size: 2596864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02e90000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
section UPX1 (virtual_address 0x00091000, virtual_size 0x00057000, size_of_data 0x00056400, entropy 7.9351011024761124) entropy 7.93510110248 description A section with a high entropy has been found
entropy 0.855018587361 description Overall entropy of this PE file is high
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Hijack network configuration rule hijack_network
description Create a windows service rule create_service
description Create a COM server rule create_com_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over Teredo network rule network_toredo
description Communications over P2P network rule network_p2p_win
description Communications over HTTP rule network_http
description File downloader/dropper rule network_dropper
description Communications over FTP rule network_ftp
description Communications over RAW socket rule network_tcp_socket
description Communications use DNS rule network_dns
description Communication using dga rule network_dga
description Escalate privileges rule escalate_priv
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Steal credential rule cred_local
description Record Audio rule sniff_audio
description APC queue tasks migration rule migrate_apc
description Malware can spread east-west file rule spreading_file
description Malware can spread east-west using share drive rule spreading_share
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_private_profile
description Affect private profile rule win_files_operation
description Match Winsock 2 API library declaration rule Str_Win32_Winsock2_Library
description Match Windows Inet API library declaration rule Str_Win32_Wininet_Library
description Match Windows Inet API call rule Str_Win32_Internet_API
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Hijack network configuration rule hijack_network
description Listen for incoming communication rule network_tcp_listen
description Communications over IRC network rule network_irc
description Communications over HTTP rule network_http
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
buffer Buffer with sha1: 3d1741b7260b14dbec004b713851e755ece05312
buffer Buffer with sha1: 928595a385c8ae5dee032046e94777761c128a8a
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1972
region_size: 2596864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000128
3221225496 0

NtAllocateVirtualMemory

process_identifier: 1972
region_size: 2596864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00790000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000128
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Registry Services reg_value C:\Users\test22\AppData\Roaming\Registry Services\svchost.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Registry Services reg_value C:\Users\test22\AppData\Roaming\Registry Services\svchost.exe
Process injection Process 1116 manipulating memory of non-child process 1972
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1972
region_size: 2596864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000128
3221225496 0

NtAllocateVirtualMemory

process_identifier: 1972
region_size: 2596864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00790000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000128
1 0 0

NtProtectVirtualMemory

process_identifier: 1972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 2 (PAGE_READONLY)
base_address: 0x00790000
process_handle: 0x00000128
1 0 0

NtProtectVirtualMemory

process_identifier: 1972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 204800
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00791000
process_handle: 0x00000128
1 0 0

NtProtectVirtualMemory

process_identifier: 1972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 69632
protection: 2 (PAGE_READONLY)
base_address: 0x007c3000
process_handle: 0x00000128
1 0 0

NtProtectVirtualMemory

process_identifier: 1972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 2301952
protection: 4 (PAGE_READWRITE)
base_address: 0x007d4000
process_handle: 0x00000128
1 0 0

NtProtectVirtualMemory

process_identifier: 1972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 16384
protection: 2 (PAGE_READONLY)
base_address: 0x00a06000
process_handle: 0x00000128
1 0 0
Process injection Process 1116 injected into non-child 1972
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: y
base_address: 0xfffde008
process_identifier: 1972
process_handle: 0x00000128
1 1 0
Process injection Process 1116 called NtSetContextThread to modify thread in remote process 1972
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2000355780
registers.esp: 7929484
registers.edi: 0
registers.eax: 8035959
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000134
process_identifier: 1972
1 0 0
Process injection Process 1116 resumed a thread in remote process 1972
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000134
suspend_count: 1
process_identifier: 1972
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 540
thread_handle: 0x00000134
process_identifier: 1972
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\update.exe
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\update.exe
filepath_r: C:\Users\test22\AppData\Local\Temp\update.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000128
1 1 0

NtGetContextThread

thread_handle: 0x00000134
1 0 0

NtAllocateVirtualMemory

process_identifier: 1972
region_size: 2596864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000128
3221225496 0

NtAllocateVirtualMemory

process_identifier: 1972
region_size: 2596864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00790000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000128
1 0 0

WriteProcessMemory

buffer:
base_address: 0x00790000
process_identifier: 1972
process_handle: 0x00000128
1 1 0

WriteProcessMemory

buffer: y
base_address: 0xfffde008
process_identifier: 1972
process_handle: 0x00000128
1 1 0

NtSetContextThread

registers.eip: 2000355780
registers.esp: 7929484
registers.edi: 0
registers.eax: 8035959
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000134
process_identifier: 1972
1 0 0

NtResumeThread

thread_handle: 0x00000134
suspend_count: 1
process_identifier: 1972
1 0 0
Antivirus Result
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.36308558
FireEye Trojan.GenericKD.36308558
CAT-QuickHeal Trojan.Script
ALYac Trojan.GenericKD.36308558
Cylance Unsafe
Zillya Trojan.Injector.Win32.826600
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0056e5201 )
Alibaba Trojan:Win32/Starter.ali2000005
K7GW Trojan ( 0056e5201 )
CrowdStrike win/malicious_confidence_90% (W)
Arcabit Trojan.Generic.D22A064E
Cyren W32/Trojan.NISE-0499
Symantec ML.Attribute.HighConfidence
ESET-NOD32 multiple detections
APEX Malicious
Avast Script:SNH-gen [Trj]
ClamAV Win.Malware.Autoit-9774701-0
Kaspersky HEUR:Trojan.Script.Generic
BitDefender Trojan.GenericKD.36308558
NANO-Antivirus Trojan.Win32.AutoIt.ilnnue
Paloalto generic.ml
Ad-Aware Trojan.GenericKD.36308558
Sophos Mal/Generic-S
VIPRE Trojan.Win32.Generic!BT
TrendMicro Trojan.Win32.ARTEMIS.USMANB621
McAfee-GW-Edition BehavesLike.Win32.TrojanAitInject.bc
Emsisoft Trojan.GenericKD.36308558 (B)
Webroot W32.Trojan.Gen
Avira DR/AutoIt.Gen8
Gridinsoft Trojan.Win32.Downloader.sa
Microsoft Trojan:Win32/Ymacco.AA11
ViRobot Trojan.Win32.Z.Agent.736773
GData Trojan.GenericKD.36308558
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Gen.Reputation.C4326164
McAfee RDN/Generic.dx
MAX malware (ai score=82)
VBA32 Trojan.Ymacco
Malwarebytes Malware.AI.1587790382
TrendMicro-HouseCall Trojan.Win32.ARTEMIS.USMANB621
Yandex Trojan.AvsArher.bS9LKk
Ikarus Trojan.Win32.Obfuscated
MaxSecure Trojan.Malware.7175203.susgen
Fortinet W32/multiple_detections
AVG Script:SNH-gen [Trj]
Cybereason malicious.95a542
Panda Trj/CI.A