Summary | ZeroBOX

winlog.exe

Category Machine Started Completed
FILE s1_win7_x6402 March 17, 2021, 4:26 p.m. March 17, 2021, 4:29 p.m.
Size 212.7KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 5db87cb7c962ba04dd978d30cb01c246
SHA256 8c12d46d8842e4aea5c000fdea92abc49a86019f74a4a3d37e039a05c0b17c23
CRC32 88C7191B
ssdeep 6144:sTqjFxBB1MGlnBeZ0lIRiCdhXZ7xQH+QkcY:s6BFlnBOieBRxtQkcY
Yara
  • PE_Header_Zero - PE File Signature Zero
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_private_profile - Affect private profile
  • win_files_operation - Affect private profile
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasRichSignature - Rich Signature Check

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49813 -> 91.195.241.137:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49813 -> 91.195.241.137:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49813 -> 91.195.241.137:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49830 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49830 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49830 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49826 -> 198.49.23.145:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49826 -> 198.49.23.145:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49826 -> 198.49.23.145:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49817 -> 94.136.40.51:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49817 -> 94.136.40.51:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49817 -> 94.136.40.51:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49819 -> 192.0.78.24:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49819 -> 192.0.78.24:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49819 -> 192.0.78.24:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49824 -> 217.160.0.236:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49824 -> 217.160.0.236:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49824 -> 217.160.0.236:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49828 -> 173.231.242.82:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49828 -> 173.231.242.82:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49828 -> 173.231.242.82:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49815 -> 74.117.219.199:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49815 -> 74.117.219.199:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49815 -> 74.117.219.199:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.icepolo.com/nsag/?nt=KrISVuEJfroV2D55X6dLs0GN1f73ulMhv3kfCJ49OWlp4uYW/zulw4lDB/y+iFCn1yfvo+sH&3f=9r84q4yx
suspicious_features GET method with no useragent header suspicious_request GET http://www.botaniquecouture.com/nsag/?nt=3solHqD3xWFsPiOkiMb8ZxtvShu6k+bs5n8tAbp3gO4PLM7vhzh6xxFZXBBHvHdMHuTMMLyJ&3f=9r84q4yx
suspicious_features GET method with no useragent header suspicious_request GET http://www.usopencoverage.com/nsag/?nt=og4DIg58JlKco58KkdqEYNLQLc3eWWfvHIn4nR8VBNKZeGgyeIgd3wA4BT8g076OhyzEqtq0&3f=9r84q4yx
suspicious_features GET method with no useragent header suspicious_request GET http://www.translations.tools/nsag/?nt=1Yx90tXfD0vRUrwJZLNplGUVoptWSuBjE4n4ChdeuvIOAX2e1438cOyuyQxg5V577ZyhmWQ6&3f=9r84q4yx
suspicious_features GET method with no useragent header suspicious_request GET http://www.glowtheblog.com/nsag/?nt=HzZPNJQ8O4WE+bdm4vfaT6k2sBckkYigm/ImWf97pB6lZmCMtuvHJWo30XNbtj7YSTZJJE49&3f=9r84q4yx
suspicious_features GET method with no useragent header suspicious_request GET http://www.creationsbyjamie.com/nsag/?nt=ikjZmpp2rKIdfQGHLwg8/vzbnsAf6IhlNdWefevTJsajsTw6xmjgOZnutL3cpS9z2eZcVCpP&3f=9r84q4yx
suspicious_features GET method with no useragent header suspicious_request GET http://www.mistressofherdivinity.com/nsag/?nt=4H5+XAsX17t5i9bqNGjmVam9RdXQplhGCrWVGCPL7TSnyRXxkP5OCpmi44+txHN+I78jwTfj&3f=9r84q4yx
suspicious_features GET method with no useragent header suspicious_request GET http://www.oasisbracelet.com/nsag/?nt=X6jTNjBDiSL6TpbedZlH5jVf6UgVHRdaKJR1ltrC+bHekjCLhc2nJxvVQH1baaoFWgd9aMD6&3f=9r84q4yx
request POST http://www.icepolo.com/nsag/
request GET http://www.icepolo.com/nsag/?nt=KrISVuEJfroV2D55X6dLs0GN1f73ulMhv3kfCJ49OWlp4uYW/zulw4lDB/y+iFCn1yfvo+sH&3f=9r84q4yx
request POST http://www.botaniquecouture.com/nsag/
request GET http://www.botaniquecouture.com/nsag/?nt=3solHqD3xWFsPiOkiMb8ZxtvShu6k+bs5n8tAbp3gO4PLM7vhzh6xxFZXBBHvHdMHuTMMLyJ&3f=9r84q4yx
request POST http://www.usopencoverage.com/nsag/
request GET http://www.usopencoverage.com/nsag/?nt=og4DIg58JlKco58KkdqEYNLQLc3eWWfvHIn4nR8VBNKZeGgyeIgd3wA4BT8g076OhyzEqtq0&3f=9r84q4yx
request POST http://www.translations.tools/nsag/
request GET http://www.translations.tools/nsag/?nt=1Yx90tXfD0vRUrwJZLNplGUVoptWSuBjE4n4ChdeuvIOAX2e1438cOyuyQxg5V577ZyhmWQ6&3f=9r84q4yx
request POST http://www.glowtheblog.com/nsag/
request GET http://www.glowtheblog.com/nsag/?nt=HzZPNJQ8O4WE+bdm4vfaT6k2sBckkYigm/ImWf97pB6lZmCMtuvHJWo30XNbtj7YSTZJJE49&3f=9r84q4yx
request POST http://www.creationsbyjamie.com/nsag/
request GET http://www.creationsbyjamie.com/nsag/?nt=ikjZmpp2rKIdfQGHLwg8/vzbnsAf6IhlNdWefevTJsajsTw6xmjgOZnutL3cpS9z2eZcVCpP&3f=9r84q4yx
request POST http://www.mistressofherdivinity.com/nsag/
request GET http://www.mistressofherdivinity.com/nsag/?nt=4H5+XAsX17t5i9bqNGjmVam9RdXQplhGCrWVGCPL7TSnyRXxkP5OCpmi44+txHN+I78jwTfj&3f=9r84q4yx
request POST http://www.oasisbracelet.com/nsag/
request GET http://www.oasisbracelet.com/nsag/?nt=X6jTNjBDiSL6TpbedZlH5jVf6UgVHRdaKJR1ltrC+bHekjCLhc2nJxvVQH1baaoFWgd9aMD6&3f=9r84q4yx
request POST http://www.icepolo.com/nsag/
request POST http://www.botaniquecouture.com/nsag/
request POST http://www.usopencoverage.com/nsag/
request POST http://www.translations.tools/nsag/
request POST http://www.glowtheblog.com/nsag/
request POST http://www.creationsbyjamie.com/nsag/
request POST http://www.mistressofherdivinity.com/nsag/
request POST http://www.oasisbracelet.com/nsag/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1836
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a50000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nsmFFA8.tmp\2e66zvabn.dll
file C:\Users\test22\AppData\Local\Temp\nsmFFA8.tmp\2e66zvabn.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
url http://nsis.sf.net/NSIS_Error
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Create a windows service rule create_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over P2P network rule network_p2p_win
description Communications over HTTP rule network_http
description File downloader/dropper rule network_dropper
description Communications over FTP rule network_ftp
description Communications over RAW socket rule network_tcp_socket
description Communications use DNS rule network_dns
description Communication using dga rule network_dga
description Escalade priviledges rule escalate_priv
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Steal credential rule cred_local
description Record Audio rule sniff_audio
description APC queue tasks migration rule migrate_apc
description Malware can spread east-west using share drive rule spreading_share
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_private_profile
description Affect private profile rule win_files_operation
description Match Winsock 2 API library declaration rule Str_Win32_Winsock2_Library
description Match Windows Inet API library declaration rule Str_Win32_Wininet_Library
description Match Windows Inet API call rule Str_Win32_Internet_API
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Create a windows service rule create_service
description Create a COM server rule create_com_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over P2P network rule network_p2p_win
description Communications over HTTP rule network_http
description File downloader/dropper rule network_dropper
description Communications over FTP rule network_ftp
host 172.217.25.14
Process injection Process 2504 called NtSetContextThread to modify thread in remote process 1836
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4313088
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000224
process_identifier: 1836
1 0 0
Elastic malicious (high confidence)
FireEye Generic.mg.5db87cb7c962ba04
Qihoo-360 HEUR/QVM20.1.EFB0.Malware.Gen
McAfee Artemis!5DB87CB7C962
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Cyren W32/Injector.AFV.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Avast FileRepMalware
Cynet Malicious (score: 90)
Kaspersky UDS:DangerousObject.Multi.Generic
Paloalto generic.ml
AegisLab Trojan.Multi.Generic.4!c
McAfee-GW-Edition BehavesLike.Win32.ICLoader.dc
Sophos Generic ML PUA (PUA)
APEX Malicious
Avira HEUR/AGEN.1134255
Gridinsoft Risk.Win32.CoinMiner.sd!s1
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm UDS:DangerousObject.Multi.Generic
SentinelOne Static AI - Suspicious PE
Malwarebytes Malware.Heuristic.1001
Fortinet W32/Injector.EOWC!tr
AVG FileRepMalware
Cybereason malicious.d1e005
dead_host 103.88.34.80:80