IntelONE.txt

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 17, 2021, 11:09 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 17, 2021, 11:09 p.m.	buffer: SUCCESS: The scheduled task "IntelONE" has successfully been created. console_handle: 0x00000007	1	1	0

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 17, 2021, 11:09 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\ProgramData\Intel\IntelONE.exe

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /CREATE /SC HOURLY /MO 1 /TN IntelONE /TR C:\ProgramData\Intel\IntelONE.exe /F
cmdline	SCHTASKS /CREATE /SC HOURLY /MO 1 /TN IntelONE /TR C:\ProgramData\Intel\IntelONE.exe /F

Yara rule detected in process memory (13 events)

description	Listen for incoming communication				rule	network_tcp_listen
description	Affect system registries				rule	win_registry
description	Affect system token				rule	win_token
description	Affect private profile				rule	win_files_operation
description	Match Winsock 2 API library declaration				rule	Str_Win32_Winsock2_Library
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /CREATE /SC HOURLY /MO 1 /TN IntelONE /TR C:\ProgramData\Intel\IntelONE.exe /F
cmdline	SCHTASKS /CREATE /SC HOURLY /MO 1 /TN IntelONE /TR C:\ProgramData\Intel\IntelONE.exe /F

Installs itself for autorun at Windows startup (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /CREATE /SC HOURLY /MO 1 /TN IntelONE /TR C:\ProgramData\Intel\IntelONE.exe /F
cmdline	SCHTASKS /CREATE /SC HOURLY /MO 1 /TN IntelONE /TR C:\ProgramData\Intel\IntelONE.exe /F

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
FireEye	Generic.mg.8e2288bfb74d2422
McAfee	Artemis!8E2288BFB74D
Zillya	Trojan.ScriptKD.JS.10
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_60% (W)
Cyren	W32/Trojan.REOR-6425
APEX	Malicious
Avast	FileRepMalware
Kaspersky	HEUR:Backdoor.Win32.Xaparo.gen
Paloalto	generic.ml
McAfee-GW-Edition	BehavesLike.Win32.Generic.jc
Sophos	ML/PE-A
Microsoft	Program:Win32/Wacapew.C!ml
Cynet	Malicious (score: 100)
Malwarebytes	Malware.Heuristic.1001
Rising	Trojan.TaskRun/SFX!1.D3EF (CLASSIC)
AVG	FileRepMalware

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Process injection	Process 2864 resumed a thread in remote process 4892
Time & API	Arguments	Status	Return	Repeated
NtResumeThread March 17, 2021, 11:09 p.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 4892	1	0	0