Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 17, 2021, 11:34 p.m.	March 17, 2021, 11:38 p.m.

Size	3.5MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`8f94297c9a87de5c84a3c6b2d43a3809`
SHA256	`e1eda5c9ef3158ecc5dabc82b244def26c0a938c797a1c97752ff32505b0f048`
CRC32	`0EE045CE`
ssdeep	`1536:U6+o7BcTd7F+jNFIuj+pVlw4lNJz1VD3zzvizZ5systS34UfNS34Uf:UmFCsZF1jg7TJz15PNyxs`
Yara	PE_Header_Zero - PE File Signature Zero Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check HasDigitalSignature - DigitalSignature Check

1fc2d.txt "C:\Users\test22\AppData\Local\Temp\1fc2d.txt"
2208
- cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 1
  8708
  - timeout.exe timeout 1
    1472
- 1fc2d.txt "C:\Users\test22\AppData\Local\Temp\1fc2d.txt"
  8992

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch
94.103.84.193	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 17, 2021, 11:33 p.m.			0	0
IsDebuggerPresent March 17, 2021, 11:33 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 17, 2021, 11:33 p.m.	buffer: Waiting for 1 console_handle: 0x00000007	1	1	0
WriteConsoleW March 17, 2021, 11:33 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey March 17, 2021, 11:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f3418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 17, 2021, 11:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f31d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 17, 2021, 11:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f31d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\Main

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 17, 2021, 11:33 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 81 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00de0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00405000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e76000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800040 process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800048 process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0080004c process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800050 process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800056 process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0080005c process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800060 process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800068 process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0080006c process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800074 process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0080007c process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0080008c process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800090 process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800094 process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800098 process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008000a0 process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008000a4 process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008000a8 process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008000ac process_handle: 0xffffffff		3221225541

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\Main
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Creates a suspicious process (2 events)

cmdline	cmd.exe /c timeout 1
cmdline	"C:\Windows\System32\cmd.exe" /c timeout 1

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 17, 2021, 11:33 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c timeout 1 filepath: cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (8 events)

Time & API	Arguments	Status	Return
Process32NextW March 17, 2021, 11:33 p.m.	snapshot_handle: 0x000000d4 process_name: mobsync.exe process_identifier: 8012	1	1
Process32NextW March 17, 2021, 11:33 p.m.	snapshot_handle: 0x000000d4 process_name: pw.exe process_identifier: 7308	1	1
Process32NextW March 17, 2021, 11:33 p.m.	snapshot_handle: 0x000000d4 process_name: taskhost.exe process_identifier: 6464	1	1
Process32NextW March 17, 2021, 11:33 p.m.	snapshot_handle: 0x000000d4 process_name: cmd.exe process_identifier: 2328	1	1
Process32NextW March 17, 2021, 11:33 p.m.	snapshot_handle: 0x000000d4 process_name: conhost.exe process_identifier: 1040	1	1
Process32NextW March 17, 2021, 11:33 p.m.	snapshot_handle: 0x000000d4 process_name: pw.exe process_identifier: 2288	1	1
Process32NextW March 17, 2021, 11:33 p.m.	snapshot_handle: 0x000000d4 process_name: slui.exe process_identifier: 3588	1	1
Process32NextW March 17, 2021, 11:33 p.m.	snapshot_handle: 0x000000d4 process_name: 1fc2d.txt process_identifier: 8992	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 17, 2021, 11:33 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://steamcommunity.com/profiles/

Yara rule detected in process memory (16 events)

description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over RAW socket	rule	network_tcp_socket
description	Take screenshot	rule	screenshot
description	APC queue tasks migration	rule	migrate_apc
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	94.103.84.193

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 8992 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000330	1	0	0

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 17, 2021, 11:33 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÑþÍh£;£;£;Î÷ :£;Î÷¦:2£;Î÷¤:£;+î¦: £;+î§:£;+î :£;Î÷§:£;Î÷¢:£;¢;@£; í«:£; í\;£; í¡:£;Rich£;PEL¸7`àNpF`@@jÈ°Àø7Ø8 @`.textÕLN `.rdata¢`R@@.data°%n@À.rsrc°@@.relocø7À8@B base_address: 0x00400000 process_identifier: 8992 process_handle: 0x00000330	1	1
WriteProcessMemory March 17, 2021, 11:33 p.m.	buffer: 0 HX°,ä,4VS_VERSION_INFO½ïþ?StringFileInfof040904b1, Commentsdbba afee(CompanyNamedaa8FileDescriptioncdb dac0FileVersion0.5.1.4z+LegalCopyrightCopyright 2020 © fdb. All rights reserved.B OriginalFilenamefebf cde.exe2 ProductNamefebf cde4ProductVersion8.2.0.48Assembly Version8.2.0.42LegalTrademarkseeffDVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD base_address: 0x0046b000 process_identifier: 8992 process_handle: 0x00000330	1	1
WriteProcessMemory March 17, 2021, 11:33 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 8992 process_handle: 0x00000330	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 17, 2021, 11:33 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÑþÍh£;£;£;Î÷ :£;Î÷¦:2£;Î÷¤:£;+î¦: £;+î§:£;+î :£;Î÷§:£;Î÷¢:£;¢;@£; í«:£; í\;£; í¡:£;Rich£;PEL¸7`àNpF`@@jÈ°Àø7Ø8 @`.textÕLN `.rdata¢`R@@.data°%n@À.rsrc°@@.relocø7À8@B base_address: 0x00400000 process_identifier: 8992 process_handle: 0x00000330	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2208 called NtSetContextThread to modify thread in remote process 8992
NtSetContextThread March 17, 2021, 11:33 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4435270 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000350 process_identifier: 8992	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2208 resumed a thread in remote process 8992
NtResumeThread March 17, 2021, 11:33 p.m.	thread_handle: 0x00000350 suspend_count: 1 process_identifier: 8992	1	0	0

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.8f94297c9a87de5c
Cylance	Unsafe
K7AntiVirus	Trojan ( 00575cf01 )
K7GW	Trojan ( 00575cf01 )
Cybereason	malicious.91c6a4
BitDefenderTheta	Gen:NN.ZemsilF.34628.HlZ@aiF9oip
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Evo-gen [Susp]
Kaspersky	HEUR:Trojan.Win32.Injuke.pef
Rising	Stealer.Hunter!8.122F9 (CLOUD)
Sophos	Mal/Generic-S
DrWeb	Trojan.PackedNET.530
McAfee-GW-Edition	PWS-FCWL!8F94297C9A87
SentinelOne	Static AI - Malicious PE
Avira	HEUR/AGEN.1140844
Microsoft	Trojan:Win32/Wacatac.B!ml
Cynet	Malicious (score: 100)
McAfee	PWS-FCWL!8F94297C9A87
ESET-NOD32	a variant of MSIL/Kryptik.ZNE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenKryptik.EZDB!tr
AVG	Win32:Evo-gen [Susp]

Executed a process and injected code into it, probably while unpacking (25 events)

Time & API	Arguments	Status	Return
NtResumeThread March 17, 2021, 11:33 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread March 17, 2021, 11:33 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread March 17, 2021, 11:33 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread March 17, 2021, 11:33 p.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2208	1	0
NtGetContextThread March 17, 2021, 11:33 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread March 17, 2021, 11:33 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread March 17, 2021, 11:33 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2208	1	0
NtGetContextThread March 17, 2021, 11:33 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread March 17, 2021, 11:33 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread March 17, 2021, 11:33 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread March 17, 2021, 11:33 p.m.	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 2208	1	0
CreateProcessInternalW March 17, 2021, 11:33 p.m.	thread_identifier: 7688 thread_handle: 0x00000378 process_identifier: 8708 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c timeout 1 filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000380	1	1
CreateProcessInternalW March 17, 2021, 11:33 p.m.	thread_identifier: 7960 thread_handle: 0x00000350 process_identifier: 8992 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\1fc2d.txt track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\1fc2d.txt stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000330	1	1
NtGetContextThread March 17, 2021, 11:33 p.m.	thread_handle: 0x00000350	1	0
NtAllocateVirtualMemory March 17, 2021, 11:33 p.m.	process_identifier: 8992 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000330	1	0
WriteProcessMemory March 17, 2021, 11:33 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÑþÍh£;£;£;Î÷ :£;Î÷¦:2£;Î÷¤:£;+î¦: £;+î§:£;+î :£;Î÷§:£;Î÷¢:£;¢;@£; í«:£; í\;£; í¡:£;Rich£;PEL¸7`àNpF`@@jÈ°Àø7Ø8 @`.textÕLN `.rdata¢`R@@.data°%n@À.rsrc°@@.relocø7À8@B base_address: 0x00400000 process_identifier: 8992 process_handle: 0x00000330	1	1
WriteProcessMemory March 17, 2021, 11:33 p.m.	buffer: base_address: 0x00401000 process_identifier: 8992 process_handle: 0x00000330	1	1
WriteProcessMemory March 17, 2021, 11:33 p.m.	buffer: base_address: 0x00456000 process_identifier: 8992 process_handle: 0x00000330	1	1
WriteProcessMemory March 17, 2021, 11:33 p.m.	buffer: base_address: 0x00468000 process_identifier: 8992 process_handle: 0x00000330	1	1
WriteProcessMemory March 17, 2021, 11:33 p.m.	buffer: 0 HX°,ä,4VS_VERSION_INFO½ïþ?StringFileInfof040904b1, Commentsdbba afee(CompanyNamedaa8FileDescriptioncdb dac0FileVersion0.5.1.4z+LegalCopyrightCopyright 2020 © fdb. All rights reserved.B OriginalFilenamefebf cde.exe2 ProductNamefebf cde4ProductVersion8.2.0.48Assembly Version8.2.0.42LegalTrademarkseeffDVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD base_address: 0x0046b000 process_identifier: 8992 process_handle: 0x00000330	1	1
WriteProcessMemory March 17, 2021, 11:33 p.m.	buffer: base_address: 0x0046c000 process_identifier: 8992 process_handle: 0x00000330	1	1
WriteProcessMemory March 17, 2021, 11:33 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 8992 process_handle: 0x00000330	1	1
NtSetContextThread March 17, 2021, 11:33 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4435270 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000350 process_identifier: 8992	1	0
NtResumeThread March 17, 2021, 11:33 p.m.	thread_handle: 0x00000350 suspend_count: 1 process_identifier: 8992	1	0
CreateProcessInternalW March 17, 2021, 11:33 p.m.	thread_identifier: 4636 thread_handle: 0x00000084 process_identifier: 1472 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 1 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (50 out of 69 events)

dead_host	192.168.56.102:49827
dead_host	192.168.56.102:49845
dead_host	192.168.56.102:49856
dead_host	192.168.56.102:49882
dead_host	192.168.56.102:49836
dead_host	192.168.56.102:49869
dead_host	192.168.56.102:49816
dead_host	192.168.56.102:49831
dead_host	192.168.56.102:49849
dead_host	192.168.56.102:49860
dead_host	192.168.56.102:49840
dead_host	192.168.56.102:49873
dead_host	192.168.56.102:49820
dead_host	192.168.56.102:49835
dead_host	192.168.56.102:49853
dead_host	192.168.56.102:49864
dead_host	192.168.56.102:49826
dead_host	192.168.56.102:49871
dead_host	192.168.56.102:49844
dead_host	192.168.56.102:49859
dead_host	192.168.56.102:49877
dead_host	192.168.56.102:49839
dead_host	192.168.56.102:49868
dead_host	192.168.56.102:49819
dead_host	192.168.56.102:49830
dead_host	192.168.56.102:49848
dead_host	192.168.56.102:49863
dead_host	192.168.56.102:49881
dead_host	192.168.56.102:49843
dead_host	192.168.56.102:49872
dead_host	192.168.56.102:49823
dead_host	192.168.56.102:49852
dead_host	192.168.56.102:49867
dead_host	192.168.56.102:49814
dead_host	192.168.56.102:49847
dead_host	192.168.56.102:49858
dead_host	192.168.56.102:49876
dead_host	192.168.56.102:49838
dead_host	192.168.56.102:49834
dead_host	192.168.56.102:49818
dead_host	192.168.56.102:49825
dead_host	192.168.56.102:49851
dead_host	192.168.56.102:49862
dead_host	192.168.56.102:49880
dead_host	192.168.56.102:49842
dead_host	192.168.56.102:49875
dead_host	192.168.56.102:49822
dead_host	192.168.56.102:49829
dead_host	192.168.56.102:49855
dead_host	192.168.56.102:49866

1fc2d.txt

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All