Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 18, 2021, 10:25 a.m.	March 18, 2021, 10:27 a.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`5feb04f28b1b36c34c9cd6d877f4ef47`
SHA256	`24d059aa3c299c202acf0903a9a32beb4f191ae88c4835be517f8649c288d039`
CRC32	`91EE423A`
ssdeep	`24576:9ZxaKHJBLU+62PjRO+/DM/GxYUfIaaI86:9OkTo+62PljM+xpfgI`
Yara	PE_Header_Zero - PE File Signature Zero keylogger - Run a keylogger Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description)

rrr2.exe "C:\Users\test22\AppData\Local\Temp\rrr2.exe"
204
- rrr2.exe "C:\Users\test22\AppData\Local\Temp\rrr2.exe"
  1224

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 18, 2021, 10:25 a.m.			0	0
IsDebuggerPresent March 18, 2021, 10:25 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey March 18, 2021, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c5c28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 18, 2021, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c5ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 18, 2021, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c5ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 18, 2021, 10:25 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 79 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0105f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0105f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f22000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 18, 2021, 10:25 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 18, 2021, 10:27 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (14 events)

url	http://go2.microsoft.com/fwlink/?LinkId=131738
url	http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
url	http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0
url	http://microsoft.com0
url	http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
url	http://www.microsoft.com/pkiops/docs/primarycps.htm0
url	http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
url	http://beta.visualstudio.net/net/sdk/feedback.asp
url	http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
url	http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
url	http://www.microsoft.com/PKI/docs/CPS/default.htm0
url	http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
url	http://ns.adobe.com/xap/1.0/
url	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a

Yara rule detected in process memory (50 out of 105 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications smtp	rule	network_smtp_dotNet
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west file	rule	spreading_file
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	(no description)	rule	Check_Qemu_Description
description	(no description)	rule	Check_Qemu_DeviceMap
description	(no description)	rule	Check_VBox_Description
description	(no description)	rule	Check_VBox_DeviceMap
description	(no description)	rule	Check_VBox_Guest_Additions
description	(no description)	rule	Check_VBox_VideoDrivers
description	(no description)	rule	Check_VMWare_DeviceMap
description	(no description)	rule	Check_VmTools
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 18, 2021, 10:27 a.m.	process_identifier: 1224 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 18, 2021, 10:27 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $Å¥ÄäEÄäEÄäEî²OEÍÄäEî²zEÄäEî²yEÄäERichÄäEPELÐ:pTà p Ð@@.textÐop ` base_address: 0x00400000 process_identifier: 1224 process_handle: 0x00000244	1	1	0
WriteProcessMemory March 18, 2021, 10:27 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1224 process_handle: 0x00000244	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 18, 2021, 10:27 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $Å¥ÄäEÄäEÄäEî²OEÍÄäEî²zEÄäEî²yEÄäERichÄäEPELÐ:pTà p Ð@@.textÐop ` base_address: 0x00400000 process_identifier: 1224 process_handle: 0x00000244	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 204 called NtSetContextThread to modify thread in remote process 1224
NtSetContextThread March 18, 2021, 10:27 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313120 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000024c process_identifier: 1224	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 204 resumed a thread in remote process 1224
NtResumeThread March 18, 2021, 10:27 a.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 1224	1	0	0

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.5feb04f28b1b36c3
Qihoo-360	HEUR/QVM03.0.F2E7.Malware.Gen
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
BitDefenderTheta	Gen:NN.ZemsilF.34628.pn0@aSVRmmk
Symantec	Scr.Malcode!gdn30
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMetagen [Malware]
Sophos	ML/PE-A
McAfee-GW-Edition	BehavesLike.Win32.Generic.th
SentinelOne	Static AI - Malicious PE
Microsoft	Trojan:Win32/AgentTesla!ml
VBA32	CIL.HeapOverride.Heur
Malwarebytes	Malware.AI.2988386755
ESET-NOD32	a variant of MSIL/Kryptik.AABA
Ikarus	Trojan.Inject
AVG	FileRepMetagen [Malware]
CrowdStrike	win/malicious_confidence_80% (D)
MaxSecure	Trojan.Malware.300983.susgen

Executed a process and injected code into it, probably while unpacking (21 events)

Time & API	Arguments	Status	Return
NtResumeThread March 18, 2021, 10:25 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 204	1	0
NtResumeThread March 18, 2021, 10:25 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 204	1	0
NtResumeThread March 18, 2021, 10:25 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 204	1	0
NtResumeThread March 18, 2021, 10:25 a.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 204	1	0
NtGetContextThread March 18, 2021, 10:25 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread March 18, 2021, 10:25 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread March 18, 2021, 10:25 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 204	1	0
NtGetContextThread March 18, 2021, 10:25 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread March 18, 2021, 10:25 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread March 18, 2021, 10:25 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 204	1	0
NtGetContextThread March 18, 2021, 10:25 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread March 18, 2021, 10:25 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread March 18, 2021, 10:25 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 204	1	0
CreateProcessInternalW March 18, 2021, 10:27 a.m.	thread_identifier: 1572 thread_handle: 0x0000024c process_identifier: 1224 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\rrr2.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\rrr2.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000244	1	1
NtGetContextThread March 18, 2021, 10:27 a.m.	thread_handle: 0x0000024c	1	0
NtAllocateVirtualMemory March 18, 2021, 10:27 a.m.	process_identifier: 1224 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244	1	0
WriteProcessMemory March 18, 2021, 10:27 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $Å¥ÄäEÄäEÄäEî²OEÍÄäEî²zEÄäEî²yEÄäERichÄäEPELÐ:pTà p Ð@@.textÐop ` base_address: 0x00400000 process_identifier: 1224 process_handle: 0x00000244	1	1
WriteProcessMemory March 18, 2021, 10:27 a.m.	buffer: base_address: 0x00401000 process_identifier: 1224 process_handle: 0x00000244	1	1
WriteProcessMemory March 18, 2021, 10:27 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1224 process_handle: 0x00000244	1	1
NtSetContextThread March 18, 2021, 10:27 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313120 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000024c process_identifier: 1224	1	0
NtResumeThread March 18, 2021, 10:27 a.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 1224	1	0

rrr2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All