Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 19, 2023, 5:57 p.m.	June 19, 2023, 5:59 p.m.

Size	5.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ef86450ca1ef20a87f9b3297aa8bb8e8`
SHA256	`a0fb2dd97975f0e746cc5c2fb2cb30d980cad135d3f4f7237b8324e0831ae7af`
CRC32	`3DEA798B`
ssdeep	`98304:MkLTpSZNWOn2F8IXgtSUg4cHprsrRmGS/kegYIiWrhOvmtZ45cYJkO0tI4NzFo:r0ZN9k8IXWpcHOYk5iWJtZmet3NzFo`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check mzp_file_format - MZP(Delphi) file format Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature

RedGiant Activation Service Unlocker 2023.2.1.exe "C:\Users\test22\AppData\Local\Temp\RedGiant Activation Service Unlocker 2023.2.1.exe"
2560
- RedGiant Activation Service Unlocker 2023.2.1.tmp "C:\Users\test22\AppData\Local\Temp\is-DEA6T.tmp\RedGiant Activation Service Unlocker 2023.2.1.tmp" /SL5="$80178,4765645,800256,C:\Users\test22\AppData\Local\Temp\RedGiant Activation Service Unlocker 2023.2.1.exe"
  2636
  - net.exe "C:\Windows\system32\net.exe" stop "Red Giant Service"
    2756
    - net1.exe C:\Windows\system32\net1 stop "Red Giant Service"
      2816
  - timeout.exe "timeout" /T 1 /NOBREAK
    2860
  - net.exe "C:\Windows\system32\net.exe" stop mxredirect
    2920
    - net1.exe C:\Windows\system32\net1 stop mxredirect
      2980
  - taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im "RGContentService.exe"
    3024
  - taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im "MxNotify.exe"
    800
  - deep.exe "C:\Users\test22\AppData\Local\Temp\is-V66SG.tmp\deep.exe" /verysilent
    148
    - deep.tmp "C:\Users\test22\AppData\Local\Temp\is-LU16A.tmp\deep.tmp" /SL5="$601E0,3608202,800256,C:\Users\test22\AppData\Local\Temp\is-V66SG.tmp\deep.exe" /verysilent
      2236
      - taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im maxon.exe
        2312
  - net.exe "C:\Windows\system32\net.exe" start "Red Giant Service"
    2552
    - net1.exe C:\Windows\system32\net1 start "Red Giant Service"
      2668
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 19, 2023, 5:57 p.m.			0	0
IsDebuggerPresent June 19, 2023, 5:57 p.m.			0	0

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 19, 2023, 5:57 p.m.	buffer: The service name is invalid. console_handle: 0x000000000000000b	1	1
WriteConsoleW June 19, 2023, 5:57 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x000000000000000b	1	1
WriteConsoleW June 19, 2023, 5:57 p.m.	buffer: Waiting for 1 console_handle: 0x0000000000000007	1	1
WriteConsoleW June 19, 2023, 5:57 p.m.	buffer: seconds, press CTRL+C to quit ... console_handle: 0x0000000000000007	1	1
WriteConsoleW June 19, 2023, 5:57 p.m.	buffer: The service name is invalid. console_handle: 0x000000000000000b	1	1
WriteConsoleW June 19, 2023, 5:57 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x000000000000000b	1	1
WriteConsoleW June 19, 2023, 5:57 p.m.	buffer: ERROR: The process "RGContentService.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW June 19, 2023, 5:57 p.m.	buffer: ERROR: The process "MxNotify.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW June 19, 2023, 5:57 p.m.	buffer: ERROR: The process "maxon.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW June 19, 2023, 5:57 p.m.	buffer: The service name is invalid. console_handle: 0x000000000000000b	1	1
WriteConsoleW June 19, 2023, 5:57 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x000000000000000b	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	c:\program files\mozilla firefox\firefox.exe

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 19, 2023, 5:57 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2023, 5:57 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2023, 5:57 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2023, 5:57 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2023, 5:57 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2023, 5:57 p.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733b2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2023, 5:57 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2023, 5:58 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000008710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2023, 5:57 p.m.	process_identifier: 148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2023, 5:57 p.m.	process_identifier: 148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2023, 5:57 p.m.	process_identifier: 148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2023, 5:57 p.m.	process_identifier: 148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2023, 5:57 p.m.	process_identifier: 148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 19, 2023, 5:57 p.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733b2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 19, 2023, 5:57 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\is-V66SG.tmp\_isetup\_iscrypt.dll
file	C:\Users\test22\AppData\Local\Temp\is-S19HO.tmp\_isetup\_iscrypt.dll

Creates a shortcut to an executable file (13 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\is-V66SG.tmp\deep.exe
file	C:\Users\test22\AppData\Local\Temp\is-LU16A.tmp\deep.tmp
file	C:\Users\test22\AppData\Local\Temp\is-S19HO.tmp\_isetup\_iscrypt.dll

Executes one or more WMI queries (3 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MxNotify.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "RGContentService.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "maxon.exe")

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

Bkav	W32.AIDetectMalware
Trapmine	malicious.high.ml.score

Checks for the Locally Unique Identifier on the system for a suspicious privilege (17 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 19, 2023, 5:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2023, 5:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2023, 5:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2023, 5:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2023, 5:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2023, 5:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2023, 5:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2023, 5:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2023, 5:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2023, 5:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2023, 5:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2023, 5:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2023, 5:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2023, 5:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 19, 2023, 5:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 19, 2023, 5:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 19, 2023, 5:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Queries for potentially installed applications (2 events)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW June 19, 2023, 5:57 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Activation Service Unlocker_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Activation Service Unlocker_is1		2	0
RegOpenKeyExW June 19, 2023, 5:57 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Activation Service Unlocker_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Activation Service Unlocker_is1		2	0

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	"C:\Windows\system32\net.exe" stop "Red Giant Service"
cmdline	"C:\Windows\system32\net.exe" stop mxredirect
cmdline	"C:\Windows\system32\taskkill.exe" /f /im "MxNotify.exe"
cmdline	"C:\Windows\system32\taskkill.exe" /f /im "RGContentService.exe"
cmdline	"C:\Windows\system32\net.exe" start "Red Giant Service"
cmdline	"C:\Windows\system32\taskkill.exe" /f /im maxon.exe

RedGiant Activation Service Unlocker 2023.2.1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All