Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 30, 2024, 9:47 a.m.	April 30, 2024, 9:49 a.m.

Size	654.6KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`87f8958f40e487f7d816cd1aaf52fa84`
SHA256	`546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8`
CRC32	`C9DE7D62`
ssdeep	`12288:IXAx/2a0CTmgQ9AlrsgsdNUUhfjersFwz3NTwBOuCUxQQZNIuJ3M7THqAi4dD4:IXAx/2z9CrsgsTUU1ioEnuCUxQQZN9Je`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer IsPE32 - (no description) UPX_Zero - UPX packed file

index.php "C:\Users\test22\AppData\Local\Temp\index.php"
1984
- cmd.exe "C:\Windows\System32\cmd.exe" /k move Eva Eva.cmd & Eva.cmd & exit
  2076
  - findstr.exe findstr /I "wrsa.exe opssvc.exe"
    2212
  - tasklist.exe tasklist
    2176
  - tasklist.exe tasklist
    2320
  - findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    2356
  - cmd.exe cmd /c md 55118595
    2432
  - findstr.exe findstr /V "RealizedBreachAttractCasino" Sapphire
    2480
  - cmd.exe cmd /c copy /b Bulk + Vic + Wherever 55118595\g
    2524
  - Weblog.pif 55118595\Weblog.pif 55118595\g
    2568
  - PING.EXE ping -n 5 127.0.0.1
    2652

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 30, 2024, 9:47 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 30, 2024, 9:47 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 30, 2024, 9:47 a.m.			0	0

Command line console output was observed (50 out of 762 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: Colleague=9 console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: cXSwap console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: Availability Documentcreatetextnode console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: 'cXSwap' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: rOvKSubsidiary console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: 'rOvKSubsidiary' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: awPrecise console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: 'awPrecise' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: LkRDClan console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: Nevertheless Latin Diameter Modifications Occur console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: 'LkRDClan' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: OIPQMinute console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: Era German Tribunal Apt Index Invisible console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: 'OIPQMinute' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: xnWWInline console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: Belongs console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: 'xnWWInline' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: vReGovernmental console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: Preference Public Israeli Rocket Promising console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: 'vReGovernmental' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: oFWAt console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: Informative Pi Ing console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: 'oFWAt' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: Proper=7 console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: JOzRPrefers console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: Pharmacy console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: 'JOzRPrefers' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: ruBFast console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: Sorts Resistant Described console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: 'ruBFast' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: TFChi console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: Fingering Valve Enrollment Briefs Instant Booty T Jersey console_handle: 0x00000007	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: 'TFChi' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 30, 2024, 9:47 a.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 30, 2024, 9:47 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\55118595\Weblog.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /k move Eva Eva.cmd & Eva.cmd & exit

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\55118595\Weblog.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\55118595\Weblog.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 30, 2024, 9:47 a.m.	show_type: 0 filepath_r: cmd parameters: /k move Eva Eva.cmd & Eva.cmd & exit filepath: cmd	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 events)

Time & API	Arguments	Status	Return
Process32NextW April 30, 2024, 9:47 a.m.	snapshot_handle: 0x0000012c process_name: mobsync.exe process_identifier: 536	1	1
Process32NextW April 30, 2024, 9:47 a.m.	snapshot_handle: 0x0000012c process_name: taskhost.exe process_identifier: 1872	1	1
Process32NextW April 30, 2024, 9:47 a.m.	snapshot_handle: 0x0000012c process_name: cmd.exe process_identifier: 496	1	1
Process32NextW April 30, 2024, 9:47 a.m.	snapshot_handle: 0x0000012c process_name: SearchProtocolHost.exe process_identifier: 808	1	1
Process32NextW April 30, 2024, 9:47 a.m.	snapshot_handle: 0x0000012c process_name: conhost.exe process_identifier: 300	1	1
Process32NextW April 30, 2024, 9:47 a.m.	snapshot_handle: 0x0000012c process_name: pw.exe process_identifier: 1076	1	1
Process32NextW April 30, 2024, 9:47 a.m.	snapshot_handle: 0x0000012c process_name: conhost.exe process_identifier: 2112	1	1
Process32NextW April 30, 2024, 9:47 a.m.	snapshot_handle: 0x0000012c process_name: Weblog.pif process_identifier: 2568	1	1
Process32NextW April 30, 2024, 9:47 a.m.	snapshot_handle: 0x0000012c process_name: inject-x86.exe process_identifier: 2620	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 30, 2024, 9:47 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 30, 2024, 9:47 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	ping -n 5 127.0.0.1
cmdline	tasklist

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2076 resumed a thread in remote process 2568
NtResumeThread April 30, 2024, 9:47 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2568	1	0	0

index.php

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All