Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 17, 2024, 3:31 p.m.	May 17, 2024, 3:33 p.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`0340a002bf0a8c4a243f4bbef0834236`
SHA256	`61c0a64bfe9888a239b36e6ff9ca4a146a16cf8a8a6cea73c192294e95c60c19`
CRC32	`5ECF9172`
ssdeep	`24576:lMw+WkUCBvydcz3A8INztR7C2GcyKSaEo3hSWnkMLbiQ8zLvMM2ZkhG:lMw+WCBvCUA8CS3K1LxSWnkUbi3dMkhG`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer IsPE32 - (no description) UPX_Zero - UPX packed file

findlawthose.exe "C:\Users\test22\AppData\Local\Temp\findlawthose.exe"
1880
- cmd.exe "C:\Windows\System32\cmd.exe" /k move Bullet Bullet.cmd & Bullet.cmd & exit
  2096
  - tasklist.exe tasklist
    2208
  - findstr.exe findstr /I "wrsa.exe opssvc.exe"
    2244
  - tasklist.exe tasklist
    2356
  - findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    2392
  - cmd.exe cmd /c md 338493
    2508
  - findstr.exe findstr /V "EFFICIENCYORLANDOOUTCOMESONS" Yours
    2552
  - cmd.exe cmd /c copy /b Interface + Hacker + Accessory + Materials + Fox 338493\P
    2596
  - Joint.pif 338493\Joint.pif 338493\P
    2640
  - PING.EXE ping -n 5 127.0.0.1
    2724

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 17, 2024, 3:31 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 17, 2024, 3:31 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 17, 2024, 3:31 p.m.			0	0

Command line console output was observed (50 out of 1769 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: Erik=r console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: eaHpRome console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: Buf Jar Rick Raw Produced Legitimate Cocks console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: 'eaHpRome' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: ycQProviders console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: Interested Missing Software Mediterranean Aspects Revolutionary console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: 'ycQProviders' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: jhXPlayer console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: Lucas Cart Kick Montreal console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: 'jhXPlayer' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: mkCamps console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: Semi Swap Antenna console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: 'mkCamps' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: SdbvStick console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: 'SdbvStick' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: Faqs=Y console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: FjkNavy console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: Hills Currently Luxembourg Stomach Lindsay Crisis Arrangements console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: 'FjkNavy' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: zJSweet console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: 'zJSweet' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: FdDIScheduled console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: Realtors Contemporary Indicated Contact Showed Consolidation console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: 'FdDIScheduled' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: lLLocking console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: Demographic Formation Hoped Theories Shaft Cole Nevertheless Valid console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: 'lLLocking' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: QOJRid console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: Fought Consists Ultimate Reg Pee Alberta Vary Mcdonald console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: 'QOJRid' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: rxYRail console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: 'rxYRail' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2024, 3:31 p.m.	buffer: cqsStated console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 17, 2024, 3:31 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\338493\Joint.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /k move Bullet Bullet.cmd & Bullet.cmd & exit

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\338493\Joint.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\338493\Joint.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 17, 2024, 3:31 p.m.	show_type: 0 filepath_r: cmd parameters: /k move Bullet Bullet.cmd & Bullet.cmd & exit filepath: cmd	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return
Process32NextW May 17, 2024, 3:31 p.m.	snapshot_handle: 0x0000012c process_name: mobsync.exe process_identifier: 1800	1	1
Process32NextW May 17, 2024, 3:31 p.m.	snapshot_handle: 0x0000012c process_name: SearchProtocolHost.exe process_identifier: 1268	1	1
Process32NextW May 17, 2024, 3:31 p.m.	snapshot_handle: 0x0000012c process_name: findlawthose.exe process_identifier: 1880	1	1
Process32NextW May 17, 2024, 3:31 p.m.	snapshot_handle: 0x0000012c process_name: pw.exe process_identifier: 296	1	1
Process32NextW May 17, 2024, 3:31 p.m.	snapshot_handle: 0x0000012c process_name: conhost.exe process_identifier: 2132	1	1
Process32NextW May 17, 2024, 3:31 p.m.	snapshot_handle: 0x0000012c process_name: inject-x86.exe process_identifier: 2692	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 17, 2024, 3:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 17, 2024, 3:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	ping -n 5 127.0.0.1
cmdline	tasklist

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2096 resumed a thread in remote process 2640
NtResumeThread May 17, 2024, 3:31 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2640	1	0	0

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Obfus.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Cylance	unsafe
Sangfor	Trojan.Win32.Obfus.V8ho
K7AntiVirus	Trojan ( 005b47811 )
BitDefender	Trojan.GenericKD.72776136
K7GW	Trojan ( 005b47811 )
Symantec	Trojan.Gen.MBT
ESET-NOD32	NSIS/Runner.I
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
Kaspersky	HEUR:Trojan.BAT.Obfus.gen
MicroWorld-eScan	Trojan.GenericKD.72776136
Emsisoft	Trojan.GenericKD.72776136 (B)
F-Secure	Malware.BAT/Obfus.yzerc
FireEye	Generic.mg.0340a002bf0a8c4a
Sophos	Mal/Generic-S
Webroot	W32.Trojan.BAT.Obfus
Google	Detected
Avira	BAT/Obfus.yzerc
MAX	malware (ai score=88)
Kingsoft	Win32.Troj.Unknown.a
Xcitium	Malware@#382i43m5upkxs
Arcabit	Trojan.Generic.D45679C8
ZoneAlarm	HEUR:Trojan.Win32.Autoit.gen
GData	Win32.Trojan.Agent.05I2B1
Varist	W32/ABRisk.KHUC-0362
AhnLab-V3	Malware/Win.Generic.C5621713
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Dropper.NSIS
Tencent	Win32.Trojan.FalseSign.Ngil
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.7176537.susgen
Fortinet	W32/Runner.I!tr
AVG	Win32:Evo-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan[dropper]:Win/Runner.I

findlawthose.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All