Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 30, 2024, 10:11 a.m.	May 30, 2024, 10:16 a.m.

Size	5.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7c066067ec3b865ea08f31c9aa005027`
SHA256	`1c6471d6b7227e7b4c1a059cdaca47b74013bb9306c94abd74a4fc3e1656aabf`
CRC32	`FCBF2E4A`
ssdeep	`98304:e5aF2YKYZirvSA48Lm/4BCYh/hT7DXIV3lK28gYrtO7coDh/fOO1fqzYzby4vha7:e5aF3KmiOxHAYc/hT7DEKZFUwopmcThU`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

TweaksAlt.exe "C:\Users\test22\AppData\Local\Temp\TweaksAlt.exe"
2652
- cmd.exe "C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\SviridTweaks\KillDuplicate.cmd" "C:\Users\test22\AppData\Local\Temp\SviridTweaks" "TweaksAlt.exe""
  2772
- Launcher.exe "C:\Users\test22\AppData\Local\Temp\SviridTweaks\Launcher.exe"
  2840
  - RunAsTI.exe "RunAsTI.exe" Windows_Defender_disable.cmd
    2904
  - RunAsTI.exe "RunAsTI.exe" Windows_Defender_disable.cmd
    1400
  - RunAsTI.exe "RunAsTI.exe" Windows_Defender_disable.cmd
    2648
  - RunAsTI.exe "RunAsTI.exe" Windows_Defender_disable.cmd
    3036
  - RunAsTI.exe "RunAsTI.exe" User_Account_Control_Enable.cmd
    2384
  - RunAsTI.exe "RunAsTI.exe" User_Account_Control_Enable.cmd
    2600
  - RunAsTI.exe "RunAsTI.exe" WindowsUpdate_enable.cmd
    2748
  - RunAsTI.exe "RunAsTI.exe" WindowsUpdate_enable.cmd
    2396
  - RunAsTI.exe "RunAsTI.exe" User_Account_Control_Enable.cmd
    3008
  - RunAsTI.exe "RunAsTI.exe" User_Account_Control_Enable.cmd
    2444
  - RunAsTI.exe "RunAsTI.exe" User_Account_Control_Enable.cmd
    1332
  - RunAsTI.exe "RunAsTI.exe" User_Account_Control_Enable.cmd
    2408
  - RunAsTI.exe "RunAsTI.exe" WindowsUpdate_enable.cmd
    2512
  - RunAsTI.exe "RunAsTI.exe" WindowsUpdate_enable.cmd
    3016
  - RunAsTI.exe "RunAsTI.exe" User_Account_Control_Enable.cmd
    2180
  - RunAsTI.exe "RunAsTI.exe" User_Account_Control_Enable.cmd
    2424
  - RunAsTI.exe "RunAsTI.exe" WindowsUpdate_enable.cmd
    2728
  - RunAsTI.exe "RunAsTI.exe" WindowsUpdate_enable.cmd
    2916

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 30, 2024, 10:11 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 30, 2024, 10:11 a.m.	buffer: The system cannot find the path specified. console_handle: 0x000000000000000b	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 30, 2024, 10:11 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 30, 2024, 10:11 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 30, 2024, 10:11 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 30, 2024, 10:11 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 30, 2024, 10:11 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 30, 2024, 10:11 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 30, 2024, 10:11 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 30, 2024, 10:11 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74181000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 30, 2024, 10:11 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13316128768 root_path: C:\Users\test22\AppData\Local\Temp\SviridTweaks total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (49 events)

file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Automatic_Registry_Backup_enable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\BalancedPowerSupply.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\SMB1_disable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\DefenderON.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Windows_Defender_disable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Classic_Context_Menu_enable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\NotificationCenter_enable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Telemetry_disable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\ThumbnailCache_Enable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Firewall_enable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\AllowInsecureGuestAuth_enable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Reserved_Storage_enable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Automatic_Registry_Backup_disable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\KillDuplicate.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\DefStop.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Classic_Context_Menu_disable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Firewall_disable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Reserved_Storage_disable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\KeyboardLayout_Preload_ENG-BG.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\SmartScreen_enable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\OneDrive_enable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\SMB1_enable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\High_Performance.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\WarningDisable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\CustomContextMenu.exe
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Show_hidden_power_settings.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\InSpectre.exe
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\AllowInsecureGuestAuth_disable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\NotificationCenter_disable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\ThumbnailCache_Disable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\User_Account_Control_Enable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Launcher.exe
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\RunAsTI.exe
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\UpgradeDisable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Windows_Defender_enable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\OneDrive_disable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\UpgradeEnable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Driver_Signing_Disable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\AddStore.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\User_Account_Control_Disable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\WindowsUpdate_enable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\SmartScreen_disable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Telemetry_enable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\RunAsTI_x64.exe
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\TurnOn_File_Security.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Driver_Signing_Enable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\WindowsUpdate_disable.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\TurnOff_File_Security.cmd
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Delete-MicrosoftStore.cmd

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\SviridTweaks\KillDuplicate.cmd" "C:\Users\test22\AppData\Local\Temp\SviridTweaks" "TweaksAlt.exe""

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Launcher.exe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\RunAsTI.exe
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\Launcher.exe
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\CustomContextMenu.exe
file	C:\Users\test22\AppData\Local\Temp\SviridTweaks\InSpectre.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 30, 2024, 10:11 a.m.	show_type: 0 filepath_r: cmd parameters: /c ""C:\Users\test22\AppData\Local\Temp\SviridTweaks\KillDuplicate.cmd" "C:\Users\test22\AppData\Local\Temp\SviridTweaks" "TweaksAlt.exe"" filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (36 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 30, 2024, 10:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:11 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:11 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:11 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:11 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:11 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:11 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:11 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:11 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:14 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:14 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:14 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:14 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:15 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:15 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:15 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:15 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:15 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:15 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:15 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:15 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:15 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:15 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:16 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:16 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:16 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:16 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:16 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 30, 2024, 10:16 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"RunAsTI.exe" Windows_Defender_disable.cmd
cmdline	"RunAsTI.exe" User_Account_Control_Enable.cmd
cmdline	"RunAsTI.exe" WindowsUpdate_enable.cmd

Expresses interest in specific running processes (1 event)

process: potential process injection target

winlogon.exe

TweaksAlt.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All