Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 24, 2024, 11:02 a.m.	June 24, 2024, 11:06 a.m.

Size	2.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`033e16b6c1080d304d9abcc618db3bdb`
SHA256	`19fcb719130f0edd27552e014d5b446e85faabe82611311be6dbe28d33463327`
CRC32	`29A67CBC`
ssdeep	`49152:DWJ8voaN5Qz+lN4k8nIzHO0TcZxkYNdhN1vTLhczB17wIOmeG0Kwk:DcEoaNpN4/WHRTcZxkO7BcFBImMKV`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

ChatLife.exe "C:\Users\test22\AppData\Local\Temp\ChatLife.exe"
1508
- cmd.exe "C:\Windows\System32\cmd.exe" /c copy Confirmed Confirmed.cmd & Confirmed.cmd
  2096
  - tasklist.exe tasklist
    2184
  - findstr.exe findstr /I "wrsa.exe opssvc.exe"
    2220
  - tasklist.exe tasklist
    2332
  - findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    2368
  - cmd.exe cmd /c md 768318
    2444
  - findstr.exe findstr /V "PhoneAbcSchedulesApr" Nbc
    2488
  - cmd.exe cmd /c copy /b Challenged + Diy + Teachers + California + Mba + Yarn + Payable + Zdnet + Plumbing + Pe + Trick + Betting + Absence + Motorcycles + Man + Analyst + Max + Patrick + Pg + Exemption + Sight 768318\B
    2532
  - Paraguay.pif 768318\Paraguay.pif 768318\B
    2576
  - timeout.exe timeout 5
    2708

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 24, 2024, 11:02 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 24, 2024, 11:02 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 24, 2024, 11:02 a.m.			0	0

Command line console output was observed (50 out of 1631 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: Marion=N console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: RxxbHacker console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: Positions Reno Olive console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: 'RxxbHacker' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: vUThompson console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: Cosmetics Century Script console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: 'vUThompson' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: MYFinished console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: Area Frontpage Oecd Both Care console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: 'MYFinished' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: FYEFibre console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: Gore console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: 'FYEFibre' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: lYiYExam console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: Games Argued Might World Along Tcp Gnu console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: 'lYiYExam' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: dEvPDiscussions console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: Ko Flights Against Stack Decrease Diving console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: 'dEvPDiscussions' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: uHEnter console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: Marcus Adam Compile Acdbentity Coffee console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: 'uHEnter' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: uTHEmacs console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: Karaoke console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: 'uTHEmacs' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: EkMEnlargement console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: Gel Cherry Explained Mm Cable Created console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: 'EkMEnlargement' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: Stopped=A console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: MFDelete console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: Guides Ut console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: 'MFDelete' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: mTlVUruguay console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2024, 11:02 a.m.	buffer: Estimate console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 24, 2024, 11:02 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\768318\Paraguay.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c copy Confirmed Confirmed.cmd & Confirmed.cmd

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\768318\Paraguay.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\768318\Paraguay.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 24, 2024, 11:02 a.m.	show_type: 0 filepath_r: cmd parameters: /c copy Confirmed Confirmed.cmd & Confirmed.cmd filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 24, 2024, 11:02 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 24, 2024, 11:02 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	cmd /c copy /b Challenged + Diy + Teachers + California + Mba + Yarn + Payable + Zdnet + Plumbing + Pe + Trick + Betting + Absence + Motorcycles + Man + Analyst + Max + Patrick + Pg + Exemption + Sight 768318\B
cmdline	tasklist

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

Bkav	W32.AIDetectMalware
Skyhigh	Artemis!Trojan
Sangfor	Trojan.Win32.Agent.V0r1
Elastic	malicious (high confidence)
McAfee	Artemis!033E16B6C108
Avast	Win32:Malware-gen
Kaspersky	HEUR:Trojan.Win32.Autoit.gen
MicroWorld-eScan	Trojan.GenericKD.73259543
McAfeeD	ti!19FCB719130F
FireEye	Generic.mg.033e16b6c1080d30
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Malware.Win32.RisePro.tr
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	HEUR:Trojan.Win32.Autoit.gen
AhnLab-V3	Trojan/Win.Connector.C5643571
DeepInstinct	MALICIOUS
AVG	Win32:Malware-gen

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2096 resumed a thread in remote process 2576
NtResumeThread June 24, 2024, 11:02 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2576	1	0	0

ChatLife.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All