Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 7, 2024, 7:01 p.m.	July 7, 2024, 7:03 p.m.

Size	868.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`16fcba4c603655fca5f10157dd6d360f`
SHA256	`9d5d203c3b42d97ea56a408189df2d6f04c0f31c5fb3057178312252b3ea8221`
CRC32	`B44DF67F`
ssdeep	`24576:uyvoo4th2Mz2T/KB9pHK+zstXLD1r69E9jZud/Wg1gCxhOKpChj:g/2MiTiBTatdr69Epkduig3KpChj`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

UNIQ.file.exe "C:\Users\test22\AppData\Local\Temp\UNIQ.file.exe"
2996
- cmd.exe "C:\Windows\System32\cmd.exe" /k move Suggesting Suggesting.cmd & Suggesting.cmd & exit
  2172
  - tasklist.exe tasklist
    1184
  - findstr.exe findstr /I "wrsa.exe opssvc.exe"
    196
  - findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    1648
  - tasklist.exe tasklist
    2436
  - cmd.exe cmd /c md 4483354
    452
  - findstr.exe findstr /V "currentlyindiabagsbuilders" Kuwait
    1508
  - cmd.exe cmd /c copy /b Universe + Touched 4483354\L
    572
  - Viruses.pif 4483354\Viruses.pif 4483354\L
    1164
  - PING.EXE ping -n 5 127.0.0.1
    2580

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 7, 2024, 7:01 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 7, 2024, 7:01 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 7, 2024, 7:01 p.m.			0	0

Command line console output was observed (50 out of 1872 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: Higher=D console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: yGzfPc console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: Pirates Adipex Domains Arrives Plate Limousines Allowance Girls console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: 'yGzfPc' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: OolSeen console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: Mainstream console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: 'OolSeen' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: vCLCurious console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: Entirely Spyware Val Sage Treatments Turning Reflected Movie console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: 'vCLCurious' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: FVPredictions console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: Alabama Survival Inn Mysql Activities Fort console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: 'FVPredictions' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: FtqBDated console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: Specs Democrat Muscles Concerts console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: 'FtqBDated' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: EZvaExplaining console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: Dreams console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: 'EZvaExplaining' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: EfPzDisplays console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: Lectures console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: 'EfPzDisplays' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: OIrLuxury console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: Flashing Boolean Nudist Cumshot Soon Heater Dem console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: 'OIrLuxury' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: Preserve=y console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: ZqOPromotional console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: Discrete Piece console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: 'ZqOPromotional' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: udhOShow console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: Puerto Species Divorce Alleged Recognised console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: 'udhOShow' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files> console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: DBElephant console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2024, 7:01 p.m.	buffer: Deck Temperatures Silence console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 7, 2024, 7:01 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e92000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f43000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e92000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\4483354\Viruses.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /k move Suggesting Suggesting.cmd & Suggesting.cmd & exit

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\4483354\Viruses.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\4483354\Viruses.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 7, 2024, 7:01 p.m.	show_type: 0 filepath_r: cmd parameters: /k move Suggesting Suggesting.cmd & Suggesting.cmd & exit filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 7, 2024, 7:01 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 7, 2024, 7:01 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	ping -n 5 127.0.0.1
cmdline	tasklist

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2172 resumed a thread in remote process 1164
NtResumeThread July 7, 2024, 7:01 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 1164	1	0	0

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Runner.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	Artemis!Trojan
ALYac	Trojan.Generic.35895326
Cylance	Unsafe
VIPRE	Trojan.Generic.35895326
Sangfor	Trojan.Bat.Obfus.Vrt7
K7AntiVirus	Trojan ( 005b47811 )
BitDefender	Trojan.Generic.35895326
K7GW	Trojan ( 005b47811 )
Cybereason	malicious.c60365
Arcabit	Trojan.Generic.D223B81E
Symantec	Trojan.Gen.2
ESET-NOD32	multiple detections
APEX	Malicious
McAfee	Artemis!16FCBA4C6036
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.BAT.Obfus.gen
Alibaba	Trojan:BAT/Obfus.61decbe5
NANO-Antivirus	Trojan.Win32.Steam.knckfo
MicroWorld-eScan	Trojan.Generic.35895326
Emsisoft	Trojan.Generic.35895326 (B)
F-Secure	Malware.BAT/Obfus.kqtzb
DrWeb	Trojan.PWS.Steam.37251
Zillya	Trojan.AutoIT.Win32.188697
TrendMicro	TrojanSpy.Win32.VIDAR.YXEEOZ
McAfeeD	ti!9D5D203C3B42
FireEye	Generic.mg.16fcba4c603655fc
Sophos	Mal/Generic-S
Ikarus	Trojan.BAT.Runner
Google	Detected
Avira	BAT/Obfus.kqtzb
MAX	malware (ai score=84)
Antiy-AVL	GrayWare/Win32.Wacapew.c
Kingsoft	Win32.Troj.Unknown.a
Microsoft	Trojan:Win32/Multiverze
ZoneAlarm	HEUR:Trojan.BAT.Obfus.gen
GData	Trojan.Generic.35895326
Varist	W32/ABTrojan.YLUL-5985
DeepInstinct	MALICIOUS
VBA32	Trojan.BAT.Obfus
Malwarebytes	Neshta.Virus.FileInfector.DDS
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TrojanSpy.Win32.VIDAR.YXEEOZ
Tencent	Win32.Trojan.FalseSign.Snkl
MaxSecure	Trojan.Malware.7176537.susgen
Fortinet	W32/Runner.I!tr
AVG	Script:SNH-gen [Trj]

UNIQ.file.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All