Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 27, 2024, 12:39 p.m.	July 27, 2024, 12:41 p.m.

Size	815.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1b0fe9739ef19752cb12647b6a4ba97b`
SHA256	`151247e9379a755e3bb260cca5c59977e4075d5404db4198f3cec82818412479`
CRC32	`FAF13092`
ssdeep	`12288:1CIFRWBr2HxOV32SGLvstHBe4BhbSJLhpnkfkywNgk30vDe31GnkNXT:1HFsUROVGS6stHBe4rQLofwgy0beTXT`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

InfluencedNervous.exe "C:\Users\test22\AppData\Local\Temp\InfluencedNervous.exe"
1648
- cmd.exe "C:\Windows\System32\cmd.exe" /k copy Fail Fail.cmd & Fail.cmd & exit
  2068
  - tasklist.exe tasklist
    2184
  - findstr.exe findstr /I "wrsa.exe opssvc.exe"
    2220
  - tasklist.exe tasklist
    2340
  - findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
    2376
  - cmd.exe cmd /c md 229536
    2448
  - findstr.exe findstr /V "ReprintVerificationMercyRepository" Elliott
    2492
  - cmd.exe cmd /c copy /b Exhibit + Rand + Hours 229536\U
    2536
  - Webster.pif 229536\Webster.pif 229536\U
    2620
  - timeout.exe timeout 5
    2708

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 27, 2024, 12:37 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 27, 2024, 12:37 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 27, 2024, 12:37 p.m.			0	0

Command line console output was observed (50 out of 1709 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: Summaries=5 console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: xuEssentially console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: Merger Methods Polo console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: 'xuEssentially' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: BtLSRays console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: 'BtLSRays' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: GWDeviation console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: 'GWDeviation' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: CAUSkating console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: Choice Utilization Differential Ft console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: 'CAUSkating' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: FcHints console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: Estate Embedded Working Cleveland Humanities Mike Shanghai console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: 'FcHints' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: Rolling=U console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: IkkThrowing console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: Excellent Routers Porter Obligations console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: 'IkkThrowing' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: DTkKid console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: Guys Offense Hiring Modes Cool Jewel Erp Acer console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: 'DTkKid' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: cQHNot console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: Preferred Rw Samba Challenging Equation Sea console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: 'cQHNot' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: WbaMeals console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: 'WbaMeals' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: PfSvBend console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: 'PfSvBend' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: wXxlBrazil console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: Foot console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: 'wXxlBrazil' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: FrPoems console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2024, 12:37 p.m.	buffer: 'FrPoems' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 27, 2024, 12:37 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\229536\Webster.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /k copy Fail Fail.cmd & Fail.cmd & exit

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\229536\Webster.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\229536\Webster.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 27, 2024, 12:37 p.m.	show_type: 0 filepath_r: cmd parameters: /k copy Fail Fail.cmd & Fail.cmd & exit filepath: cmd	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00004000', u'virtual_address': u'0x000f4000', u'entropy': 7.371036255059773, u'name': u'.rsrc', u'virtual_size': u'0x00003e78'}

entropy

7.37103625506

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001000', u'virtual_address': u'0x000f8000', u'entropy': 7.909941577358269, u'name': u'.reloc', u'virtual_size': u'0x00000f32'}

entropy

7.90994157736

description

A section with a high entropy has been found

entropy

0.338983050847

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 27, 2024, 12:37 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 27, 2024, 12:37 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

tasklist

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2068 resumed a thread in remote process 2620
NtResumeThread July 27, 2024, 12:37 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2620	1	0	0

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agent.Y!c
Cynet	Malicious (score: 99)
Skyhigh	Artemis!Trojan
VIPRE	Trojan.GenericKD.73721802
Sangfor	Backdoor.Win32.Agent.Vpdq
BitDefender	Trojan.GenericKD.73721802
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	NSIS/Runner.T
Avast	Win32:Malware-gen
Kaspersky	HEUR:Backdoor.Win32.Agent.gen
MicroWorld-eScan	Trojan.GenericKD.73721802
Rising	Trojan.Autorun/NSIS!1.FF89 (CLASSIC)
Emsisoft	Trojan.GenericKD.73721802 (B)
F-Secure	Backdoor.BDS/Agent.cxwkx
McAfeeD	ti!151247E9379A
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.1b0fe9739ef19752
Sophos	Mal/Generic-S
Webroot	W32.Malware.Gen
Avira	BDS/Agent.cxwkx
MAX	malware (ai score=81)
Kingsoft	Win32.Hack.Agent.gen
Gridinsoft	Spy.Win32.Vidar.tr
ZoneAlarm	HEUR:Backdoor.Win32.Agent.gen
GData	Trojan.GenericKD.73721802
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.2749111198
Panda	Trj/Chgt.AD
huorong	Trojan/Runner.az
AVG	Win32:Malware-gen
Paloalto	generic.ml
CrowdStrike	win/grayware_confidence_60% (W)

InfluencedNervous.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All