Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 10, 2024, 12:28 p.m.	Aug. 10, 2024, 12:50 p.m.

Size	951.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e530d19a769bcd90ec3e92ebf08d68e9`
SHA256	`feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36`
CRC32	`0259724E`
ssdeep	`24576:VouY8YFDfePwag4UuD8fb12btPSMAs+10lDgJHuA:tYZBW4uD8fxstPSMAP10lD`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

file.exe "C:\Users\test22\AppData\Local\Temp\file.exe"
1700
- cmd.exe "C:\Windows\System32\cmd.exe" /k move Kathy Kathy.cmd & Kathy.cmd & exit
  2068
  - tasklist.exe tasklist
    2184
  - findstr.exe findstr /I "wrsa.exe opssvc.exe"
    2220
  - tasklist.exe tasklist
    2328
  - findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
    2364
  - cmd.exe cmd /c md 473722
    2436
  - findstr.exe findstr /V "LucasAlliedFooGraph" Armor
    2480
  - cmd.exe cmd /c copy /b Edinburgh + Elliott + Luxembourg + Calm + Circumstances + Holders 473722\f
    2524
  - Instrumental.pif Instrumental.pif f
    2572
  - choice.exe choice /d y /t 5
    2656

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 10, 2024, 12:28 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 10, 2024, 12:28 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0

Command line console output was observed (50 out of 1107 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: Nutten=u console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: agnAcoustic console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: Proposal console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: 'agnAcoustic' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: BwkSalon console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: Antenna Partner Opposite console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: 'BwkSalon' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: AQSpPartial console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: Anger console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: 'AQSpPartial' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: JPKVessels console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: Internship console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: 'JPKVessels' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: wFJPMarriage console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: Keeps Nightmare console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: 'wFJPMarriage' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: Goals=A console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: OLkGolf console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: Traveling Href Oz Supports console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: 'OLkGolf' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: MWBDecorative console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: Uc Lesbian Counting Yang Confused Mine console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: 'MWBDecorative' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: jdoSrc console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: Gross Executives Advertisement console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: 'jdoSrc' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: ncStrict console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: European Executive Civic Hard console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: 'ncStrict' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: OdEmPiss console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: Cheats Beans console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: 'OdEmPiss' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: FYxxApril console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2024, 12:28 p.m.	buffer: Courage Kinds Till February Angel console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 10, 2024, 12:28 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\473722\Instrumental.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /k move Kathy Kathy.cmd & Kathy.cmd & exit

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\473722\Instrumental.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\473722\Instrumental.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 10, 2024, 12:28 p.m.	show_type: 0 filepath_r: cmd parameters: /k move Kathy Kathy.cmd & Kathy.cmd & exit filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 10, 2024, 12:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 10, 2024, 12:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

tasklist

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2068 resumed a thread in remote process 2572
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x0000001c suspend_count: 0 process_identifier: 2572	1	0	0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Autoit.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	Artemis!Trojan
ALYac	Trojan.Generic.36679740
Cylance	Unsafe
VIPRE	Trojan.Generic.36679740
Sangfor	Trojan.Win32.Autoit.Vm78
BitDefender	Trojan.Generic.36679740
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/Packed.NSIS.J suspicious
Avast	Win32:Malware-gen
Kaspersky	HEUR:Trojan.Win32.Autoit.gen
Alibaba	Trojan:MSIL/RedlineStealer.75fa803f
MicroWorld-eScan	Trojan.Generic.36679740
Emsisoft	Trojan.Generic.36679740 (B)
F-Secure	Trojan.TR/AutoIt.nyoht
McAfeeD	ti!FEB872B8A43D
FireEye	Trojan.Generic.36679740
Sophos	Mal/Generic-S
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/AutoIt.nyoht
MAX	malware (ai score=82)
Antiy-AVL	Trojan/Win32.Autoit
Kingsoft	Win32.Trojan.Autoit.gen
Gridinsoft	Malware.Win32.RedLine.tr
Xcitium	Malware@#3w5b4ycetlh45
ZoneAlarm	HEUR:Trojan.Win32.Autoit.gen
McAfee	Artemis!E530D19A769B
DeepInstinct	MALICIOUS
VBA32	TrojanPSW.RedLine
Malwarebytes	Malware.AI.1516156981
Ikarus	Trojan.SuspectCRC
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R011C0DH824
Tencent	Win32.Trojan.FalseSign.Bgow
huorong	Trojan/Injector.btr
Fortinet	W32/NDAoF
AVG	Win32:Malware-gen
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_70% (W)
alibabacloud	Trojan:Win/Autoit.gyf

file.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All