Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 12, 2024, 8:50 a.m.	Aug. 12, 2024, 9:12 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a23837debdc8f0e9fce308bff036f18f`
SHA256	`848260ba966228c4db251cfbcc0e02d6ca70523a86b56e5c21f55098cec92479`
CRC32	`BB3E38F8`
ssdeep	`24576:F5OnmONUzLJq/wjcOVe+/O6B9ZdIadBjfZF/KIu4LtaXLKBTfME0gG3vdSCUxXT:CnmONUzL0/wjtVe+19Zrn/kw9T0uG3vq`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

ConsiderableWinners.exe "C:\Users\test22\AppData\Local\Temp\ConsiderableWinners.exe"
2544
- cmd.exe "C:\Windows\System32\cmd.exe" /k move Dk Dk.cmd & Dk.cmd & exit
  2664
  - findstr.exe findstr /I "wrsa.exe opssvc.exe"
    2772
  - tasklist.exe tasklist
    2736
  - tasklist.exe tasklist
    2888
  - findstr.exe findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
    2924
  - cmd.exe cmd /c md 217412
    2996
  - findstr.exe findstr /V "PlasmaProfessionalConstitutesGuide" Cheaper
    3040
  - cmd.exe cmd /c copy /b Mailing + Violin + Ethernet + Operated + Lunch + Useful 217412\N
    1120
  - Possibly.pif Possibly.pif N
    2084
  - choice.exe choice /d y /t 5
    152

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 12, 2024, 8:50 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 12, 2024, 8:50 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0

Command line console output was observed (50 out of 1132 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Temporal=U console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: hMOHRec console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Behalf Scheduling Plus Preston Explore Suggested Attribute console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'hMOHRec' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: KDUnable console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Tie Tigers Territory Regulations Enter Importantly Humans console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'KDUnable' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: vmSunrise console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Madrid Dildo Maple Flood Apollo console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'vmSunrise' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: HFPRate console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'HFPRate' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: EYIgnore console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Crazy Real Governor Wicked Revelation Garlic Won console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'EYIgnore' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Commit=5 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: bskEdward console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Nearby Cuisine Shareware Childhood console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'bskEdward' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: dLEducators console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'dLEducators' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: kuSpChester console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Expressed Mh Yang Bankruptcy Purposes Bm console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'kuSpChester' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: yogMadison console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Lighter Whale Establishing console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'yogMadison' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: gNuSafety console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Skirt Shore Broker Lb Proper Blood As Lycos console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'gNuSafety' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: uqGage console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'uqGage' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: OkMonthly console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 12, 2024, 8:50 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\217412\Possibly.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /k move Dk Dk.cmd & Dk.cmd & exit

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\217412\Possibly.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 12, 2024, 8:50 a.m.	show_type: 0 filepath_r: cmd parameters: /k move Dk Dk.cmd & Dk.cmd & exit filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 12, 2024, 8:50 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 12, 2024, 8:50 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	cmd /c copy /b Mailing + Violin + Ethernet + Operated + Lunch + Useful 217412\N
cmdline	tasklist

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2664 resumed a thread in remote process 2084
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x0000001c suspend_count: 0 process_identifier: 2084	1	0	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Autoit.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	Artemis!Trojan
ALYac	Trojan.GenericKD.73779926
Cylance	Unsafe
VIPRE	Trojan.GenericKD.73779926
Sangfor	Trojan.Win32.Znyonm.V39l
K7AntiVirus	Trojan ( 005b84ae1 )
BitDefender	Trojan.GenericKD.73779926
K7GW	Trojan ( 005b84ae1 )
ESET-NOD32	a variant of Win32/Packed.NSIS.F suspicious
McAfee	Artemis!A23837DEBDC8
Avast	Win32:Malware-gen
Kaspersky	HEUR:Trojan.Win32.Autoit.gen
Alibaba	Trojan:Win32/Znyonm.cbc61094
MicroWorld-eScan	Trojan.GenericKD.73779926
Emsisoft	Trojan.GenericKD.73779926 (B)
F-Secure	Trojan.TR/Dropper.Gen
DrWeb	Trojan.Siggen29.12542
Zillya	Trojan.AutoIT.Win32.189459
TrendMicro	TROJ_GEN.R002C0DH624
McAfeeD	ti!848260BA9662
FireEye	Trojan.GenericKD.73779926
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Autoit
Google	Detected
Avira	TR/Dropper.Gen
MAX	malware (ai score=82)
Antiy-AVL	Trojan/Win32.Autoit
Kingsoft	Win32.Trojan.Autoit.gen
Microsoft	Trojan:Win32/Znyonm
ZoneAlarm	HEUR:Trojan.Win32.Autoit.gen
GData	Trojan.GenericKD.73779926
AhnLab-V3	Trojan/Win.Znyonm.C5657037
DeepInstinct	MALICIOUS
VBA32	Backdoor.CobaltStrike
Ikarus	Trojan.NSIS.Runner
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002C0DH624
Tencent	Win32.Trojan.FalseSign.Iajl
huorong	Trojan/Runner.az
MaxSecure	Trojan.Malware.7176537.susgen
Fortinet	Riskware/Application
AVG	Win32:Malware-gen
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_60% (W)
alibabacloud	Trojan:Win/Autoit.gyf

ConsiderableWinners.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All