Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 12, 2024, 8:50 a.m.	Aug. 12, 2024, 8:56 a.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0dac2872a9c5b21289499db3dcd2f18d`
SHA256	`bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772`
CRC32	`90AA740E`
ssdeep	`49152:EzQfCT0ay5jIRZRQ+uGZU9zQfCT0ay5jIRZRQ+uGZURH9:ZNlIm2U6NlIm2URH9`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware

AnneSalt.exe "C:\Users\test22\AppData\Local\Temp\AnneSalt.exe"
1880
- cmd.exe "C:\Windows\System32\cmd.exe" /k move Technique Technique.cmd & Technique.cmd & exit
  2076
  - findstr.exe findstr /I "wrsa.exe opssvc.exe"
    2212
  - tasklist.exe tasklist
    2176
  - tasklist.exe tasklist
    2320
  - findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
    2356
  - cmd.exe cmd /c md 79556
    2428
  - findstr.exe findstr /V "SpecificationsRemainExtraIntellectual" Compile
    2476
  - cmd.exe cmd /c copy /b Cruz + Occupations + Grab + Recovery 79556\J
    2520
  - Boxing.pif Boxing.pif J
    2564
  - choice.exe choice /d y /t 5
    2692

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 12, 2024, 8:50 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 12, 2024, 8:50 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0

Command line console output was observed (50 out of 1090 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Responded=s console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: tlIMedication console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Student Cove Cooperative Gothic Ranging Bits Token Voices console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'tlIMedication' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: DLpTConclusions console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Paperbacks Additional Significantly Uv Permissions Handed Wma console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'DLpTConclusions' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: FyQInvestigators console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Competent Removal Man Lowest Deleted Memo Securely console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'FyQInvestigators' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: UnhxAb console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Counts Tea Brings Emotional Gray Unwrap Dancing console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'UnhxAb' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: rxLfSustained console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Objectives console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'rxLfSustained' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: gUdSa console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Triple Alternatively Compression console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'gUdSa' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: dwxNMedian console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Mattress Showcase Hampton Rotation console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'dwxNMedian' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Rack=1 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: vRjjChelsea console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Sessions Verde Harbor Treatment Complimentary Dramatic console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'vRjjChelsea' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: atCure console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Eds Stockings Tsunami console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'atCure' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: rVRMaintenance console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: Sought console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'rVRMaintenance' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: nMThemselves console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 8:50 a.m.	buffer: 'nMThemselves' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 12, 2024, 8:50 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\79556\Boxing.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /k move Technique Technique.cmd & Technique.cmd & exit

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\79556\Boxing.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\79556\Boxing.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 12, 2024, 8:50 a.m.	show_type: 0 filepath_r: cmd parameters: /k move Technique Technique.cmd & Technique.cmd & exit filepath: cmd	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (7 events)

Time & API	Arguments	Status	Return
Process32NextW Aug. 12, 2024, 8:50 a.m.	snapshot_handle: 0x0000012c process_name: mobsync.exe process_identifier: 1712	1	1
Process32NextW Aug. 12, 2024, 8:50 a.m.	snapshot_handle: 0x0000012c process_name: taskhost.exe process_identifier: 932	1	1
Process32NextW Aug. 12, 2024, 8:50 a.m.	snapshot_handle: 0x0000012c process_name: SearchFilterHost.exe process_identifier: 1028	1	1
Process32NextW Aug. 12, 2024, 8:50 a.m.	snapshot_handle: 0x0000012c process_name: AnneSalt.exe process_identifier: 1880	1	1
Process32NextW Aug. 12, 2024, 8:50 a.m.	snapshot_handle: 0x0000012c process_name: cmd.exe process_identifier: 2076	1	1
Process32NextW Aug. 12, 2024, 8:50 a.m.	snapshot_handle: 0x0000012c process_name: conhost.exe process_identifier: 2112	1	1
Process32NextW Aug. 12, 2024, 8:50 a.m.	snapshot_handle: 0x0000012c process_name: inject-x86.exe process_identifier: 2616	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 12, 2024, 8:50 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 12, 2024, 8:50 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

tasklist

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2076 resumed a thread in remote process 2564
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x0000001c suspend_count: 0 process_identifier: 2564	1	0	0

AnneSalt.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All