Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 21, 2024, 1:24 p.m.	Aug. 21, 2024, 1:28 p.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`9954f7ed32d9a20cda8545c526036143`
SHA256	`a221b40667002cd19eece4e45e5dbb6f3c3dc1890870cf28ebcca0e4850102f5`
CRC32	`074A4E4A`
ssdeep	`24576:VzZhl2UEVJ/TDFjNuNl0S7u3dqoIESs4OUYyPF8P7cMDeB5obaWXRWIWI:VkvbDpNuT0S7u3dtIbYUYyd8PAMC+aiB`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

coreplugin.exe "C:\Users\test22\AppData\Local\Temp\coreplugin.exe"
2536
- cmd.exe "C:\Windows\System32\cmd.exe" /k move Anytime Anytime.cmd & Anytime.cmd & exit
  2652
  - findstr.exe findstr /I "wrsa.exe opssvc.exe"
    2760
  - tasklist.exe tasklist
    2724
  - tasklist.exe tasklist
    2880
  - findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
    2916
  - cmd.exe cmd /c md 297145
    2988
  - findstr.exe findstr /V "CorkBkConditionsMoon" Scary
    3036
  - cmd.exe cmd /c copy /b ..\Dependence + ..\Nsw + ..\Developmental + ..\Shared + ..\Ranges + ..\Notify + ..\Pending + ..\Previously k
    1216
  - Cultures.pif Cultures.pif k
    2080
  - choice.exe choice /d y /t 5
    192

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 21, 2024, 1:24 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 21, 2024, 1:24 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 21, 2024, 1:24 p.m.			0	0

Command line console output was observed (50 out of 1149 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: Coins=h console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: WdVBored console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: Longer Baking Abstract console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: 'WdVBored' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: umHsEntities console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: Qualify Harbor Slut Thunder console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: 'umHsEntities' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: RkKinase console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: Detail Ms console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: 'RkKinase' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: bcaCurrent console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: Hypothetical Scenario Opposite Sexo console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: 'bcaCurrent' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: WEAViewers console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: Opposed Nv Trance Likelihood Appreciation Island Withdrawal console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: 'WEAViewers' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: UBInstalled console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: Press Publisher console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: 'UBInstalled' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: coAthletes console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: Obtain Murder Free Mtv console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: 'coAthletes' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: kCLatinas console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: Entity Jefferson Description Giants Confident Switching Newbie Officer console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: 'kCLatinas' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: Momentum=m console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: ZngYoung console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: Vermont White Bike Trail console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: 'ZngYoung' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: ZNebFunctional console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: Directory Alerts console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: 'ZNebFunctional' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: fACSnapshot console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:24 p.m.	buffer: Heaven Efficient Terrace Distance console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 21, 2024, 1:24 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 21, 2024, 1:24 p.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732c2000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\297145\Cultures.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /k move Anytime Anytime.cmd & Anytime.cmd & exit

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\297145\Cultures.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\297145\Cultures.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 21, 2024, 1:24 p.m.	show_type: 0 filepath_r: cmd parameters: /k move Anytime Anytime.cmd & Anytime.cmd & exit filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 21, 2024, 1:24 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 21, 2024, 1:24 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

tasklist

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2652 resumed a thread in remote process 2080
NtResumeThread Aug. 21, 2024, 1:24 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2080	1	0	0

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Bkav	W32.Common.B12C1A3F
Lionic	Trojan.Win32.Autoit.4!c
Cynet	Malicious (score: 99)
Cylance	Unsafe
VIPRE	Trojan.GenericKD.73871457
BitDefender	Trojan.GenericKD.73871457
Arcabit	Trojan.Generic.D4673061
Symantec	Trojan.Gen.MBT
Avast	Win32:Malware-gen
Kaspersky	HEUR:Trojan.Win32.Autoit.gen
MicroWorld-eScan	Trojan.GenericKD.73871457
Emsisoft	Trojan.GenericKD.73871457 (B)
F-Secure	Trojan.TR/AutoIt.fqhae
DrWeb	Trojan.Siggen29.24057
TrendMicro	TrojanSpy.Win32.LUMMASTEALER.YXEHRZ
McAfeeD	ti!A221B4066700
FireEye	Trojan.GenericKD.73871457
Sophos	Mal/Generic-S
Avira	TR/AutoIt.fqhae
MAX	malware (ai score=83)
Antiy-AVL	Trojan/Win32.Autoit
Kingsoft	Win32.Trojan.Autoit.gen
Gridinsoft	Spy.Win32.Gen.tr
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Autoit.gen
GData	Win32.Trojan.Agent.I6HNES
VBA32	TrojanPSW.Lumma
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TrojanSpy.Win32.LUMMASTEALER.YXEHRZ
Tencent	Win32.Trojan.FalseSign.Eflw
huorong	Trojan/Runner.ba
AVG	Win32:Malware-gen
CrowdStrike	win/malicious_confidence_90% (W)

coreplugin.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All