Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 21, 2024, 1:29 p.m.	Aug. 21, 2024, 1:50 p.m.

Size	964.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`310e5c68c94e313befd538b9e999360a`
SHA256	`2d0c0b18bc6dd823e612901f146dcb895aebae5ec0c648a97ffb36d035e05cfa`
CRC32	`1164A760`
ssdeep	`12288:czZ0rwIrpsK7p3ADr20z9Fc2DNaC5o1e5lW+9jMDLniSjJojUiCm0c5ersBM3K:czZ0fKg3ADrO2paC5fg+Wn5oju8ZM3`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

66bb9d818245b_MoonDescribing.exe "C:\Users\test22\AppData\Local\Temp\66bb9d818245b_MoonDescribing.exe"
1680
- cmd.exe "C:\Windows\System32\cmd.exe" /k move Wishlist Wishlist.cmd & Wishlist.cmd & exit
  2076
  - findstr.exe findstr /I "wrsa.exe opssvc.exe"
    2220
  - tasklist.exe tasklist
    2184
  - tasklist.exe tasklist
    2360
  - findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
    2396
  - cmd.exe cmd /c md 103622
    2484
  - findstr.exe findstr /V "LarryAuthenticationOasisToe" Booty
    2528
  - cmd.exe cmd /c copy /b ..\Adapter + ..\Anything + ..\Tied + ..\Evaluated + ..\Supports + ..\Rpm j
    2572
  - Meetings.pif Meetings.pif j
    2616
  - choice.exe choice /d y /t 5
    2700

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 21, 2024, 1:29 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 21, 2024, 1:29 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 21, 2024, 1:29 p.m.			0	0

Command line console output was observed (50 out of 1749 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: Printers=H console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: NKTurkish console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: 'NKTurkish' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: IoPanasonic console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: Attorneys Serving Enb Timing Appear console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: 'IoPanasonic' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: VsrNotify console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: 'VsrNotify' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: yvYPotentially console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: Distribute Equal Trusted Firms Herself Propecia Ceremony console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: 'yvYPotentially' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: uABDistant console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: Catalyst console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: 'uABDistant' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: Pentium=Z console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: DLbBanana console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: News Difficult Restaurant Msn Polished Greek console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: 'DLbBanana' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: HgrJersey console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: 'HgrJersey' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: SIfBlank console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: Checking Luck Transmission Warm Gilbert console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: 'SIfBlank' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: PTProportion console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: Matthew Subscribers Disks Gibson Visiting Concerns Publication Plans console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: 'PTProportion' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: RwNJosh console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: Department Inch Advertise Sciences Replication Sees console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: 'RwNJosh' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: hWEmerald console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: Configure Choose Outline Sustainability Losses console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: 'hWEmerald' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 1:29 p.m.	buffer: PvWtShowtimes console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 21, 2024, 1:29 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\103622\Meetings.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /k move Wishlist Wishlist.cmd & Wishlist.cmd & exit

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\103622\Meetings.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\103622\Meetings.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 21, 2024, 1:29 p.m.	show_type: 0 filepath_r: cmd parameters: /k move Wishlist Wishlist.cmd & Wishlist.cmd & exit filepath: cmd	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (14 events)

Time & API	Arguments	Status	Return
Process32NextW Aug. 21, 2024, 1:29 p.m.	snapshot_handle: 0x0000012c process_name: mobsync.exe process_identifier: 1712	1	1
Process32NextW Aug. 21, 2024, 1:29 p.m.	snapshot_handle: 0x0000012c process_name: pw.exe process_identifier: 1944	1	1
Process32NextW Aug. 21, 2024, 1:29 p.m.	snapshot_handle: 0x0000012c process_name: taskhost.exe process_identifier: 912	1	1
Process32NextW Aug. 21, 2024, 1:29 p.m.	snapshot_handle: 0x0000012c process_name: cmd.exe process_identifier: 156	1	1
Process32NextW Aug. 21, 2024, 1:29 p.m.	snapshot_handle: 0x0000012c process_name: SearchProtocolHost.exe process_identifier: 496	1	1
Process32NextW Aug. 21, 2024, 1:29 p.m.	snapshot_handle: 0x0000012c process_name: conhost.exe process_identifier: 1516	1	1
Process32NextW Aug. 21, 2024, 1:29 p.m.	snapshot_handle: 0x0000012c process_name: SearchFilterHost.exe process_identifier: 1740	1	1
Process32NextW Aug. 21, 2024, 1:29 p.m.	snapshot_handle: 0x0000012c process_name: 66bb9d818245b_MoonDescribing.exe process_identifier: 1680	1	1
Process32NextW Aug. 21, 2024, 1:29 p.m.	snapshot_handle: 0x0000012c process_name: pw.exe process_identifier: 1184	1	1
Process32NextW Aug. 21, 2024, 1:29 p.m.	snapshot_handle: 0x0000012c process_name: cmd.exe process_identifier: 2076	1	1
Process32NextW Aug. 21, 2024, 1:29 p.m.	snapshot_handle: 0x0000012c process_name: conhost.exe process_identifier: 2112	1	1
Process32NextW Aug. 21, 2024, 1:29 p.m.	snapshot_handle: 0x0000012c process_name: WmiPrvSE.exe process_identifier: 2292	1	1
Process32NextW Aug. 21, 2024, 1:29 p.m.	snapshot_handle: 0x0000012c process_name: Meetings.pif process_identifier: 2616	1	1
Process32NextW Aug. 21, 2024, 1:29 p.m.	snapshot_handle: 0x0000012c process_name: inject-x86.exe process_identifier: 2668	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 21, 2024, 1:29 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 21, 2024, 1:29 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

tasklist

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2076 resumed a thread in remote process 2616
NtResumeThread Aug. 21, 2024, 1:29 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2616	1	0	0

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

Lionic	Trojan.Win32.Runner.4!c
Cynet	Malicious (score: 99)
Skyhigh	Artemis!Trojan
Sangfor	Trojan.Win32.Autoit.Vo1h
BitDefender	Trojan.GenericKD.73876195
K7GW	Trojan ( 005b96141 )
Symantec	Trojan.Gen.MBT
ESET-NOD32	NSIS/Runner.AM
McAfee	Artemis!310E5C68C94E
Avast	Win32:Malware-gen
Kaspersky	HEUR:Trojan.Win32.Autoit.gen
Alibaba	Trojan:Win32/Runner.060a610e
Emsisoft	Trojan.GenericKD.73876195 (B)
F-Secure	Trojan.TR/AutoIt.ejoaw
DrWeb	Trojan.PWS.Steam.37523
McAfeeD	ti!2D0C0B18BC6D
Sophos	Mal/Generic-S
Avira	TR/AutoIt.ejoaw
Kingsoft	Win32.Trojan.Autoit.gen
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Autoit.gen
GData	Win32.Trojan.Agent.E4UK9P
DeepInstinct	MALICIOUS
Panda	Trj/Chgt.AD
Tencent	Win32.Trojan.FalseSign.Uwhl
huorong	Trojan/Runner.ba
Fortinet	NSIS/Runner.AM!tr
AVG	Win32:Malware-gen
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_60% (W)
alibabacloud	Trojan:Win/Runner.AZ

66bb9d818245b_MoonDescribing.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All