Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 26, 2024, 10:48 a.m.	Aug. 26, 2024, 10:51 a.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`635508b01c2a8f9ceb1ab024c149b020`
SHA256	`baa3581920b2e641a504d5b7d2f1637d456244adbc66790de991b88650bcbd09`
CRC32	`1E7DA364`
ssdeep	`24576:kzZNMQ47A3TuY7IldB+yIh+DYVvSHugA2RcPB+bamgqvrgK4KMYb8cVDfkO80i8x:kgx7queqBFq0YVMDdKoLlp8uk5lWH/pl`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

66bf3574eb3f2_FocusesAttempted.exe "C:\Users\test22\AppData\Local\Temp\66bf3574eb3f2_FocusesAttempted.exe"
1460
- cmd.exe "C:\Windows\System32\cmd.exe" /k move Shaped Shaped.cmd & Shaped.cmd & exit
  2084
  - tasklist.exe tasklist
    2240
  - findstr.exe findstr /I "wrsa.exe opssvc.exe"
    2276
  - tasklist.exe tasklist
    2384
  - findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
    2420
  - cmd.exe cmd /c md 277532
    2492
  - findstr.exe findstr /V "FiguresNeonDownloadableGmt" Lynn
    2536
  - cmd.exe cmd /c copy /b ..\Gc + ..\Invasion + ..\Fit + ..\Libs + ..\Reader + ..\Wizard + ..\Plans + ..\Breeds + ..\Rare + ..\Census + ..\Ve + ..\Bd + ..\Configured + ..\Safety + ..\Accounts P
    2580
  - Forestry.pif Forestry.pif P
    2624
  - choice.exe choice /d y /t 5
    2780

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 26, 2024, 10:49 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 26, 2024, 10:49 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 26, 2024, 10:49 a.m.			0	0

Command line console output was observed (50 out of 2234 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: Diagnosis=c console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: KvQPmid console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: Electro Xp Organisations Consumer Placement Empirical console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: 'KvQPmid' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: EGHAfraid console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: Acne This Analytical Manage Resistance console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: 'EGHAfraid' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: snVVerzeichnis console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: Two Trail console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: 'snVVerzeichnis' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: xldLUndefined console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: Pictures Drums Offers Sku Promise Paso console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: 'xldLUndefined' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: XtIyOutreach console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: Mall Surgeons Folk Attractions Separated Utilize Vehicles Japan console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: 'XtIyOutreach' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: Crest=C console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: eKgUChange console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: Download Tragedy Waste Receipt Folder Rebel Drums Courts console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: 'eKgUChange' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: yNzzConstitution console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: Years Enable console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: 'yNzzConstitution' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: UwiRu console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: Reaction Instructions Incoming Leo console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: 'UwiRu' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: OqaApproximate console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: Unemployment Gentleman Communities Worldsex Time Compared Catholic console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: 'OqaApproximate' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: SXComparison console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: Between Spouse Listprice Separately Appears Gtk Toolbar console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: 'SXComparison' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: TqCattle console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2024, 10:48 a.m.	buffer: Dense Dom Touch Creek Phases Hydrogen console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 26, 2024, 10:48 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\277532\Forestry.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /k move Shaped Shaped.cmd & Shaped.cmd & exit

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\277532\Forestry.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\277532\Forestry.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 26, 2024, 10:48 a.m.	show_type: 0 filepath_r: cmd parameters: /k move Shaped Shaped.cmd & Shaped.cmd & exit filepath: cmd	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Aug. 26, 2024, 10:49 a.m.	snapshot_handle: 0x0000012c process_name: SearchFilterHost.exe process_identifier: 1096	1	1	0
Process32NextW Aug. 26, 2024, 10:49 a.m.	snapshot_handle: 0x0000012c process_name: inject-x86.exe process_identifier: 2680	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 26, 2024, 10:49 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 26, 2024, 10:49 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

tasklist

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

Bkav	W32.AIDetectMalware
Skyhigh	Artemis!Trojan
McAfee	Artemis!635508B01C2A
Kaspersky	HEUR:Backdoor.Win32.Agent.gen
DrWeb	Trojan.Siggen29.29642
McAfeeD	ti!BAA3581920B2
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Trojan.Win32.Agent.oa!s1
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	HEUR:Backdoor.Win32.Agent.gen
huorong	Trojan/Runner.ba
Fortinet	NSIS/Runner.AV!tr
CrowdStrike	win/grayware_confidence_70% (W)

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2084 resumed a thread in remote process 2624
NtResumeThread Aug. 26, 2024, 10:49 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2624	1	0	0

66bf3574eb3f2_FocusesAttempted.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All