Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 2, 2024, 10:11 a.m.	Sept. 2, 2024, 10:18 a.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0a34380175bb4da2cce136e0cb3d3e04`
SHA256	`1ef7ccb345b2132b8e1a38bdef87dd47a0a0588603703ee63a201a9a8b5ba51d`
CRC32	`A5646B75`
ssdeep	`24576:w92WI6QAqC7rFYDkW/rdEGMcDqDc21uOGF7h/baPqprTKRpm5WfKR6bnKkXbESI9:wQDLDDkw1McDqDRuOGF9Sw5WC0zH`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

66d1b31955f50_SunshineSolving.exe "C:\Users\test22\AppData\Local\Temp\66d1b31955f50_SunshineSolving.exe"
1516
- cmd.exe "C:\Windows\System32\cmd.exe" /k move Tb Tb.bat & Tb.bat & exit
  2160
  - findstr.exe findstr /I "wrsa opssvc"
    2328
  - tasklist.exe tasklist
    2292
  - tasklist.exe tasklist
    2436
  - findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    2472
  - cmd.exe cmd /c md 800157
    2544
  - findstr.exe findstr /V "ONSSPORTSSOLVEMAYOR" Cycles
    2588
  - cmd.exe cmd /c copy /b ..\Rt + ..\Core + ..\Created + ..\Reg + ..\Aa + ..\Toe + ..\Interested + ..\Opera + ..\Instant + ..\Findings + ..\Gave + ..\Hk + ..\Pollution m
    2632
  - Tapes.pif Tapes.pif m
    2676
  - choice.exe choice /d y /t 5
    2776

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 2, 2024, 10:11 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 2, 2024, 10:11 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 2, 2024, 10:11 a.m.			0	0

Command line console output was observed (50 out of 2414 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: Freight=5 console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: dAStating console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: Opinions Yale Confident Alberta Green Fridge Believes Awarded console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: 'dAStating' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: MMSer console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: Victoria console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: 'MMSer' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: xTMZFormal console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: Burner Enhancements Put Related Thrown Statewide Muslim console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: 'xTMZFormal' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: oCcGsm console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: Nato Basket Simpson Cabin Merger console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: 'oCcGsm' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: ssSingle console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: 'ssSingle' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: Biol=Y console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: qvEvent console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: Moderate Losing Bless Kathy Lately console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: 'qvEvent' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: ngmBMainland console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: Analyzed Conservation Exercises Nature console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: 'ngmBMainland' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: aSECommitment console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: Quizzes Mardi Agricultural Addressed Junction Off console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: 'aSECommitment' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: IRoUWhale console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: Testimonials Involve Tour Benjamin Gothic Feat Sport console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: 'IRoUWhale' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: NRBacking console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: Oops Runner Girls Speakers Passive Mostly At console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: 'NRBacking' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: xQCKen console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: Convicted Subtle Lloyd Southampton console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:11 a.m.	buffer: 'xQCKen' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 2, 2024, 10:11 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\800157\Tapes.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /k move Tb Tb.bat & Tb.bat & exit

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\800157\Tapes.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\800157\Tapes.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 2, 2024, 10:11 a.m.	show_type: 0 filepath_r: cmd parameters: /k move Tb Tb.bat & Tb.bat & exit filepath: cmd	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00003400', u'virtual_address': u'0x004b4000', u'entropy': 7.936259531347089, u'name': u'.reloc', u'virtual_size': u'0x0000320e'}

entropy

7.93625953135

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 2, 2024, 10:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 2, 2024, 10:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /k move Tb Tb.bat & Tb.bat & exit
cmdline	tasklist
cmdline	cmd /k move Tb Tb.bat & Tb.bat & exit
cmdline	cmd /c copy /b ..\Rt + ..\Core + ..\Created + ..\Reg + ..\Aa + ..\Toe + ..\Interested + ..\Opera + ..\Instant + ..\Findings + ..\Gave + ..\Hk + ..\Pollution m

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cylance	Unsafe
tehtris	Generic.Malware
Kaspersky	HEUR:Backdoor.Win32.Agent.gen
McAfeeD	ti!1EF7CCB345B2
Sophos	Mal/Generic-S
Kingsoft	Win32.Troj.Unknown.a
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	HEUR:Backdoor.Win32.Agent.gen
DeepInstinct	MALICIOUS
huorong	Trojan/BAT.Agent.cv
MaxSecure	Trojan.Malware.121218.susgen
CrowdStrike	win/grayware_confidence_100% (D)

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2160 resumed a thread in remote process 2676
NtResumeThread Sept. 2, 2024, 10:11 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2676	1	0	0

66d1b31955f50_SunshineSolving.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All