Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 4, 2024, 10:06 a.m.	Sept. 4, 2024, 10:13 a.m.

Size	10.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b2ceff540f1fb7234b424a5702e989ba`
SHA256	`eaa5582959770d5fa7fc18fa15d6e6aedec88b7503b8d16df3dd82626fab57d9`
CRC32	`800B7C00`
ssdeep	`196608:h9oqgEzg9QvuVBkqFGKAJ9RmX2870VikXVCnZXTDqQ7poZ:h9VgECiuVi4JARx8gVJsZXTOQ7W`
Yara	Malicious_Library_Zero - Malicious_Library Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format OS_Processor_Check_Zero - OS Processor Check

66d6af212bad3_kbdturme.exe "C:\Users\test22\AppData\Local\Temp\66d6af212bad3_kbdturme.exe"
184
- 66d6af212bad3_kbdturme.tmp "C:\Users\test22\AppData\Local\Temp\is-R0LDD.tmp\66d6af212bad3_kbdturme.tmp" /SL5="$30028,10276342,812544,C:\Users\test22\AppData\Local\Temp\66d6af212bad3_kbdturme.exe"
  1020
  - 66d6af212bad3_kbdturme.exe "C:\Users\test22\AppData\Local\Temp\66d6af212bad3_kbdturme.exe" /VERYSILENT /NORESTART
    2104
    - 66d6af212bad3_kbdturme.tmp "C:\Users\test22\AppData\Local\Temp\is-1UAI2.tmp\66d6af212bad3_kbdturme.tmp" /SL5="$40028,10276342,812544,C:\Users\test22\AppData\Local\Temp\66d6af212bad3_kbdturme.exe" /VERYSILENT /NORESTART
      2156
      - cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        2252
        
        find.exe find /I "wrsa.exe"
        2348
        
        tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        2312
      - cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        2456
        
        tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        2516
        
        find.exe find /I "opssvc.exe"
        2552
      - cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        2628
        
        find.exe find /I "avastui.exe"
        2724
        
        tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
        2688
      - cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
        2848
        
        tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
        2908
        
        find.exe find /I "avgui.exe"
        2944
      - cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
        3016
        
        tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
        2056
        
        find.exe find /I "nswscsvc.exe"
        2096
      - cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
        2220
        
        tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
        2340
        
        find.exe find /I "sophoshealth.exe"
        2412
      - AutoIt3.exe "C:\Users\test22\AppData\Local\banqueteer\\AutoIt3.exe" "C:\Users\test22\AppData\Local\banqueteer\\calimanco1.a3x"
        792
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\oa09sV.a3x && del C:\ProgramData\\oa09sV.a3x
        1700
        
        PING.EXE ping -n 5 127.0.0.1
        2264
        
        AutoIt3.exe AutoIt3.exe C:\ProgramData\\oa09sV.a3x
        2536
        
        MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        2924

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 4, 2024, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2024, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2024, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2024, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2024, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2024, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2024, 9:59 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 4, 2024, 10:06 a.m.			0	0
IsDebuggerPresent Sept. 4, 2024, 10:06 a.m.			0	0
IsDebuggerPresent Sept. 4, 2024, 10:06 a.m.			0	0
IsDebuggerPresent Sept. 4, 2024, 10:06 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 4, 2024, 10:06 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 4, 2024, 10:06 a.m.	stacktrace: __dbk_fcall_wrapper+0x287a85 dbkFCallWrapperAddr-0x21fab 66d6af212bad3_kbdturme+0x29969d @ 0xe6969d __dbk_fcall_wrapper+0x287a85 dbkFCallWrapperAddr-0x21fab 66d6af212bad3_kbdturme+0x29969d @ 0xe6969d __dbk_fcall_wrapper+0x29c0e8 dbkFCallWrapperAddr-0xd948 66d6af212bad3_kbdturme+0x2add00 @ 0xe7dd00 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 3668572 registers.edi: 0 registers.eax: 3668572 registers.ebp: 3668652 registers.edx: 0 registers.ebx: 3 registers.esi: 2 registers.ecx: 7	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 4, 2024, 10:06 a.m.

stacktrace:

__dbk_fcall_wrapper+0x287a85 dbkFCallWrapperAddr-0x21fab 66d6af212bad3_kbdturme+0x29969d @ 0xe6969d
__dbk_fcall_wrapper+0x287a85 dbkFCallWrapperAddr-0x21fab 66d6af212bad3_kbdturme+0x29969d @ 0xe6969d
__dbk_fcall_wrapper+0x29c0e8 dbkFCallWrapperAddr-0xd948 66d6af212bad3_kbdturme+0x2add00 @ 0xe7dd00
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 3668572
registers.edi: 0
registers.eax: 3668572
registers.ebp: 3668652
registers.edx: 0
registers.ebx: 3
registers.esi: 2
registers.ecx: 7

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (11 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 4, 2024, 10:06 a.m.	process_identifier: 184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01190000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2024, 10:06 a.m.	process_identifier: 184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 688128 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01191000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2024, 10:06 a.m.	process_identifier: 184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01247000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2024, 10:06 a.m.	process_identifier: 184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 110592 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01249000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 10:06 a.m.	process_identifier: 1020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2024, 10:06 a.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01190000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2024, 10:06 a.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 688128 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01191000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2024, 10:06 a.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01247000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2024, 10:06 a.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 110592 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01249000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 10:06 a.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2024, 10:06 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 180224 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b05000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\is-QPOEU.tmp\_isetup\_iscrypt.dll
file	C:\Users\test22\AppData\Local\Temp\is-TKLM3.tmp\_isetup\_iscrypt.dll

Creates a suspicious process (8 events)

cmdline	"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
cmdline	"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\oa09sV.a3x && del C:\ProgramData\\oa09sV.a3x
cmdline	"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
cmdline	"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
cmdline	cmd.exe /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\oa09sV.a3x && del C:\ProgramData\\oa09sV.a3x
cmdline	"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
cmdline	"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\is-R0LDD.tmp\66d6af212bad3_kbdturme.tmp
file	C:\Users\test22\AppData\Local\Temp\is-QPOEU.tmp\maintenanceservice_installer
file	C:\Users\test22\AppData\Local\Temp\is-TKLM3.tmp\_isetup\_iscrypt.dll

Executes one or more WMI queries (6 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE'
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE'
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OPSSVC.EXE'
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 4, 2024, 10:06 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\oa09sV.a3x && del C:\ProgramData\\oa09sV.a3x filepath: cmd.exe	1	1	0

File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)

Bkav	W32.AIDetectMalware
Avast	FileRepMalware [Misc]
McAfeeD	ti!EAA558295977
DeepInstinct	MALICIOUS
AVG	FileRepMalware [Misc]
CrowdStrike	win/grayware_confidence_70% (D)

Checks for the Locally Unique Identifier on the system for a suspicious privilege (6 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 4, 2024, 9:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 4, 2024, 9:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 4, 2024, 9:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 4, 2024, 9:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 4, 2024, 9:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 4, 2024, 9:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW Sept. 4, 2024, 10:06 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{1801A5FF-B934-489D-90AA-D4EBDDD11877}}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1801A5FF-B934-489D-90AA-D4EBDDD11877}}_is1		2	0

Uses Windows utilities for basic Windows functionality (15 events)

cmdline	tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
cmdline	"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
cmdline	"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
cmdline	ping -n 5 127.0.0.1
cmdline	tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
cmdline	"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\oa09sV.a3x && del C:\ProgramData\\oa09sV.a3x
cmdline	tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
cmdline	tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
cmdline	"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
cmdline	"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
cmdline	tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
cmdline	cmd.exe /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\oa09sV.a3x && del C:\ProgramData\\oa09sV.a3x
cmdline	"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
cmdline	tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
cmdline	"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 792 resumed a thread in remote process 1700
NtResumeThread Sept. 4, 2024, 10:06 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 1700	1	0	0

Detects the presence of Wine emulator (4 events)

Time & API	Arguments	Return
LdrGetProcedureAddress Sept. 4, 2024, 10:06 a.m.	ordinal: 0 function_address: 0x0119f7a8 function_name: wine_get_version module: ntdll module_address: 0x778a0000	3221225785
LdrGetProcedureAddress Sept. 4, 2024, 10:06 a.m.	ordinal: 0 function_address: 0x00be17b0 function_name: wine_get_version module: ntdll module_address: 0x778a0000	3221225785
LdrGetProcedureAddress Sept. 4, 2024, 10:06 a.m.	ordinal: 0 function_address: 0x0119f7a8 function_name: wine_get_version module: ntdll module_address: 0x778a0000	3221225785
LdrGetProcedureAddress Sept. 4, 2024, 10:06 a.m.	ordinal: 0 function_address: 0x00f117b0 function_name: wine_get_version module: ntdll module_address: 0x778a0000	3221225785

66d6af212bad3_kbdturme.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All