Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 10, 2024, 10:05 a.m.	Sept. 10, 2024, 10:14 a.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`66f4c467d6f87afe16daafb012f27e76`
SHA256	`d3b79435a3f7f45d17f4e21bffeacea894eb97bf3cda0e362d3a5ae11c736de1`
CRC32	`61C15B76`
ssdeep	`24576:y9x8CwG7xfSLBXJ7vZqsiMcBEXLXzIguFDZEJPsla2+Fy6:ycxWfS9Z7lbR/Lu1Z0Psla2w`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

ScreenDataSync.exe "C:\Users\test22\AppData\Local\Temp\ScreenDataSync.exe"
2068
- cmd.exe "C:\Windows\System32\cmd.exe" /c move Notice Notice.bat & Notice.bat
  2212
  - tasklist.exe tasklist
    2272
  - findstr.exe findstr /I "wrsa opssvc"
    2308
  - tasklist.exe tasklist
    2416
  - findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    2452
  - cmd.exe cmd /c md 639278
    2528
  - findstr.exe findstr /V "alcoholweekskeepsmercedes" Cyber
    2572
  - cmd.exe cmd /c copy /b ..\Was + ..\Ll + ..\Rx + ..\Pursuant + ..\Competitions z
    2616
  - Assumptions.pif Assumptions.pif z
    2660
  - choice.exe choice /d y /t 5
    2748

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 10, 2024, 10:05 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 10, 2024, 10:05 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 10, 2024, 10:05 a.m.			0	0

Command line console output was observed (50 out of 835 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: Areas=d console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: QuvHwy console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: Shot Pda Flavor Examining Unauthorized Louisiana Choose Pray console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: 'QuvHwy' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: FFICatherine console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: 'FFICatherine' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: ExAmend console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: Shine Collectors console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: 'ExAmend' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: NHmIPages console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: Pharmacy Physicians Emma console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: 'NHmIPages' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: RRYPub console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: Tables Logical Beliefs Nokia Plymouth Pressing console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: 'RRYPub' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: JcuMadonna console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: Wal Hearings Systems Guys Brilliant Directive Subscriptions Textile console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: 'JcuMadonna' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: RguBStates console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: 'RguBStates' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: wQCollege console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: Escorts console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: 'wQCollege' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: Sys=P console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: XlAhWarranties console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: Basically Made King console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: 'XlAhWarranties' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: KhColleagues console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: Receptor Moderator Bone console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: 'KhColleagues' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: qehXPatents console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: 'qehXPatents' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 10, 2024, 10:05 a.m.	buffer: wHEWCursor console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 10, 2024, 10:05 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\639278\Assumptions.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c move Notice Notice.bat & Notice.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\639278\Assumptions.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\639278\Assumptions.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 10, 2024, 10:05 a.m.	show_type: 0 filepath_r: cmd parameters: /c move Notice Notice.bat & Notice.bat filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 10, 2024, 10:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 10, 2024, 10:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	tasklist
cmdline	"C:\Windows\System32\cmd.exe" /c move Notice Notice.bat & Notice.bat
cmdline	cmd /c move Notice Notice.bat & Notice.bat

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cylance	Unsafe
tehtris	Generic.Malware
Kaspersky	UDS:DangerousObject.Multi.Generic
SUPERAntiSpyware	Adware.SearchSuite /Variant
McAfeeD	ti!D3B79435A3F7
FireEye	Generic.mg.66f4c467d6f87afe
SentinelOne	Static AI - Suspicious PE
Antiy-AVL	Trojan/Win32.AdLoad.bh
Kingsoft	malware.kb.a.951
Microsoft	Program:Win32/Wacapew.C!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
McAfee	Artemis!66F4C467D6F8
DeepInstinct	MALICIOUS
MaxSecure	Trojan.Malware.121218.susgen

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2212 resumed a thread in remote process 2660
NtResumeThread Sept. 10, 2024, 10:05 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2660	1	0	0

ScreenDataSync.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All