Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 12, 2024, 12:52 p.m.	Sept. 12, 2024, 12:57 p.m.

Size	1017.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0ffee13ff36c1cd606d032450deb5ac1`
SHA256	`4c05c9ade0f5fa4dda9a53c74f8bc41c3ab59d29203dc11c2f5cc99a5dbf7df1`
CRC32	`994338A6`
ssdeep	`24576:R98WcMakSY6jT7Q+vv4Vd6a4wZihgqg8w2A359Le51CU:RSyafjN4VsCQ+qgoA3vCiU`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

avoufshire.exe "C:\Users\test22\AppData\Local\Temp\avoufshire.exe"
2660
- cmd.exe "C:\Windows\System32\cmd.exe" /c move Measuring Measuring.bat & Measuring.bat
  2776
  - findstr.exe findstr /I "wrsa opssvc"
    2884
  - tasklist.exe tasklist
    2848
  - tasklist.exe tasklist
    3004
  - findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3040
  - cmd.exe cmd /c md 495055
    908
  - findstr.exe findstr /V "LIVERPOOLANGELSFOUNTAINSURPRISED" Occasional
    1484
  - cmd.exe cmd /c copy /b ..\Creative + ..\Pdas + ..\Suck + ..\Mediterranean + ..\Clan + ..\Subsequently O
    2164
  - Laid.pif Laid.pif O
    2216
  - choice.exe choice /d y /t 5
    2440

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 12, 2024, 12:53 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 12, 2024, 12:53 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 12, 2024, 12:53 p.m.			0	0

Command line console output was observed (50 out of 2094 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: Clarity= console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: fOJm console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: Li Pensions Portable Wanted Nurses Referrals Persons Antibodies console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: 'fOJm' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: YYhAndrews console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: Actions Valuation console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: 'YYhAndrews' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: nIfABernard console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: De Animals console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: 'nIfABernard' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: kzFavourites console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: Eng Sex Behind console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: 'kzFavourites' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: kGYWhose console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: Trends Introduced console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: 'kGYWhose' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: Jacob=S console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: lUStory console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: Cheque Biggest console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: 'lUStory' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: QuWarehouse console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: Crisis Mexico Increasingly Tune Incredible console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: 'QuWarehouse' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: fGjCoated console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: Commonwealth Private Shaw Gentle Webcast Mumbai console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: 'fGjCoated' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: MRwSellers console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: Alberta Changelog Thorough Friend Costa Exhaust Coupon console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: 'MRwSellers' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: JvIAudit console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: 'JvIAudit' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: xBcStatutory console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: Dildo console_handle: 0x00000007	1	1
WriteConsoleW Sept. 12, 2024, 12:53 p.m.	buffer: 'xBcStatutory' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 12, 2024, 12:52 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 12, 2024, 12:53 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735e2000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\495055\Laid.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c move Measuring Measuring.bat & Measuring.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\495055\Laid.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\495055\Laid.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 12, 2024, 12:52 p.m.	show_type: 0 filepath_r: cmd parameters: /c move Measuring Measuring.bat & Measuring.bat filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 12, 2024, 12:53 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 12, 2024, 12:53 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd /c move Measuring Measuring.bat & Measuring.bat
cmdline	tasklist
cmdline	"C:\Windows\System32\cmd.exe" /c move Measuring Measuring.bat & Measuring.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2776 resumed a thread in remote process 2216
NtResumeThread Sept. 12, 2024, 12:53 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2216	1	0	0

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stealerc.1m!c
Elastic	malicious (high confidence)
Cylance	Unsafe
Sangfor	Trojan.Win32.Agent.V5hl
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	HEUR:Trojan-PSW.Win32.Stealerc.gen
DrWeb	Trojan.Siggen29.37905
McAfeeD	ti!4C05C9ADE0F5
Trapmine	suspicious.low.ml.score
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.0ffee13ff36c1cd6
Webroot	W32.Malware.Gen
Antiy-AVL	Trojan/Win32.AdLoad.bh
Kingsoft	malware.kb.a.985
Gridinsoft	Malware.Win32.Stealc.tr
Microsoft	Trojan:Win32/Znyonm
ZoneAlarm	HEUR:Trojan-PSW.Win32.Stealerc.gen
Varist	W32/ABTrojan.QLNA-2810
McAfee	Artemis!0FFEE13FF36C
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.1918387926
huorong	Trojan/BAT.Agent.cv
MaxSecure	Trojan.Malware.121218.susgen
AVG	Win32:Malware-gen
Paloalto	generic.ml
CrowdStrike	win/grayware_confidence_60% (D)

avoufshire.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All