Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 17, 2024, 1:31 p.m.	Sept. 17, 2024, 2:16 p.m.

Size	995.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`969c9a7bc2e46a078fac7c27ad79fc56`
SHA256	`891306bc14e8d196e6f229dfe9d713bb1e81af30efe5ea786672648cbe6fd032`
CRC32	`1FA3724C`
ssdeep	`24576:q9w4d0VZcM0nG4fyVtHh0nut8gJXFywMgzwZCOIW1MnPvF:qmr31deutFlFJMgzeCOIW1MPd`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

gretdence.exe "C:\Users\test22\AppData\Local\Temp\gretdence.exe"
2032
- cmd.exe "C:\Windows\System32\cmd.exe" /c move Televisions Televisions.bat & Televisions.bat
  2124
  - findstr.exe findstr /I "wrsa opssvc"
    2264
  - tasklist.exe tasklist
    2228
  - tasklist.exe tasklist
    2424
  - findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    2460
  - cmd.exe cmd /c md 410599
    2532
  - findstr.exe findstr /V "CarrierWorshipTftInvestigated" Notify
    2580
  - cmd.exe cmd /c copy /b ..\Canberra + ..\Conduct + ..\Pros + ..\Mu + ..\Infectious + ..\Preceding k
    2624
  - Thank.pif Thank.pif k
    2668
  - choice.exe choice /d y /t 5
    2752

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 17, 2024, 1:31 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 17, 2024, 1:31 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 17, 2024, 1:31 p.m.			0	0

Command line console output was observed (50 out of 2239 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: Capabilities=1 console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: rfjTArgued console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: Riverside Played Banner console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: 'rfjTArgued' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: KuSecretary console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: Spread Databases Army Or console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: 'KuSecretary' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: UKFly console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: Two Soonest Pearl Scenes console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: 'UKFly' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: nCFusion console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: Notified Lost Margin Mint Tft Interpreted console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: 'nCFusion' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: XhjFinish console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: Touch Eh Phentermine Sad console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: 'XhjFinish' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: MRAlias console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: Bench Baskets console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: 'MRAlias' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: XfeDistributors console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: Murphy Confidentiality Luke Insight Fda Litigation console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: 'XfeDistributors' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: jgNamespace console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: Cattle Ceramic Operates console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: 'jgNamespace' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: YqwWrist console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: Acres Tires Reply Pst console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: 'YqwWrist' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: sAbOlympic console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: Naples Holly Ref Printed Pool Anime Wrist Texts console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: 'sAbOlympic' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: Mode=B console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: BqxCiao console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:31 p.m.	buffer: Td Investigators console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 17, 2024, 1:31 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\410599\Thank.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c move Televisions Televisions.bat & Televisions.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\410599\Thank.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\410599\Thank.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 17, 2024, 1:31 p.m.	show_type: 0 filepath_r: cmd parameters: /c move Televisions Televisions.bat & Televisions.bat filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 17, 2024, 1:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 17, 2024, 1:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	tasklist
cmdline	cmd /c move Televisions Televisions.bat & Televisions.bat
cmdline	"C:\Windows\System32\cmd.exe" /c move Televisions Televisions.bat & Televisions.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2124 resumed a thread in remote process 2668
NtResumeThread Sept. 17, 2024, 1:31 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2668	1	0	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stealerc.1m!c
Cynet	Malicious (score: 99)
ALYac	Trojan.GenericKD.74134224
Cylance	Unsafe
VIPRE	Trojan.GenericKD.74134224
Sangfor	Trojan.Win32.Agent.Vtmp
CrowdStrike	win/malicious_confidence_60% (D)
BitDefender	Trojan.GenericKD.74134224
Arcabit	Trojan.Generic.D46B32D0
VirIT	Trojan.Win32.NSISDrp.HHA
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	NSIS/Runner.BJ
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	HEUR:Trojan-PSW.Win32.Stealerc.gen
MicroWorld-eScan	Trojan.GenericKD.74134224
Emsisoft	Trojan.GenericKD.74134224 (B)
F-Secure	Trojan.TR/Redcap.qtqxo
DrWeb	Trojan.Siggen29.40219
McAfeeD	ti!891306BC14E8
Trapmine	suspicious.low.ml.score
CTX	exe.trojan.generic
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.969c9a7bc2e46a07
Webroot	W32.Trojan.GenKD
Google	Detected
Avira	TR/Redcap.qtqxo
Antiy-AVL	Trojan/Win32.AdLoad.bh
Kingsoft	Win32.Trojan-PSW.Stealerc.gen
Gridinsoft	Malware.Win32.Stealc.tr
Microsoft	Trojan:Win32/Acll
ZoneAlarm	HEUR:Trojan-PSW.Win32.Stealerc.gen
GData	Trojan.GenericKD.74134224
McAfee	Artemis!969C9A7BC2E4
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.3713272125
Ikarus	Trojan.NSIS.Runner
Panda	Trj/Chgt.AD
Tencent	Win32.Trojan-QQPass.QQRob.Najl
huorong	Trojan/BAT.Agent.cv
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:Malware-gen
Paloalto	generic.ml
alibabacloud	Trojan[stealer]:Win/Runner.BG

gretdence.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All