Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 26, 2024, 12:04 p.m.	Sept. 26, 2024, 12:06 p.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`88f2f4df57c115ab7062c7a2a23e454a`
SHA256	`08f30ece5f7e77a69e58a970b3684c2a0eba1aa203ac97836dad32fc10a15e90`
CRC32	`E4786E8F`
ssdeep	`24576:T97KLeYdCBMGq8TBUfnrO/E7Bup/884hvndKzVDDuy3ent:TUXfEBUvyj884uzxDqt`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

SoftShipment.exe "C:\Users\test22\AppData\Local\Temp\SoftShipment.exe"
800
- cmd.exe "C:\Windows\System32\cmd.exe" /c move Killing Killing.bat & Killing.bat
  2164
  - findstr.exe findstr /I "wrsa opssvc"
    2276
  - tasklist.exe tasklist
    2240
  - tasklist.exe tasklist
    2384
  - findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    2420
  - cmd.exe cmd /c md 10518
    2504
  - findstr.exe findstr /V "BATHROOMSOFTENPAYCOMMERCIAL" Socket
    2548
  - cmd.exe cmd /c copy /b ..\Cherry + ..\Delegation + ..\Uniprotkb + ..\Explains + ..\Www + ..\Victor c
    2592
  - Voyuer.pif Voyuer.pif c
    2636
  - choice.exe choice /d y /t 5
    2776

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 26, 2024, 12:04 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 26, 2024, 12:04 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 26, 2024, 12:04 p.m.			0	0

Command line console output was observed (50 out of 989 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: Witnesses=d console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: pMWDownloadcom console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: Arm console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: 'pMWDownloadcom' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: gGjSubcommittee console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: Mate Onion console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: 'gGjSubcommittee' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: KIAging console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: Tricks console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: 'KIAging' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: IUArrived console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: Completion Toilet Safety Diary Questions Defense Lounge Mobiles console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: 'IUArrived' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: obPromise console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: Senator Mozambique Boy Rg console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: 'obPromise' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: WcFacilities console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: 'WcFacilities' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: BbtjSterling console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: Co Losses console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: 'BbtjSterling' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: wytiAdvert console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: Titans Accused Searched Eco Drain console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: 'wytiAdvert' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: OpXIma console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: Sierra Intensity console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: 'OpXIma' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: Detective=P console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: fCAeWill console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: Tag Na Enzyme Farm console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: 'fCAeWill' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: vJAReleased console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: Finishing Diego Long Dialogue Controllers console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2024, 12:04 p.m.	buffer: 'vJAReleased' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 26, 2024, 12:04 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\10518\Voyuer.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c move Killing Killing.bat & Killing.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\10518\Voyuer.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\10518\Voyuer.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 26, 2024, 12:04 p.m.	show_type: 0 filepath_r: cmd parameters: /c move Killing Killing.bat & Killing.bat filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 26, 2024, 12:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 26, 2024, 12:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c move Killing Killing.bat & Killing.bat
cmdline	tasklist
cmdline	cmd /c move Killing Killing.bat & Killing.bat

Checks presence of mIRC Chat Client (1 event)

file	C:\mIRC\mirc.ini

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2164 resumed a thread in remote process 2636
NtResumeThread Sept. 26, 2024, 12:04 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2636	1	0	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Runner.4!c
Cynet	Malicious (score: 99)
ALYac	Gen:Variant.Autoruns.Nemesis.16
Cylance	Unsafe
VIPRE	Gen:Variant.Autoruns.Nemesis.16
Sangfor	Trojan.Win32.Runner.V7s2
CrowdStrike	win/grayware_confidence_60% (D)
BitDefender	Gen:Variant.Autoruns.Nemesis.16
K7GW	Trojan ( 005bad8e1 )
K7AntiVirus	Trojan ( 005bad8e1 )
Arcabit	Trojan.Autoruns.Nemesis.16
VirIT	Trojan.Win32.NSISDrp.HHH
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	NSIS/Runner.BP
APEX	Malicious
Avast	Win32:Malware-gen
MicroWorld-eScan	Gen:Variant.Autoruns.Nemesis.16
Emsisoft	Gen:Variant.Autoruns.Nemesis.16 (B)
F-Secure	Trojan.TR/AVI.Agent.bgfwt
DrWeb	Trojan.Siggen29.42523
McAfeeD	ti!08F30ECE5F7E
CTX	exe.trojan.runner
Sophos	Mal/Generic-S
FireEye	Generic.mg.88f2f4df57c115ab
Webroot	W32.Malware.Gen
Google	Detected
Avira	TR/AVI.Agent.bgfwt
Antiy-AVL	Trojan/Win32.AdLoad.bh
Kingsoft	Win32.Trojan.Autoit.gen
Gridinsoft	Ransom.Win32.Wacatac.cl
Microsoft	Trojan:Win32/Conteban.A!ml
GData	Gen:Variant.Autoruns.Nemesis.16
Varist	W32/ABTrojan.HHTL-2825
McAfee	Artemis!88F2F4DF57C1
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.4248437397
Ikarus	Trojan.NSIS.Runner
Panda	Trj/Chgt.AD
Tencent	Win32.Trojan.Autoit.Szfl
huorong	HEUR:Trojan/Runner.b
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	NSIS/Runner.K!tr
AVG	Win32:Malware-gen
Paloalto	generic.ml
alibabacloud	Trojan:Win/Runner.BT

SoftShipment.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All