Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 27, 2024, 1:36 p.m.	Sept. 27, 2024, 1:44 p.m.

Size	4.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`db5245aa66c7883d72b0f718467c842b`
SHA256	`2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f`
CRC32	`8F24F592`
ssdeep	`98304:0yeXw/fAXrC1h7a6dsRsB78r3SGE2rKYM0B1KEjjJQf+54C:teUAXObeeB7wM2rtZzX4C`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

66f5920e5f6b9_PoliciesCups.exe#angry "C:\Users\test22\AppData\Local\Temp\66f5920e5f6b9_PoliciesCups.exe#angry"
2060
- cmd.exe "C:\Windows\System32\cmd.exe" /c move False False.bat & False.bat
  2220
  - tasklist.exe tasklist
    2292
  - findstr.exe findstr /I "wrsa opssvc"
    2328
  - tasklist.exe tasklist
    2444
  - findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    2480
  - cmd.exe cmd /c md 246579
    2552
  - findstr.exe findstr /V "KeywordCampaignSolarMatt" Settings
    2596
  - cmd.exe cmd /c copy /b ..\Enable + ..\Decide + ..\Quarter + ..\Uk + ..\Threshold + ..\Prisoner + ..\Lazy + ..\Solar + ..\Affiliation + ..\Sn + ..\Phase + ..\Sport + ..\Rays + ..\Der + ..\Sandwich + ..\Zoophilia + ..\Swedish + ..\Very + ..\Marco + ..\Brand + ..\Offensive + ..\Beside + ..\Connecting + ..\Film + ..\Snowboard + ..\Placed + ..\Occurring + ..\Brother + ..\Matches + ..\Newark + ..\Evaluating + ..\Flows + ..\Brothers + ..\Manner + ..\Challenged + ..\Approaches + ..\Forever + ..\Wireless + ..\Jamaica + ..\Restrictions n
    2640
  - Search.pif Search.pif n
    2684
  - cmd.exe cmd /c copy /b ..\Upgrades + ..\Experiences + ..\Wang + ..\Rally + ..\Junior + ..\Poultry + ..\Zdnet + ..\Write w
    2812
  - Search.pif Search.pif w
    2856
  - choice.exe choice /d y /t 15
    2924

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
79.110.49.42	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 79.110.49.42:8041 -> 192.168.56.103:49167	2400007	ET DROP Spamhaus DROP Listed Traffic Inbound group 8	Misc Attack

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 27, 2024, 1:36 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 27, 2024, 1:36 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 27, 2024, 1:36 p.m.			0	0
IsDebuggerPresent Sept. 27, 2024, 1:36 p.m.			0	0

Command line console output was observed (50 out of 830 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: Exemption=P console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: fxLoContrast console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: Accommodate Susan Hart Technician India console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: 'fxLoContrast' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: aUAchievements console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: Naples Describing Jerusalem Requirements Jets console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: 'aUAchievements' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: LyInitially console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: 'LyInitially' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: DSbkMiami console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: Travel Archived Snow Bahamas Accomplish Locally Increased Missing console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: 'DSbkMiami' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: XFNpTrains console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: Designated Myrtle console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: 'XFNpTrains' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: zynfPlaylist console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: Nintendo Artists console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: 'zynfPlaylist' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: Ep=O console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: EnrPrevention console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: 'EnrPrevention' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: BArJokes console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: Construction Widescreen Treasurer Wrapped console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: 'BArJokes' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: ILEeSaint console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: Creating Cleared Employee Nhs Sean Screensaver console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: 'ILEeSaint' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: gjSees console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: Instrumental Accent Varied Investments Robust Interval Bathroom Chemicals console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: 'gjSees' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: enUaRev console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: 'enUaRev' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2024, 1:36 p.m.	buffer: gvMonaco console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 27, 2024, 1:36 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\246579\Search.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c move False False.bat & False.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\246579\Search.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\246579\Search.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 27, 2024, 1:36 p.m.	show_type: 0 filepath_r: cmd parameters: /c move False False.bat & False.bat filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 27, 2024, 1:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 27, 2024, 1:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (33 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	tasklist
cmdline	"C:\Windows\System32\cmd.exe" /c move False False.bat & False.bat
cmdline	cmd /c copy /b ..\Upgrades + ..\Experiences + ..\Wang + ..\Rally + ..\Junior + ..\Poultry + ..\Zdnet + ..\Write w
cmdline	cmd /c move False False.bat & False.bat

Communicates with host for which no DNS query was performed (1 event)

host

79.110.49.42

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

Bkav	W32.AIDetectMalware
Skyhigh	BehavesLike.Win32.Dropper.rc
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_60% (D)
Elastic	malicious (high confidence)
McAfeeD	ti!2C9896B3EAC1
Webroot	W32.Infostealer.Vidar
Antiy-AVL	Trojan/Win32.Leonem
Kingsoft	Win32.Hack.Agent.gen
Microsoft	Trojan:Win32/Wacatac.B!ml
McAfee	Artemis!DB5245AA66C7
DeepInstinct	MALICIOUS
huorong	HEUR:Trojan/Runner.b

Checks presence of mIRC Chat Client (1 event)

file	C:\mIRC\mirc.ini

Drops 52 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 52 events)

file	C:\Users\test22\AppData\Local\Temp\Rays
file	C:\Users\test22\AppData\Local\Temp\Write
file	C:\Users\test22\AppData\Local\Temp\Phase
file	C:\Users\test22\AppData\Local\Temp\Swedish
file	C:\Users\test22\AppData\Local\Temp\Sport
file	C:\Users\test22\AppData\Local\Temp\Offensive
file	C:\Users\test22\AppData\Local\Temp\Approaches
file	C:\Users\test22\AppData\Local\Temp\Wang
file	C:\Users\test22\AppData\Local\Temp\Marco
file	C:\Users\test22\AppData\Local\Temp\Der
file	C:\Users\test22\AppData\Local\Temp\Forever
file	C:\Users\test22\AppData\Local\Temp\Brand
file	C:\Users\test22\AppData\Local\Temp\Snowboard
file	C:\Users\test22\AppData\Local\Temp\Affiliation
file	C:\Users\test22\AppData\Local\Temp\Placed
file	C:\Users\test22\AppData\Local\Temp\Prisoner
file	C:\Users\test22\AppData\Local\Temp\Jamaica
file	C:\Users\test22\AppData\Local\Temp\Evaluating
file	C:\Users\test22\AppData\Local\Temp\Experiences
file	C:\Users\test22\AppData\Local\Temp\Beside
file	C:\Users\test22\AppData\Local\Temp\246579\w
file	C:\Users\test22\AppData\Local\Temp\246579\n
file	C:\Users\test22\AppData\Local\Temp\Very
file	C:\Users\test22\AppData\Local\Temp\Lazy
file	C:\Users\test22\AppData\Local\Temp\Zoophilia
file	C:\Users\test22\AppData\Local\Temp\Rally
file	C:\Users\test22\AppData\Local\Temp\Decide
file	C:\Users\test22\AppData\Local\Temp\Solar
file	C:\Users\test22\AppData\Local\Temp\Flows
file	C:\Users\test22\AppData\Local\Temp\Uk
file	C:\Users\test22\AppData\Local\Temp\Occurring
file	C:\Users\test22\AppData\Local\Temp\Connecting
file	C:\Users\test22\AppData\Local\Temp\Brother
file	C:\Users\test22\AppData\Local\Temp\Quarter
file	C:\Users\test22\AppData\Local\Temp\Manner
file	C:\Users\test22\AppData\Local\Temp\Wireless
file	C:\Users\test22\AppData\Local\Temp\Brothers
file	C:\Users\test22\AppData\Local\Temp\Film
file	C:\Users\test22\AppData\Local\Temp\Computer
file	C:\Users\test22\AppData\Local\Temp\Restrictions
file	C:\Users\test22\AppData\Local\Temp\Newark
file	C:\Users\test22\AppData\Local\Temp\Sn
file	C:\Users\test22\AppData\Local\Temp\Enable
file	C:\Users\test22\AppData\Local\Temp\Sandwich
file	C:\Users\test22\AppData\Local\Temp\Challenged
file	C:\Users\test22\AppData\Local\Temp\Poultry
file	C:\Users\test22\AppData\Local\Temp\Zdnet
file	C:\Users\test22\AppData\Local\Temp\Upgrades
file	C:\Users\test22\AppData\Local\Temp\Settings
file	C:\Users\test22\AppData\Local\Temp\Threshold

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2220 resumed a thread in remote process 2684
Process injection	Process 2220 resumed a thread in remote process 2856
NtResumeThread Sept. 27, 2024, 1:36 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2684	1	0	0
NtResumeThread Sept. 27, 2024, 1:36 p.m.	thread_handle: 0x00000094 suspend_count: 0 process_identifier: 2856	1	0	0

66f5920e5f6b9_PoliciesCups.exe#angry

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All