Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 1, 2024, 4:38 p.m.	Oct. 1, 2024, 4:44 p.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`35bab7028aa376556c3236b773506a9b`
SHA256	`3a03ef1bf1d9c906bbfbe60e96c21cc950d84695b1f0fe23ca6c0c12cbe0f97e`
CRC32	`FEA7AA82`
ssdeep	`24576:doP4FOo7B8Zbizh4H1voG+GBnh/AzWXWmPGuI:4CTiZblVvP/Az1mPGuI`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

66fad513a308f_SubstituteAgain.exe#abd "C:\Users\test22\AppData\Local\Temp\66fad513a308f_SubstituteAgain.exe#abd"
1280
- cmd.exe "C:\Windows\System32\cmd.exe" /c move Tough Tough.bat & Tough.bat
  2156
  - findstr.exe findstr /I "wrsa opssvc"
    2264
  - tasklist.exe tasklist
    2216
  - tasklist.exe tasklist
    2408
  - findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    2444
  - cmd.exe cmd /c md 550360
    2516
  - findstr.exe findstr /V "RatesWarningMouseLake" Contribute
    2560
  - cmd.exe cmd /c copy /b ..\Cookies + ..\Nor + ..\Fence + ..\Interactions + ..\Doctor + ..\Monitoring t
    2604
  - Cal.pif Cal.pif t
    2648
  - choice.exe choice /d y /t 5
    2732

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 1, 2024, 4:38 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 1, 2024, 4:38 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 1, 2024, 4:38 p.m.			0	0

Command line console output was observed (50 out of 824 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: Geometry=v console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: FnAssume console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: Ciao Tony Reseller Sandy Advances Nascar console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: 'FnAssume' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: ApbScenic console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: Surfaces Treaty Group Hacker Throughout Var Representatives Chem console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: 'ApbScenic' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: DISoObtain console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: Corps Ten Joshua Exposed Pulling Sox Microsoft Jo console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: 'DISoObtain' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: RutTTerritory console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: Continued Elementary console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: 'RutTTerritory' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: zdoBool console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: Endorsed Physically Raymond console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: 'zdoBool' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: sFjOfferings console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: Amy Wheat Earn Option Propecia Cadillac Composer Vessels console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: 'sFjOfferings' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: vJRoyalty console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: Still Surf Tomorrow Specialists Fonts console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: 'vJRoyalty' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: hPISurgeons console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: Saskatchewan Common Pickup Wondering console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: 'hPISurgeons' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: Kb=G console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: qwAcc console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: Provincial console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: 'qwAcc' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: PZMInterference console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: Editing Rush Passes Sam Kerry console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: 'PZMInterference' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: DkvVCompared console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2024, 4:38 p.m.	buffer: Epa Concepts Contacted Injury Competitors Deserve Michael console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 1, 2024, 4:38 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\550360\Cal.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c move Tough Tough.bat & Tough.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\550360\Cal.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\550360\Cal.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 1, 2024, 4:38 p.m.	show_type: 0 filepath_r: cmd parameters: /c move Tough Tough.bat & Tough.bat filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 1, 2024, 4:38 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 1, 2024, 4:38 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c move Tough Tough.bat & Tough.bat
cmdline	tasklist
cmdline	cmd /c move Tough Tough.bat & Tough.bat

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Runner.4!c
CTX	exe.trojan.runner
Cylance	Unsafe
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
McAfeeD	ti!3A03EF1BF1D9
Sophos	Mal/Generic-S
Webroot	W32.Malware.Gen
Antiy-AVL	Trojan/NSIS.Runner.bp
Kingsoft	Win32.Hack.Agent.gen
Microsoft	Trojan:Win32/Znyonm
SUPERAntiSpyware	Adware.SearchSuite /Variant
huorong	HEUR:Trojan/Runner.b
DeepInstinct	MALICIOUS

Checks presence of mIRC Chat Client (1 event)

file	C:\mIRC\mirc.ini

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2156 resumed a thread in remote process 2648
NtResumeThread Oct. 1, 2024, 4:38 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2648	1	0	0

66fad513a308f_SubstituteAgain.exe#abd

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All