Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 2, 2024, 2:31 p.m.	Oct. 2, 2024, 2:40 p.m.

Size	909.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5e55a47b6d7053f9d1ff19539863b8c2`
SHA256	`72c40603279789c395054781be9ae0b153ca29ebe3c2f9ff0cb609a603b5c545`
CRC32	`F7556092`
ssdeep	`12288:ECXVJY0G8ReIqcEV/cjrk/BO27mOCNcnjaEpEEt/xOJUnjz/j/aP3hLnqZ:Eys07eFv1/4PwG/C5OKnjz/zwlnqZ`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

66fbd9a4db4c9_GovernmentalSa.exe#abd "C:\Users\test22\AppData\Local\Temp\66fbd9a4db4c9_GovernmentalSa.exe#abd"
1680
- cmd.exe "C:\Windows\System32\cmd.exe" /c move Extends Extends.bat & Extends.bat
  2068
  - findstr.exe findstr /I "wrsa opssvc"
    2204
  - tasklist.exe tasklist
    2168
  - tasklist.exe tasklist
    2312
  - findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    2348
  - cmd.exe cmd /c md 376615
    2420
  - findstr.exe findstr /V "PieAttachedEndlessEz" Projected
    2464
  - cmd.exe cmd /c copy /b ..\Presence + ..\Expenditures + ..\Settlement + ..\Daniel + ..\Javascript + ..\Packs y
    2512
  - Sleeping.pif Sleeping.pif y
    2556
  - choice.exe choice /d y /t 5
    2644

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 2, 2024, 2:31 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 2, 2024, 2:31 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 2, 2024, 2:31 p.m.			0	0

Command line console output was observed (50 out of 651 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: Ton=R console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: ToSystems-Selections-Radio-Relate-Obvious-Fitting-Merry-Surgical- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: 'ToSystems-Selections-Radio-Relate-Obvious-Fitting-Merry-Surgical-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: iiTracking-Practitioner-Incorporate-Knee-Automobiles-Securely-Plaintiff-Established-Weight- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: 'iiTracking-Practitioner-Incorporate-Knee-Automobiles-Securely-Plaintiff-Established-Weight-' is not recognized as an internal or external command, operable pr console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: ogram or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: kMDFWelcome-Trainer-Ga-Molecular-Richards-Responding- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: 'kMDFWelcome-Trainer-Ga-Molecular-Richards-Responding-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: vxmvTracy-Applications- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: 'vxmvTracy-Applications-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: JiyBookmarks-Doing-Deviant-Verse-Croatia-Discussion-Couple- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: 'JiyBookmarks-Doing-Deviant-Verse-Croatia-Discussion-Couple-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: UqDZAccessory-Schedule- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: 'UqDZAccessory-Schedule-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: Threesome=a console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: nseCause- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: 'nseCause-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: txDirect-Promote-Moisture-Packard-Laid- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: 'txDirect-Promote-Moisture-Packard-Laid-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: BHhNBegun- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: 'BHhNBegun-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: AYfNChairs-Explaining-Chef-Liechtenstein-Audience-Virtual-Naturally-Symphony- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: 'AYfNChairs-Explaining-Chef-Liechtenstein-Audience-Virtual-Naturally-Symphony-' is not recognized as an internal or external command, operable program or batch console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: eyForecasts-Off-Portraits-Bolivia-Conflicts-Secretary-Bond- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: 'eyForecasts-Off-Portraits-Bolivia-Conflicts-Secretary-Bond-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: RhJSubject-Internship- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: 'RhJSubject-Internship-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: Anger=K console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2024, 2:31 p.m.	buffer: PCDjTrip-Breakdown-Administrator-Dis-Milton-Audio- console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 2, 2024, 2:31 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\376615\Sleeping.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c move Extends Extends.bat & Extends.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\376615\Sleeping.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\376615\Sleeping.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 2, 2024, 2:31 p.m.	show_type: 0 filepath_r: cmd parameters: /c move Extends Extends.bat & Extends.bat filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 2, 2024, 2:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 2, 2024, 2:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd /c move Extends Extends.bat & Extends.bat
cmdline	tasklist
cmdline	"C:\Windows\System32\cmd.exe" /c move Extends Extends.bat & Extends.bat

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Bkav	W32.AIDetectMalware
tehtris	Generic.Malware
Cylance	Unsafe
CrowdStrike	win/grayware_confidence_60% (D)
Elastic	malicious (high confidence)
McAfeeD	ti!72C406032797
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.5e55a47b6d7053f9
Webroot	W32.Infostealer.Stealc
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Malware.Win32.Stealc.tr
Microsoft	Trojan:Win32/Wacatac.B!ml
Varist	W32/Injector.ZIQR-2473
DeepInstinct	MALICIOUS
Fortinet	BAT/Runner.U!tr
Paloalto	generic.ml

Checks presence of mIRC Chat Client (1 event)

file	C:\mIRC\mirc.ini

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2068 resumed a thread in remote process 2556
NtResumeThread Oct. 2, 2024, 2:31 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2556	1	0	0

66fbd9a4db4c9_GovernmentalSa.exe#abd

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All