Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 6, 2024, 6:15 p.m.	Oct. 6, 2024, 6:17 p.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`774c8215da3cb73644d36ca3f60e676b`
SHA256	`ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d`
CRC32	`D6AB3296`
ssdeep	`24576:s9y5ZBrOwXMFjy47F710L+O0WK2h4xsPxdUn6d9dZiffX6j76oy4cXW:skjrOaM97F71tbWK2h1Px06fdqCja4mW`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

1.exe "C:\Users\test22\AppData\Local\Temp\1.exe"
792
- cmd.exe "C:\Windows\System32\cmd.exe" /c move Tits Tits.bat & Tits.bat
  2084
  - findstr.exe findstr /I "wrsa opssvc"
    2228
  - tasklist.exe tasklist
    2192
  - tasklist.exe tasklist
    2384
  - findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    2420
  - cmd.exe cmd /c md 400445
    2496
  - findstr.exe findstr /V "navyfurthermoreacceptableinvestigator" Profession
    2540
  - cmd.exe cmd /c copy /b ..\Atmospheric + ..\Commons + ..\Represent + ..\Humans + ..\Href + ..\Router + ..\Connection + ..\Sol O
    2584
  - Batch.pif Batch.pif O
    2628
  - choice.exe choice /d y /t 5
    2712

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 6, 2024, 6:15 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 6, 2024, 6:15 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 6, 2024, 6:15 p.m.			0	0

Command line console output was observed (50 out of 1730 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: Opera=O console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: YqsBoolean console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: Dreams Featuring Buildings Widely Requirements Fails Hire console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: 'YqsBoolean' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: PMZXRecordings console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: Bottles console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: 'PMZXRecordings' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: pjJuXnxx console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: Responded Statewide console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: 'pjJuXnxx' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: nVQRobot console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: Leisure Virtue Bedford Producer Apr Tactics Trial console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: 'nVQRobot' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: agbOl console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: Food Ad Score console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: 'agbOl' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: gOScott console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: Sake Penny Provision Screening console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: 'gOScott' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: EgEdt console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: Hostels Nt Ballet Agent De console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: 'EgEdt' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: TcDas console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: Annually Play Theater Handmade Plasma Syndication console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: 'TcDas' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: xRDOptical console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: Amd Farmer console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: 'xRDOptical' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: MfzVElementary console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: Paying Terry Ass Streams Sri Freelance console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: 'MfzVElementary' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: Britannica=j console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: qtKValves console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:15 p.m.	buffer: Enemy Affairs Securely Parents See console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 6, 2024, 6:15 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\400445\Batch.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c move Tits Tits.bat & Tits.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\400445\Batch.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\400445\Batch.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 6, 2024, 6:15 p.m.	show_type: 0 filepath_r: cmd parameters: /c move Tits Tits.bat & Tits.bat filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 6, 2024, 6:15 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 6, 2024, 6:15 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	cmd /c copy /b ..\Atmospheric + ..\Commons + ..\Represent + ..\Humans + ..\Href + ..\Router + ..\Connection + ..\Sol O
cmdline	cmd /c move Tits Tits.bat & Tits.bat
cmdline	tasklist
cmdline	"C:\Windows\System32\cmd.exe" /c move Tits Tits.bat & Tits.bat

Checks presence of mIRC Chat Client (1 event)

file	C:\mIRC\mirc.ini

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2084 resumed a thread in remote process 2628
NtResumeThread Oct. 6, 2024, 6:15 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2628	1	0	0

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Runner.m!c
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Trojan.Generic.36841373
Cylance	Unsafe
VIPRE	Trojan.Generic.36841373
CrowdStrike	win/grayware_confidence_60% (D)
BitDefender	Trojan.Generic.36841373
K7GW	Trojan ( 005bad8e1 )
K7AntiVirus	Trojan ( 005bad8e1 )
Arcabit	Trojan.Generic.D232279D
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	HEUR:Backdoor.Win32.Agent.gen
SUPERAntiSpyware	Adware.SearchSuite /Variant
MicroWorld-eScan	Trojan.Generic.36841373
Emsisoft	Trojan.Generic.36841373 (B)
F-Secure	Trojan.TR/AVI.Agent.qjmxa
McAfeeD	ti!AD123B1589CB
Trapmine	malicious.high.ml.score
CTX	exe.trojan.runner
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.774c8215da3cb736
Google	Detected
Avira	TR/AVI.Agent.qjmxa
Antiy-AVL	Trojan/Win32.AdLoad.bh
Kingsoft	Win32.Hack.Agent.gen
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Backdoor.Win32.Agent.gen
GData	Trojan.Generic.36841373
Varist	W32/ABTrojan.BUSA-2655
McAfee	Artemis!774C8215DA3C
DeepInstinct	MALICIOUS
Ikarus	Trojan.NSIS.Runner
Tencent	Win32.Backdoor.Agent.Uimw
huorong	HEUR:Trojan/Runner.b
Fortinet	W32/NDAoF
AVG	Win32:Malware-gen
Paloalto	generic.ml
alibabacloud	Backdoor:Win/Runner.KT

1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All