Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 6, 2024, 6:39 p.m.	Oct. 6, 2024, 6:42 p.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2a051b9aa77beac67746c61354d7db3a`
SHA256	`c4436ad3fc46d26c9c066489d3a04665589104813524f24352b063d21d3c8d3c`
CRC32	`FC63EEAF`
ssdeep	`24576:CHKgAPnJ2/jQPgamwcGSVZ6rtZMufRSSRYFD6BfntvnQTTj6U1jw69J/aXgt3ccS:rgAPJ2bQ4vWSVovUS069ntATj6q9glZ`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

MpgRat.exe "C:\Users\test22\AppData\Local\Temp\MpgRat.exe"
1648
- cmd.exe "C:\Windows\System32\cmd.exe" /c move Runtime Runtime.bat & Runtime.bat
  2084
  - findstr.exe findstr /I "wrsa opssvc"
    2224
  - tasklist.exe tasklist
    2188
  - tasklist.exe tasklist
    2332
  - findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    2368
  - cmd.exe cmd /c md 233773
    2444
  - findstr.exe findstr /V "PortraitTaughtHintsDouglas" Bathroom
    2488
  - cmd.exe cmd /c copy /b ..\Invited + ..\Steve + ..\Diploma + ..\Avon + ..\Exclude + ..\Myself + ..\Democrats + ..\Makers + ..\Subscribe M
    2584
  - Ranch.pif Ranch.pif M
    2628
  - choice.exe choice /d y /t 5
    2712

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 6, 2024, 6:40 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 6, 2024, 6:40 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 6, 2024, 6:40 p.m.			0	0

Command line console output was observed (50 out of 1370 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: Discover=A console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: tyGMistake-Prevent-Oem- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: 'tyGMistake-Prevent-Oem-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: KqWage-Dressed-Thousands- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: 'KqWage-Dressed-Thousands-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: dQfEThorough- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: 'dQfEThorough-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: TRcVeterans-Hq- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: 'TRcVeterans-Hq-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: OxPMQuarter- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: 'OxPMQuarter-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: UMbLOpportunities-Numerous-Insider-Futures-Rates-Carbon-Substantial-Renew- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: 'UMbLOpportunities-Numerous-Insider-Futures-Rates-Carbon-Substantial-Renew-' is not recognized as an internal or external command, operable program or batch fi console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: le. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: wFTar-Img-Mileage-Def- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: 'wFTar-Img-Mileage-Def-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: RxMpTouring-Nos-Lease-Dawn- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: 'RxMpTouring-Nos-Lease-Dawn-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: pUBases-Stones-Stress-Does- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: 'pUBases-Stones-Stress-Does-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: VcPostal-Annually-Besides-Powerseller-Producer- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: 'VcPostal-Annually-Besides-Powerseller-Producer-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: Surgeons=N console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: tuMConversations-Battery- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: 'tuMConversations-Battery-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: PgcICompute-Tower-Anyway-Gen-Respective- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: 'PgcICompute-Tower-Anyway-Gen-Respective-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: xcLXSome-Thank-Approx-Sql-Grammar-Girl- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: 'xcLXSome-Thank-Approx-Sql-Grammar-Girl-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: VzKiss-Representatives-Disable-Greater- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 6, 2024, 6:39 p.m.	buffer: 'VzKiss-Representatives-Disable-Greater-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 6, 2024, 6:39 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\233773\Ranch.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c move Runtime Runtime.bat & Runtime.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\233773\Ranch.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\233773\Ranch.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 6, 2024, 6:39 p.m.	show_type: 0 filepath_r: cmd parameters: /c move Runtime Runtime.bat & Runtime.bat filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 6, 2024, 6:40 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 6, 2024, 6:40 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	tasklist
cmdline	cmd /c move Runtime Runtime.bat & Runtime.bat
cmdline	"C:\Windows\System32\cmd.exe" /c move Runtime Runtime.bat & Runtime.bat

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

Bkav	W32.AIDetectMalware
CrowdStrike	win/grayware_confidence_60% (D)
Elastic	malicious (high confidence)
Kaspersky	HEUR:Backdoor.Win32.Agent.gen
McAfeeD	ti!C4436AD3FC46
Sophos	Mal/Generic-S
Kingsoft	Win32.Hack.Agent.gen
Microsoft	Trojan:Win32/Sonbokli.A!cl
ZoneAlarm	HEUR:Backdoor.Win32.Agent.gen
McAfee	Artemis!2A051B9AA77B
Panda	Trj/Chgt.AD
huorong	Trojan/BAT.Agent.cv
Paloalto	generic.ml

Checks presence of mIRC Chat Client (1 event)

file	C:\mIRC\mirc.ini

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2084 resumed a thread in remote process 2628
NtResumeThread Oct. 6, 2024, 6:40 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2628	1	0	0

MpgRat.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All