Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 10, 2024, 10:56 a.m.	Oct. 10, 2024, 11 a.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e6dd6a25125edd4c21fe5cf7bafcd2bb`
SHA256	`523cd90154c376b7f6953f1e825eb467b231b3fffe30ab321c1a69da22cb1148`
CRC32	`B9A215C8`
ssdeep	`24576:5ACy4Y4Q1jqxeColSZkrmiZM/z+KpN/6xwA1u3l5y98IOyxa/VvEW:iF7NeY34+iNyxwg2vy9DOyWj`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

InstallSetup.exe "C:\Users\test22\AppData\Local\Temp\InstallSetup.exe"
496
- cmd.exe "C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat
  2152
  - findstr.exe findstr /I "wrsa opssvc"
    2292
  - tasklist.exe tasklist
    2256
  - tasklist.exe tasklist
    2408
  - findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
    2444
  - cmd.exe cmd /c md 773416
    2524
  - findstr.exe findstr /V "MineralAlertSignificantVanilla" Partition
    2568
  - cmd.exe cmd /c copy /b ..\Transmit + ..\Turtle + ..\Vienna + ..\Diet + ..\Enclosure + ..\Bangladesh + ..\Mobility + ..\Cool + ..\Completely A
    2612
  - Welding.pif Welding.pif A
    2656
  - choice.exe choice /d y /t 5
    2788

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 10, 2024, 10:56 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 10, 2024, 10:56 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 10, 2024, 10:56 a.m.			0	0

Command line console output was observed (50 out of 1340 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: Baptist=f console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: ljFwd-Lead-Strike- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: 'ljFwd-Lead-Strike-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: RcVwColleges- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: 'RcVwColleges-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: VsReduce-Ns-Attachments- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: 'VsReduce-Ns-Attachments-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: jZbPackard-Ferrari-Guarantee-Finally-Solved- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: 'jZbPackard-Ferrari-Guarantee-Finally-Solved-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: rhWiPreviews-Thousands-Loving-Camp-Thinkpad-Semiconductor-Xanax- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: 'rhWiPreviews-Thousands-Loving-Camp-Thinkpad-Semiconductor-Xanax-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: KUgVDensity-Remains-Aberdeen-Periodic-Maiden-S-Vista-Dicks-Rolling- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: 'KUgVDensity-Remains-Aberdeen-Periodic-Maiden-S-Vista-Dicks-Rolling-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: TAfmCharts-Welsh-Secret-Describes-Titanium-Consequently- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: 'TAfmCharts-Welsh-Secret-Describes-Titanium-Consequently-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: slnPractitioner-Diesel- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: 'slnPractitioner-Diesel-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: Allowing=8 console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: qYejLolita-Options- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: 'qYejLolita-Options-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: HYPMerchandise-Originally-Native-Flexible-Troy-Wma-Health- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: 'HYPMerchandise-Originally-Native-Flexible-Troy-Wma-Health-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: lyForget-Favourites-Situated-Crap-Manchester-Ge-Investment-Tapes-Fall- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: 'lyForget-Favourites-Situated-Crap-Manchester-Ge-Investment-Tapes-Fall-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: tUENTrusts-Manuals-Told- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: 'tUENTrusts-Manuals-Told-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: iAPerceived-Share-Nhl-Training- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: 'iAPerceived-Share-Nhl-Training-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: UYtRiver-Thus-Acknowledge-Positions-Threesome-Functional-Erik-Bedford- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: 'UYtRiver-Thus-Acknowledge-Positions-Threesome-Functional-Erik-Bedford-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 10, 2024, 10:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 10, 2024, 10:56 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\773416\Welding.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\773416\Welding.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\773416\Welding.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 10, 2024, 10:56 a.m.	show_type: 0 filepath_r: cmd parameters: /c move Halo Halo.bat & Halo.bat filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 10, 2024, 10:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 10, 2024, 10:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	tasklist
cmdline	cmd /c move Halo Halo.bat & Halo.bat
cmdline	"C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat

Checks presence of mIRC Chat Client (1 event)

file	C:\mIRC\mirc.ini

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2152 resumed a thread in remote process 2656
NtResumeThread Oct. 10, 2024, 10:56 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2656	1	0	0

InstallSetup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All