Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 13, 2024, 12:05 p.m.	Oct. 13, 2024, 12:08 p.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c065ba22909fc8dbded4ea0eebb24ad5`
SHA256	`9817f4d8bc1374f102196cfcb8a351abdc0563dea60f6084a7525e5ee5409b6d`
CRC32	`2D388F88`
ssdeep	`24576:vqJm/Xl+FIqBwq4QlGsljfzlE6J4zYfs6nScxy63:S4l+OqyLQHugVfDnS8y63`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

Bundicut.exe "C:\Users\test22\AppData\Local\Temp\Bundicut.exe"
1648
- cmd.exe "C:\Windows\System32\cmd.exe" /c move Centres Centres.bat & Centres.bat
  2168
  - tasklist.exe tasklist
    2304
  - findstr.exe findstr /I "wrsa opssvc"
    2340
  - tasklist.exe tasklist
    2452
  - findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
    2488
  - cmd.exe cmd /c md 103495
    2560
  - findstr.exe findstr /V "aroundaccommodategroupseverything" Fine
    2604
  - cmd.exe cmd /c copy /b ..\Correct + ..\Transparent + ..\Barbie + ..\Gloves + ..\Latin + ..\Story + ..\Ski + ..\Appraisal n
    2648
  - Powder.pif Powder.pif n
    2692
  - choice.exe choice /d y /t 5
    2776

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 13, 2024, 12:05 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 13, 2024, 12:05 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 13, 2024, 12:05 p.m.			0	0

Command line console output was observed (50 out of 1635 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: Adidas=T console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: yUeNegotiations-Chip-Fathers-Case-Dollars-Penalties- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: 'yUeNegotiations-Chip-Fathers-Case-Dollars-Penalties-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: mxrGRochester-Vice-Assign-J-Su-Minus-Dream- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: 'mxrGRochester-Vice-Assign-J-Su-Minus-Dream-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: ZlseMate-Taxi-Waves-Sam-Parliament-Exec-Defense-Shades-Debut- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: 'ZlseMate-Taxi-Waves-Sam-Parliament-Exec-Defense-Shades-Debut-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: xWnInfinite-Ft-Increasing-N-Harrison-Finding-Apache-Varies- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: 'xWnInfinite-Ft-Increasing-N-Harrison-Finding-Apache-Varies-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: hgLouisiana-Orange-Bedford-Porno-Gregory-Skype-Eddie- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: 'hgLouisiana-Orange-Bedford-Porno-Gregory-Skype-Eddie-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: LOPromotion-Retreat-Reservations-Gig-Voyuer-Luxury-Julian-Physics-Mag- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: 'LOPromotion-Retreat-Reservations-Gig-Voyuer-Luxury-Julian-Physics-Mag-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: KQENutrition-Tue-Promotion-Subtle-Nicaragua- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: 'KQENutrition-Tue-Promotion-Subtle-Nicaragua-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: KmSPRack-Mem-Badge-Modular-Pee-Dd- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: 'KmSPRack-Mem-Badge-Modular-Pee-Dd-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: JvSoon-Permitted-Voted-Bath-Helped-Management-Nobody- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: 'JvSoon-Permitted-Voted-Bath-Helped-Management-Nobody-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: Foot=H console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: ESLfShit-Pills-Tvs- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: 'ESLfShit-Pills-Tvs-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: OSGuns-General-Terry-Telephone-Barn-Stress- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: 'OSGuns-General-Terry-Telephone-Barn-Stress-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: VMfMarried-Schools-Tracks-Bradley-Massive- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: 'VMfMarried-Schools-Tracks-Bradley-Massive-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: KmWTent-Jail- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: 'KmWTent-Jail-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: oiPci-Concerned-Exceptional-Halo-Hate-Paris-Marc-Programs- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: 'oiPci-Concerned-Exceptional-Halo-Hate-Paris-Marc-Programs-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 13, 2024, 12:05 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 13, 2024, 12:05 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\103495\Powder.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c move Centres Centres.bat & Centres.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\103495\Powder.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\103495\Powder.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 13, 2024, 12:05 p.m.	show_type: 0 filepath_r: cmd parameters: /c move Centres Centres.bat & Centres.bat filepath: cmd	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00008600', u'virtual_address': u'0x000f4000', u'entropy': 7.386337967469147, u'name': u'.rsrc', u'virtual_size': u'0x000085a8'}

entropy

7.38633796747

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001000', u'virtual_address': u'0x000fd000', u'entropy': 7.948997141079563, u'name': u'.reloc', u'virtual_size': u'0x00000f32'}

entropy

7.94899714108

description

A section with a high entropy has been found

entropy

0.490196078431

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 13, 2024, 12:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 13, 2024, 12:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	tasklist
cmdline	cmd /c move Centres Centres.bat & Centres.bat
cmdline	"C:\Windows\System32\cmd.exe" /c move Centres Centres.bat & Centres.bat

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

Bkav	W32.AIDetectMalware
Sangfor	Trojan.Win32.Agent.Vsbz
CrowdStrike	win/grayware_confidence_60% (D)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.c065ba22909fc8db
Microsoft	Trojan:Win32/Phonzy.B!ml
GData	Win32.Trojan.Ilgergop.W1D270
DeepInstinct	MALICIOUS
huorong	Trojan/BAT.Agent.cv
Paloalto	generic.ml

Checks presence of mIRC Chat Client (1 event)

file	C:\mIRC\mirc.ini

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2168 resumed a thread in remote process 2692
NtResumeThread Oct. 13, 2024, 12:05 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2692	1	0	0

Bundicut.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All