Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 14, 2024, 10:38 a.m.	Oct. 14, 2024, 10:44 a.m.

Size	7.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`bf53f19b542df72aacf589a049619bc7`
SHA256	`c5c3401f71f4361ed454bbd96ea7cdd8a9132a655815e35e207dfff0ea690469`
CRC32	`CCBF2A89`
ssdeep	`196608:DEBX5DhP1gFOa/70gM8bGEvPV1RZ2Vjj77aOEDKTeIQg8Fw:DaJDhGwa/7YWHBZ2jSjDC83S`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

RedeemShore.exe "C:\Users\test22\AppData\Local\Temp\RedeemShore.exe"
2060
- cmd.exe "C:\Windows\System32\cmd.exe" /c move Min Min.bat & Min.bat
  2188
  - findstr.exe findstr /I "wrsa opssvc"
    2288
  - tasklist.exe tasklist
    2252
  - tasklist.exe tasklist
    2396
  - findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    2432
  - cmd.exe cmd /c md 353685
    2504
  - findstr.exe findstr /V "WirelessNeilAspBringing" Actively
    2560
  - cmd.exe cmd /c copy /b ..\Skirts D
    2636
  - Soldiers.pif Soldiers.pif D
    2680
  - choice.exe choice /d y /t 5
    2764

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 14, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 14, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 14, 2024, 10:38 a.m.			0	0

Command line console output was observed (50 out of 868 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: Fbi=6 console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: PMKNPhiladelphia console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: Which Demands Friendly Ky Glenn console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: 'PMKNPhiladelphia' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: CtSword console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: Drum Manufacturing console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: 'CtSword' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: fwLocked console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: Regardless console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: 'fwLocked' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: CYbMGoto console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: Create Cnetcom Interracial Standing console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: 'CYbMGoto' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: boAgainst console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: Illustration Heads Pasta Howard Amino Doom Generous Rpg console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: 'boAgainst' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: LGFTwiki console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: P Ol Cottages console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: 'LGFTwiki' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: Watson=k console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: JBSignup console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: Borders Clips Yamaha Base console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: 'JBSignup' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: icNe console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: 'icNe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: SGCtMaterials console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: Clip Continuity Antenna Act Undo Saudi console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: 'SGCtMaterials' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: jRkWDecide console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: Territory Fault Titled Tonight console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: 'jRkWDecide' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: dTgfDiane console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: Essential Leisure Address Food console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2024, 10:38 a.m.	buffer: 'dTgfDiane' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 14, 2024, 10:38 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\353685\Soldiers.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c move Min Min.bat & Min.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\353685\Soldiers.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\353685\Soldiers.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 14, 2024, 10:38 a.m.	show_type: 0 filepath_r: cmd parameters: /c move Min Min.bat & Min.bat filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 14, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 14, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	tasklist
cmdline	"C:\Windows\System32\cmd.exe" /c move Min Min.bat & Min.bat
cmdline	cmd /c move Min Min.bat & Min.bat

Checks presence of mIRC Chat Client (1 event)

file	C:\mIRC\mirc.ini

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2188 resumed a thread in remote process 2680
NtResumeThread Oct. 14, 2024, 10:38 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2680	1	0	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Runner.m!c
Cynet	Malicious (score: 99)
ALYac	Trojan.Generic.36845781
Cylance	Unsafe
VIPRE	Trojan.Generic.36845781
Sangfor	Trojan.Win32.Runner.V6gt
CrowdStrike	win/grayware_confidence_60% (D)
BitDefender	Trojan.Generic.36845781
K7GW	Trojan ( 005baadc1 )
K7AntiVirus	Trojan ( 005baadc1 )
Arcabit	Trojan.Generic.D23238D5
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	UDS:Backdoor.Win32.Agent
Alibaba	Trojan:Script/Runner.d5ab163f
MicroWorld-eScan	Trojan.Generic.36845781
Emsisoft	Trojan.Generic.36845781 (B)
F-Secure	Trojan.TR/Redcap.redji
McAfeeD	ti!C5C3401F71F4
Trapmine	suspicious.low.ml.score
CTX	exe.trojan.runner
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.bf53f19b542df72a
Google	Detected
Avira	TR/Redcap.redji
Antiy-AVL	Trojan/Win32.AdLoad.bh
Kingsoft	Win32.Hack.Agent.a
Gridinsoft	Trojan.Win32.Agent.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Trojan.Generic.36845781
Varist	W32/ABTrojan.JQMI-1641
McAfee	Artemis!BF53F19B542D
DeepInstinct	MALICIOUS
Ikarus	Trojan.NSIS.Runner
Panda	Trj/Chgt.AD
Tencent	Script.Trojan.Generic.Zylw
huorong	HEUR:Trojan/Runner.b
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	W32/Runner.BM!tr
AVG	Win32:Malware-gen
Paloalto	generic.ml
alibabacloud	Trojan:Multi/Runner.BZ

RedeemShore.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All