Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 20, 2024, 9:16 a.m.	Oct. 20, 2024, 9:47 a.m.

Size	88.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c8b1964f7fe72bf917125109877bdda4`
SHA256	`02afb1f9c3c736a82fb7a4ae2930dee7c89fad2b76f5b0ed5ee7059da3a9c737`
CRC32	`F5B8DAB5`
ssdeep	`1536:b7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfMxjB1OE:3q6+ouCpk2mpcWJ0r+QNTBfMxBp`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) UPX_Zero - UPX packed file

run.exe "C:\Users\test22\AppData\Local\Temp\run.exe"
1372
- cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\BF82.tmp\BF83.tmp\BF94.bat C:\Users\test22\AppData\Local\Temp\run.exe"
  2084
  - icacls.exe icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrator:(OI)(CI)F /t /c
    2208
  - icacls.exe icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrators:(OI)(CI)F /t /c
    2264
  - chcp.com chcp 65001
    2328

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 99 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: icacls console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: "C:\ProgramData\GBClientApp\Wallpapers" /deny administrator:(OI)(CI)F /t /c console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: icacls console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: "C:\ProgramData\GBClientApp\Wallpapers" /deny administrators:(OI)(CI)F /t /c console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: "C:\Users\test22\Desktop\Chrome.*" /q console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: Could Not Find C:\Users\test22\Desktop\Chrome.* console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: "C:\Users\test22\Desktop\Chrome." /q console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: Could Not Find C:\Users\test22\Desktop\Chrome. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: "C:\Users\test22\Desktop\Chrome." /q console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: Could Not Find C:\Users\test22\Desktop\Chrome. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: "C:\Users\test22\Desktop\Chrome." /q console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: Could Not Find C:\Users\test22\Desktop\Chrome. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: "C:\Users\test22\Desktop\Chome." /q console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: Could Not Find C:\Users\test22\Desktop\Chome. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: "C:\Users\test22\Desktop\Chome.*" /q console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: Could Not Find C:\Users\test22\Desktop\Chome.* console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: "C:\Users\test22\Desktop\Google.*" /q console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: Could Not Find C:\Users\test22\Desktop\Google.* console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: "C:\Users\test22\Desktop\Google." /q console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: Could Not Find C:\Users\test22\Desktop\Google. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: "C:\Users\test22\Desktop\Google." /q console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: Could Not Find C:\Users\test22\Desktop\Google. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: "C:\Users\test22\Desktop\Gogle." /q console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: Could Not Find C:\Users\test22\Desktop\Gogle. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: "C:\Users\test22\Desktop\Gogle." /q console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 20, 2024, 9:16 a.m.	buffer: Could Not Find C:\Users\test22\Desktop\Gogle. console_handle: 0x000000000000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 20, 2024, 9:16 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.code

The executable uses a known packer (1 event)

packer

PureBasic 4.x -> Neil Hodgson

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\BF82.tmp\BF83.tmp\BF94.bat

Creates a suspicious process (1 event)

cmdline

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\BF82.tmp\BF83.tmp\BF94.bat C:\Users\test22\AppData\Local\Temp\run.exe"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 20, 2024, 9:16 a.m.	show_type: 0 filepath_r: C:\Windows\sysnative\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\BF82.tmp\BF83.tmp\BF94.bat C:\Users\test22\AppData\Local\Temp\run.exe" filepath: C:\Windows\sysnative\cmd	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00003400', u'virtual_address': u'0x00013000', u'entropy': 7.110640338733982, u'name': u'.rdata', u'virtual_size': u'0x0000339d'}

entropy

7.11064033873

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00000c00', u'virtual_address': u'0x00019000', u'entropy': 7.081744135563848, u'name': u'.rsrc', u'virtual_size': u'0x00000aa8'}

entropy

7.08174413556

description

A section with a high entropy has been found

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\BF82.tmp\BF83.tmp\BF94.bat C:\Users\test22\AppData\Local\Temp\run.exe"
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\BF82.tmp\BF83.tmp\BF94.bat C:\Users\test22\AppData\Local\Temp\run.exe"
cmdline	chcp 65001

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1372 resumed a thread in remote process 2084
NtResumeThread Oct. 20, 2024, 9:16 a.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2084	1	0	0

Uses suspicious command line tools or Windows utilities (2 events)

cmdline	icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrator:(OI)(CI)F /t /c
cmdline	icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrators:(OI)(CI)F /t /c

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Tiny.trFe
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.GenericPMF.S17666681
Skyhigh	BehavesLike.Win32.Generic.mh
ALYac	Trojan.GenericKD.74344035
Cylance	Unsafe
VIPRE	Trojan.GenericKD.74344035
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.74344035
Arcabit	Trojan.Generic.D46E6663
VirIT	Trojan.Win32.Genus.IHW
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	Trojan.Win32.Agent.xbjyls
MicroWorld-eScan	Trojan.GenericKD.74344035
Rising	Trojan.Agent!8.B1E (CLOUD)
Emsisoft	Trojan.GenericKD.74344035 (B)
F-Secure	Trojan.TR/Agent.grvgx
Zillya	Tool.Lazagne.Win32.102
McAfeeD	Real Protect-LS!C8B1964F7FE7
CTX	exe.trojan.generic
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.c8b1964f7fe72bf9
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Agent.grvgx
Antiy-AVL	Trojan/Win32.Nitol
Kingsoft	malware.kb.a.988
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	Trojan.Win32.Agent.xbjyls
GData	Trojan.GenericKD.74344035
Varist	W32/Kryptik.FDM.gen!Eldorado
McAfee	GenericRXWO-YL!C8B1964F7FE7
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Trojan.PowerShell.Crypt
Zoner	Trojan.Win32.85523
Tencent	Malware.Win32.Gencirc.141ba8b4
MaxSecure	Trojan.Malware.320772.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:Malware-gen
Paloalto	generic.ml
alibabacloud	Trojan:Win/Agent.xhQcil

run.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All