Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 30, 2024, 9:19 a.m.	Oct. 30, 2024, 9:21 a.m.

Size	3.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`649673218a19e8fd278c99d1355949f4`
SHA256	`7a2c1437ed5ff19adf078f17881fc836a4b08d3eaaff243d5ca77577f5880169`
CRC32	`26CC8A49`
ssdeep	`24576:1az71UBrCXaw68FowF0vkf2fkAJzGthOXUKqx3Weeg:szRUDyFMPsAB0OXAV`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

BandiCut.exe "C:\Users\test22\AppData\Local\Temp\BandiCut.exe"
1460
- cmd.exe "C:\Windows\System32\cmd.exe" /c copy Highlighted Highlighted.bat & Highlighted.bat
  2096
  - findstr.exe findstr /I "wrsa opssvc"
    2240
  - tasklist.exe tasklist
    2204
  - tasklist.exe tasklist
    2348
  - findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
    2384
  - cmd.exe cmd /c md 438799
    2460
  - findstr.exe findstr /V "pantyhoseyourslandscapesdisposition" Flyer
    2504
  - cmd.exe cmd /c copy /b ..\Turn + ..\Tale + ..\Intensity L
    2552
  - Dump.pif Dump.pif L
    2596
  - choice.exe choice /d y /t 15
    2680

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 30, 2024, 9:19 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 30, 2024, 9:19 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 30, 2024, 9:19 a.m.			0	0

Command line console output was observed (50 out of 559 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: Expanding=6 console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: FiDh-Component-Tracks- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: 'FiDh-Component-Tracks-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: opTvcom-Lowest-Outline-Democrat-Raid-Directly-Vertical-Backgrounds- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: 'opTvcom-Lowest-Outline-Democrat-Raid-Directly-Vertical-Backgrounds-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: KCrAud-Impact-Styles-Wild- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: 'KCrAud-Impact-Styles-Wild-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: TQAChase-Associates-Madrid-Invite-Nutrition-Pleased-Tyler-Replace-Admitted- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: 'TQAChase-Associates-Madrid-Invite-Nutrition-Pleased-Tyler-Replace-Admitted-' is not recognized as an internal or external command, operable program or batch f console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: ile. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: BedNa-Fingers-Recording-Chelsea-Van-Kick-Ill-Stated-Lions- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: 'BedNa-Fingers-Recording-Chelsea-Van-Kick-Ill-Stated-Lions-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: MhQUnauthorized-Nitrogen-Ee- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: 'MhQUnauthorized-Nitrogen-Ee-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: zWzProvides-Devoted-Pay-Dublin-Cb-Nowhere- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: 'zWzProvides-Devoted-Pay-Dublin-Cb-Nowhere-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: iCaNDocuments-Overnight-Probe-Questionnaire-Sunset- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: 'iCaNDocuments-Overnight-Probe-Questionnaire-Sunset-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: Lodging=G console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: QkISupreme-Shed-Initial-Folding-Example-Attractive-Improved- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: 'QkISupreme-Shed-Initial-Folding-Example-Attractive-Improved-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: wSDemocratic-Financing- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: 'wSDemocratic-Financing-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: WcHThereby-Most-Geology-Guru-Infrastructure-Alphabetical- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: 'WcHThereby-Most-Geology-Guru-Infrastructure-Alphabetical-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: zoIRCount-Mcdonald-Motels-Calgary-Newsletters-Justice-Ahead- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: 'zoIRCount-Mcdonald-Motels-Calgary-Newsletters-Justice-Ahead-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: fcfTicket-Welsh-Resorts-Bm-Compilation- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: 'fcfTicket-Welsh-Resorts-Bm-Compilation-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: VdSlBeen-Friendship-Invoice- console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2024, 9:19 a.m.	buffer: 'VdSlBeen-Friendship-Invoice-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 30, 2024, 9:19 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\438799\Dump.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c copy Highlighted Highlighted.bat & Highlighted.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\438799\Dump.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\438799\Dump.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 30, 2024, 9:19 a.m.	show_type: 0 filepath_r: cmd parameters: /c copy Highlighted Highlighted.bat & Highlighted.bat filepath: cmd	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (10 events)

Time & API	Arguments	Status	Return
Process32NextW Oct. 30, 2024, 9:19 a.m.	snapshot_handle: 0x00000130 process_name: mobsync.exe process_identifier: 536	1	1
Process32NextW Oct. 30, 2024, 9:19 a.m.	snapshot_handle: 0x00000130 process_name: SearchProtocolHost.exe process_identifier: 776	1	1
Process32NextW Oct. 30, 2024, 9:19 a.m.	snapshot_handle: 0x00000130 process_name: SearchFilterHost.exe process_identifier: 1440	1	1
Process32NextW Oct. 30, 2024, 9:19 a.m.	snapshot_handle: 0x00000130 process_name: conhost.exe process_identifier: 1740	1	1
Process32NextW Oct. 30, 2024, 9:19 a.m.	snapshot_handle: 0x00000130 process_name: BandiCut.exe process_identifier: 1460	1	1
Process32NextW Oct. 30, 2024, 9:19 a.m.	snapshot_handle: 0x00000130 process_name: pw.exe process_identifier: 1516	1	1
Process32NextW Oct. 30, 2024, 9:19 a.m.	snapshot_handle: 0x00000130 process_name: cmd.exe process_identifier: 2096	1	1
Process32NextW Oct. 30, 2024, 9:19 a.m.	snapshot_handle: 0x00000130 process_name: conhost.exe process_identifier: 2132	1	1
Process32NextW Oct. 30, 2024, 9:19 a.m.	snapshot_handle: 0x00000130 process_name: Dump.pif process_identifier: 2596	1	1
Process32NextW Oct. 30, 2024, 9:19 a.m.	snapshot_handle: 0x00000130 process_name: inject-x86.exe process_identifier: 2648	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00020e00', u'virtual_address': u'0x000f4000', u'entropy': 7.853116998357046, u'name': u'.rsrc', u'virtual_size': u'0x00020d4a'}

entropy

7.85311699836

description

A section with a high entropy has been found

entropy

0.753581661891

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 30, 2024, 9:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 30, 2024, 9:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	tasklist
cmdline	cmd /c copy Highlighted Highlighted.bat & Highlighted.bat
cmdline	"C:\Windows\System32\cmd.exe" /c copy Highlighted Highlighted.bat & Highlighted.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2096 resumed a thread in remote process 2596
NtResumeThread Oct. 30, 2024, 9:19 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2596	1	0	0

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Bkav	W32.AIDetectMalware
tehtris	Generic.Malware
Skyhigh	BehavesLike.Win32.Generic.wm
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_60% (D)
Elastic	malicious (high confidence)
ESET-NOD32	NSIS/Runner.CR
Kaspersky	UDS:DangerousObject.Multi.Generic
Rising	Trojan.Runner/NSIS!1.104E6 (CLASSIC)
DrWeb	Trojan.MulDrop28.35217
McAfeeD	ti!7A2C1437ED5F
CTX	exe.trojan.runner
Sophos	Generic ML PUA (PUA)
Antiy-AVL	Trojan/Win32.Runner.bq
Kingsoft	Win32.Trojan.Autoit.gen
ZoneAlarm	UDS:DangerousObject.Multi.Generic
McAfee	Artemis!649673218A19
DeepInstinct	MALICIOUS
huorong	Trojan/Runner.bn
Paloalto	generic.ml

BandiCut.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All