Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 13, 2024, 1:57 p.m.	Nov. 13, 2024, 2:02 p.m.

Size	17.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`cc7580472c8aa97ff84ded87d5cf6e6e`
SHA256	`d021943f6b200279c380f80842eef13d574d0e6ad1af315842c6b5f741d0773d`
CRC32	`A049B283`
ssdeep	`393216:xgnJY3fSnUp9MeiwRonMyfvA0TW5+TbqzzILj0lkdNGUJKzumoDW4O4:CnJGf0Up9MeiConPoDzL7UJoumoL`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

ghost.exe "C:\Users\test22\AppData\Local\Temp\ghost.exe"
2084
- SHOWDRIVE.EXE SHOWDRIVE.EXE
  2164
- PECMD.EXE PECMD.EXE show -1:-1
  2236
- cmd.exe C:\Windows\system32\cmd.exe /c bcdedit>C:\Windows\efi.txt
  2304
- cmd.exe C:\Windows\system32\cmd.exe /c omnifs32.exe -nousb -noide info>omnifs.txt
  2364
  - omnifs32.EXE omnifs32.exe -nousb -noide info
    2424
- SHOWDRIVE.EXE SHOWDRIVE.EXE
  2536
- cmd.exe C:\Windows\system32\cmd.exe /c omnifs32.exe -nousb -noide info>omnifs.txt
  2624
  - omnifs32.EXE omnifs32.exe -nousb -noide info
    2684
- cmd.exe C:\Windows\system32\cmd.exe /c DSPTW.exe /a /pdr /y>dspt.txt
  2748
  - DSPTW.exe DSPTW.exe /a /pdr /y
    2808
- cmd.exe C:\Windows\system32\cmd.exe /c DSPTW.exe 1 /find:all /ghoststyle /y>dspt1.txt
  2852
  - DSPTW.exe DSPTW.exe 1 /find:all /ghoststyle /y
    2912

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 13, 2024, 1:57 p.m.			0	0
IsDebuggerPresent Nov. 13, 2024, 1:57 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Nov. 13, 2024, 1:57 p.m.	buffer: 'bcdedit' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1	0

At least one process apparently crashed during execution (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrLoadDll Nov. 13, 2024, 1:57 p.m.	module_name: faultrep.dll basename: faultrep stack_pivoted: 0 flags: 0 module_address: 0x74320000	1	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 13, 2024, 1:57 p.m.		1	1	0

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ Nov. 13, 2024, 1:57 p.m.	stacktrace: omnifs32+0x1d726 @ 0x41d726 omnifs32+0x7904d @ 0x47904d omnifs32+0x15e4a5 @ 0x55e4a5 0x1f6d324 exception.instruction_r: 66 3b 11 75 0d 40 40 41 41 ff 4c 24 0c 75 ee 33 exception.symbol: omnifs32+0xd3b6 exception.instruction: cmp dx, word ptr [ecx] exception.module: omnifs32.EXE exception.exception_code: 0xc0000005 exception.offset: 54198 exception.address: 0x40d3b6 registers.esp: 1635844 registers.edi: 0 registers.eax: 32949148 registers.ebp: 1635872 registers.edx: 92 registers.ebx: 18 registers.esi: 32949148 registers.ecx: 1745385215	1
__exception__ Nov. 13, 2024, 1:57 p.m.	stacktrace: omnifs32+0x1854 @ 0x401854 omnifs32+0x1232dd @ 0x5232dd omnifs32+0x123413 @ 0x523413 omnifs32+0x123483 @ 0x523483 omnifs32+0x1237eb @ 0x5237eb exception.instruction_r: 39 50 04 75 0f 8b 52 04 85 d2 89 50 04 74 54 89 exception.symbol: omnifs32+0x154a exception.instruction: cmp dword ptr [eax + 4], edx exception.module: omnifs32.EXE exception.exception_code: 0xc0000005 exception.offset: 5450 exception.address: 0x40154a registers.esp: 1627296 registers.edi: 32953328 registers.eax: 3898664671 registers.ebp: 1627300 registers.edx: 32953328 registers.ebx: 0 registers.esi: 32954304 registers.ecx: 4294967288	1
__exception__ Nov. 13, 2024, 1:57 p.m.	stacktrace: omnifs32+0xedff @ 0x40edff omnifs32+0xeebf @ 0x40eebf omnifs32+0x16e79d @ 0x56e79d omnifs32+0x16e913 @ 0x56e913 omnifs32+0x15e088 @ 0x55e088 omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e omnifs32+0x15433e @ 0x55433e exception.instruction_r: 8b 4c 31 04 33 c8 f7 c1 f8 ff ff ff 74 0d ff 05 exception.symbol: omnifs32+0x19c2 exception.instruction: mov ecx, dword ptr [ecx + esi + 4] exception.module: omnifs32.EXE exception.exception_code: 0xc0000005 exception.offset: 6594 exception.address: 0x4019c2 registers.esp: 1635452 registers.edi: 33018404 registers.eax: 3200057348 registers.ebp: 1635456 registers.edx: 0 registers.ebx: 1 registers.esi: 33018400 registers.ecx: 3200057344	1
__exception__ Nov. 13, 2024, 1:57 p.m.	stacktrace: omnifs32+0x198a @ 0x40198a omnifs32+0x122f2b @ 0x522f2b omnifs32+0x123276 @ 0x523276 omnifs32+0x123413 @ 0x523413 omnifs32+0x123483 @ 0x523483 omnifs32+0x1237eb @ 0x5237eb exception.instruction_r: 89 5a 08 e9 46 ff ff ff 89 1e e9 3f ff ff ff 8b exception.symbol: omnifs32+0x1726 exception.instruction: mov dword ptr [edx + 8], ebx exception.module: omnifs32.EXE exception.exception_code: 0xc0000005 exception.offset: 5926 exception.address: 0x401726 registers.esp: 1626864 registers.edi: 1704 registers.eax: 33018504 registers.ebp: 1626892 registers.edx: 2323382459 registers.ebx: 1988755542 registers.esi: 6685652 registers.ecx: 0	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (22 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Nov. 13, 2024, 1:57 p.m.	total_number_of_free_bytes: 9888124928 free_bytes_available: 9888124928 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 13, 2024, 1:57 p.m.	total_number_of_free_bytes: 9888124928 free_bytes_available: 9888124928 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 13, 2024, 1:57 p.m.	total_number_of_free_bytes: 9888124928 free_bytes_available: 9888124928 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 13, 2024, 1:57 p.m.	total_number_of_free_bytes: 9888124928 free_bytes_available: 9888124928 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 13, 2024, 1:57 p.m.	total_number_of_free_bytes: 75309056 free_bytes_available: 75309056 root_path: E:\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 13, 2024, 1:57 p.m.	total_number_of_free_bytes: 75309056 free_bytes_available: 75309056 root_path: E:\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 13, 2024, 1:57 p.m.	total_number_of_free_bytes: 75309056 free_bytes_available: 75309056 root_path: E:\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 13, 2024, 1:57 p.m.	total_number_of_free_bytes: 75309056 free_bytes_available: 75309056 root_path: E:\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 13, 2024, 1:57 p.m.	total_number_of_free_bytes: 75309056 free_bytes_available: 75309056 root_path: E:\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 13, 2024, 1:57 p.m.	total_number_of_free_bytes: 9888124928 free_bytes_available: 9888124928 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 13, 2024, 1:57 p.m.	total_number_of_free_bytes: 9888124928 free_bytes_available: 9888124928 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 13, 2024, 1:57 p.m.	total_number_of_free_bytes: 75309056 free_bytes_available: 75309056 root_path: E:\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 13, 2024, 1:57 p.m.	total_number_of_free_bytes: 9888124928 free_bytes_available: 9888124928 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 13, 2024, 1:57 p.m.	total_number_of_free_bytes: 9888124928 free_bytes_available: 9888124928 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 13, 2024, 1:57 p.m.	total_number_of_free_bytes: 75309056 free_bytes_available: 75309056 root_path: E:\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 13, 2024, 1:57 p.m.	total_number_of_free_bytes: 9888124928 free_bytes_available: 9888124928 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 13, 2024, 1:57 p.m.	total_number_of_free_bytes: 9888124928 free_bytes_available: 9888124928 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW Nov. 13, 2024, 1:57 p.m.	number_of_free_clusters: 4949636 sectors_per_cluster: 39599556 bytes_per_sector: 0 root_path: d:\ total_number_of_clusters: 4209387		0
GetDiskFreeSpaceW Nov. 13, 2024, 1:57 p.m.	number_of_free_clusters: 2414087 sectors_per_cluster: 8 bytes_per_sector: 0 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 13, 2024, 1:57 p.m.	number_of_free_clusters: 18386 sectors_per_cluster: 8 bytes_per_sector: 0 root_path: E:\ total_number_of_clusters: 25599	1	1
GetDiskFreeSpaceW Nov. 13, 2024, 1:57 p.m.	number_of_free_clusters: 2414087 sectors_per_cluster: 8 bytes_per_sector: 0 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 13, 2024, 1:57 p.m.	number_of_free_clusters: 18386 sectors_per_cluster: 8 bytes_per_sector: 0 root_path: E:\ total_number_of_clusters: 25599	1	1

Foreign language identified in PE resource (2 events)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c150c

size

0x0000017c

name

RT_MANIFEST

language

LANG_CHINESE

filetype

XML 1.0 document, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c1688

size

0x00000317

Creates executable files on the filesystem (2 events)

file	C:\Windows\SysWOW64\SHOWDRIVE.EXE
file	C:\Windows\SysWOW64\omnifs32.EXE

Creates a suspicious process (5 events)

cmdline	C:\Windows\system32\cmd.exe /c DSPTW.exe /a /pdr /y>dspt.txt
cmdline	C:\Windows\system32\cmd.exe /c omnifs32.exe -nousb -noide info>omnifs.txt
cmdline	C:\Windows\system32\cmd.exe /c bcdedit>C:\Windows\efi.txt
cmdline	C:\Windows\system32\cmd.exe /c DSPTW.exe 1 /find:all /ghoststyle /y>dspt1.txt
cmdline	PECMD.EXE show -1:-1

Drops a binary and executes it (1 event)

file	C:\Windows\SysWOW64\omnifs32.EXE

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\autD947.tmp
file	C:\Users\test22\AppData\Local\Temp\autC494.tmp

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Detects virtualization software with SCSI Disk Identifier trick(s) (1 event)

registry

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0

Queries information on disks, possibly for anti-virtualization (5 events)

Time & API	Arguments	Status	Return
NtCreateFile Nov. 13, 2024, 1:57 p.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x00000038 filepath: \??\PhysicalDrive0 desired_access: 0x80100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 1 (FILE_OPENED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0
NtCreateFile Nov. 13, 2024, 1:57 p.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x00000038 filepath: \??\PhysicalDrive0 desired_access: 0x80100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 1 (FILE_OPENED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0
NtCreateFile Nov. 13, 2024, 1:57 p.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x00000038 filepath: \??\PhysicalDrive0 desired_access: 0x80100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 1 (FILE_OPENED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0
NtCreateFile Nov. 13, 2024, 1:57 p.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x00000104 filepath: \??\PhysicalDrive0 desired_access: 0x80100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 104 (FILE_NON_DIRECTORY_FILE\|FILE_NO_INTERMEDIATE_BUFFERING\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 1 (FILE_OPENED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0
DeviceIoControl Nov. 13, 2024, 1:57 p.m.	input_buffer: control_code: 2954240 () device_handle: 0x00000104 output_buffer: (§	1	1

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.PSWTool.4!c
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
CTX	exe.trojan.pswtool
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_90% (W)
K7GW	Unwanted-Program ( 005892ec1 )
K7AntiVirus	Unwanted-Program ( 005892ec1 )
Elastic	malicious (high confidence)
ESET-NOD32	Win32/PSWTool.GhostPWD.B potentially unsafe
Paloalto	generic.ml
ClamAV	Win.Malware.Autoit-6753917-0
F-Secure	PotentialRisk.PUA/Agent.bdj
Zillya	Adware.PSWTool.Win32.2
McAfeeD	ti!D021943F6B20
Trapmine	malicious.high.ml.score
Sophos	Generic Reputation PUA (PUA)
FireEye	Generic.mg.cc7580472c8aa97f
Google	Detected
Avira	PUA/Agent.bdj
Kingsoft	malware.kb.a.996
Xcitium	TrojWare.Win32.Hider.REXR@5364l6
ViRobot	Trojan.Win32.A.Agent.690283
GData	Win32.Trojan.Agent.1WL3QC
Varist	W32/Trojan.IJBN-1595
DeepInstinct	MALICIOUS
VBA32	IMWorm.Sohanad
Malwarebytes	PUP.Optional.ChinAd
Ikarus	Trojan.Win32.HackKMS
Yandex	Trojan.GenAsa!i9rai7w7/WE
Fortinet	Riskware/GhostPWD

ghost.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All