Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 13, 2024, 2:07 p.m.	Nov. 13, 2024, 2:17 p.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`bf265e0055178b2aa642fc6df2ae5f40`
SHA256	`9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642`
CRC32	`24136809`
ssdeep	`12288:BCQdkpj9XCQR9Fo+lSEr/CAcHqpxr0H8totz8LfAz1uviBCGG4HgoKQJZNL:BVdujt9pAE0+rMN8LYzcyTAqJZNL`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

PowderGpl.exe "C:\Users\test22\AppData\Local\Temp\PowderGpl.exe"
1460
- cmd.exe "C:\Windows\System32\cmd.exe" /c copy Dragon Dragon.bat & Dragon.bat
  2168
  - tasklist.exe tasklist
    2244
  - findstr.exe findstr /I "wrsa opssvc"
    2280
  - tasklist.exe tasklist
    2392
  - findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
    2428
  - cmd.exe cmd /c md 609587
    2500
  - findstr.exe findstr /V "outputdiffswalnutcontainer" Sufficient
    2544
  - cmd.exe cmd /c copy /b ..\Combine + ..\Transportation + ..\Chef k
    2588
  - Horizon.pif Horizon.pif k
    2632
  - choice.exe choice /d y /t 5
    2764

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 13, 2024, 2:07 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Nov. 13, 2024, 2:07 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 13, 2024, 2:07 p.m.			0	0

Command line console output was observed (50 out of 1083 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: Door=o console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: RJPrince-Mastercard-Horses-Pac-What-Charity-Silence- console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: 'RJPrince-Mastercard-Horses-Pac-What-Charity-Silence-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: IUXdExercise-Supply-Sound- console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: 'IUXdExercise-Supply-Sound-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: ByEarlier-Vary-Recipes-Latest-Carmen-France- console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: 'ByEarlier-Vary-Recipes-Latest-Carmen-France-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: ZgpGovernment-Rev-Meanwhile-Algebra-Accessible-Lambda-Acquisition-Ask-Cest- console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: 'ZgpGovernment-Rev-Meanwhile-Algebra-Accessible-Lambda-Acquisition-Ask-Cest-' is not recognized as an internal or external command, operable program or batch f console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: ile. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: PrhDifferential- console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: 'PrhDifferential-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: WppuRecommended-Apollo-Gone-Removed-Simpsons-Trucks-Lamp- console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: 'WppuRecommended-Apollo-Gone-Removed-Simpsons-Trucks-Lamp-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: Lined=S console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: fLVAnalyses-Trailers-Lows-Earth- console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: 'fLVAnalyses-Trailers-Lows-Earth-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: aITalk-Measured-Warcraft-Translate-Ourselves-Thomson- console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: 'aITalk-Measured-Warcraft-Translate-Ourselves-Thomson-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: DoViolations-Employment-Clan-Resident-Priorities-Reset-Easily-Last- console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: 'DoViolations-Employment-Clan-Resident-Priorities-Reset-Easily-Last-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: lcOr-Relate-This-Valuable-Possession-Guess-Talk- console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: 'lcOr-Relate-This-Valuable-Possession-Guess-Talk-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: RbmSubsidiaries-Dozens-Lounge-Electronic-Examining-Mystery- console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: 'RbmSubsidiaries-Dozens-Lounge-Electronic-Examining-Mystery-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: LxvOhio-Discussing-Dynamics-Crossing-Salaries-Zshops-Maintaining- console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: 'LxvOhio-Discussing-Dynamics-Crossing-Salaries-Zshops-Maintaining-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: Goes=G console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: jGWarren-Admitted-Thats-Bicycle- console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:07 p.m.	buffer: 'jGWarren-Admitted-Thats-Bicycle-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 13, 2024, 2:07 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\609587\Horizon.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c copy Dragon Dragon.bat & Dragon.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\609587\Horizon.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\609587\Horizon.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 13, 2024, 2:07 p.m.	show_type: 0 filepath_r: cmd parameters: /c copy Dragon Dragon.bat & Dragon.bat filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 13, 2024, 2:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 13, 2024, 2:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd /c copy Dragon Dragon.bat & Dragon.bat
cmdline	tasklist
cmdline	"C:\Windows\System32\cmd.exe" /c copy Dragon Dragon.bat & Dragon.bat

Checks presence of mIRC Chat Client (1 event)

file	C:\mIRC\mirc.ini

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2168 resumed a thread in remote process 2632
NtResumeThread Nov. 13, 2024, 2:07 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2632	1	0	0

PowderGpl.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All