Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 18, 2024, 9:30 a.m.	Nov. 18, 2024, 9:33 a.m.

Size	8.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5b4638166b2777535fdf6fe015a1b2ee`
SHA256	`d837e482914ca074ab9ba923cea6e8ef576c6291ef2c314027ce682e449f08d9`
CRC32	`C1C8A6B0`
ssdeep	`196608:Zc1DS9gZfS/C/mIkAa+h/u3uGEajbk643yGkaPQFrAsA+iiFi:ZgfS/C/DrawWeSbkH3yuQFrAsVY`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

GHO%E9%95%9C%E5%83%8F%E5%AE%89%E8%A3%85%E5%99%A8.EXE "C:\Users\test22\AppData\Local\Temp\GHO%E9%95%9C%E5%83%8F%E5%AE%89%E8%A3%85%E5%99%A8.EXE"
2544
- SHOWDRIVE.EXE SHOWDRIVE.EXE
  2616
- cmd.exe C:\Windows\system32\cmd.exe /c DSPTW.exe /a /pdr /y>dspt.txt
  2688
  - DSPTW.exe DSPTW.exe /a /pdr /y
    2768
- cmd.exe C:\Windows\system32\cmd.exe /c DSPTW.exe 1 /find:all /ghoststyle /y>dspt1.txt
  2812
  - DSPTW.exe DSPTW.exe 1 /find:all /ghoststyle /y
    2872

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 18, 2024, 9:30 a.m.			0	0
IsDebuggerPresent Nov. 18, 2024, 9:30 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 18, 2024, 9:30 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 18, 2024, 9:30 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1	0	0

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (23 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Nov. 18, 2024, 9:30 a.m.	total_number_of_free_bytes: 13314965504 free_bytes_available: 13314965504 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 18, 2024, 9:30 a.m.	total_number_of_free_bytes: 13314965504 free_bytes_available: 13314965504 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 18, 2024, 9:30 a.m.	total_number_of_free_bytes: 13314965504 free_bytes_available: 13314965504 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 18, 2024, 9:30 a.m.	total_number_of_free_bytes: 13314965504 free_bytes_available: 13314965504 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 18, 2024, 9:30 a.m.	total_number_of_free_bytes: 75362304 free_bytes_available: 75362304 root_path: E:\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 18, 2024, 9:30 a.m.	total_number_of_free_bytes: 75362304 free_bytes_available: 75362304 root_path: E:\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 18, 2024, 9:30 a.m.	total_number_of_free_bytes: 75362304 free_bytes_available: 75362304 root_path: E:\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 18, 2024, 9:30 a.m.	total_number_of_free_bytes: 75362304 free_bytes_available: 75362304 root_path: E:\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 18, 2024, 9:30 a.m.	total_number_of_free_bytes: 75362304 free_bytes_available: 75362304 root_path: E:\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 18, 2024, 9:30 a.m.	total_number_of_free_bytes: 13314965504 free_bytes_available: 13314965504 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 18, 2024, 9:30 a.m.	total_number_of_free_bytes: 13314965504 free_bytes_available: 13314965504 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 18, 2024, 9:30 a.m.	total_number_of_free_bytes: 75362304 free_bytes_available: 75362304 root_path: E:\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 18, 2024, 9:30 a.m.	total_number_of_free_bytes: 13314965504 free_bytes_available: 13314965504 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 18, 2024, 9:30 a.m.	total_number_of_free_bytes: 13314965504 free_bytes_available: 13314965504 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 18, 2024, 9:30 a.m.	total_number_of_free_bytes: 75362304 free_bytes_available: 75362304 root_path: E:\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 18, 2024, 9:30 a.m.	total_number_of_free_bytes: 13314965504 free_bytes_available: 13314965504 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 18, 2024, 9:30 a.m.	total_number_of_free_bytes: 13314965504 free_bytes_available: 13314965504 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW Nov. 18, 2024, 9:30 a.m.	number_of_free_clusters: 18399 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: E:\ total_number_of_clusters: 25599	1	1
GetDiskFreeSpaceW Nov. 18, 2024, 9:30 a.m.	number_of_free_clusters: 4883988 sectors_per_cluster: 39728396 bytes_per_sector: 0 root_path: d:\ total_number_of_clusters: 4209915		0
GetDiskFreeSpaceW Nov. 18, 2024, 9:30 a.m.	number_of_free_clusters: 3250726 sectors_per_cluster: 8 bytes_per_sector: 0 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 18, 2024, 9:30 a.m.	number_of_free_clusters: 18399 sectors_per_cluster: 8 bytes_per_sector: 0 root_path: E:\ total_number_of_clusters: 25599	1	1
GetDiskFreeSpaceW Nov. 18, 2024, 9:30 a.m.	number_of_free_clusters: 3250721 sectors_per_cluster: 8 bytes_per_sector: 0 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 18, 2024, 9:30 a.m.	number_of_free_clusters: 18399 sectors_per_cluster: 8 bytes_per_sector: 0 root_path: E:\ total_number_of_clusters: 25599	1	1

Creates executable files on the filesystem (1 event)

file	C:\Windows\SysWOW64\SHOWDRIVE.EXE

Creates a suspicious process (2 events)

cmdline	C:\Windows\system32\cmd.exe /c DSPTW.exe /a /pdr /y>dspt.txt
cmdline	C:\Windows\system32\cmd.exe /c DSPTW.exe 1 /find:all /ghoststyle /y>dspt1.txt

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\autF33A.tmp

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
tehtris	Generic.Malware
CTX	exe.trojan.ghostpwd
Skyhigh	BehavesLike.Win32.Agent.rc
Cylance	Unsafe
K7GW	Unwanted-Program ( 0058a70e1 )
K7AntiVirus	Unwanted-Program ( 0058a70e1 )
VirIT	Trojan.Win32.Generic.MRX
Elastic	malicious (high confidence)
ESET-NOD32	Win32/PSWTool.GhostPWD.B potentially unsafe
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
DrWeb	Trojan.KillFiles.22263
Zillya	Trojan.Black.Win32.49891
McAfeeD	ti!D837E482914C
Trapmine	malicious.moderate.ml.score
Sophos	Generic ML PUA (PUA)
FireEye	Generic.mg.5b4638166b277753
Gridinsoft	Trojan.Win32.Agent.dg
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.638141481
Fortinet	Malicious_Behavior.SB

GHO%E9%95%9C%E5%83%8F%E5%AE%89%E8%A3%85%E5%99%A8.EXE

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All