Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 27, 2025, 4:42 p.m.	Jan. 27, 2025, 4:56 p.m.

Size	846.6KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c3d89e95bfb66f5127ac1f2f3e1bd665`
SHA256	`5d07ad572a6a37d07d0b7ca990087960ad8850d7cfc56b8c7270c826c70fb56b`
CRC32	`2FBAB64E`
ssdeep	`24576:+VIFvGC3R+NVgcijiCnjWii1bAL3ztlmAQJut:Cg2VghqVRKz6AQwt`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

tYrnx75.exe "C:\Users\test22\AppData\Local\Temp\tYrnx75.exe"
1132
- cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
  2088
  - findstr.exe findstr /I "opssvc wrsa"
    2200
  - tasklist.exe tasklist
    2164
  - tasklist.exe tasklist
    2312
  - findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    2348
  - cmd.exe cmd /c md 764661
    2420
  - extrac32.exe extrac32 /Y /E Fm
    2472
  - findstr.exe findstr /V "Tunnel" Addresses
    2516
  - cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
    2560
  - cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
    2604
  - Macromedia.com Macromedia.com F
    2648
  - choice.exe choice /d y /t 15
    2776

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Jan. 27, 2025, 4:42 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Jan. 27, 2025, 4:42 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 27, 2025, 4:42 p.m.			0	0
IsDebuggerPresent Jan. 27, 2025, 4:42 p.m.			0	0

Command line console output was observed (50 out of 1194 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: Challenged=M console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: XfAp-Unified-Librarian- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: 'XfAp-Unified-Librarian-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: XAKAhead-Winter-Bestiality-Courtesy-Sorted-Essays- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: 'XAKAhead-Winter-Bestiality-Courtesy-Sorted-Essays-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: TrJnEllen-Ways-Geometry- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: 'TrJnEllen-Ways-Geometry-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: chhProjected-Citizens-Exclusion- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: 'chhProjected-Citizens-Exclusion-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: fAHuRand-Site-Inclusion-Model-Consideration-Nov-Advances- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: 'fAHuRand-Site-Inclusion-Model-Consideration-Nov-Advances-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: rvdValidation- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: 'rvdValidation-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: dnqBaby-Media-Casa-Vietnam-Probability-Deutsche-Gradually-Terminology-Subscription- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: 'dnqBaby-Media-Casa-Vietnam-Probability-Deutsche-Gradually-Terminology-Subscription-' is not recognized as an internal or external command, operable program or console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: Hwy=m console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: rqSpam-Printable-Ceremony-Richmond-Priced-Interests-Additional-Sprint- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: 'rqSpam-Printable-Ceremony-Richmond-Priced-Interests-Additional-Sprint-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: nHRPink-Supplemental-Villas-Harassment-Focal- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: 'nHRPink-Supplemental-Villas-Harassment-Focal-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: yXbDraws- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: 'yXbDraws-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: ZrXProcesses-Er-Collector- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: 'ZrXProcesses-Er-Collector-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: JPQxReveal-Dow-Unavailable-Southern-Fixes- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: 'JPQxReveal-Dow-Unavailable-Southern-Fixes-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: xwLSimultaneously- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: 'xwLSimultaneously-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: pYCUGospel-Organize-Sure-Er-Projector-Growth-Ascii-Moisture-Qualified- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:42 p.m.	buffer: 'pYCUGospel-Organize-Sure-Er-Projector-Growth-Ascii-Moisture-Qualified-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 27, 2025, 4:42 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\764661\Macromedia.com

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\764661\Macromedia.com

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\764661\Macromedia.com

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 27, 2025, 4:42 p.m.	show_type: 0 filepath_r: cmd parameters: /c copy Turner Turner.cmd & Turner.cmd filepath: cmd	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (10 events)

Time & API	Arguments	Status	Return
Process32NextW Jan. 27, 2025, 4:42 p.m.	snapshot_handle: 0x00000130 process_name: mobsync.exe process_identifier: 1712	1	1
Process32NextW Jan. 27, 2025, 4:42 p.m.	snapshot_handle: 0x00000130 process_name: pw.exe process_identifier: 1688	1	1
Process32NextW Jan. 27, 2025, 4:42 p.m.	snapshot_handle: 0x00000130 process_name: taskhost.exe process_identifier: 772	1	1
Process32NextW Jan. 27, 2025, 4:42 p.m.	snapshot_handle: 0x00000130 process_name: SearchProtocolHost.exe process_identifier: 1648	1	1
Process32NextW Jan. 27, 2025, 4:42 p.m.	snapshot_handle: 0x00000130 process_name: cmd.exe process_identifier: 632	1	1
Process32NextW Jan. 27, 2025, 4:42 p.m.	snapshot_handle: 0x00000130 process_name: tYrnx75.exe process_identifier: 1132	1	1
Process32NextW Jan. 27, 2025, 4:42 p.m.	snapshot_handle: 0x00000130 process_name: pw.exe process_identifier: 1000	1	1
Process32NextW Jan. 27, 2025, 4:42 p.m.	snapshot_handle: 0x00000130 process_name: conhost.exe process_identifier: 2124	1	1
Process32NextW Jan. 27, 2025, 4:42 p.m.	snapshot_handle: 0x00000130 process_name: Macromedia.com process_identifier: 2648	1	1
Process32NextW Jan. 27, 2025, 4:42 p.m.	snapshot_handle: 0x00000130 process_name: inject-x86.exe process_identifier: 2700	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0000ee00', u'virtual_address': u'0x00100000', u'entropy': 7.598129118910282, u'name': u'.rsrc', u'virtual_size': u'0x0000ed6a'}

entropy

7.59812911891

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001000', u'virtual_address': u'0x0010f000', u'entropy': 7.893401772874734, u'name': u'.reloc', u'virtual_size': u'0x00000fd6'}

entropy

7.89340177287

description

A section with a high entropy has been found

entropy

0.610576923077

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 27, 2025, 4:42 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Jan. 27, 2025, 4:42 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

tasklist

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2088 resumed a thread in remote process 2648
NtResumeThread Jan. 27, 2025, 4:42 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2648	1	0	0

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Lionic	Trojan.Win32.AutoIt.4!c
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.75593447
K7GW	Trojan ( 005be4d31 )
K7AntiVirus	Trojan ( 005be4d31 )
Arcabit	Trojan.Generic.D48176E7
Symantec	Trojan.Gen.MBT
Elastic	malicious (high confidence)
Kaspersky	HEUR:Trojan.Win32.Autoit.gen
Alibaba	Trojan:Win32/Runner.acc2a874
MicroWorld-eScan	Trojan.GenericKD.75593447
Emsisoft	Trojan.GenericKD.75593447 (B)
F-Secure	Trojan.TR/AutoIt.aousf
DrWeb	Trojan.Inject5.15294
McAfeeD	ti!5D07AD572A6A
CTX	exe.trojan.autoit
Sophos	Mal/Generic-S
FireEye	Trojan.GenericKD.75593447
Google	Detected
Avira	TR/AutoIt.aousf
Kingsoft	Win32.Trojan.Autoit.gen
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Win32.Trojan.Agent.LYISJ9
Varist	W32/ABTrojan.IVQG-0483
McAfee	Artemis!C3D89E95BFB6
DeepInstinct	MALICIOUS
Ikarus	Trojan.NSIS.Runner
Tencent	Win32.Trojan.FalseSign.Iajl
huorong	Trojan/BAT.Agent.cv
Fortinet	W32/PossibleThreat
alibabacloud	Trojan:Win/Sonbokli.A9uj

tYrnx75.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All