Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 27, 2025, 4:43 p.m.	Jan. 27, 2025, 5:02 p.m.

Size	866.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e7c964e5bd52da0b4ff1e6543608cf27`
SHA256	`33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48`
CRC32	`0A9A4B2E`
ssdeep	`12288:gCxr3SAoHl8uj7c8BNV0CW9TBBMtVIN+9exmPh0LguCifyV03qGs7ifbVpBgYeSa:gcrCAY8uj7nGPFLWVIN+9e5iUDTq/Shk`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

1.exe "C:\Users\test22\AppData\Local\Temp\1.exe"
872
- cmd.exe "C:\Windows\System32\cmd.exe" /c copy Universities Universities.cmd & Universities.cmd
  2088
  - findstr.exe findstr /I "opssvc wrsa"
    2216
  - tasklist.exe tasklist
    2176
  - tasklist.exe tasklist
    2324
  - findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    2360
  - cmd.exe cmd /c md 634977
    2432
  - extrac32.exe extrac32 /Y /E Gtk
    2536
  - findstr.exe findstr /V "Constitution" Wagon
    2584
  - cmd.exe cmd /c copy /b 634977\Surrey.com + Firewire + Values + Expanding + Representing + Gothic + Voltage + Refinance + Nec + Kate 634977\Surrey.com
    2628
  - cmd.exe cmd /c copy /b ..\Courage + ..\Remove + ..\Throws + ..\Competing Q
    2672
  - Surrey.com Surrey.com Q
    2716
  - choice.exe choice /d y /t 5
    2800

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Jan. 27, 2025, 4:43 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Jan. 27, 2025, 4:43 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 27, 2025, 4:43 p.m.			0	0
IsDebuggerPresent Jan. 27, 2025, 4:43 p.m.			0	0

Command line console output was observed (50 out of 1758 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: Entity=F console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: xRPxSoutheast-Gazette-Norman-Similar-Placed- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: 'xRPxSoutheast-Gazette-Norman-Similar-Placed-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: nqPartially-Approved-Prize-Teenage-Arlington-Tony-Ecuador-Demonstration- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: 'nqPartially-Approved-Prize-Teenage-Arlington-Tony-Ecuador-Demonstration-' is not recognized as an internal or external command, operable program or batch file console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: MFMil-Began-Moving-Entire-Builder-Solution-Lender- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: 'MFMil-Began-Moving-Entire-Builder-Solution-Lender-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: qscRHindu-Feels-Meditation-Diagram-Xl-Almost-Measurements-Travis-Fastest- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: 'qscRHindu-Feels-Meditation-Diagram-Xl-Almost-Measurements-Travis-Fastest-' is not recognized as an internal or external command, operable program or batch fil console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: e. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: iZIgnored-Communication-Nike-Christ-Revelation-Asset-Scale- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: 'iZIgnored-Communication-Nike-Christ-Revelation-Asset-Scale-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: Applicant=5 console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: RDcMagnetic-Fell- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: 'RDcMagnetic-Fell-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: uUiiEncourage-Solutions-Powell-Romania- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: 'uUiiEncourage-Solutions-Powell-Romania-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: zTsModification-Holdem-Gcc-Worldcat- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: 'zTsModification-Holdem-Gcc-Worldcat-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: ZDAssociate- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: 'ZDAssociate-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: JOGLaunch-Jerusalem-Ons-Blowjobs-Cdt-Horny-Was-Missile- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: 'JOGLaunch-Jerusalem-Ons-Blowjobs-Cdt-Horny-Was-Missile-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: JsThought- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: 'JsThought-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: Lasting=I console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: hgIrs-Array-Rent-Spring-Page-Coral- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: 'hgIrs-Array-Rent-Spring-Page-Coral-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: JUuTh-Others-Heated-Adjustments-Pools-Levels-Prayers- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:43 p.m.	buffer: 'JUuTh-Others-Heated-Adjustments-Pools-Levels-Prayers-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 27, 2025, 4:43 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\634977\Surrey.com

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c copy Universities Universities.cmd & Universities.cmd

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\634977\Surrey.com

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\634977\Surrey.com

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 27, 2025, 4:43 p.m.	show_type: 0 filepath_r: cmd parameters: /c copy Universities Universities.cmd & Universities.cmd filepath: cmd	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (8 events)

Time & API	Arguments	Status	Return
Process32NextW Jan. 27, 2025, 4:43 p.m.	snapshot_handle: 0x0000012c process_name: pw.exe process_identifier: 524	1	1
Process32NextW Jan. 27, 2025, 4:43 p.m.	snapshot_handle: 0x0000012c process_name: taskhost.exe process_identifier: 1944	1	1
Process32NextW Jan. 27, 2025, 4:43 p.m.	snapshot_handle: 0x0000012c process_name: SearchProtocolHost.exe process_identifier: 1200	1	1
Process32NextW Jan. 27, 2025, 4:43 p.m.	snapshot_handle: 0x0000012c process_name: conhost.exe process_identifier: 1212	1	1
Process32NextW Jan. 27, 2025, 4:43 p.m.	snapshot_handle: 0x0000012c process_name: 1.exe process_identifier: 872	1	1
Process32NextW Jan. 27, 2025, 4:43 p.m.	snapshot_handle: 0x0000012c process_name: pw.exe process_identifier: 1188	1	1
Process32NextW Jan. 27, 2025, 4:43 p.m.	snapshot_handle: 0x0000012c process_name: Surrey.com process_identifier: 2716	1	1
Process32NextW Jan. 27, 2025, 4:43 p.m.	snapshot_handle: 0x0000012c process_name: inject-x86.exe process_identifier: 2768	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0000be00', u'virtual_address': u'0x000f4000', u'entropy': 7.208891662649734, u'name': u'.rsrc', u'virtual_size': u'0x0000bcfe'}

entropy

7.20889166265

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001000', u'virtual_address': u'0x00100000', u'entropy': 7.933129462779457, u'name': u'.reloc', u'virtual_size': u'0x00000f32'}

entropy

7.93312946278

description

A section with a high entropy has been found

entropy

0.569060773481

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 27, 2025, 4:43 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Jan. 27, 2025, 4:43 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

tasklist

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2088 resumed a thread in remote process 2716
NtResumeThread Jan. 27, 2025, 4:43 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2716	1	0	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Runner.m!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Ghanarava.173788898408cf27
Skyhigh	Artemis!Trojan
ALYac	Trojan.Generic.37258956
Cylance	Unsafe
VIPRE	Trojan.Generic.37258956
Sangfor	Trojan.Win32.Agent.Awz3
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.Generic.37258956
K7GW	Trojan ( 005bf3e91 )
K7AntiVirus	Trojan ( 005bf3e91 )
Arcabit	Trojan.Generic.D23886CC
VirIT	Trojan.Win32.NSISGenT.ABRY
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.NSIS.CG
Avast	Win32:Malware-gen
Kaspersky	Trojan.Script.Agentb.cs
Alibaba	Packed:Win32/Runner.9ed0c569
MicroWorld-eScan	Trojan.Generic.37258956
Emsisoft	Trojan.Generic.37258956 (B)
F-Secure	Backdoor.BDS/Agent.tfsdc
McAfeeD	ti!33CAB7CD9069
Trapmine	suspicious.low.ml.score
CTX	exe.trojan.runner
Sophos	Mal/Generic-S
FireEye	Trojan.Generic.37258956
Google	Detected
Avira	BDS/Agent.tfsdc
Antiy-AVL	Trojan/NSIS.Runner.ew
Kingsoft	Win32.Hack.Agent.gen
Microsoft	Trojan:Win32/Znyonm
GData	Win32.Trojan.Agent.NY4X7A
Varist	W32/ABTrojan.OARA-4691
AhnLab-V3	Trojan/Win.Agent.C5721021
McAfee	Artemis!E7C964E5BD52
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.4288530468
Ikarus	Trojan.NSIS.Runner
TrendMicro-HouseCall	TROJ_GEN.R053H01AP25
Tencent	Win32.Trojan.FalseSign.Bdhl
huorong	HEUR:Trojan/Runner.bv
Fortinet	W32/Runner.FS!tr
AVG	Win32:Malware-gen
Paloalto	generic.ml
alibabacloud	Backdoor:Win/Runner.FB

1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All