Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 27, 2025, 4:44 p.m.	Jan. 27, 2025, 4:47 p.m.

Size	884.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`9ce7b5dc80b072328c7bbcdb1c787941`
SHA256	`d264ece444ce4f309f8abb6624a948b7e475b0ea41922a167b2c206a99a2f3ed`
CRC32	`1E780A23`
ssdeep	`24576:92AkXmXG/wzcVn5eiBOdsd1NvyiOIMEWozYL:umXGAcVN8dsFaiXvWeu`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
2028
- cmd.exe "C:\Windows\System32\cmd.exe" /c copy Fixed Fixed.cmd & Fixed.cmd
  2180
  - findstr.exe findstr /I "opssvc wrsa"
    2276
  - tasklist.exe tasklist
    2240
  - tasklist.exe tasklist
    2384
  - findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    2420
  - cmd.exe cmd /c md 567757
    2496
  - extrac32.exe extrac32 /Y /E Activation
    2540
  - findstr.exe findstr /V "VIETNAM" Diagnostic
    2592
  - cmd.exe cmd /c copy /b 567757\Appeal.com + Entirely + Thumbnails + Atmospheric + Eternal + Quite + Strictly + Mongolia + Card + Decent 567757\Appeal.com
    2636
  - cmd.exe cmd /c copy /b ..\Tuner + ..\Rest + ..\Reservation + ..\Twiki j
    2680
  - Appeal.com Appeal.com j
    2724
  - choice.exe choice /d y /t 5
    2860

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Jan. 27, 2025, 4:44 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Jan. 27, 2025, 4:44 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 27, 2025, 4:44 p.m.			0	0
IsDebuggerPresent Jan. 27, 2025, 4:45 p.m.			0	0

Command line console output was observed (50 out of 761 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: Double=E console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: evXSheep-Restriction-Stood-Cam-Scientific-Live-Ve-Situated-Club- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: 'evXSheep-Restriction-Stood-Cam-Scientific-Live-Ve-Situated-Club-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: bfOOMaintaining-Ant-Across-Webshots-Printed-Planner-Devel-Edition- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: 'bfOOMaintaining-Ant-Across-Webshots-Printed-Planner-Devel-Edition-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: ZBUAlgorithms-Powered-Rolled- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: 'ZBUAlgorithms-Powered-Rolled-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: GNvZMarkers-Oops-Imported-Devon-Disabilities-El-Stage- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: 'GNvZMarkers-Oops-Imported-Devon-Disabilities-El-Stage-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: SkLlp-Breaks-Grateful-Anaheim-Investing-Destroyed-Ex-Membrane-Involved- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: 'SkLlp-Breaks-Grateful-Anaheim-Investing-Destroyed-Ex-Membrane-Involved-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: ihPetroleum-Seas-Just-Candy-Remarks-Porno- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: 'ihPetroleum-Seas-Just-Candy-Remarks-Porno-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: sTLabeled-Gmbh-Lower-Implementing-Haven-Visible-Include-Measured- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: 'sTLabeled-Gmbh-Lower-Implementing-Haven-Visible-Include-Measured-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: fVTrailers-Effectively-Recruiting-Detect-Gate-Im-Tasks- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: 'fVTrailers-Effectively-Recruiting-Detect-Gate-Im-Tasks-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: Representative=S console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: HPSiSons-Double-Desirable-Printers- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: 'HPSiSons-Double-Desirable-Printers-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: sGSPools-Color-Dump-Pond-Improvement-Females-Span- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: 'sGSPools-Color-Dump-Pond-Improvement-Females-Span-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: kaJAmericas-Across-Davidson-Racing- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: 'kaJAmericas-Across-Davidson-Racing-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: IQoSociology-Activities-Discount-Nightlife-Indicators- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: 'IQoSociology-Activities-Discount-Nightlife-Indicators-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: PgRaising-Workflow-Descriptions-Engineers-Hong-Cargo-Pays- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: 'PgRaising-Workflow-Descriptions-Engineers-Hong-Cargo-Pays-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: VDuMw-Label-Investments- console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: 'VDuMw-Label-Investments-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 27, 2025, 4:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 27, 2025, 4:44 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\567757\Appeal.com

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c copy Fixed Fixed.cmd & Fixed.cmd

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\567757\Appeal.com

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\567757\Appeal.com

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 27, 2025, 4:44 p.m.	show_type: 0 filepath_r: cmd parameters: /c copy Fixed Fixed.cmd & Fixed.cmd filepath: cmd	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (10 events)

Time & API	Arguments	Status	Return
Process32NextW Jan. 27, 2025, 4:45 p.m.	snapshot_handle: 0x0000012c process_name: mobsync.exe process_identifier: 536	1	1
Process32NextW Jan. 27, 2025, 4:45 p.m.	snapshot_handle: 0x0000012c process_name: SearchProtocolHost.exe process_identifier: 1572	1	1
Process32NextW Jan. 27, 2025, 4:45 p.m.	snapshot_handle: 0x0000012c process_name: conhost.exe process_identifier: 1020	1	1
Process32NextW Jan. 27, 2025, 4:45 p.m.	snapshot_handle: 0x0000012c process_name: random.exe process_identifier: 2028	1	1
Process32NextW Jan. 27, 2025, 4:45 p.m.	snapshot_handle: 0x0000012c process_name: pw.exe process_identifier: 1076	1	1
Process32NextW Jan. 27, 2025, 4:45 p.m.	snapshot_handle: 0x0000012c process_name: cmd.exe process_identifier: 2180	1	1
Process32NextW Jan. 27, 2025, 4:45 p.m.	snapshot_handle: 0x0000012c process_name: conhost.exe process_identifier: 2216	1	1
Process32NextW Jan. 27, 2025, 4:45 p.m.	snapshot_handle: 0x0000012c process_name: WmiPrvSE.exe process_identifier: 2344	1	1
Process32NextW Jan. 27, 2025, 4:45 p.m.	snapshot_handle: 0x0000012c process_name: Appeal.com process_identifier: 2724	1	1
Process32NextW Jan. 27, 2025, 4:45 p.m.	snapshot_handle: 0x0000012c process_name: inject-x86.exe process_identifier: 2776	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0000a600', u'virtual_address': u'0x00100000', u'entropy': 7.364725559975049, u'name': u'.rsrc', u'virtual_size': u'0x0000a416'}

entropy

7.36472555998

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001000', u'virtual_address': u'0x0010b000', u'entropy': 7.926452079815375, u'name': u'.reloc', u'virtual_size': u'0x00000fd6'}

entropy

7.92645207982

description

A section with a high entropy has been found

entropy

0.529069767442

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 27, 2025, 4:44 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Jan. 27, 2025, 4:44 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

tasklist

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2180 resumed a thread in remote process 2724
NtResumeThread Jan. 27, 2025, 4:45 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2724	1	0	0

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Runner.m!c
Skyhigh	ACL/Malware Generic.CPVH
McAfee	ACL/Malware Generic.CPVH
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_70% (W)
Symantec	Trojan Horse
Elastic	malicious (high confidence)
Avast	FileRepMalware [Misc]
Kaspersky	HEUR:Backdoor.Win32.Agent.gen
F-Secure	Backdoor.BDS/Agent.ipyph
McAfeeD	ti!D264ECE444CE
CTX	exe.trojan.runner
Sophos	Mal/Generic-S
Google	Detected
Avira	BDS/Agent.ipyph
Kingsoft	Win32.Hack.Agent.gen
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Win32.Trojan.Agent.1ETXBY
Varist	W32/ABTrojan.ZKHI-2375
DeepInstinct	MALICIOUS
Ikarus	Trojan.NSIS.Runner
Fortinet	BAT/Runner.U!tr
AVG	FileRepMalware [Misc]
alibabacloud	Backdoor:Win/Wacatac.B9nj

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All