Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 7, 2025, 9:59 a.m.	April 7, 2025, 10:10 a.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`09232161939bec92432fe5751b7cd092`
SHA256	`f741a6cfbd22e05821557394ea54651c78882c16e1ce667ef0343957abe201a0`
CRC32	`1662E9B7`
ssdeep	`24576:LtCChnogHYbLwdCUnwZz+T8xoqW0R+oiiaebS842S6iEzcB9Ho6Usx8zhh:LfogddCZVRviihb4Lk4BBDvK`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) UPX_Zero - UPX packed file

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
1872
- cmd.exe "C:\Windows\System32\cmd.exe" /c copy Bc.wbk Bc.wbk.bat & Bc.wbk.bat
  2068
  - tasklist.exe tasklist
    2228
  - findstr.exe findstr /I "opssvc wrsa"
    2264
  - tasklist.exe tasklist
    2376
  - findstr.exe findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
    2412
  - cmd.exe cmd /c md 674187
    2484
  - extrac32.exe extrac32 /Y /E Funky.wbk
    2528
  - findstr.exe findstr /V "Und" Tournament
    2576
  - cmd.exe cmd /c copy /b 674187\Constraints.com + Lu + Pepper + Cn + Hairy + Nose + Providence + Bra + Corresponding + Promo + Ending 674187\Constraints.com
    2620
  - cmd.exe cmd /c copy /b ..\Losses.wbk + ..\Finally.wbk + ..\Medications.wbk + ..\Borough.wbk + ..\Trim.wbk + ..\Ellis.wbk + ..\Truly.wbk + ..\Was.wbk r
    2664
  - Constraints.com Constraints.com r
    2708
  - choice.exe choice /d y /t 5
    2792

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 7, 2025, 9:59 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 7, 2025, 9:59 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 7, 2025, 9:59 a.m.			0	0
IsDebuggerPresent April 7, 2025, 9:59 a.m.			0	0

Command line console output was observed (50 out of 2018 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: Victoria=G console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: vOqCancellation console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: (Tobago(Ep( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: 'vOqCancellation' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: jpdTFrankfurt console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: (Respondents(Harmful(Advert(Doctrine(Respected( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: 'jpdTFrankfurt' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: KhtPoland console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: (Aaron(Expenditures(Describe(Tribunal( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: 'KhtPoland' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: JXfbInterview console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: (Zshops( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: 'JXfbInterview' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: UfPReload console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: (Gzip(Server( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: 'UfPReload' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: wEVLatvia console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: (Editorial( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: 'wEVLatvia' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: RSpJMessage console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: (Canal(Movers(Assured(Third( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: 'RSpJMessage' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: Snap=F console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: haJack console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: (Astronomy(Commercial(Literacy(Quarters(Survivors(Ask(Bullet(Democrat( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: 'haJack' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: RGStudents console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: (Medium(Cars(Robertson( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: 'RGStudents' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: aVMExcerpt console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: (Buyer(Glossary(Vs(Evident(Arrangement(Twisted( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: 'aVMExcerpt' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: GQEeConsiderations console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 9:59 a.m.	buffer: (Working(Asbestos(Rugby(St(Faced(Bureau(Opposite(Reduce( console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 7, 2025, 9:59 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\674187\Constraints.com

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c copy Bc.wbk Bc.wbk.bat & Bc.wbk.bat
cmdline	CMD.exe /c copy Bc.wbk Bc.wbk.bat & Bc.wbk.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\674187\Constraints.com

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\674187\Constraints.com

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 7, 2025, 9:59 a.m.	show_type: 0 filepath_r: CMD.exe parameters: /c copy Bc.wbk Bc.wbk.bat & Bc.wbk.bat filepath: CMD.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return
Process32NextW April 7, 2025, 9:59 a.m.	snapshot_handle: 0x0000012c process_name: taskhost.exe process_identifier: 660	1	1
Process32NextW April 7, 2025, 9:59 a.m.	snapshot_handle: 0x0000012c process_name: cmd.exe process_identifier: 416	1	1
Process32NextW April 7, 2025, 9:59 a.m.	snapshot_handle: 0x0000012c process_name: random.exe process_identifier: 1872	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00029400', u'virtual_address': u'0x00470000', u'entropy': 7.838032677428376, u'name': u'.rsrc', u'virtual_size': u'0x000293f8'}

entropy

7.83803267743

description

A section with a high entropy has been found

entropy

0.837563451777

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 7, 2025, 9:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 7, 2025, 9:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	tasklist
cmdline	"C:\Windows\System32\cmd.exe" /c copy Bc.wbk Bc.wbk.bat & Bc.wbk.bat
cmdline	CMD.exe /c copy Bc.wbk Bc.wbk.bat & Bc.wbk.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2068 resumed a thread in remote process 2708
NtResumeThread April 7, 2025, 9:59 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2708	1	0	0

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Runner.m!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	cld.backdoor.agent
Skyhigh	Artemis!Trojan
ALYac	Trojan.Generic.37795009
Cylance	Unsafe
VIPRE	Trojan.Generic.37795009
Sangfor	Backdoor.Win32.Agent.V3kj
CrowdStrike	win/malicious_confidence_60% (W)
BitDefender	Trojan.Generic.37795009
K7GW	Trojan ( 005c4c581 )
K7AntiVirus	Trojan ( 005c4c581 )
Arcabit	Trojan.Generic.D240B4C1
VirIT	Trojan.Win32.NSISGenT.ACOL
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.NSIS.CS
Avast	Win32:Malware-gen
Kaspersky	HEUR:Backdoor.Win32.Agent.gen
MicroWorld-eScan	Trojan.Generic.37795009
Emsisoft	Trojan.Generic.37795009 (B)
F-Secure	Trojan.TR/AVI.Agent.uglqm
TrendMicro	Trojan.Win32.AMADEY.YXFC5Z
Trapmine	suspicious.low.ml.score
CTX	exe.trojan.runner
Sophos	Mal/Generic-S
FireEye	Generic.mg.09232161939bec92
Google	Detected
Avira	TR/AVI.Agent.uglqm
Antiy-AVL	Trojan/NSIS.Runner.lg
Kingsoft	malware.kb.a.844
Microsoft	Trojan:Win64/LummaStealer!rfn
GData	Trojan.Generic.37795009
Varist	W32/ABTrojan.UTDZ-4006
McAfee	Artemis!09232161939B
Ikarus	Trojan.NSIS.Runner
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXFC5Z
Tencent	Win32.Trojan.FalseSign.Pcnw
huorong	Trojan/BAT.Agent.cv
MaxSecure	Trojan.Malware.325674353.susgen
Fortinet	W32/Runner.LP!tr
AVG	Win32:Malware-gen
Paloalto	generic.ml

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All