Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 7, 2025, 10:01 a.m.	April 7, 2025, 10:06 a.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`4641a0bec2101c82f575862f97be861c`
SHA256	`fc2ac17498bd7846607110e66426bdad0ab5302f5c7978dd72c20d99166292e1`
CRC32	`5956F279`
ssdeep	`24576:etCs8d5ZIman4nF4GbZ8Yuk2qLwNmZIjZF+hBJwMwtpQI//3Vah0y4hQ/Dkk:eMd5eman4nOGb6YvVIfsm1tpQk/l5hQr`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) UPX_Zero - UPX packed file

larBxd7.exe "C:\Users\test22\AppData\Local\Temp\larBxd7.exe"
2544
- cmd.exe "C:\Windows\System32\cmd.exe" /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat
  2664
  - findstr.exe findstr /I "opssvc wrsa"
    2760
  - tasklist.exe tasklist
    2724
  - tasklist.exe tasklist
    2876
  - findstr.exe findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
    2916
  - cmd.exe cmd /c md 689912
    2988
  - extrac32.exe extrac32 /Y /E Exclusion.psd
    3032
  - findstr.exe findstr /V "users" Findarticles
    1120
  - cmd.exe cmd /c copy /b 689912\Jordan.com + Bg + Batteries + Boss + Illustrations + Boards + Within + Pushed + Brunei + Dead 689912\Jordan.com
    2084
  - cmd.exe cmd /c copy /b ..\Customized.psd + ..\Permits.psd + ..\Teeth.psd + ..\Feel.psd + ..\Nonprofit.psd + ..\Shoes.psd + ..\Bruce.psd b
    2108
  - Jordan.com Jordan.com b
    196
  - choice.exe choice /d y /t 5
    2228

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 7, 2025, 10:01 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 7, 2025, 10:01 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 7, 2025, 10:01 a.m.			0	0
IsDebuggerPresent April 7, 2025, 10:01 a.m.			0	0

Command line console output was observed (50 out of 1034 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: Extent=4 console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: iLkStocks console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: (Tube(Laugh(Angel(Macromedia(Bronze(Barbados( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: 'iLkStocks' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: VCIntake console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: (Sys(Leaves(Trouble(Carrying(Enrolled(Plymouth(Daily(Termination( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: 'VCIntake' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: ylHoward console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: (Connections(Rail(Colleges(Importantly(Using(Interest(Royal(Bookmark( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: 'ylHoward' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: mAAvenue console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: (Epinions(Alarm( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: 'mAAvenue' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: RQwForums console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: (Guidance(Simulation(Const( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: 'RQwForums' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: inFame console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: (Italy(Republic(Rapids(Loose( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: 'inFame' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: sxUWalking console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: (Bibliographic(Carmen(Flows(Rid(Aging(Hell(Tires( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: 'sxUWalking' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: Education=J console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: UQCompetition console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: (Hire(Disability( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: 'UQCompetition' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: FURivers console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: 'FURivers' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: upODirected console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: (Italic(Consultant(Invite(Hispanic(Cake(Manor(Regional(They( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: 'upODirected' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: sApVBrakes console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: (Jay( console_handle: 0x00000007	1	1
WriteConsoleW April 7, 2025, 10:01 a.m.	buffer: 'sApVBrakes' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 7, 2025, 10:01 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 7, 2025, 10:01 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2025, 10:01 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2025, 10:01 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73452000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\689912\Jordan.com

Creates a suspicious process (2 events)

cmdline	C:\Windows\System32\cmd.exe /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat
cmdline	"C:\Windows\System32\cmd.exe" /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\689912\Jordan.com

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\689912\Jordan.com

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 7, 2025, 10:01 a.m.	show_type: 0 filepath_r: C:\Windows\System32\cmd.exe parameters: /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat filepath: C:\Windows\System32\cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
Process32NextW April 7, 2025, 10:01 a.m.	snapshot_handle: 0x00000134 process_name: inject-x86.exe process_identifier: 2252	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001aa00', u'virtual_address': u'0x00470000', u'entropy': 7.762937999863443, u'name': u'.rsrc', u'virtual_size': u'0x0001a9d8'}

entropy

7.76293799986

description

A section with a high entropy has been found

entropy

0.768953068592

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 7, 2025, 10:01 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 7, 2025, 10:01 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	tasklist
cmdline	C:\Windows\System32\cmd.exe /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat
cmdline	"C:\Windows\System32\cmd.exe" /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2664 resumed a thread in remote process 196
NtResumeThread April 7, 2025, 10:01 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 196	1	0	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Runner.m!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	cld.backdoor.agent
Skyhigh	Artemis!Trojan
Cylance	Unsafe
Sangfor	Backdoor.Win32.Agent.Vmqt
CrowdStrike	win/malicious_confidence_60% (W)
K7GW	Trojan ( 005c4ee51 )
K7AntiVirus	Trojan ( 005c4ee51 )
VirIT	Trojan.Win32.NSISGenT.ACOY
Symantec	Trojan.Gen.2
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.NSIS.CS
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Backdoor.Win32.Agent.gen
F-Secure	Trojan.TR/AVI.Agent.xutea
TrendMicro	Trojan.Win32.AMADEY.YXFDDZ
CTX	exe.trojan.runner
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.4641a0bec2101c82
Google	Detected
Avira	TR/AVI.Agent.xutea
Antiy-AVL	Trojan/NSIS.Runner.lg
Kingsoft	malware.kb.a.907
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Win32.Trojan.Agent.9YY2S1
Varist	W32/ABTrojan.XKOF-8531
McAfee	Artemis!4641A0BEC210
Malwarebytes	Backdoor.Agent
Ikarus	Trojan.NSIS.Runner
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXFDDZ
Tencent	Win32.Trojan.FalseSign.Zfow
huorong	Trojan/Runner.cr
Fortinet	W32/Runner.MD!tr
AVG	Script:SNH-gen [Trj]
Paloalto	generic.ml
alibabacloud	Backdoor:Win/Packed.NSIS.CB

larBxd7.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All