Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 4, 2025, 12:46 p.m.	May 4, 2025, 1:11 p.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`bbb2fadd18b94c71dabdcf9abe2f60a2`
SHA256	`52c976140a7b016bcc8978be4d5a887a86e6b454aae7dce95ed15628d3326eb3`
CRC32	`31D6388B`
ssdeep	`24576:n0afOGVvlEldsFx10TKGRLTh3yIQvlRCVP54521aZ7mW/7/z3uWe:nJOqdACFxa2GRLTh3DQtYVPG57ZKOLeW`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) UPX_Zero - UPX packed file

a10d94b7-8fb0-40c9-a1aa-15103db98d15.exe "C:\Users\test22\AppData\Local\Temp\a10d94b7-8fb0-40c9-a1aa-15103db98d15.exe"
2540
- cmd.exe "C:\Windows\System32\cmd.exe" /c copy Loan.ppam Loan.ppam.bat & Loan.ppam.bat
  2668
  - findstr.exe findstr /I "opssvc wrsa"
    2792
  - tasklist.exe tasklist
    2756
  - tasklist.exe tasklist
    2908
  - findstr.exe findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
    2944
  - cmd.exe cmd /c md 829811
    3016
  - extrac32.exe extrac32 /Y /E Theoretical.ppam
    3060
  - findstr.exe findstr /V "Html" Defeat
    1964
  - cmd.exe cmd /c copy /b 829811\Sugar.com + Jose + Trials + Ideal + Advertiser + Report + Bumper + Container + Widespread + Likely 829811\Sugar.com
    2120
  - cmd.exe cmd /c copy /b ..\Floors.ppam + ..\Soma.ppam + ..\Collector.ppam + ..\Heat.ppam + ..\Warnings.ppam + ..\Smith.ppam + ..\French.ppam T
    2136
  - Sugar.com Sugar.com T
    2180
  - choice.exe choice /d y /t 5
    2312

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0

Command line console output was observed (50 out of 1518 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: Planner=g console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: LxLoFemales console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: (Kong(Cord(Clearly(Sonic( console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: 'LxLoFemales' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: GWRxThriller console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: (Fist(Learned(Statute( console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: 'GWRxThriller' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: UwesAbilities console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: (Horse(Magnetic(Chester(Possibilities(Gun(Alleged(Visible(Diagnostic( console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: 'UwesAbilities' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: XSWhButtons console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: (Memorial(Dodge(Buses(Visited(Suppose(With(Anyone(Wicked( console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: 'XSWhButtons' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: gMPsychiatry console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: (Smilies(Fossil( console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: 'gMPsychiatry' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: Cheap=v console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: DWgZFirmware console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: (Contamination(Harbor( console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: 'DWgZFirmware' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: RxIssue console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: (Payable(Stewart( console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: 'RxIssue' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: ABjWin console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: (Morocco(Actors(Federal(Translate( console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: 'ABjWin' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: udSteven console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: (Chip(Kid(Car(Specials( console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: 'udSteven' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: trEReview console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: (Fails(Transfer( console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: 'trEReview' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: Core=I console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 4, 2025, 12:46 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d2000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (9 events)

file	C:\Users\test22\AppData\Local\Temp\Smith.ppam
file	C:\Users\test22\AppData\Local\Temp\Loan.ppam
file	C:\Users\test22\AppData\Local\Temp\French.ppam
file	C:\Users\test22\AppData\Local\Temp\Heat.ppam
file	C:\Users\test22\AppData\Local\Temp\Warnings.ppam
file	C:\Users\test22\AppData\Local\Temp\Soma.ppam
file	C:\Users\test22\AppData\Local\Temp\Floors.ppam
file	C:\Users\test22\AppData\Local\Temp\Theoretical.ppam
file	C:\Users\test22\AppData\Local\Temp\Collector.ppam

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\829811\Sugar.com

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c copy Loan.ppam Loan.ppam.bat & Loan.ppam.bat
cmdline	C:\Windows\System32\cmd.exe /c copy Loan.ppam Loan.ppam.bat & Loan.ppam.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\829811\Sugar.com

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\829811\Sugar.com

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 4, 2025, 12:46 p.m.	show_type: 0 filepath_r: C:\Windows\System32\cmd.exe parameters: /c copy Loan.ppam Loan.ppam.bat & Loan.ppam.bat filepath: C:\Windows\System32\cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return
Process32NextW May 4, 2025, 12:46 p.m.	snapshot_handle: 0x00000134 process_name: mobsync.exe process_identifier: 2272	1	1
Process32NextW May 4, 2025, 12:46 p.m.	snapshot_handle: 0x00000134 process_name: a10d94b7-8fb0-40c9-a1aa-15103db98d15.exe process_identifier: 2540	1	1
Process32NextW May 4, 2025, 12:46 p.m.	snapshot_handle: 0x00000134 process_name: cmd.exe process_identifier: 2668	1	1
Process32NextW May 4, 2025, 12:46 p.m.	snapshot_handle: 0x00000134 process_name: conhost.exe process_identifier: 2704	1	1
Process32NextW May 4, 2025, 12:46 p.m.	snapshot_handle: 0x00000134 process_name: WmiPrvSE.exe process_identifier: 2868	1	1
Process32NextW May 4, 2025, 12:46 p.m.	snapshot_handle: 0x00000134 process_name: Sugar.com process_identifier: 2180	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00023a00', u'virtual_address': u'0x000f2000', u'entropy': 7.865434341963707, u'name': u'.rsrc', u'virtual_size': u'0x00023900'}

entropy

7.86543434196

description

A section with a high entropy has been found

entropy

0.816618911175

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 4, 2025, 12:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 4, 2025, 12:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	findstr /V "Html" Defeat
cmdline	tasklist
cmdline	"C:\Windows\System32\cmd.exe" /c copy Loan.ppam Loan.ppam.bat & Loan.ppam.bat
cmdline	C:\Windows\System32\cmd.exe /c copy Loan.ppam Loan.ppam.bat & Loan.ppam.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2668 resumed a thread in remote process 2180
NtResumeThread May 4, 2025, 12:46 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2180	1	0	0

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.LummaStealer.4!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	cld.backdoor.agent
Cylance	Unsafe
Sangfor	Trojan.Win32.Lummastealer.Vj3d
CrowdStrike	win/malicious_confidence_70% (W)
K7GW	Trojan ( 005c5b261 )
K7AntiVirus	Trojan ( 005c5b261 )
Symantec	Trojan.Gen.2
Elastic	malicious (moderate confidence)
ESET-NOD32	Win32/Spy.LummaStealer.T
Avast	Win32:Malware-gen
Kaspersky	HEUR:Backdoor.Win32.Agent.gen
F-Secure	Trojan.TR/AVI.Agent.xptyb
McAfeeD	ti!52C976140A7B
CTX	exe.trojan.lummastealer
Sophos	Mal/Generic-S
Google	Detected
Avira	TR/AVI.Agent.xptyb
Antiy-AVL	Trojan/NSIS.Runner.lg
Microsoft	Trojan:Win64/LummaStealer!rfn
GData	Win32.Trojan.Agent.U2T7XJ
Varist	W32/ABTrojan.BEQP-2448
AhnLab-V3	Infostealer/Win.LummaC2.R699686
McAfee	Artemis!BBB2FADD18B9
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.625067345
Ikarus	Trojan.NSIS.Runner
TrendMicro-HouseCall	Trojan.Win32.VSX.PE04C9Z
Fortinet	NSIS/Runner.OK!tr
AVG	Win32:Malware-gen
alibabacloud	Backdoor:Win/LummaStealer.T

a10d94b7-8fb0-40c9-a1aa-15103db98d15

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All