Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Dec. 11, 2022, 3:56 p.m.	Dec. 11, 2022, 3:58 p.m.

Size	9.5KB
Type	DOS batch file, ASCII text, with CRLF line terminators
MD5	`bbae81b88416d8fba76dd3145a831d19`
SHA256	`5c3fde60c178ed0306dd3e396032acdc9bc55c690e27a926923dd18238bbd64c`
CRC32	`F0BCA32F`
ssdeep	`192:XBOTDzoOgdlf7MAdTyQuHq2b1vXei2SLca5icrLJlz3:ss/tDyQuHZddL5Jlz3`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "BSMcazjkjIKA" C:\Users\test22\AppData\Local\Temp\0xSE7Qn2.bat
3036
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\0xSE7Qn2.bat
  2208
  - cscript.exe cscript x.js
    2312
  - MEMZ.exe "C:\Users\test22\AppData\Roaming\MEMZ.exe"
    1588
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Dec. 11, 2022, 3:56 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000f	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 11, 2022, 3:56 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 11, 2022, 3:56 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742f2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2022, 3:56 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2022, 3:49 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000007760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2022, 3:56 p.m.	process_identifier: 1588 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74172000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2022, 3:56 p.m.	process_identifier: 1588 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741e3000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

MEMZ.exe tried to sleep 767 seconds, actually delayed analysis time by 767 seconds

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\MEMZ.exe
file	C:\Users\test22\AppData\Local\Temp\x.js

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\MEMZ.exe

Potentially malicious URLs were found in the process memory dump (27 events)

url	http://pcoptimizerpro.com
url	http://google.co.ck/search?q=batch
url	http://google.co.ck/search?q=best
url	http://google.co.ck/search?q=bonzi
url	http://google.co.ck/search?q=g3t
url	http://google.co.ck/search?q=stanky
url	http://google.co.ck/search?q=virus
url	http://google.co.ck/search?q=mcafee
url	http://google.co.ck/search?q=the
url	http://google.co.ck/search?q=virus.exe
url	http://google.co.ck/search?q=internet
url	http://google.co.ck/search?q=facebook
url	http://google.co.ck/search?q=what
url	http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
url	http://google.co.ck/search?q=my
url	http://google.co.ck/search?q=vinesauce
url	http://google.co.ck/search?q=half
url	http://motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
url	http://google.co.ck/search?q=john
url	http://google.co.ck/search?q=skrillex
url	http://google.co.ck/search?q=minecraft
url	http://google.co.ck/search?q=montage
url	http://softonic.com
url	http://google.co.ck/search?q=how
url	http://play.clubpenguin.com
url	http://google.co.ck/search?q=dank
url	http://google.co.ck/search?q=is

Yara rule detected in process memory (50 out of 63 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Steal credential	rule	local_credential_Steal
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Steal credential	rule	local_credential_Steal
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\MEMZ.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2208 resumed a thread in remote process 1588
NtResumeThread Dec. 11, 2022, 3:56 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 1588	1	0	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Lionic	Trojan.BAT.Memz.4!c
DrWeb	Trojan.MulDrop7.56069
CAT-QuickHeal	BAT.Agent.FS
ALYac	Generic.Zmem.1.0DBCAADC
VIPRE	Generic.Zmem.1.0DBCAADC
Sangfor	Trojan.Generic-BAT.Save.9468f731
Arcabit	Generic.Zmem.1.0DBCAADC
VirIT	Trojan.Win32.MulDrop7.DEYN
Cyren	BAT/Agent.AGE
Symantec	Trojan.Gen.2
ESET-NOD32	BAT/TrojanDropper.Agent.NCY
TrendMicro-HouseCall	Trojan.BAT.MEMZ.A
Avast	Other:Malware-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	Trojan.BAT.Memz.b
BitDefender	Generic.Zmem.1.0DBCAADC
NANO-Antivirus	Trojan.Script.Dropper.hkfymg
MicroWorld-eScan	Generic.Zmem.1.0DBCAADC
Tencent	Unk.Win32.Script.403928
Ad-Aware	Generic.Zmem.1.0DBCAADC
Emsisoft	Generic.Zmem.1.0DBCAADC (B)
Comodo	Malware@#2hee97o1j8686
F-Secure	Malware.HTML/ExpKit.Gen2
TrendMicro	Trojan.BAT.MEMZ.A
FireEye	Generic.Zmem.1.0DBCAADC
Sophos	Troj/BatDrp-AB
Avira	HTML/ExpKit.Gen2
MAX	malware (ai score=99)
Antiy-AVL	Trojan/BAT.Memz
Microsoft	TrojanDropper:BAT/Starter.G!MSR
ZoneAlarm	Trojan.BAT.Memz.b
GData	Generic.Zmem.1.0DBCAADC
Google	Detected
Rising	Dropper.Agent/BAT!1.CE50 (CLASSIC)
Ikarus	Trojan-Dropper.BAT.Agent
Fortinet	BAT/Agent.NCY!tr
AVG	Other:Malware-gen [Trj]

0xSE7Qn2.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All