Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 15, 2022, 10:18 a.m.	Dec. 15, 2022, 10:21 a.m.

Size	13.5KB
Type	ASCII text, with CRLF line terminators
MD5	`bc9ac7c15b87ae4439fc51991d20388e`
SHA256	`7e804934fe7fcb439fe24ca08fc959dfffb20bc959216d809b9ad2109d8a9988`
CRC32	`9B3D9066`
ssdeep	`192:WOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:WVODaDSHMql3yqlxy5L1xcjwrlz3`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "rWzKnoaMZVOkFHg" C:\Users\test22\AppData\Local\Temp\BRDbdWBB.bat
1208
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\BRDbdWBB.bat
  2124
  - cscript.exe cscript x.js
    2212
  - MEMZ.exe "C:\Users\test22\AppData\Roaming\MEMZ.exe"
    2404
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 15, 2022, 10:18 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 15, 2022, 10:18 a.m.	buffer: echo console_handle: 0x00000007	1	1
WriteConsoleW Dec. 15, 2022, 10:18 a.m.	buffer: off console_handle: 0x00000007	1	1
WriteConsoleW Dec. 15, 2022, 10:18 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000f	1	1

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ Dec. 15, 2022, 10:19 a.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18 MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f New_user32_MessageBoxTimeoutW@24+0x5e New_user32_RegisterHotKey@16-0x159 @ 0x746e76de MessageBoxTimeoutA+0x76 MessageBoxIndirectA-0x33 user32+0x6fb9e @ 0x7564fb9e New_user32_MessageBoxTimeoutA@24+0x137 New_user32_MessageBoxTimeoutW@24-0x80 @ 0x746e7600 MessageBoxExA+0x1b MessageBoxExW-0x9 user32+0x6fcf1 @ 0x7564fcf1 MessageBoxA+0x18 MessageBoxW-0x9 user32+0x6fd36 @ 0x7564fd36 memz+0x1465 @ 0x111465 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x74433f46 registers.esp: 4256148 registers.edi: 0 registers.eax: 1950564166 registers.ebp: 4256188 registers.edx: 0 registers.ebx: 0 registers.esi: 1950564166 registers.ecx: 9178472	1
__exception__ Dec. 15, 2022, 10:19 a.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18 MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f New_user32_MessageBoxTimeoutW@24+0x5e New_user32_RegisterHotKey@16-0x159 @ 0x746e76de MessageBoxTimeoutA+0x76 MessageBoxIndirectA-0x33 user32+0x6fb9e @ 0x7564fb9e New_user32_MessageBoxTimeoutA@24+0x137 New_user32_MessageBoxTimeoutW@24-0x80 @ 0x746e7600 MessageBoxExA+0x1b MessageBoxExW-0x9 user32+0x6fcf1 @ 0x7564fcf1 MessageBoxA+0x18 MessageBoxW-0x9 user32+0x6fd36 @ 0x7564fd36 memz+0x1465 @ 0x111465 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x74433f46 registers.esp: 4256148 registers.edi: 0 registers.eax: 1950564166 registers.ebp: 4256188 registers.edx: 0 registers.ebx: 0 registers.esi: 1950564166 registers.ecx: 9178472	1
__exception__ Dec. 15, 2022, 10:19 a.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetCursor+0x2ff DrawStateW-0x265 user32+0x3f9df @ 0x7561f9df GetCursor+0xa4 DrawStateW-0x4c0 user32+0x3f784 @ 0x7561f784 GetCursor+0x1a9 DrawStateW-0x3bb user32+0x3f889 @ 0x7561f889 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x755f965e SetKeyboardState+0xbbd CliImmSetHotKey-0x12c9e user32+0x4206f @ 0x7562206f DialogBoxIndirectParamAorW+0xf7 SetDlgItemTextW-0x55 user32+0x3cf4b @ 0x7561cf4b SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18 MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f New_user32_MessageBoxTimeoutW@24+0x5e New_user32_RegisterHotKey@16-0x159 @ 0x746e76de MessageBoxTimeoutA+0x76 MessageBoxIndirectA-0x33 user32+0x6fb9e @ 0x7564fb9e New_user32_MessageBoxTimeoutA@24+0x137 New_user32_MessageBoxTimeoutW@24-0x80 @ 0x746e7600 MessageBoxExA+0x1b MessageBoxExW-0x9 user32+0x6fcf1 @ 0x7564fcf1 MessageBoxA+0x18 MessageBoxW-0x9 user32+0x6fd36 @ 0x7564fd36 memz+0x1479 @ 0x111479 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x74433f46 registers.esp: 4255448 registers.edi: 0 registers.eax: 1950564166 registers.ebp: 4255488 registers.edx: 0 registers.ebx: 0 registers.esi: 1950564166 registers.ecx: 9178472	1
__exception__ Dec. 15, 2022, 10:19 a.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a DialogBoxIndirectParamW+0x20a DialogBoxIndirectParamAorW-0x57 user32+0x3cdfd @ 0x7561cdfd DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18 MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f New_user32_MessageBoxTimeoutW@24+0x5e New_user32_RegisterHotKey@16-0x159 @ 0x746e76de MessageBoxTimeoutA+0x76 MessageBoxIndirectA-0x33 user32+0x6fb9e @ 0x7564fb9e New_user32_MessageBoxTimeoutA@24+0x137 New_user32_MessageBoxTimeoutW@24-0x80 @ 0x746e7600 MessageBoxExA+0x1b MessageBoxExW-0x9 user32+0x6fcf1 @ 0x7564fcf1 MessageBoxA+0x18 MessageBoxW-0x9 user32+0x6fd36 @ 0x7564fd36 memz+0x1479 @ 0x111479 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x74433f46 registers.esp: 4256240 registers.edi: 0 registers.eax: 1950564166 registers.ebp: 4256280 registers.edx: 0 registers.ebx: 0 registers.esi: 1950564166 registers.ecx: 9178472	1

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 15, 2022, 10:18 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Dec. 15, 2022, 10:19 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\MEMZ.exe
file	C:\Users\test22\AppData\Local\Temp\x.js

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\MEMZ.exe

Potentially malicious URLs were found in the process memory dump (27 events)

url	http://pcoptimizerpro.com
url	http://google.co.ck/search?q=batch
url	http://google.co.ck/search?q=best
url	http://google.co.ck/search?q=bonzi
url	http://google.co.ck/search?q=g3t
url	http://google.co.ck/search?q=stanky
url	http://google.co.ck/search?q=virus
url	http://google.co.ck/search?q=mcafee
url	http://google.co.ck/search?q=the
url	http://google.co.ck/search?q=virus.exe
url	http://google.co.ck/search?q=internet
url	http://google.co.ck/search?q=facebook
url	http://google.co.ck/search?q=what
url	http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
url	http://google.co.ck/search?q=my
url	http://google.co.ck/search?q=vinesauce
url	http://google.co.ck/search?q=half
url	http://motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
url	http://google.co.ck/search?q=john
url	http://google.co.ck/search?q=skrillex
url	http://google.co.ck/search?q=minecraft
url	http://google.co.ck/search?q=montage
url	http://softonic.com
url	http://google.co.ck/search?q=how
url	http://play.clubpenguin.com
url	http://google.co.ck/search?q=dank
url	http://google.co.ck/search?q=is

Yara rule detected in process memory (50 out of 63 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Steal credential	rule	local_credential_Steal
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Steal credential	rule	local_credential_Steal
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\MEMZ.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2124 resumed a thread in remote process 2404
NtResumeThread Dec. 15, 2022, 10:18 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2404	1	0	0

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Lionic	Trojan.BAT.Memz.4!c
DrWeb	Trojan.KillAll.143
FireEye	Generic.Zmem.1.F55992DD
CAT-QuickHeal	BAT.Agent.FS
McAfee	BAT/Dropper.e
Sangfor	Trojan.Generic-BAT.Save.9468f731
Arcabit	Generic.Zmem.1.F55992DD
Cyren	BAT/Agent.AGE
Symantec	Trojan.Gen.NPE
ESET-NOD32	BAT/TrojanDropper.Agent.NCY
Avast	Script:SNH-gen [Drp]
Cynet	Malicious (score: 99)
Kaspersky	Trojan.BAT.Memz.b
BitDefender	Generic.Zmem.1.F55992DD
NANO-Antivirus	Trojan.Script.Dropper.hkfymg
MicroWorld-eScan	Generic.Zmem.1.F55992DD
Tencent	Unk.Win32.Script.403928
Ad-Aware	Generic.Zmem.1.F55992DD
Emsisoft	Trojan.Memz (A)
VIPRE	Generic.Zmem.1.F55992DD
McAfee-GW-Edition	BAT/Dropper.e
Ikarus	Trojan-Dropper.BAT.Agent
Avira	HTML/ExpKit.Gen2
Microsoft	TrojanDropper:BAT/Starter.G!MSR
GData	Generic.Zmem.1.F55992DD
Google	Detected
ALYac	Generic.Zmem.1.F55992DD
MAX	malware (ai score=82)
Fortinet	BAT/Dropper.E!tr
AVG	Script:SNH-gen [Drp]

BRDbdWBB.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All