Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 4, 2023, 11:10 a.m.	July 4, 2023, 11:13 a.m.

Size	61.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`229b39c9a2ed47dd87d2eae54f11f41f`
SHA256	`0d82b1a03a626ae36f777573c66de32b4b5487be24137baa06b9f3da6538166a`
CRC32	`1FBBB021`
ssdeep	`1572864:uohRuJvESn4nTKLbKVDCsAq3rYkctmFV1Ga6cbgghbqa9Kbu3bFYF8R0ROt11L98:uMu72TKLbyqOc`
PDB Path	D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\cli\apphost\Release\apphost.pdb
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Malicious_Library_Zero - Malicious_Library Win_Trojan_Formbook_Zero - Used Formbook PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

JD%20Business%20Plan%202023.lnk "C:\Users\test22\AppData\Local\Temp\JD%20Business%20Plan%202023.lnk"
2100

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA July 4, 2023, 11:10 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 4, 2023, 11:10 a.m.	computer_name: TEST22-PC	1	1	0

This executable has a PDB path (1 event)

pdb_path

D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\cli\apphost\Release\apphost.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 4, 2023, 11:10 a.m.		1	1	0

Creates executable files on the filesystem (50 out of 221 events)

file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Diagnostics.TextWriterTraceListener.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Text.RegularExpressions.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Threading.Channels.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Linq.Expressions.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\netstandard.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Runtime.CompilerServices.VisualC.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Diagnostics.Tracing.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Runtime.Serialization.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Drawing.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Reflection.Emit.ILGeneration.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Threading.Timer.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.ComponentModel.DataAnnotations.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\hostfxr.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Web.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Net.Requests.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Windows.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.ValueTuple.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Net.Http.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.IO.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Xml.ReaderWriter.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\clrjit.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.ComponentModel.Primitives.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Runtime.Serialization.Xml.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Text.Encodings.Web.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\WindowsBase.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Data.DataSetExtensions.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\clrcompression.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.AppContext.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.IO.Pipes.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Xml.XmlDocument.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Security.SecureString.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.IO.Pipes.AccessControl.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.ServiceProcess.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.IO.Compression.FileSystem.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Runtime.Serialization.Primitives.dll
file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Threading.Thread.dll

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\JD%20Business%20Plan%202023.lnk

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Kaspersky	UDS:Trojan-Spy.Win32.Bobik.a
Webroot	W32.Trojan.Gen
Microsoft	Trojan:Win32/Malgent!MSR
Ikarus	Trojan-Spy.MSIL.Agent

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW July 4, 2023, 11:10 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\vmvhkc1y.wj3 flags: 2 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834 newfilepath: C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\vmvhkc1y.wj3 oldfilepath: C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834	1	1	0

Creates known IcePoint RAT files, registry keys and/or mutexes (1 event)

file	C:\Users\test22\AppData\Local\Temp\.net\JD%20Business%20Plan%202023.lnk\834\System.Net.ServicePoint.dll

JD%20Business%20Plan%202023.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All