Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.21 02:09
l6E.exe
09.20 01:09
setup.exe
09.20 11:09
3uTools.exe
09.20 11:09
66ecb4573225b_vsbhfdg1...
09.20 10:09
66ecb452ba19c_sfbdsgfd...
09.20 10:09
66ecb44c35444_vfdhsgdf...
09.20 10:09
66ec0e61998bf_setup30.exe
09.20 10:09
66ebf725efe38_lyla.exe
09.20 10:09
Desktop_Explorer.exe
09.20 10:09
66ec3528901bb_winupdat...

Latest News
09.21 04:09
Metasploit Weekly Wrap...
09.21 03:09
Fixing an Elgato HD60 ...
09.21 02:09
Google Faces EU Ultima...
09.21 02:09
This New Video Game Is...
09.21 02:09
FTC finds social media...
09.21 02:09
FTC finds social media...
09.21 01:09
Automate detection and...
09.21 01:09
Hackaday Podcast Episo...
09.21 01:09
The Russian Bot Army T...
09.21 01:09
Australia’s Labor Part...

Summary | ZeroBOX

Multi National Recruitment System Templete.pdf.lnk

Antivirus AntiVM AntiDebug GIF Format

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 19, 2023, 9:23 a.m.	July 19, 2023, 9:25 a.m.

Size	1019.0B
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has command line arguments, Icon number=13, Archive, ctime=Fri Apr 9 04:49:28 2021, mtime=Mon May 30 17:40:02 2022, atime=Fri Apr 9 04:49:28 2021, length=289792, window=hidenormalshowminimized
MD5	`3c5aacd54c4f9baa9a58423b3fe0969d`
SHA256	`89062a28f33021539ab3d197c124040177e5ae94a05e1ac7a4f1c852d6b498cf`
CRC32	`A3D839CB`
ssdeep	`24:8zaoJI4C5p1POAIpm7NuYqVR8DSDDSxabfCKfvmH:8O42TIPBWSAaLk`
Yara	Antivirus - Contains references to security software Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "soBtY" "C:\Users\test22\AppData\Local\Temp\Multi National Recruitment System Templete.pdf.lnk"
3036
- cmd.exe "C:\Windows\System32\cmd.exe" /c powershell.exe -command - < Thumbs.db
  2196

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW July 19, 2023, 9:23 a.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\Multi National Recruitment System Templete.pdf.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c powershell.exe -command - < Thumbs.db

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Sangfor	Trojan.Generic-LNK.Save.bfcd5f80
VBA32	Trojan.Link.CmdRunner
SentinelOne	Static AI - Suspicious LNK

Yara rule detected in process memory (9 events)

description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	DebuggerException__SetConsoleCtrl
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3036 resumed a thread in remote process 2196
NtResumeThread July 19, 2023, 9:23 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2196	1	0	0