Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.13 03:11
espsemhvcioff.exe
11.13 02:11
Geek_se.exe
11.13 02:11
cred64.dll
11.13 02:11
svhost.exe
11.13 02:11
nb.exe
11.13 02:11
svcyr.exe
11.13 02:11
Ghost_1.5.11.5.exe
11.13 02:11
PowderGpl.exe
11.13 02:11
goodlabel%E6%89%93%E5%...
11.13 02:11
ua.exe

Latest News
11.13 02:11
Ransomware intrusion t...
11.13 02:11
Cyber incident impacts...
11.13 02:11
Set Forth hack comprom...
11.13 02:11
Over 300K Presbyterian...
11.13 02:11
DDoS attack targets Is...
11.13 02:11
Almost 57M affected by...
11.13 02:11
프리미엄 펫푸드 브랜드 애니콩, '메가쇼...
11.13 02:11
November 2024 Patch Tu...
11.13 02:11
터빈크루, '2024 MNU메이커페스티벌...
11.13 02:11
[사전규격공개] 25년 주요 침해사고 탐...

Summary | ZeroBOX

Multi National Recruitment System Templete.pdf.lnk

Antivirus AntiVM AntiDebug GIF Format

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 19, 2023, 9:23 a.m.	July 19, 2023, 9:25 a.m.

Size	1019.0B
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has command line arguments, Icon number=13, Archive, ctime=Fri Apr 9 04:49:28 2021, mtime=Mon May 30 17:40:02 2022, atime=Fri Apr 9 04:49:28 2021, length=289792, window=hidenormalshowminimized
MD5	`3c5aacd54c4f9baa9a58423b3fe0969d`
SHA256	`89062a28f33021539ab3d197c124040177e5ae94a05e1ac7a4f1c852d6b498cf`
CRC32	`A3D839CB`
ssdeep	`24:8zaoJI4C5p1POAIpm7NuYqVR8DSDDSxabfCKfvmH:8O42TIPBWSAaLk`
Yara	Antivirus - Contains references to security software Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "soBtY" "C:\Users\test22\AppData\Local\Temp\Multi National Recruitment System Templete.pdf.lnk"
3036
- cmd.exe "C:\Windows\System32\cmd.exe" /c powershell.exe -command - < Thumbs.db
  2196

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW July 19, 2023, 9:23 a.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\Multi National Recruitment System Templete.pdf.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c powershell.exe -command - < Thumbs.db

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Sangfor	Trojan.Generic-LNK.Save.bfcd5f80
VBA32	Trojan.Link.CmdRunner
SentinelOne	Static AI - Suspicious LNK

Yara rule detected in process memory (9 events)

description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	DebuggerException__SetConsoleCtrl
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3036 resumed a thread in remote process 2196
NtResumeThread July 19, 2023, 9:23 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2196	1	0	0