Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 7, 2023, 2:42 p.m.	Oct. 7, 2023, 2:45 p.m.

Size	13.5KB
Type	ASCII text, with CRLF line terminators
MD5	`17787170abd9adf8dcdfcfefdeea0194`
SHA256	`d8e4108286c37367977484ab4318358cc12613a686eb75bde3d75d64228b23be`
CRC32	`80FB19B1`
ssdeep	`192:DOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:DVODaDSHMql3yqlxy5L1xcjwrlz3`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "LCtKcmsKEZFv" C:\Users\test22\AppData\Local\Temp\DgKW9Ycr.bat
2548
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\DgKW9Ycr.bat
  2620
  - cscript.exe cscript x.js
    2740
  - MEMZ.exe "C:\Users\test22\AppData\Roaming\MEMZ.exe"
    2892
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 7, 2023, 2:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 7, 2023, 2:42 p.m.	buffer: un console_handle: 0x00000007	1	1
WriteConsoleW Oct. 7, 2023, 2:42 p.m.	buffer: ban collab vm; console_handle: 0x00000007	1	1
WriteConsoleW Oct. 7, 2023, 2:42 p.m.	buffer: 'un' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 7, 2023, 2:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000f	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 7, 2023, 2:42 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 7, 2023, 2:42 p.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a DialogBoxIndirectParamW+0x20a DialogBoxIndirectParamAorW-0x57 user32+0x3cdfd @ 0x7587cdfd DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7587cf5c SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x758af73c SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x758afa18 MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x758afb1f New_user32_MessageBoxTimeoutW@24+0x5e New_user32_RegisterHotKey@16-0x159 @ 0x736f76de MessageBoxTimeoutA+0x76 MessageBoxIndirectA-0x33 user32+0x6fb9e @ 0x758afb9e New_user32_MessageBoxTimeoutA@24+0x137 New_user32_MessageBoxTimeoutW@24-0x80 @ 0x736f7600 MessageBoxExA+0x1b MessageBoxExW-0x9 user32+0x6fcf1 @ 0x758afcf1 MessageBoxA+0x18 MessageBoxW-0x9 user32+0x6fd36 @ 0x758afd36 memz+0x1479 @ 0x1061479 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x73403c8c registers.esp: 2683932 registers.edi: 0 registers.eax: 1933589644 registers.ebp: 2683972 registers.edx: 0 registers.ebx: 0 registers.esi: 1933589644 registers.ecx: 7146856	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 7, 2023, 2:42 p.m.

stacktrace:

GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a
DialogBoxIndirectParamW+0x20a DialogBoxIndirectParamAorW-0x57 user32+0x3cdfd @ 0x7587cdfd
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7587cf5c
SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x758af73c
SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x758afa18
MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x758afb1f
New_user32_MessageBoxTimeoutW@24+0x5e New_user32_RegisterHotKey@16-0x159 @ 0x736f76de
MessageBoxTimeoutA+0x76 MessageBoxIndirectA-0x33 user32+0x6fb9e @ 0x758afb9e
New_user32_MessageBoxTimeoutA@24+0x137 New_user32_MessageBoxTimeoutW@24-0x80 @ 0x736f7600
MessageBoxExA+0x1b MessageBoxExW-0x9 user32+0x6fcf1 @ 0x758afcf1
MessageBoxA+0x18 MessageBoxW-0x9 user32+0x6fd36 @ 0x758afd36
memz+0x1479 @ 0x1061479
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x73403c8c
registers.esp: 2683932
registers.edi: 0
registers.eax: 1933589644
registers.ebp: 2683972
registers.edx: 0
registers.ebx: 0
registers.esi: 1933589644
registers.ecx: 7146856

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 7, 2023, 2:42 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 7, 2023, 2:42 p.m.	process_identifier: 2740 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 7, 2023, 2:44 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003ef0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\MEMZ.exe
file	C:\Users\test22\AppData\Local\Temp\x.js

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\MEMZ.exe

Potentially malicious URLs were found in the process memory dump (27 events)

url	http://pcoptimizerpro.com
url	http://google.co.ck/search?q=batch
url	http://google.co.ck/search?q=best
url	http://google.co.ck/search?q=bonzi
url	http://google.co.ck/search?q=g3t
url	http://google.co.ck/search?q=stanky
url	http://google.co.ck/search?q=virus
url	http://google.co.ck/search?q=mcafee
url	http://google.co.ck/search?q=the
url	http://google.co.ck/search?q=virus.exe
url	http://google.co.ck/search?q=internet
url	http://google.co.ck/search?q=facebook
url	http://google.co.ck/search?q=what
url	http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
url	http://google.co.ck/search?q=my
url	http://google.co.ck/search?q=vinesauce
url	http://google.co.ck/search?q=half
url	http://motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
url	http://google.co.ck/search?q=john
url	http://google.co.ck/search?q=skrillex
url	http://google.co.ck/search?q=minecraft
url	http://google.co.ck/search?q=montage
url	http://softonic.com
url	http://google.co.ck/search?q=how
url	http://play.clubpenguin.com
url	http://google.co.ck/search?q=dank
url	http://google.co.ck/search?q=is

Yara rule detected in process memory (50 out of 63 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\MEMZ.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2620 resumed a thread in remote process 2892
NtResumeThread Oct. 7, 2023, 2:42 p.m.	thread_handle: 0x0000008c suspend_count: 0 process_identifier: 2892	1	0	0

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Lionic	Trojan.Script.Memz.4!c
MicroWorld-eScan	Generic.Zmem.1.3F7310CB
FireEye	Generic.Zmem.1.3F7310CB
CAT-QuickHeal	BAT.Agent.FS
ALYac	Generic.Zmem.1.3F7310CB
Sangfor	Trojan.Generic-BAT.Save.6fddfff7
Cyren	BAT/Agent.AGE
Symantec	Trojan.Gen.NPE
ESET-NOD32	BAT/TrojanDropper.Agent.NCY
Avast	Script:SNH-gen [Drp]
Kaspersky	Trojan.BAT.Memz.b
BitDefender	Generic.Zmem.1.3F7310CB
NANO-Antivirus	Trojan.Script.Dropper.hkfymg
DrWeb	Trojan.KillAll.143
VIPRE	Generic.Zmem.1.3F7310CB
McAfee-GW-Edition	BAT/Dropper.e
Ikarus	Trojan-Dropper.BAT.Agent
Kingsoft	Script.Ks.Malware.17099
Arcabit	Generic.Zmem.1.3F7310CB
ViRobot	HTML.Z.Agent.13803
ZoneAlarm	Trojan.BAT.Memz.b
GData	Generic.Zmem.1.3F7310CB
Google	Detected
Tencent	Unk.Win32.Script.403928
MAX	malware (ai score=81)
Fortinet	BAT/Agent.NCY!tr
AVG	Script:SNH-gen [Drp]

DgKW9Ycr.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All