Summary | ZeroBOX

DgKW9Ycr.bat

Suspicious_Script_Bin Malicious Library Downloader HTTP ScreenShot Create Service KeyLogger Internet API P2P DGA Http API persistence FTP Socket Escalate priviledges DNS Code injection PWS Sniff Audio Steal credential AntiDebug PE File AntiVM PE32
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 7, 2023, 2:42 p.m. Oct. 7, 2023, 2:45 p.m.
Size 13.5KB
Type ASCII text, with CRLF line terminators
MD5 17787170abd9adf8dcdfcfefdeea0194
SHA256 d8e4108286c37367977484ab4318358cc12613a686eb75bde3d75d64228b23be
CRC32 80FB19B1
ssdeep 192:DOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:DVODaDSHMql3yqlxy5L1xcjwrlz3
Yara None matched

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: un
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ban collab vm;
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'un' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x0000000f
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a
DialogBoxIndirectParamW+0x20a DialogBoxIndirectParamAorW-0x57 user32+0x3cdfd @ 0x7587cdfd
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7587cf5c
SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x758af73c
SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x758afa18
MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x758afb1f
New_user32_MessageBoxTimeoutW@24+0x5e New_user32_RegisterHotKey@16-0x159 @ 0x736f76de
MessageBoxTimeoutA+0x76 MessageBoxIndirectA-0x33 user32+0x6fb9e @ 0x758afb9e
New_user32_MessageBoxTimeoutA@24+0x137 New_user32_MessageBoxTimeoutW@24-0x80 @ 0x736f7600
MessageBoxExA+0x1b MessageBoxExW-0x9 user32+0x6fcf1 @ 0x758afcf1
MessageBoxA+0x18 MessageBoxW-0x9 user32+0x6fd36 @ 0x758afd36
memz+0x1479 @ 0x1061479
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x73403c8c
registers.esp: 2683932
registers.edi: 0
registers.eax: 1933589644
registers.ebp: 2683972
registers.edx: 0
registers.ebx: 0
registers.esi: 1933589644
registers.ecx: 7146856
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73662000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03600000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1452
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003ef0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Roaming\MEMZ.exe
file C:\Users\test22\AppData\Local\Temp\x.js
file C:\Users\test22\AppData\Roaming\MEMZ.exe
url http://pcoptimizerpro.com
url http://google.co.ck/search?q=batch
url http://google.co.ck/search?q=best
url http://google.co.ck/search?q=bonzi
url http://google.co.ck/search?q=g3t
url http://google.co.ck/search?q=stanky
url http://google.co.ck/search?q=virus
url http://google.co.ck/search?q=mcafee
url http://google.co.ck/search?q=the
url http://google.co.ck/search?q=virus.exe
url http://google.co.ck/search?q=internet
url http://google.co.ck/search?q=facebook
url http://google.co.ck/search?q=what
url http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
url http://google.co.ck/search?q=my
url http://google.co.ck/search?q=vinesauce
url http://google.co.ck/search?q=half
url http://motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
url http://google.co.ck/search?q=john
url http://google.co.ck/search?q=skrillex
url http://google.co.ck/search?q=minecraft
url http://google.co.ck/search?q=montage
url http://softonic.com
url http://google.co.ck/search?q=how
url http://play.clubpenguin.com
url http://google.co.ck/search?q=dank
url http://google.co.ck/search?q=is
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
file C:\Users\test22\AppData\Roaming\MEMZ.exe
Process injection Process 2620 resumed a thread in remote process 2892
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000008c
suspend_count: 0
process_identifier: 2892
1 0 0
Lionic Trojan.Script.Memz.4!c
MicroWorld-eScan Generic.Zmem.1.3F7310CB
FireEye Generic.Zmem.1.3F7310CB
CAT-QuickHeal BAT.Agent.FS
ALYac Generic.Zmem.1.3F7310CB
Sangfor Trojan.Generic-BAT.Save.6fddfff7
Cyren BAT/Agent.AGE
Symantec Trojan.Gen.NPE
ESET-NOD32 BAT/TrojanDropper.Agent.NCY
Avast Script:SNH-gen [Drp]
Kaspersky Trojan.BAT.Memz.b
BitDefender Generic.Zmem.1.3F7310CB
NANO-Antivirus Trojan.Script.Dropper.hkfymg
DrWeb Trojan.KillAll.143
VIPRE Generic.Zmem.1.3F7310CB
McAfee-GW-Edition BAT/Dropper.e
Ikarus Trojan-Dropper.BAT.Agent
Kingsoft Script.Ks.Malware.17099
Arcabit Generic.Zmem.1.3F7310CB
ViRobot HTML.Z.Agent.13803
ZoneAlarm Trojan.BAT.Memz.b
GData Generic.Zmem.1.3F7310CB
Google Detected
Tencent Unk.Win32.Script.403928
MAX malware (ai score=81)
Fortinet BAT/Agent.NCY!tr
AVG Script:SNH-gen [Drp]