Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 7, 2023, 2:45 p.m.	Oct. 7, 2023, 2:48 p.m.

Size	13.5KB
Type	ASCII text, with CRLF line terminators
MD5	`44fbd58c401a7786da2e8b6a6291379e`
SHA256	`d8b47727ea05305ad396977b336c3bfc86ae122cdde01976fa9b0c3a7c2d3f24`
CRC32	`B49D9752`
ssdeep	`192:vOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:vVODaDSHMql3yqlxy5L1xcjwrlz3`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "zqeuKpD" C:\Users\test22\AppData\Local\Temp\ZBzdymFh.bat
3068
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\ZBzdymFh.bat
  2200
  - cscript.exe cscript x.js
    296
  - MEMZ.exe "C:\Users\test22\AppData\Roaming\MEMZ.exe"
    1628
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 7, 2023, 2:45 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000f	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 7, 2023, 2:45 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 7, 2023, 2:46 p.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75736d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x757377c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7573788a DialogBoxIndirectParamW+0x20a DialogBoxIndirectParamAorW-0x57 user32+0x3cdfd @ 0x7575cdfd DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7575cf5c SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7578f73c SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7578fa18 MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7578fb1f New_user32_MessageBoxTimeoutW@24+0x5e New_user32_RegisterHotKey@16-0x159 @ 0x745276de MessageBoxTimeoutA+0x76 MessageBoxIndirectA-0x33 user32+0x6fb9e @ 0x7578fb9e New_user32_MessageBoxTimeoutA@24+0x137 New_user32_MessageBoxTimeoutW@24-0x80 @ 0x74527600 MessageBoxExA+0x1b MessageBoxExW-0x9 user32+0x6fcf1 @ 0x7578fcf1 MessageBoxA+0x18 MessageBoxW-0x9 user32+0x6fd36 @ 0x7578fd36 memz+0x1479 @ 0x1121479 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x740369a8 registers.esp: 4519088 registers.edi: 0 registers.eax: 1946380712 registers.ebp: 4519128 registers.edx: 0 registers.ebx: 0 registers.esi: 1946380712 registers.ecx: 7343464	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 7, 2023, 2:46 p.m.

stacktrace:

GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75736d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x757377c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7573788a
DialogBoxIndirectParamW+0x20a DialogBoxIndirectParamAorW-0x57 user32+0x3cdfd @ 0x7575cdfd
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7575cf5c
SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7578f73c
SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7578fa18
MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7578fb1f
New_user32_MessageBoxTimeoutW@24+0x5e New_user32_RegisterHotKey@16-0x159 @ 0x745276de
MessageBoxTimeoutA+0x76 MessageBoxIndirectA-0x33 user32+0x6fb9e @ 0x7578fb9e
New_user32_MessageBoxTimeoutA@24+0x137 New_user32_MessageBoxTimeoutW@24-0x80 @ 0x74527600
MessageBoxExA+0x1b MessageBoxExW-0x9 user32+0x6fcf1 @ 0x7578fcf1
MessageBoxA+0x18 MessageBoxW-0x9 user32+0x6fd36 @ 0x7578fd36
memz+0x1479 @ 0x1121479
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x740369a8
registers.esp: 4519088
registers.edi: 0
registers.eax: 1946380712
registers.ebp: 4519128
registers.edx: 0
registers.ebx: 0
registers.esi: 1946380712
registers.ecx: 7343464

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 7, 2023, 2:45 p.m.	process_identifier: 296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742f2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 7, 2023, 2:45 p.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 7, 2023, 2:39 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000075b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2023, 2:45 p.m.	process_identifier: 1628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74383000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\MEMZ.exe
file	C:\Users\test22\AppData\Local\Temp\x.js

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\MEMZ.exe

Potentially malicious URLs were found in the process memory dump (27 events)

url	http://pcoptimizerpro.com
url	http://google.co.ck/search?q=batch
url	http://google.co.ck/search?q=best
url	http://google.co.ck/search?q=bonzi
url	http://google.co.ck/search?q=g3t
url	http://google.co.ck/search?q=stanky
url	http://google.co.ck/search?q=virus
url	http://google.co.ck/search?q=mcafee
url	http://google.co.ck/search?q=the
url	http://google.co.ck/search?q=virus.exe
url	http://google.co.ck/search?q=internet
url	http://google.co.ck/search?q=facebook
url	http://google.co.ck/search?q=what
url	http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
url	http://google.co.ck/search?q=my
url	http://google.co.ck/search?q=vinesauce
url	http://google.co.ck/search?q=half
url	http://motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
url	http://google.co.ck/search?q=john
url	http://google.co.ck/search?q=skrillex
url	http://google.co.ck/search?q=minecraft
url	http://google.co.ck/search?q=montage
url	http://softonic.com
url	http://google.co.ck/search?q=how
url	http://play.clubpenguin.com
url	http://google.co.ck/search?q=dank
url	http://google.co.ck/search?q=is

Yara rule detected in process memory (50 out of 63 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\MEMZ.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2200 resumed a thread in remote process 1628
NtResumeThread Oct. 7, 2023, 2:45 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 1628	1	0	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Lionic	Trojan.BAT.Memz.4!c
CAT-QuickHeal	BAT.Agent.FS
McAfee	BAT/Dropper.e
Sangfor	Trojan.Generic-BAT.Save.6fddfff7
Arcabit	Generic.Zmem.1.A4BD8DA5
Cyren	BAT/Agent.AGE
Symantec	Trojan.Gen.MBT
ESET-NOD32	BAT/TrojanDropper.Agent.NCY
Avast	Other:Malware-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	Trojan.BAT.Memz.b
BitDefender	Generic.Zmem.1.A4BD8DA5
NANO-Antivirus	Trojan.Script.Dropper.hkfymg
MicroWorld-eScan	Generic.Zmem.1.A4BD8DA5
Tencent	Unk.Win32.Script.403928
Emsisoft	Trojan.Memz (A)
F-Secure	Malware.HTML/ExpKit.Gen2
DrWeb	Trojan.KillAll.143
VIPRE	Generic.Zmem.1.A4BD8DA5
McAfee-GW-Edition	BAT/Dropper.e
FireEye	Generic.Zmem.1.A4BD8DA5
Sophos	Troj/BatDrp-AA
Ikarus	Trojan-Dropper.BAT.Agent
Jiangmin	Trojan.BAT.Memz.a
Avira	HTML/ExpKit.Gen2
Kingsoft	Script.Ks.Malware.17099
Xcitium	Malware@#10ov8inbnn3yr
Microsoft	TrojanDropper:BAT/Starter.G!MSR
ZoneAlarm	Trojan.BAT.Memz.b
GData	Generic.Zmem.1.A4BD8DA5
Google	Detected
ALYac	Generic.Zmem.1.A4BD8DA5
Rising	Dropper.Agent/BAT!1.CE50 (CLASSIC)
MAX	malware (ai score=84)
Fortinet	BAT/Agent.NCY!tr
AVG	Other:Malware-gen [Trj]

ZBzdymFh.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All