Report - ZeroBOX

ScreenShot


Created	2023.09.17 09:38	Machine	s1_win7_x6402
Filename	Invoice_88737.lnk
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Fri May 7 23:16:08 2021, mtime=Fri May 7 23:16:08 2021, atime=Fri May 7 23:16:
AI Score	Not founds	Behavior Score	9.2
ZERO API	file : clean
VT API (file)	5 detected (PSRunner, CLASSIC, Probably Heur, LNKScript, Static AI, Suspicious LNK)
md5	9226cdef332b7e61317d0d12e76578c8
sha256	916ea8bc5735dae25ea4df4eadba0da4f85fdaeaf99dd6f7210e44ee594425e2
ssdeep	24:8FimDF69tYDvqswCK4IWsOmJBWkp+/CWRHUTHVHeEcR5FpYkUm:8smR69tGy4sjJ4m14R5FplU
imphash
impfuzzy

Network IP location

Level	Description
watch	A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations.
watch	Communicates with host for which no DNS query was performed
watch	Creates a suspicious Powershell process
watch	Creates a windows hook that monitors keyboard input (keylogger)
watch	Drops a binary and executes it
watch	One or more non-whitelisted processes were created
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
watch	The process powershell.exe wrote an executable file to disk
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks adapter addresses which can be used to detect virtual network interfaces
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Creates a shortcut to an executable file
notice	Creates a suspicious process
notice	File has been identified by 5 AntiVirus engines on VirusTotal as malicious
notice	Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	Collects information to fingerprint the system (MachineGuid
info	Command line console output was observed
info	Queries for the computername
info	Uses Windows APIs to generate a cryptographic key

Level	Name	Description	Collection
warning	Generic_Malware_Zero	Generic Malware	binaries (upload)
watch	Antivirus	Contains references to security software	binaries (upload)
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Malicious_Packer_Zero	Malicious Packer	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (download)
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	IsPE64	(no description)	binaries (download)
info	lnk_file_format	Microsoft Windows Shortcut File Format	binaries (upload)
info	Lnk_Format_Zero	LNK Format	binaries (upload)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Request	ASN Co	IP4	ZERO ?
http://154.53.50.79:8081/fud.vbs whois	COGENT-174	154.53.50.79	mailcious
http://154.53.50.79:8081/d.ico whois	COGENT-174	154.53.50.79	clean
http://154.53.50.79:8081/payload.zip whois	COGENT-174	154.53.50.79	malware
http://154.53.50.79:8081/ whois	COGENT-174	154.53.50.79	clean
http://154.53.50.79:8081/cmd.exe whois	COGENT-174	154.53.50.79	clean
154.53.50.79 whois	COGENT-174	154.53.50.79	malware

Report - Invoice_88737.lnk