Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 2, 2021, 10:34 a.m.	April 2, 2021, 10:48 a.m.

Size	235.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`85fe410ff23b4ef7db799ecdf574dd91`
SHA256	`9b877d63088137a893a8b4b9f6774b25f7f9edaa6345e09130b3d18dcbed2ff7`
CRC32	`585AC197`
ssdeep	`6144:LkfzyEnKwa1oLsfi8X4jqbGelDBDDAObo+WH2Xe:LkKv1oLsfwo13DDfbX`
PDB Path	D:\Zenar Project\Miner\Zenar Ð¿Ð¾Ð±Ð¾ÑÐ½Ð°Ñ Ð²ÐµÑÐ²Ñ\Release\Zenar.pdb
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero network_http - Communications over HTTP win_files_operation - Affect private profile Str_Win32_Wininet_Library - Match Windows Inet API library declaration Str_Win32_Internet_API - Match Windows Inet API call Str_Win32_Http_API - Match Windows Http API call IsPE32 - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

Zenar.exe "C:\Users\test22\AppData\Local\Temp\Zenar.exe"
620
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
164.124.101.2	Active	Moloch
86.105.252.166	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

D:\Zenar Project\Miner\Zenar Ð¿Ð¾Ð±Ð¾ÑÐ½Ð°Ñ Ð²ÐµÑÐ²Ñ\Release\Zenar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 2, 2021, 10:34 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (2 events)

request	GET http://iplogger.org/1ueLp7
request	GET https://iplogger.org/1ueLp7

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 2, 2021, 10:34 a.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72842000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 2, 2021, 10:34 a.m.	process_identifier: 620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03250000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

Zenar.exe tried to sleep 176 seconds, actually delayed analysis time by 176 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW April 2, 2021, 10:34 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13719175168 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1	0
GetDiskFreeSpaceExW April 2, 2021, 10:35 a.m.	total_number_of_free_bytes: 13716099072 free_bytes_available: 13716099072 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (3 events)

file	C:\ProgramData\Data\Data\Database.exe
file	C:\ProgramData\7zxa.dll
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\7zxa[1].dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004b0 process_name: mobsync.exe process_identifier: 2540	1	1
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004b0 process_name: pw.exe process_identifier: 1188	1	1
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004b0 process_name: taskhost.exe process_identifier: 2032	1	1
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004b0 process_name: Zenar.exe process_identifier: 620	1	1
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000214 process_name: cmd.exe process_identifier: 2344	1	1
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000214 process_name: conhost.exe process_identifier: 1908	1	1

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 116 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004b0 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004b0 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004bc process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004bc process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004c4 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004b0 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004bc process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004c0 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004c4 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004c4 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004c4 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004c8 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004c8 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004c8 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004e0 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004e0 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004e0 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004e0 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004e0 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004e0 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004e0 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004e0 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004e0 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004e0 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004e0 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004e0 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x000004e0 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0
Process32NextW April 2, 2021, 10:34 a.m.	snapshot_handle: 0x00000220 process_name: Zenar.exe process_identifier: 620		0	0

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 90e1dffda9e0346c7453c01a73936644cc4c225f

Communicates with host for which no DNS query was performed (1 event)

host

86.105.252.166

Network activity contains more than one unique useragent (2 events)

process	Zenar.exe				useragent	Run
process	Zenar.exe				useragent

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Bkav	W32.AIDetect.malware2
FireEye	Generic.mg.85fe410ff23b4ef7
McAfee	RDN/Generic.rp
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.65ba59
Arcabit	Trojan.Generic.D22EB586
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Malware-gen
Cynet	Malicious (score: 100)
BitDefender	Trojan.GenericKD.36615558
MicroWorld-eScan	Trojan.GenericKD.36615558
Ad-Aware	Trojan.GenericKD.36615558
Emsisoft	Trojan.GenericKD.36615558 (B)
McAfee-GW-Edition	BehavesLike.Win32.OxyPump.dh
eGambit	Unsafe.AI_Score_99%
Gridinsoft	Adware.Win32.Downloader.sa
Microsoft	PUA:Win32/CoinMiner
AegisLab	Trojan.Win32.Generic.4!c
GData	Trojan.GenericKD.36615558
BitDefenderTheta	Gen:NN.ZexaF.34662.ouW@aeSEXkfi
VBA32	suspected of Trojan.Downloader.gen
Rising	Trojan.CoinMiner!8.30A (CLOUD)
SentinelOne	Static AI - Malicious PE
Fortinet	PossibleThreat.MU
AVG	Win32:Malware-gen
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Win32/Heur.Generic.HwoCRhsA

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	86.105.252.166:55387
dead_host	86.105.252.166:57668

Zenar.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All