Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.09 10:09
vjgg.exe
09.09 10:09
lnef.exe
09.09 10:09
1.exe
09.09 10:09
oclo.exe
09.09 10:09
pclient.exe
09.09 10:09
lemon.exe
09.09 10:09
responsibilityleadpro.exe
09.09 09:09
Twitch x Loot Lab Even...
09.09 09:09
66dcad8f5f33a_crypted.exe
09.09 09:09
sgf.exe

Latest News
09.09 02:09
국정원, CSK 2024서 주요 사이버안...
09.09 02:09
Mainframe Chip has 360...
09.09 01:09
U.S. Offers $10 Millio...
09.09 01:09
밸롭·웨이든, 24FW 뉴 컬렉션 런칭에...
09.09 01:09
플로리아, 층간소음매트부문 '2024년 ...
09.09 01:09
웹 예능 '기억을 잊는 밤' 누적 조회수...
09.09 01:09
한국장학진흥원, 심리상담사 자격증 24종...
09.09 01:09
코드크레용 'Shortime', 글로벌 ...
09.09 01:09
핀블랙(PINBLACK), 빈티지 '여성...
09.09 01:09
Why ICS Is the Busines...

Summary | ZeroBOX

FACTCARREFES12222432422112843423221DBESE.msi

Malicious Packer Admin Tool (Sysinternals etc ...) Malicious Library OS Processor Check MSOffice File

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 23, 2021, 10:35 a.m.	Aug. 23, 2021, 10:38 a.m.

Size	8.0MB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Code page: 1252, Revision Number: {F9414DB5-3023-4F85-ACF8-B859D47AFDA0}, Number of Words: 10, Subject: PDF Adobe Flash, Author: PDF Adobe Flash, Name of Creating Application: Advanced Installer 12.2.1 build 64247, Template: ;1033, Comments: This installer database contains the logic and data required to install PDF Adobe Flash., Title: Installation Database, Keywords: Installer, MSI, Database, Security: 0, Number of Pages: 200
MD5	`c7f61bcdad06be4d2f14d67f428765cd`
SHA256	`75fb4eb817f922245e1efb31e4209363693da76993b30466e4059b50ab1e80be`
CRC32	`589B2187`
ssdeep	`98304:qOYaA5EMVUi/7N7t8w+L0787OqOVHnEGVA74cHwKe:q1Bp8z7KP+`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library Microsoft_Office_File_Zero - Microsoft Office File Malicious_Packer_Zero - Malicious Packer

msiexec.exe "C:\Windows\System32\msiexec.exe" /I C:\Users\test22\AppData\Local\Temp\FACTCARREFES12222432422112843423221DBESE.msi
2300
explorer.exe C:\Windows\Explorer.EXE
1924

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 23, 2021, 10:35 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA Aug. 23, 2021, 10:35 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 23, 2021, 10:35 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 23, 2021, 10:35 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 23, 2021, 10:35 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 23, 2021, 10:35 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73aa1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 23, 2021, 10:35 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a81000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 23, 2021, 10:35 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738f1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 23, 2021, 10:35 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73101000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 23, 2021, 10:35 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738d1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 23, 2021, 10:35 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738c1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 23, 2021, 10:35 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738a1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 23, 2021, 10:35 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x730b1000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Aug. 23, 2021, 10:35 a.m.	process_identifier: 2300 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Aug. 23, 2021, 10:35 a.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04220000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 23, 2021, 10:35 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x730a2000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Aug. 23, 2021, 10:35 a.m.	process_identifier: 2300 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03e50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Aug. 23, 2021, 10:35 a.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03e50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 23, 2021, 10:35 a.m.	total_number_of_free_bytes: 10231083008 free_bytes_available: 10231083008 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceW Aug. 23, 2021, 10:35 a.m.	number_of_free_clusters: 2497823 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 23, 2021, 10:35 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0
LookupPrivilegeValueW Aug. 23, 2021, 10:35 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1	0
LookupPrivilegeValueW Aug. 23, 2021, 10:35 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1	0
LookupPrivilegeValueW Aug. 23, 2021, 10:35 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1	0
LookupPrivilegeValueW Aug. 23, 2021, 10:35 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1	0
LookupPrivilegeValueW Aug. 23, 2021, 10:35 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0
LookupPrivilegeValueW Aug. 23, 2021, 10:35 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1	0
LookupPrivilegeValueW Aug. 23, 2021, 10:35 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1	0
LookupPrivilegeValueW Aug. 23, 2021, 10:35 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1	0
LookupPrivilegeValueW Aug. 23, 2021, 10:35 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW Aug. 23, 2021, 10:35 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0
LookupPrivilegeValueW Aug. 23, 2021, 10:35 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 23, 2021, 10:35 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1	0
LookupPrivilegeValueW Aug. 23, 2021, 10:35 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1	0
LookupPrivilegeValueW Aug. 23, 2021, 10:35 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1	0
LookupPrivilegeValueW Aug. 23, 2021, 10:35 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1	0

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

MicroWorld-eScan	Gen:Variant.Cerbu.110516
FireEye	Gen:Variant.Cerbu.110516
ALYac	Gen:Variant.Cerbu.110516
Sangfor	Worm.Win32.Save.a
ESET-NOD32	a variant of Win32/TrojanDownloader.Banload.YQW
ClamAV	Win.Downloader.Zusy-9871340-0
BitDefender	Gen:Variant.Cerbu.110516
Emsisoft	Gen:Variant.Cerbu.110516 (B)
MAX	malware (ai score=84)
Microsoft	Trojan:Win32/Wacatac.B!ml
Arcabit	Trojan.Cerbu.D1AFB4
GData	Gen:Variant.Cerbu.110516
AhnLab-V3	Trojan/Win.Generic.C4524271
McAfee	Artemis!3BCAD32DBB1B
VBA32	TScope.Trojan.Delf
Zoner	Trojan.DOC.81465
Fortinet	W32/Banload.YQD!tr.dldr