Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.22 06:09
audiodg.exe
09.22 06:09
psfod.exe
09.22 06:09
73EtsZxIoDetWTu.exe
09.22 06:09
otqp9.exe
09.22 06:09
xx.exe
09.22 06:09
fck.exe
09.22 06:09
LummaC222222.exe
09.22 06:09
seethebestwayforunders...
09.22 06:09
Name.exe
09.22 06:09
needmoney.exe

Latest News
09.22 08:09
Hackfest, A New Event ...
09.22 08:09
엠클라우독, 문서 관리 및 정보보안 분야...
09.22 08:09
엘세븐시큐리티, 개인정보 차단 솔루션 시...
09.22 07:09
Examining Mobile Threa...
09.22 07:09
스패로우, SW 공급망 보안 시장서 리더...
09.22 07:09
스콥정보통신, 네트워크 자원관리 및 접근...
09.22 06:09
Unicorn2 Devblog: mmap...
09.22 06:09
국제 사이버범죄조직들에 맞서 치열한 전투...
09.22 05:09
Staffelstabübergabe de...
09.22 05:09
세일포인트, 금융기관 맞춤형 아이덴티티 ...

Summary | ZeroBOX

setup.exe

Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) UPX Malicious Packer PE File DLL OS Processor Check PE32

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 18, 2021, 7:44 a.m.	Nov. 18, 2021, 8:13 a.m.

Size	1.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`682d741260d7a77643182eb40000ca92`
SHA256	`7f57705a95aea58f631f0d287cf0e6d380fa5c13bc95021997d1bb1d2940534f`
CRC32	`7ADED0CC`
ssdeep	`49152:eKzaWct2mph4nm83MsWpErDZ4rgNvFeBIDOeP:BGpt/ph4n9B4rgxk0P`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

setup.exe "C:\Users\test22\AppData\Local\Temp\setup.exe"
2768
- cmd.exe C:\Windows\system32\cmd.exe /C net stop MiningeService
  2868
  - net.exe net stop MiningeService
    2932
    - net1.exe C:\Windows\system32\net1 stop MiningeService
      2976
- cmd.exe C:\Windows\system32\cmd.exe /C Sc delete MiningeService
  3028
  - sc.exe Sc delete MiningeService
    2060
- cmd.exe C:\Windows\system32\cmd.exe /C Sc create MiningeService binpath= C:\Windows\Client.exe start= auto DisplayName= MiningeService
  1112
  - sc.exe Sc create MiningeService binpath= C:\Windows\Client.exe start= auto DisplayName= MiningeService
    1304
- cmd.exe C:\Windows\system32\cmd.exe /C sc description MiningeService ServiceManagerForMiner
  2232
  - sc.exe sc description MiningeService ServiceManagerForMiner
    2296
- cmd.exe C:\Windows\system32\cmd.exe /C net start MiningeService
  2404
  - net.exe net start MiningeService
    2456
    - net1.exe C:\Windows\system32\net1 start MiningeService
      2496

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
91.243.59.61	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 18, 2021, 7:44 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\nsbE11A.tmp\nsExec.dll
file	C:\Windows\Client.exe
file	C:\Users\test22\AppData\Local\Temp\nsbE11A.tmp\nsProcess.dll

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Nov. 18, 2021, 7:44 a.m.	service_start_name: start_type: 2 password: display_name: MiningeService filepath: C:\Windows\Client.exe service_name: MiningeService filepath_r: C:\Windows\Client.exe desired_access: 983551 service_handle: 0x0051b888 error_control: 1 service_type: 16 service_manager_handle: 0x0051b928	1	5355656	0

Creates a suspicious process (5 events)

cmdline	C:\Windows\system32\cmd.exe /C sc description MiningeService ServiceManagerForMiner
cmdline	C:\Windows\system32\cmd.exe /C Sc delete MiningeService
cmdline	C:\Windows\system32\cmd.exe /C net stop MiningeService
cmdline	C:\Windows\system32\cmd.exe /C net start MiningeService
cmdline	C:\Windows\system32\cmd.exe /C Sc create MiningeService binpath= C:\Windows\Client.exe start= auto DisplayName= MiningeService

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\nsbE11A.tmp\nsExec.dll
file	C:\Users\test22\AppData\Local\Temp\nsbE11A.tmp\nsProcess.dll

Uses Windows utilities for basic Windows functionality (10 events)

cmdline	net start MiningeService
cmdline	C:\Windows\system32\cmd.exe /C sc description MiningeService ServiceManagerForMiner
cmdline	Sc delete MiningeService
cmdline	Sc create MiningeService binpath= C:\Windows\Client.exe start= auto DisplayName= MiningeService
cmdline	net stop MiningeService
cmdline	sc description MiningeService ServiceManagerForMiner
cmdline	C:\Windows\system32\cmd.exe /C Sc delete MiningeService
cmdline	C:\Windows\system32\cmd.exe /C net stop MiningeService
cmdline	C:\Windows\system32\cmd.exe /C net start MiningeService
cmdline	C:\Windows\system32\cmd.exe /C Sc create MiningeService binpath= C:\Windows\Client.exe start= auto DisplayName= MiningeService

Communicates with host for which no DNS query was performed (1 event)

host

91.243.59.61

Installs itself for autorun at Windows startup (1 event)

service_name

MiningeService

service_path

C:\Windows\Client.exe