Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.20 09:11
mainbas.bat
11.20 09:11
dll007.dll
11.20 09:11
exe004.exe
11.20 09:11
exe010.exe
11.20 09:11
blecher.exe
11.20 09:11
GetAdapterInfo.exe
11.20 09:11
dll004.dll
11.20 09:11
dll008.dll
11.20 09:11
bestthingsalwaysgetbes...
11.20 09:11
DKM-9067291.pdf.lnk

Latest News
11.21 02:11
Super Micro Hires New ...
11.21 02:11
Leveling Up Fuzzing: F...
11.21 02:11
Multiple Vulnerabiliti...
11.21 02:11
WOM’s Bond Rally Stall...
11.21 02:11
Detecting Pacific Rim ...
11.21 02:11
Senate Hearing Highlig...
11.21 02:11
Over 21K Equinox patie...
11.21 02:11
Misconfigured Jupyter ...
11.21 02:11
Meow, INC Ransom gangs...
11.21 02:11
Alleged Finastra breac...

Summary | ZeroBOX

setup.exe

Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) UPX Malicious Packer PE File DLL OS Processor Check PE32

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 18, 2021, 7:44 a.m.	Nov. 18, 2021, 8:13 a.m.

Size	1.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`682d741260d7a77643182eb40000ca92`
SHA256	`7f57705a95aea58f631f0d287cf0e6d380fa5c13bc95021997d1bb1d2940534f`
CRC32	`7ADED0CC`
ssdeep	`49152:eKzaWct2mph4nm83MsWpErDZ4rgNvFeBIDOeP:BGpt/ph4n9B4rgxk0P`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

setup.exe "C:\Users\test22\AppData\Local\Temp\setup.exe"
2768
- cmd.exe C:\Windows\system32\cmd.exe /C net stop MiningeService
  2868
  - net.exe net stop MiningeService
    2932
    - net1.exe C:\Windows\system32\net1 stop MiningeService
      2976
- cmd.exe C:\Windows\system32\cmd.exe /C Sc delete MiningeService
  3028
  - sc.exe Sc delete MiningeService
    2060
- cmd.exe C:\Windows\system32\cmd.exe /C Sc create MiningeService binpath= C:\Windows\Client.exe start= auto DisplayName= MiningeService
  1112
  - sc.exe Sc create MiningeService binpath= C:\Windows\Client.exe start= auto DisplayName= MiningeService
    1304
- cmd.exe C:\Windows\system32\cmd.exe /C sc description MiningeService ServiceManagerForMiner
  2232
  - sc.exe sc description MiningeService ServiceManagerForMiner
    2296
- cmd.exe C:\Windows\system32\cmd.exe /C net start MiningeService
  2404
  - net.exe net start MiningeService
    2456
    - net1.exe C:\Windows\system32\net1 start MiningeService
      2496

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
91.243.59.61	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 18, 2021, 7:44 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\nsbE11A.tmp\nsExec.dll
file	C:\Windows\Client.exe
file	C:\Users\test22\AppData\Local\Temp\nsbE11A.tmp\nsProcess.dll

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Nov. 18, 2021, 7:44 a.m.	service_start_name: start_type: 2 password: display_name: MiningeService filepath: C:\Windows\Client.exe service_name: MiningeService filepath_r: C:\Windows\Client.exe desired_access: 983551 service_handle: 0x0051b888 error_control: 1 service_type: 16 service_manager_handle: 0x0051b928	1	5355656	0

Creates a suspicious process (5 events)

cmdline	C:\Windows\system32\cmd.exe /C sc description MiningeService ServiceManagerForMiner
cmdline	C:\Windows\system32\cmd.exe /C Sc delete MiningeService
cmdline	C:\Windows\system32\cmd.exe /C net stop MiningeService
cmdline	C:\Windows\system32\cmd.exe /C net start MiningeService
cmdline	C:\Windows\system32\cmd.exe /C Sc create MiningeService binpath= C:\Windows\Client.exe start= auto DisplayName= MiningeService

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\nsbE11A.tmp\nsExec.dll
file	C:\Users\test22\AppData\Local\Temp\nsbE11A.tmp\nsProcess.dll

Uses Windows utilities for basic Windows functionality (10 events)

cmdline	net start MiningeService
cmdline	C:\Windows\system32\cmd.exe /C sc description MiningeService ServiceManagerForMiner
cmdline	Sc delete MiningeService
cmdline	Sc create MiningeService binpath= C:\Windows\Client.exe start= auto DisplayName= MiningeService
cmdline	net stop MiningeService
cmdline	sc description MiningeService ServiceManagerForMiner
cmdline	C:\Windows\system32\cmd.exe /C Sc delete MiningeService
cmdline	C:\Windows\system32\cmd.exe /C net stop MiningeService
cmdline	C:\Windows\system32\cmd.exe /C net start MiningeService
cmdline	C:\Windows\system32\cmd.exe /C Sc create MiningeService binpath= C:\Windows\Client.exe start= auto DisplayName= MiningeService

Communicates with host for which no DNS query was performed (1 event)

host

91.243.59.61

Installs itself for autorun at Windows startup (1 event)

service_name

MiningeService

service_path

C:\Windows\Client.exe