Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

pls.exe

NSIS UPX Malicious Library PE File DLL OS Processor Check PE32

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 25, 2023, 8:26 a.m.	July 25, 2023, 8:28 a.m.

Size	321.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`3b32db2fff556c03e79cf112664238fd`
SHA256	`d077f7cdbf9da10df4b138ca548aa8293649c6e2b496a76574b73749d5ee01f6`
CRC32	`C1204081`
ssdeep	`6144:AYa6ricpu7o430Rh8ep9jSzqDeohc0n0gEkWGXRNSJK7EpyKwTwGMM9T:AYBTpE53O8OSzgzhZn0FQNQCSM9T`
Yara	UPX_Zero - UPX packed file NSIS_Installer - Null Soft Installer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

pls.exe "C:\Users\test22\AppData\Local\Temp\pls.exe"
1020
- pls.exe "C:\Users\test22\AppData\Local\Temp\pls.exe"
  2132

Name	Response	Post-Analysis Lookup
www.mioranopshop1.com	CNAME cdn1.wixdns.net CNAME td-ccm-neg-87-45.wixdns.net A 34.149.87.45	34.149.87.45
www.rumirajut.com	A 173.232.112.114	173.232.112.114
www.kwikwak.top	A 162.0.214.109	162.0.214.109
www.purelyunorthodox.com	A 154.204.19.73	154.204.19.73
www.amazing-s.com	CNAME amazing-s.com A 81.169.145.68	81.169.145.68
www.sqlite.org	A 45.33.6.223	45.33.6.223
www.ianfobase.com	A 167.172.228.26 CNAME ianfobase.com	167.172.228.26
www.gt6yzx.cfd	A 43.154.67.170	43.154.67.170
www.xn--cailang1-ml9sl35r.xyz	A 35.186.197.188	35.186.197.188
www.gtma10.vip	A 104.21.36.97 A 172.67.192.77	172.67.192.77

IP Address	Status	Action
154.204.19.73	Active	Moloch
162.0.214.109	Active	Moloch
164.124.101.2	Active	Moloch
167.172.228.26	Active	Moloch
172.67.192.77	Active	Moloch
173.232.112.114	Active	Moloch
34.149.87.45	Active	Moloch
35.186.197.188	Active	Moloch
43.154.67.170	Active	Moloch
45.33.6.223	Active	Moloch
81.169.145.68	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49186 -> 162.0.214.109:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
UDP 192.168.56.103:53658 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 25, 2023, 8:26 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Performs some HTTP requests (19 events)

request	POST http://www.purelyunorthodox.com/r862/
request	GET http://www.purelyunorthodox.com/r862/?9HLhJ=PG+qG0x7ut6mghFWWv9z1aDvXJK7PEjXaxh4JoeELx5QQPgBEqAa9HIswWXT0JiH0VH9RlNF/ZpaJPb31jDauT2CX4A+EFc+mct1Eo4=&z15D5=o-d4OppZ1CkegyG
request	GET http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
request	POST http://www.amazing-s.com/r862/
request	GET http://www.amazing-s.com/r862/?9HLhJ=69RVFoxGUY0D0B3YqV+2mwld1PL5jwXfCjKjkpFiZLY9mwR5LQBOEU2e4EMrrKOfaYIcO1mtIEZSetKk7fnyFeOPJ3RpyEil2UQyy0o=&z15D5=o-d4OppZ1CkegyG
request	POST http://www.xn--cailang1-ml9sl35r.xyz/r862/
request	GET http://www.xn--cailang1-ml9sl35r.xyz/r862/?9HLhJ=S/uF320df8UnDjQS/4k38ZSLphwfiAtDFhdsqMNymj/DeDghP6n6HhyCBg2DbRSzT3vxi2zyebAOy4KdU8evD5ZQgDrzpIHmTqE3N+A=&z15D5=o-d4OppZ1CkegyG
request	POST http://www.mioranopshop1.com/r862/
request	GET http://www.mioranopshop1.com/r862/?9HLhJ=cfbduTtVFkWmRD2P4Oq/5eEMdctrPNntf4MnpZA55yca/7EmbnTer6jTOsB3u9XDWPwG0+Qof3Hb8E9shSYTsXaQROqx/cLcjawbQss=&z15D5=o-d4OppZ1CkegyG
request	POST http://www.rumirajut.com/r862/
request	GET http://www.rumirajut.com/r862/?9HLhJ=1rAwQw2q1BpIxjxJkxZnSFonK+gXIesu8ZIiKuE2uI5xydDspJKJXPKvtGbjys3KWnfwZosHEMAN/bUeljygPFh0vZwT4MGahhqUpDc=&z15D5=o-d4OppZ1CkegyG
request	POST http://www.ianfobase.com/r862/
request	GET http://www.ianfobase.com/r862/?9HLhJ=9rRZzNTr1dZKiLQzoI8XLjplaAqV+6t0e2B+X0zrtppRDMRYTz2tf5iTpqyOXvL8YlOJPhd6SWRcIOrEs9d7dAqVmuaL1+6j3ULt+YU=&z15D5=o-d4OppZ1CkegyG
request	POST http://www.gtma10.vip/r862/
request	GET http://www.gtma10.vip/r862/?9HLhJ=8U41kzTN+uwIk3DyTQw7tTBJajqrXzV/U9eOIBRkK2PXE9wxxbe3C7vN86vdfopV2wBFBOOuk8l7RbumaXqM7+uyZLgcll40YrlUwV0=&z15D5=o-d4OppZ1CkegyG
request	POST http://www.kwikwak.top/r862/
request	GET http://www.kwikwak.top/r862/?9HLhJ=T36R+hE18isjZaXjHzJ7Zkpexlmt5v6sU4YsQWgDgXjuAXXLweAwq0yhvE2TlpXK9Gtcm5Nka75XxGZqFoeRwg4xeWPhgOB9NrAcAUA=&z15D5=o-d4OppZ1CkegyG
request	POST http://www.gt6yzx.cfd/r862/
request	GET http://www.gt6yzx.cfd/r862/?9HLhJ=jgW1+RlOC4xiYAXn1VJcs3xpdlY55VN4wLhIJOPbS0OP2EW6OQwN62RI3QxvYMjApYT1XrwWyIHWN8qx3bgOQseXlpGUbfms8CoO5DA=&z15D5=o-d4OppZ1CkegyG

Sends data using the HTTP POST Method (9 events)

request	POST http://www.purelyunorthodox.com/r862/
request	POST http://www.amazing-s.com/r862/
request	POST http://www.xn--cailang1-ml9sl35r.xyz/r862/
request	POST http://www.mioranopshop1.com/r862/
request	POST http://www.rumirajut.com/r862/
request	POST http://www.ianfobase.com/r862/
request	POST http://www.gtma10.vip/r862/
request	POST http://www.kwikwak.top/r862/
request	POST http://www.gt6yzx.cfd/r862/

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

www.kwikwak.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 25, 2023, 8:26 a.m.	process_identifier: 1020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741db000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 25, 2023, 8:26 a.m.	process_identifier: 1020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e70000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 25, 2023, 8:26 a.m.	process_identifier: 2132 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nseC1D6.tmp\yznrf.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nseC1D6.tmp\yznrf.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 25, 2023, 8:26 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1020 called NtSetContextThread to modify thread in remote process 2132
NtSetContextThread July 25, 2023, 8:26 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4199584 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000023c process_identifier: 2132	1	0	0