Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.20 01:09
setup.exe
09.20 11:09
3uTools.exe
09.20 11:09
66ecb4573225b_vsbhfdg1...
09.20 10:09
66ecb452ba19c_sfbdsgfd...
09.20 10:09
66ecb44c35444_vfdhsgdf...
09.20 10:09
66ec0e61998bf_setup30.exe
09.20 10:09
66ebf725efe38_lyla.exe
09.20 10:09
Desktop_Explorer.exe
09.20 10:09
66ec3528901bb_winupdat...
09.20 10:09
Inquiry-Dubai.js

Latest News
09.21 12:09
Middle East backdoored...
09.21 12:09
Updated CISA exploited...
09.21 12:09
Several orgs purported...
09.21 12:09
New CISA guidance seek...
09.21 12:09
Lumma Stealer deployed...
09.21 12:09
InfoSec World Intervie...
09.21 12:09
InfoSec World CRTV Liv...
09.21 12:09
FTC: Mass surveillance...
09.21 12:09
Disney reportedly ditc...
09.21 12:09
Dell claimed to be bre...

Summary | ZeroBOX

wininit.exe

Malicious Library UPX PE32 PE File DLL

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 26, 2023, 7:43 a.m.	July 26, 2023, 7:47 a.m.

Size	369.9KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`66a020cc3acbd4f1badbff616662ce02`
SHA256	`b36dee6691e5fe4f8caabfe5602e16b6a287f98aa3a13df2deedad15e31aec32`
CRC32	`1AE02288`
ssdeep	`6144:ryIIW3gq6qMsKF8W8YI1DpMWlUDCbjNDw9b5kZNgNsJZTpFZK:rv6qMHCW8YaVMWnb5DsyNgNsJZ`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

wininit.exe "C:\Users\test22\AppData\Local\Temp\wininit.exe"
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 26, 2023, 7:43 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 26, 2023, 7:43 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73272000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 26, 2023, 7:43 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 26, 2023, 7:43 a.m.	process_identifier: 2556 region_size: 48594944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03bc0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsoEE77.tmp\System.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsoEE77.tmp\System.dll

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

Bkav	W32.AIDetectMalware
CrowdStrike	win/malicious_confidence_60% (D)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.66a020cc3acbd4f1
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Cylance	unsafe
DeepInstinct	MALICIOUS