Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.13 04:11
hello.exe
11.13 03:11
espsemhvcioff.exe
11.13 02:11
Geek_se.exe
11.13 02:11
cred64.dll
11.13 02:11
svhost.exe
11.13 02:11
nb.exe
11.13 02:11
svcyr.exe
11.13 02:11
Ghost_1.5.11.5.exe
11.13 02:11
PowderGpl.exe
11.13 02:11
goodlabel%E6%89%93%E5%...

Latest News
11.14 01:11
Sicherheitsupdates: Zo...
11.14 01:11
Bengal cat lovers in A...
11.14 12:11
RCE intrusions likely ...
11.14 12:11
Permiso releases 3 ope...
11.14 12:11
Impersonation attacks ...
11.14 12:11
Half a dozen HPE Aruba...
11.14 12:11
Broadcom unveils priva...
11.14 12:11
Broadcom introduces Ve...
11.14 12:11
Tesla Recalls Cybertru...
11.14 12:11
Altman-Backed Oklo Ink...

Summary | ZeroBOX

inte.exe

Malicious Library UPX OS Processor Check PE32 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Feb. 4, 2024, 4:41 p.m.	Feb. 4, 2024, 4:47 p.m.

Size	176.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`fa092cd96d9916f2e247067653cd1110`
SHA256	`110c64b4a03a6ed6c8ffd2baba0a5831fd8bd59ca6b23d6e885a8f34e13461fc`
CRC32	`E8411775`
ssdeep	`3072:fjJNYb6cSN+tDbI3FUAiJtFej2TUgObqt/Y8O/tOAg0Fuj0thzIt3Za:fjJNYuR0Ifu9TxObNgAOSMZZa`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

inte.exe "C:\Users\test22\AppData\Local\Temp\inte.exe"
1072
- cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\inte.exe" & exit
  2128
  - taskkill.exe taskkill /im "inte.exe" /f
    2196

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.172.128.90	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Feb. 4, 2024, 4:41 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Feb. 4, 2024, 4:41 p.m.	buffer: ERROR: The process "inte.exe" not found. console_handle: 0x0000000b	1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://185.172.128.90/cpa/ping.php?substr=one&s=two

Performs some HTTP requests (1 event)

request

GET http://185.172.128.90/cpa/ping.php?substr=one&s=two

Creates a suspicious process (2 events)

cmdline	C:\Windows\System32\cmd.exe /c taskkill /im "inte.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\inte.exe" & exit
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\inte.exe" & exit

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\inte.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "inte.exe")

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Feb. 4, 2024, 4:41 p.m.	show_type: 0 filepath_r: C:\Windows\System32\cmd.exe parameters: /c taskkill /im "inte.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\inte.exe" & exit filepath: C:\Windows\System32\cmd.exe	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Feb. 4, 2024, 4:41 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	taskkill /im "inte.exe" /f
cmdline	C:\Windows\System32\cmd.exe /c taskkill /im "inte.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\inte.exe" & exit
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\inte.exe" & exit

Communicates with host for which no DNS query was performed (1 event)

host

185.172.128.90