Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
10.05 02:10
mime-attachment 2
10.05 11:10
66fffb908255c_nnxin.exe
10.05 11:10
66fe13d56fd43_EdgeOUpd...
10.05 11:10
9dd06d870941.exe#d15
10.05 11:10
7f3c2473d1e6.exe#sp_vid
10.05 11:10
f2e7fcb20146.exe#sp_sl
10.05 11:10
956d73b7f041.exe#defau...
10.05 09:10
payload.msi
10.05 09:10
fedf8679e8d2.exe#d12
10.05 09:10
segura.vbs

Latest News
10.05 04:10
Clone of TEST BLOG WIL...
10.05 03:10
Anzeige: So gelingt di...
10.05 03:10
KI verstehen mit Excel...
10.05 03:10
Apple Releases Critica...
10.05 02:10
Mechanical Switch Sci-...
10.05 11:10
This Bluetooth GATT Co...
10.05 09:10
Mac Malware with L0Pse...
10.05 09:10
타이거다즐러, 올리브영 온라인몰 입점… ...
10.05 09:10
Ben Horowitz Will Dona...
10.05 09:10
5G-Ausbau: Zwei Bundes...

Summary | ZeroBOX

setup.exe

Malicious Library PE32 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 1, 2024, 12:03 p.m.	March 1, 2024, 12:07 p.m.

Size	7.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5230cc00eecf61973aa8baf3f2a8cce6`
SHA256	`4cceb5b7212b102f6a043579f91ff9374f68275bf77122e86f4fc3fb42fc0cf3`
CRC32	`F5459434`
ssdeep	`196608:91OlSCGyaq6w0xrErCiH5kHOiHz1r4AYWQwI0uS:3OlHDaH/aaHOiR/YWQeuS`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

setup.exe "C:\Users\test22\AppData\Local\Temp\setup.exe"
2548
- Install.exe .\Install.exe
  2636
  - Install.exe .\Install.exe /VDVdidkXTS "385119" /S
    2688

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 1, 2024, 12:03 p.m.	computer_name: TEST22-PC	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sxdata

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 1, 2024, 12:03 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75511000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 1, 2024, 12:03 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73311000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\7zSEE86.tmp\Install.exe
file	C:\Users\test22\AppData\Local\Temp\7zSF145.tmp\Install.exe

Executes one or more WMI queries (1 event)

wmi	<INVALID POINTER>

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 1, 2024, 12:03 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 1482752 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Checks the version of Bios, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Detects VirtualBox using WNetGetProviderName trick (1 event)

Time & API	Arguments	Status	Return	Repeated
WNetGetProviderNameW March 1, 2024, 12:03 p.m.	net_type: 0x00250000		1222	0