Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 18, 2024, 9:54 a.m.	Oct. 18, 2024, 9:58 a.m.

Size	1.8MB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 14:06:51 2020, Security: 0, Code page: 1252, Revision Number: {52B140B4-7696-4EC7-BF03-5B14B1FC7533}, Number of Words: 10, Subject: PlaceInllinet, Author: Pablo Network, Name of Creating Application: PlaceInllinet, Template: ;1033, Comments: This installer database contains the logic and data required to install PlaceInllinet., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5	`5375c07cb8e6bedd4c3f26c9509d1562`
SHA256	`fd4b6e419691647b9ae0ca60e5b383c5d9fe1d5fcfc8dec887bb188c4d39d36e`
CRC32	`5EA789F7`
ssdeep	`49152:9+u3YhW8zBQSc0ZnSKBZKumZr7ACyO2mAB66VENFzqM1Q:5YY0Zn3K/Ak7ABPyhW`
Yara	Malicious_Library_Zero - Malicious_Library Admin_Tool_IN_Zero - Admin Tool Sysinternals Microsoft_Office_File_Zero - Microsoft Office File CAB_file_format - CAB archive file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

msiexec.exe "C:\Windows\System32\msiexec.exe" /I C:\Users\test22\AppData\Local\Temp\net.msi
912
explorer.exe C:\Windows\Explorer.EXE
1236
- rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\test22\AppData\Roaming\network.dll, Name
  2264
  - rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\test22\AppData\Roaming\network.dll, Name
    2376

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 18, 2024, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 18, 2024, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 18, 2024, 9:54 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 18, 2024, 9:54 a.m.			0	0
IsDebuggerPresent Oct. 18, 2024, 9:54 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 18, 2024, 9:54 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 18, 2024, 9:54 a.m.	stacktrace: 0x1cbd0b8 0x1cbbf16 0x240230 bson_destroy+0x3d bson_append_int-0x17b @ 0x749c134c 0x1cbce42 0x21ee10 exception.instruction_r: 42 88 04 09 49 83 c1 01 4d 39 c8 75 ee 48 89 c8 exception.instruction: mov byte ptr [rcx + r9], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1cbd0b8 registers.r14: 2223104 registers.r15: 2554432 registers.rcx: 4096 registers.rsi: 2554000 registers.r10: 0 registers.rbx: 2223632 registers.rsp: 2223328 registers.r11: 514 registers.r8: 215040 registers.r9: 0 registers.rdx: 2555024 registers.r12: 2554128 registers.rbp: 2223952 registers.rdi: 2554752 registers.rax: 72 registers.r13: 2223064	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73de1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73481000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73431000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 912 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ee0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73422000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 912 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03e90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000041e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 253952 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Oct. 18, 2024, 9:54 a.m.	total_number_of_free_bytes: 9934446592 free_bytes_available: 9934446592 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceW Oct. 18, 2024, 9:54 a.m.	number_of_free_clusters: 2425402 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1236 resumed a thread in remote process 2264
NtResumeThread Oct. 18, 2024, 9:54 a.m.	thread_handle: 0x0000000000000764 suspend_count: 1 process_identifier: 2264	1	0	0

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Lionic	Trojan.Win32.Brutel.4!c
CTX	msi.trojan.brutel
Sangfor	Trojan.Win32.Brutel.V309
Arcabit	Trojan.Generic.D46E32F0
Symantec	Scr.Malcode!gen
ESET-NOD32	Win64/Brutel.M
TrendMicro-HouseCall	Backdoor.Win64.BRUTEL.YXEJQZ
Kaspersky	UDS:Trojan.Win32.Shelm.aqit
BitDefender	Trojan.GenericKD.74330864
MicroWorld-eScan	Trojan.GenericKD.74330864
Rising	Trojan.Brutel!8.160CF (LESS:bWQ1OiPYcIYbK5R7)
Emsisoft	Trojan.GenericKD.74330864 (B)
DrWeb	Trojan.Brutel.2
TrendMicro	Backdoor.Win64.BRUTEL.YXEJQZ
Sophos	Mal/Generic-S
Ikarus	Win32.Outbreak
FireEye	Trojan.GenericKD.74330864
Google	Detected
Antiy-AVL	Trojan/Win32.Shelm
Kingsoft	Win32.Trojan.Shelm.aqit
Microsoft	Trojan:Win32/Seheq!rfn
GData	Trojan.GenericKD.74330864
Varist	W64/ABTrojan.HLKU-5846
McAfee	Artemis!2D884DAB37FA
Tencent	Win32.Trojan.Shelm.Agow
Fortinet	W64/Brutel.M!tr

net.msi

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All