Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.19 02:11
Potwierdzenie.exe
11.19 02:11
cheet.exe
11.19 02:11
chelentano.exe
11.19 02:11
12.exe
11.19 02:11
caspol.exe
11.19 02:11
gambinho.exe
11.19 02:11
Getdp.exe
11.19 02:11
caspol.exe
11.19 02:11
caspol.exe
11.18 02:11
DOCTOR FIRM ORDER FORM...

Latest News
11.19 06:11
Spot the Difference: E...
11.19 06:11
The Barcode Beast Like...
11.19 06:11
China’s Chip Advances ...
11.19 06:11
이지중고가전, 나눔과 환경보호로 사회적공...
11.19 06:11
Spot the Difference: E...
11.19 05:11
[AIS 2024 영상] KISA 강동우...
11.19 05:11
WVC대학교, 테솔자격증 장학생 모집 실시
11.19 05:11
[긴급] 현재 사이버 공격에 악용중인 팔...
11.19 05:11
온도의민족, 출시 동시에 일시품절...리...
11.19 05:11
[긴급] 중국 해커, 포티넷 VPN 제로...

Summary | ZeroBOX

Getdp.exe

Emotet Gen1 Generic Malware Malicious Library UPX PE64 MZP Format PE File OS Processor Check PE32 DLL

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 19, 2024, 2:39 p.m.	Nov. 19, 2024, 2:42 p.m.

Size	736.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4450ac5d9c08453f7faa1c3f9569350e`
SHA256	`057ca3a5512eeffd679e2ad93bbfa86ad88398d35addda66502115cf54e91c06`
CRC32	`6ECACFF8`
ssdeep	`12288:KQiGZASXj0BL0YvEgpzDXplSH549k1l2i/ykG0TMOUHbzMUFIKiM:KQiggKY5/8T+i/ykLDUGKN`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

Getdp.exe "C:\Users\test22\AppData\Local\Temp\Getdp.exe"
3000
- Getdp.tmp "C:\Users\test22\AppData\Local\Temp\is-N2J6P.tmp\Getdp.tmp" /SL5="$2016C,439205,56832,C:\Users\test22\AppData\Local\Temp\Getdp.exe"
  964
  - cmd.exe "C:\Windows\system32\cmd.exe" /c tasklist>"C:\Users\test22\AppData\Local\Temp\is-ESS4Q.tmp"\tasklist.txt
    2188
    - tasklist.exe tasklist
      2260

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 19, 2024, 3:29 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 19, 2024, 3:29 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 19, 2024, 3:29 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 19, 2024, 3:29 a.m.	process_identifier: 3000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 19, 2024, 3:29 a.m.	process_identifier: 3000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 19, 2024, 3:29 a.m.	process_identifier: 3000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 19, 2024, 3:29 a.m.	process_identifier: 3000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741b2000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Nov. 19, 2024, 3:29 a.m.	process_identifier: 964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 19, 2024, 3:29 a.m.	process_identifier: 964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741b2000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 19, 2024, 3:29 a.m.	process_identifier: 964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ef3000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\is-ESS4Q.tmp\isxdl.dll
file	C:\Users\test22\AppData\Local\Temp\is-ESS4Q.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-ESS4Q.tmp\isskin.dll

Creates a suspicious process (1 event)

cmdline

"C:\Windows\system32\cmd.exe" /c tasklist>"C:\Users\test22\AppData\Local\Temp\is-ESS4Q.tmp"\tasklist.txt

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Local\Temp\is-ESS4Q.tmp\isskin.dll
file	C:\Users\test22\AppData\Local\Temp\is-ESS4Q.tmp\Office2007.cjstyles
file	C:\Users\test22\AppData\Local\Temp\is-ESS4Q.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-ESS4Q.tmp\isxdl.dll
file	C:\Users\test22\AppData\Local\Temp\is-N2J6P.tmp\Getdp.tmp

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

APEX	Malicious
Kingsoft	malware.kb.a.800

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 19, 2024, 3:29 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (2 events)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA Nov. 19, 2024, 3:29 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Atualizador DP_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Atualizador DP_is1		2	0
RegOpenKeyExA Nov. 19, 2024, 3:29 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Atualizador DP_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Atualizador DP_is1		2	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\system32\cmd.exe" /c tasklist>"C:\Users\test22\AppData\Local\Temp\is-ESS4Q.tmp"\tasklist.txt
cmdline	tasklist