Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 14, 2021, 9:45 a.m.	May 14, 2021, 9:51 a.m.

Size	2.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d5caa26ca65ca5e2c8921030993afcd2`
SHA256	`fad18db3699a8e92909a2eb0754fbee8f609e28d5a2bf32c8aaa2ec12764c278`
CRC32	`1D25D4E0`
ssdeep	`49152:/2BT/j0AG7BmgYBf/ZkYDXAOcLSLWx0Oe50pnriqtQo5WwnCQmZ0XM:e1j0JVm/peYDXAOc+a5PriOQ5V/0c`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet

SupremeSpySetup.exe "C:\Users\test22\AppData\Local\Temp\SupremeSpySetup.exe"
2952
- SupremeSpySetup.tmp "C:\Users\test22\AppData\Local\Temp\is-554CE.tmp\SupremeSpySetup.tmp" /SL5="$8502BC,2493529,54272,C:\Users\test22\AppData\Local\Temp\SupremeSpySetup.exe"
  8564

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 14, 2021, 9:45 a.m.			0	0

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 14, 2021, 9:45 a.m.		1	1	0

Time & API	Arguments	Status
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\is-G8GV9.tmp\_isetup\_shfoldr.dll

file	C:\Users\test22\AppData\Local\Temp\is-G8GV9.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-554CE.tmp\SupremeSpySetup.tmp
file	C:\Users\test22\AppData\Local\Temp\is-G8GV9.tmp\_isetup\_RegDLL.tmp

Time & API	Arguments	Return
RegOpenKeyExA May 14, 2021, 9:45 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{984B859C-773F-7E26-1623-B765A907F0F3}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{984B859C-773F-7E26-1623-B765A907F0F3}_is1	2
RegOpenKeyExA May 14, 2021, 9:45 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{984B859C-773F-7E26-1623-B765A907F0F3}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{984B859C-773F-7E26-1623-B765A907F0F3}_is1	2
RegOpenKeyExA May 14, 2021, 9:45 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{984B859C-773F-7E26-1623-B765A907F0F3}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{984B859C-773F-7E26-1623-B765A907F0F3}_is1	2
RegOpenKeyExA May 14, 2021, 9:45 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{984B859C-773F-7E26-1623-B765A907F0F3}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{984B859C-773F-7E26-1623-B765A907F0F3}_is1	2

host

172.217.25.14

DrWeb	Trojan.InstallCore.1418
MicroWorld-eScan	Application.Keylogger.QQN
FireEye	Application.Keylogger.QQN
McAfee	Keylog-SupremeSpy.b
Cylance	Unsafe
Cybereason	malicious.ca65ca
Symantec	Spyware.Supremespy
ESET-NOD32	a variant of Win32/SpyBoss.A potentially unsafe
Avast	Win32:KeyLogger-AQO [PUP]
BitDefender	Application.Keylogger.QQN
NANO-Antivirus	Trojan.Win32.InstallCore.efumab
Rising	PUA.Presenoker!8.F608 (CLOUD)
Comodo	Malware@#3gpaet0sdx5se
VIPRE	SupremeSpy
McAfee-GW-Edition	Keylog-SupremeSpy.b
Emsisoft	Application.Keylogger.QQN (B)
Microsoft	PUA:Win32/Vigua.A
Arcabit	Application.Keylogger.QQN
GData	Application.Keylogger.QQN
VBA32	Trojan.InstallCore
ALYac	Application.Keylogger.QQN
MAX	malware (ai score=99)
Malwarebytes	Malware.AI.4281419225
TrendMicro-HouseCall	TROJ_GEN.R002C0OD421
Yandex	Trojan.GenAsa!goxqqu97wFw
MaxSecure	Trojan.Malware.3758777.susgen
Fortinet	Riskware/SupremeSpy
Webroot	System.Monitor.Rebrand.Software
AVG	Win32:KeyLogger-AQO [PUP]

SupremeSpySetup.exe