Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 25, 2021, 3:16 p.m.	June 25, 2021, 3:21 p.m.

Size	17.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8073587ad2b8cc9882aa1b320ba04c19`
SHA256	`77890e3304d01af0b665bb2a29039f6675c7ab0c3e5fd31056b4898810f26011`
CRC32	`A55993C2`
ssdeep	`393216:RCKmoic/i2IIQ1YhJQw85hjLhVcESy4Y7atNW/+hKEhlJgJRkYFZFZfLWPfC:EKmu/e1IJ23gSFay/+WPZFZfLm6`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature

pc-eq.setup.2.0.0.exe "C:\Users\test22\AppData\Local\Temp\pc-eq.setup.2.0.0.exe"
3804
- PC-Equalizer.exe "C:\Program Files (x86)\PC Equalizer\PC-Equalizer.exe"
  5656
  - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\7ZSfx000.cmd" "
    3660
- EqualizerAPO64-1.2.1.exe "C:\Users\test22\AppData\Local\Temp\EqualizerAPO64-1.2.1.exe"
  3908
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 25, 2021, 3:16 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 25, 2021, 3:16 p.m.			0	0
IsDebuggerPresent June 25, 2021, 3:16 p.m.			0	0

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 25, 2021, 3:16 p.m.	buffer: C:\Program Files (x86)\PC Equalizer> console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 3:16 p.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 3:16 p.m.	buffer: "C:\Program Files (x86)\PC Equalizer\PC-Equalizer.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 3:16 p.m.	buffer: C:\Program Files (x86)\PC Equalizer> console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 3:16 p.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 3:16 p.m.	buffer: exist "C:\Program Files (x86)\PC Equalizer\PC-Equalizer.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 3:16 p.m.	buffer: goto console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 3:16 p.m.	buffer: Repeat console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 3:16 p.m.	buffer: C:\Program Files (x86)\PC Equalizer> console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 3:16 p.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 3:16 p.m.	buffer: "C:\Users\test22\AppData\Local\Temp\7ZSfx000.cmd" console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 3:16 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 25, 2021, 3:16 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 25, 2021, 3:16 p.m.	process_identifier: 3804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 3:16 p.m.	process_identifier: 5656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 3:16 p.m.	process_identifier: 3908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 3:16 p.m.	process_identifier: 3908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02904000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW June 25, 2021, 3:16 p.m.	total_number_of_free_bytes: 13277720576 free_bytes_available: 13277720576 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW June 25, 2021, 3:16 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13259161600 root_path: C:\Program Files (x86)\PC Equalizer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 25, 2021, 3:09 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13250600960 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1

Creates executable files on the filesystem (13 events)

file	C:\Program Files (x86)\PC Equalizer\PCEqualizer.exe
file	C:\Users\test22\AppData\Local\Temp\nsv4145.tmp\nsDialogs.dll
file	C:\Program Files (x86)\PC Equalizer\PC-Equalizer.exe
file	C:\Program Files (x86)\PC Equalizer\data\Plugins\requ\liceline.exe
file	C:\Users\test22\AppData\Local\Temp\EqualizerAPO64-1.2.1.exe
file	C:\Program Files (x86)\PC Equalizer\lua5.1.dll
file	C:\Program Files (x86)\PC Equalizer\Uninstall.exe
file	C:\Users\test22\Desktop\PC Equalizer.lnk
file	C:\Users\test22\AppData\Local\Temp\nsv4145.tmp\NSISpcre.dll
file	C:\Users\test22\AppData\Local\Temp\nsv4145.tmp\System.dll
file	C:\Program Files (x86)\PC Equalizer\PCEqualizer.dll
file	C:\Users\test22\AppData\Local\Temp\7ZSfx000.cmd
file	C:\Program Files (x86)\PC Equalizer\lua51.dll

Creates a shortcut to an executable file (2 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\Users\test22\Desktop\PC Equalizer.lnk

Drops a binary and executes it (3 events)

file	C:\Program Files (x86)\PC Equalizer\PC-Equalizer.exe
file	C:\Users\test22\AppData\Local\Temp\EqualizerAPO64-1.2.1.exe
file	C:\Users\test22\AppData\Local\Temp\7ZSfx000.cmd

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\nsv4145.tmp\nsDialogs.dll
file	C:\Users\test22\AppData\Local\Temp\nsv4145.tmp\NSISpcre.dll
file	C:\Users\test22\AppData\Local\Temp\nsv4145.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\EqualizerAPO64-1.2.1.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 25, 2021, 3:16 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\7ZSfx000.cmd parameters: filepath: C:\Users\test22\AppData\Local\Temp\7ZSfx000.cmd	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://nsis.sf.net/NSIS_Error

Yara rule detected in process memory (19 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\7ZSfx000.cmd

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3804 resumed a thread in remote process 5656
Process injection	Process 3804 resumed a thread in remote process 3908
NtResumeThread June 25, 2021, 3:16 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 5656	1	0	0
NtResumeThread June 25, 2021, 3:16 p.m.	thread_handle: 0x00000328 suspend_count: 1 process_identifier: 3908	1	0	0

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

MicroWorld-eScan	Gen:Heur.SMHeist.3
FireEye	Generic.mg.8073587ad2b8cc98
McAfee	Artemis!8073587AD2B8
Sangfor	Suspicious.Win32.SMHeist.3
Cybereason	malicious.ad2b8c
Cyren	W32/Trojan.DXXJ-1478
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	FileRepMalware
BitDefender	Gen:Heur.SMHeist.3
Ad-Aware	Gen:Heur.SMHeist.3
Emsisoft	Gen:Heur.SMHeist.3 (B)
McAfee-GW-Edition	Artemis
Webroot	W32.Malware.Gen
Microsoft	Ransom:Win32/Crypmod
Arcabit	Trojan.SMHeist.3
GData	Gen:Heur.SMHeist.3
MAX	malware (ai score=80)
Malwarebytes	Malware.AI.4286241904
TrendMicro-HouseCall	TROJ_GEN.R002H09FL21
Ikarus	Gen.SMHeist
Fortinet	W32/PossibleThreat
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_60% (W)

pc-eq.setup.2.0.0.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All