Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 30, 2021, 9:58 a.m.	Sept. 30, 2021, 10 a.m.

Size	775.8KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`71c7975385f73ae32b06f69dbe79290b`
SHA256	`c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c`
CRC32	`4D1BF5E8`
ssdeep	`12288:XaWzgMg7v3qnCi9ErQohh0F4fCJ8lnyQQdbpSulVAbWjuixwhQaB/Q:qaHMv6CRrj3nyQQdpSulmWjxwhQaG`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

PowerRun.exe "C:\Users\test22\AppData\Local\Temp\PowerRun.exe"
2232
- PowerRun.exe "C:\Users\test22\AppData\Local\Temp\PowerRun.exe" /P:524836
  2384

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 30, 2021, 9:58 a.m.			0	0
IsDebuggerPresent Sept. 30, 2021, 9:58 a.m.			0	0
IsDebuggerPresent Sept. 30, 2021, 9:58 a.m.			0	0
IsDebuggerPresent Sept. 30, 2021, 9:58 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 30, 2021, 9:58 a.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 30, 2021, 9:58 a.m.	stacktrace: Wow64DisableWow64FsRedirection+0x10 Wow64RevertWow64FsRedirection-0x1a kernelbase+0xc6d7 @ 0x76a7c6d7 powerrun+0x10df1 @ 0x410df1 powerrun+0x736ac @ 0x4736ac powerrun+0x41c6 @ 0x4041c6 exception.instruction_r: 89 11 c7 45 fc fe ff ff ff e8 8e 9b fc ff c2 08 exception.symbol: RtlWow64EnableFsRedirectionEx+0x43 RtlTryAcquirePebLock-0x2f7 ntdll+0x6435d exception.instruction: mov dword ptr [ecx], edx exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 410461 exception.address: 0x7740435d registers.esp: 9171552 registers.edi: 4882208 registers.eax: 0 registers.ebp: 9171596 registers.edx: 0 registers.ebx: 9172632 registers.esi: 1 registers.ecx: 1	1	0	0
__exception__ Sept. 30, 2021, 9:58 a.m.	stacktrace: Wow64DisableWow64FsRedirection+0x10 Wow64RevertWow64FsRedirection-0x1a kernelbase+0xc6d7 @ 0x76a7c6d7 powerrun+0x10df1 @ 0x410df1 powerrun+0x736ac @ 0x4736ac powerrun+0x41c6 @ 0x4041c6 exception.instruction_r: 89 11 c7 45 fc fe ff ff ff e8 8e 9b fc ff c2 08 exception.symbol: RtlWow64EnableFsRedirectionEx+0x43 RtlTryAcquirePebLock-0x2f7 ntdll+0x6435d exception.instruction: mov dword ptr [ecx], edx exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 410461 exception.address: 0x7740435d registers.esp: 9171552 registers.edi: 4882208 registers.eax: 0 registers.ebp: 9171596 registers.edx: 0 registers.ebx: 9172632 registers.esi: 1 registers.ecx: 1	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 30, 2021, 9:58 a.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73de2000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 30, 2021, 9:58 a.m.	process_identifier: 2384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73de2000 process_handle: 0xffffffff	1	0	0

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (35 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: smss.exe process_identifier: 224	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: csrss.exe process_identifier: 300	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: csrss.exe process_identifier: 364	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: winlogon.exe process_identifier: 396	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: services.exe process_identifier: 440	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: lsass.exe process_identifier: 456	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: svchost.exe process_identifier: 568	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: svchost.exe process_identifier: 640	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: svchost.exe process_identifier: 700	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: svchost.exe process_identifier: 776	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: audiodg.exe process_identifier: 892	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: svchost.exe process_identifier: 968	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: svchost.exe process_identifier: 264	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: svchost.exe process_identifier: 1192	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: srvany.exe process_identifier: 1244	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: taskhost.exe process_identifier: 1284	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: KMService.exe process_identifier: 1324	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: conhost.exe process_identifier: 1376	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: sppsvc.exe process_identifier: 1800	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: svchost.exe process_identifier: 1876	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: dwm.exe process_identifier: 1496	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: explorer.exe process_identifier: 1848	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: WmiPrvSE.exe process_identifier: 1916	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: pw.exe process_identifier: 2816	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: SearchIndexer.exe process_identifier: 2940	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: SearchProtocolHost.exe process_identifier: 1480	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: SearchFilterHost.exe process_identifier: 3040	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: SearchProtocolHost.exe process_identifier: 2120	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: mobsync.exe process_identifier: 1068	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: pw.exe process_identifier: 3060	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: taskhost.exe process_identifier: 752	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001b4 process_name: PowerRun.exe process_identifier: 2232	1	1
Process32NextW Sept. 30, 2021, 9:58 a.m.	snapshot_handle: 0x000001c4 process_name: PowerRun.exe process_identifier: 2384	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 30, 2021, 9:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 30, 2021, 9:58 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1	0

PowerRun.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All