Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 30, 2022, 2:53 p.m.	Dec. 30, 2022, 2:55 p.m.

Size	3.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`097051905db43d636c3f71f3b2037e02`
SHA256	`306a4acb51995d012cedf11eeae5e6cd9f41bf577dc5b6855a9df61ce843bc67`
CRC32	`FCC0C16F`
ssdeep	`98304:TkLgeKBazj/p0ZQmS5OpksgwOJQgRYYPaL+o8EytXjV:YqBazjWZO5OptKafiXjV`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

PokemonBetaGame.exe "C:\Users\test22\AppData\Local\Temp\PokemonBetaGame.exe"
2564
- PokemonBetaGame.tmp "C:\Users\test22\AppData\Local\Temp\is-CD52N.tmp\PokemonBetaGame.tmp" /SL5="$80178,2988445,1046528,C:\Users\test22\AppData\Local\Temp\PokemonBetaGame.exe"
  2644
  - client32.exe "C:\Users\test22\AppData\Roaming\SKPWJE\client32.exe"
    2760
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
geo.netsupportsoftware.com	A 51.142.119.24 CNAME geography.netsupportsoftware.com A 62.172.138.67	62.172.138.67
tradinghuy.duckdns.org	A 65.108.67.37	65.108.67.37

IP Address	Status	Action
164.124.101.2	Active	Moloch
62.172.138.67	Active	Moloch
65.108.67.37	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 30, 2022, 2:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 30, 2022, 2:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 30, 2022, 2:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 30, 2022, 2:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 30, 2022, 2:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 30, 2022, 2:53 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 30, 2022, 2:53 p.m.			0	0
IsDebuggerPresent Dec. 30, 2022, 2:53 p.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geo.netsupportsoftware.com/location/loca.asp

Connects to a Dynamic DNS Domain (1 event)

domain

tradinghuy.duckdns.org

Performs some HTTP requests (1 event)

request

GET http://geo.netsupportsoftware.com/location/loca.asp

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 30, 2022, 2:53 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 30, 2022, 2:53 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 30, 2022, 2:53 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 30, 2022, 2:53 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 290816 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 30, 2022, 2:53 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72dd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 30, 2022, 2:53 p.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72dd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 30, 2022, 2:53 p.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02210000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 30, 2022, 2:55 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000046e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 30, 2022, 2:53 p.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732e2000 process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

client32.exe tried to sleep 177 seconds, actually delayed analysis time by 177 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftStore.lnk

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftStore.lnk

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-CD52N.tmp\PokemonBetaGame.tmp

Executes one or more WMI queries (2 events)

wmi	SELECT * FROM Win32_SystemEnclosure
wmi	SELECT * FROM Win32_ComputerSystem

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

CrowdStrike	win/grayware_confidence_70% (D)
Kaspersky	not-a-virus:HEUR:RemoteAdmin.Win32.NetSup.gen
AhnLab-V3	Dropper/Win.NetSupport.C5345365

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 30, 2022, 2:53 p.m.	flags: 0 family: 2		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 30, 2022, 2:53 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Queries for potentially installed applications (5 events)

Time & API	Arguments	Return
RegOpenKeyExW Dec. 30, 2022, 2:53 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\9124_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\9124_is1	2
RegOpenKeyExA Dec. 30, 2022, 2:53 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3F709462-4AD7-482F-8761-C6ED6AD145A1} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3F709462-4AD7-482F-8761-C6ED6AD145A1}	2
RegOpenKeyExA Dec. 30, 2022, 2:53 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C412F191-BB15-4e40-9CCC-97E571D2C6BF} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C412F191-BB15-4e40-9CCC-97E571D2C6BF}	2
RegOpenKeyExA Dec. 30, 2022, 2:53 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF}	2
RegOpenKeyExA Dec. 30, 2022, 2:53 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF}	2

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_ComputerSystem

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftStore.lnk

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-CD52N.tmp\PokemonBetaGame.tmp

PokemonBetaGame.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All