Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 12, 2024, 8:48 a.m.	Aug. 12, 2024, 9:07 a.m.

Size	2.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5	`77970896073bbafdc8c1811414c62536`
SHA256	`980fcb6365092cd752934417abb0f2a95bca452c58856240157107e70c1d754d`
CRC32	`55B21464`
ssdeep	`49152:/Xe2JFJ0l5VO6T9xX2AdPj15GZ0yB/dqyvVamJW:/Xe2JFJ0liu3GAdPj15GZft6`
PDB Path	d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

ApertureLab.exe "C:\Users\test22\AppData\Local\Temp\ApertureLab.exe"
1700
- client32.exe "C:\Users\test22\AppData\Roaming\updtewinsup221\client32.exe"
  2112
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
geo.netsupportsoftware.com	A 172.67.68.212 A 104.26.1.231 A 104.26.0.231	172.67.68.212
Amnahuseta19.com	A 162.33.178.156

IP Address	Status	Action
162.33.178.156	Active	Moloch
164.124.101.2	Active	Moloch
172.67.68.212	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49169 -> 172.67.68.212:80	2034559	ET POLICY NetSupport GeoLocation Lookup Request	Potential Corporate Privacy Violation
TCP 192.168.56.103:49166 -> 172.67.68.212:80	2034559	ET POLICY NetSupport GeoLocation Lookup Request	Potential Corporate Privacy Violation
TCP 192.168.56.103:49168 -> 172.67.68.212:80	2034559	ET POLICY NetSupport GeoLocation Lookup Request	Potential Corporate Privacy Violation
TCP 192.168.56.103:49167 -> 162.33.178.156:3122	2035892	ET INFO NetSupport Remote Admin Checkin	Misc activity
TCP 162.33.178.156:3122 -> 192.168.56.103:49167	2035895	ET INFO NetSupport Remote Admin Response	Misc activity
TCP 192.168.56.103:49167 -> 162.33.178.156:3122	2035892	ET INFO NetSupport Remote Admin Checkin	Misc activity
TCP 162.33.178.156:3122 -> 192.168.56.103:49167	2035895	ET INFO NetSupport Remote Admin Response	Misc activity
TCP 192.168.56.103:49167 -> 162.33.178.156:3122	2035892	ET INFO NetSupport Remote Admin Checkin	Misc activity
TCP 192.168.56.103:49167 -> 162.33.178.156:3122	2035892	ET INFO NetSupport Remote Admin Checkin	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 12, 2024, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 12, 2024, 8:48 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 12, 2024, 8:48 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geo.netsupportsoftware.com/location/loca.asp

Performs some HTTP requests (1 event)

request

GET http://geo.netsupportsoftware.com/location/loca.asp

Allocates read-write-execute memory (usually to unpack itself) (18 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74271000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ec1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ea1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:41 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006de0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74211000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74201000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74190000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74160000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74101000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:48 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74041000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (10 events)

file	C:\Users\test22\AppData\Roaming\updtewinsup221\remcmdstub.exe
file	C:\Users\test22\AppData\Roaming\updtewinsup221\AudioCapture.dll
file	C:\Users\test22\AppData\Roaming\updtewinsup221\client32.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\automrunner201.ini.lnk
file	C:\Users\test22\AppData\Roaming\updtewinsup221\HTCTL32.DLL
file	C:\Users\test22\AppData\Roaming\updtewinsup221\PCICHEK.DLL
file	C:\Users\test22\AppData\Roaming\updtewinsup221\PCICL32.DLL
file	C:\Users\test22\AppData\Roaming\updtewinsup221\msvcr100.dll
file	C:\Users\test22\AppData\Roaming\updtewinsup221\TCCTL32.DLL
file	C:\Users\test22\AppData\Roaming\updtewinsup221\pcicapi.dll

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\automrunner201.ini.lnk

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\updtewinsup221\client32.exe

Drops an executable to the user AppData folder (9 events)

file	C:\Users\test22\AppData\Roaming\updtewinsup221\AudioCapture.dll
file	C:\Users\test22\AppData\Roaming\updtewinsup221\remcmdstub.exe
file	C:\Users\test22\AppData\Roaming\updtewinsup221\TCCTL32.DLL
file	C:\Users\test22\AppData\Roaming\updtewinsup221\client32.exe
file	C:\Users\test22\AppData\Roaming\updtewinsup221\HTCTL32.DLL
file	C:\Users\test22\AppData\Roaming\updtewinsup221\PCICHEK.DLL
file	C:\Users\test22\AppData\Roaming\updtewinsup221\pcicapi.dll
file	C:\Users\test22\AppData\Roaming\updtewinsup221\msvcr100.dll
file	C:\Users\test22\AppData\Roaming\updtewinsup221\PCICL32.DLL

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 12, 2024, 8:48 a.m.	flags: 0 family: 2		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 12, 2024, 8:48 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Queries for potentially installed applications (4 events)

Time & API	Arguments	Return
RegOpenKeyExA Aug. 12, 2024, 8:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3F709462-4AD7-482F-8761-C6ED6AD145A1} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3F709462-4AD7-482F-8761-C6ED6AD145A1}	2
RegOpenKeyExA Aug. 12, 2024, 8:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C412F191-BB15-4e40-9CCC-97E571D2C6BF} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C412F191-BB15-4e40-9CCC-97E571D2C6BF}	2
RegOpenKeyExA Aug. 12, 2024, 8:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF}	2
RegOpenKeyExA Aug. 12, 2024, 8:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF}	2

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\automrunner201.ini.lnk

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.Common.964CBEE9
Lionic	Trojan.Win32.ChePro.7!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	Artemis!PUP
ALYac	Trojan.GenericKD.72359057
Cylance	Unsafe
VIPRE	Trojan.GenericKD.72359057
K7AntiVirus	Riskware ( 00584baa1 )
BitDefender	Trojan.GenericKD.72359057
K7GW	Riskware ( 00584baa1 )
Cybereason	malicious.6073bb
Arcabit	Trojan.Generic.D4501C91
VirIT	Trojan.Win32.RarDrp.GNT
Symantec	Trojan.Gen.MBT
ESET-NOD32	multiple detections
McAfee	Artemis!77970896073B
Avast	Win32:Malware-gen
Kaspersky	Trojan-Banker.Win32.ChePro.nkuj
Alibaba	RiskWare:Win32/NetSup.715e48de
MicroWorld-eScan	Trojan.GenericKD.72359057
Emsisoft	Trojan.GenericKD.72359057 (B)
F-Secure	Trojan.TR/Spy.ChePro.mshfk
DrWeb	Program.RemoteAdmin.840
Zillya	Tool.NetSup.Win32.21
McAfeeD	ti!980FCB636509
FireEye	Trojan.GenericKD.72359057
Sophos	Generic Reputation PUA (PUA)
Jiangmin	RemoteAdmin.NetSup.ai
Webroot	W32.Malware.Gen
Google	Detected
Avira	TR/Spy.ChePro.mshfk
MAX	malware (ai score=81)
Kingsoft	Win32.Troj.Generic.v
Xcitium	ApplicUnwnt@#1w2oxz4iznm7d
Microsoft	Trojan:Win32/Znyonm
ZoneAlarm	Trojan-Banker.Win32.ChePro.nkuj
GData	Trojan.GenericKD.72359057
Varist	W32/Tool.EQYN-2153
AhnLab-V3	Unwanted/Win.Agent.C5613130
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.4001533009
Ikarus	Trojan.Win32.Netsupportmanager
Panda	Trj/CI.A
Zoner	Trojan.Win32.153308
Tencent	Win32.Trojan-Banker.Chepro.Ikjl
MaxSecure	Trojan.Malware.219152854.susgen
Fortinet	Riskware/NetSup
AVG	Win32:Malware-gen
Paloalto	generic.ml

ApertureLab.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All