ScreenShot
| Created | 2021.04.08 12:20 | Machine | s1_win7_x6401 |
| Filename | Practical3.ex_ | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 50 detected (malicious, high confidence, Ransomware, Ryuk, H8oAChsA, Unsafe, confidence, 100%, Genasom, ali1000102, Eldorado, Hermes, gen2, Filecoder, score, RansomX, Jabaxsta, CLASSIC, Inject4, RansomRyuk, A + Troj, cpxqa, AGEN, Ryukran, R234901, ai score=86, Dyzx, Static AI, Malicious PE, susgen) | ||
| md5 | 8819d7f8069d35e71902025d801b44dd | ||
| sha256 | 98ece6bcafa296326654db862140520afc19cfa0b4a76a5950deedb2618097ab | ||
| ssdeep | 3072:b+hfiA0PJ/lmL4a17VnAy5jtZXDkIVT49RQwo:i4AK/lmkaFVz7QQw | ||
| imphash | 3d84250cdbe08a9921b4fb008881914b | ||
| impfuzzy | 24:/zx543jOBDyPO3OwJlf02teS17V/lmGc+Co8vR0OoviZqjM9rra2zTkKjN:rAOoRuteS17V/lc+CpB7rzHjN | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
| watch | Deletes executed files from disk |
| watch | Uses Sysinternals tools in order to add additional command line functionality |
| notice | A process created a hidden window |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Executes one or more WMI queries |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | This executable has a PDB path |
Rules (11cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Antivirus | Contains references to security software | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | escalate_priv | Escalade priviledges | binaries (upload) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_token | Affect system token | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140018048 OpenProcess
0x140018050 CreateToolhelp32Snapshot
0x140018058 Sleep
0x140018060 GetLastError
0x140018068 Process32NextW
0x140018070 GetCurrentThread
0x140018078 LoadLibraryA
0x140018080 GlobalAlloc
0x140018088 DeleteFileW
0x140018090 Process32FirstW
0x140018098 GetModuleHandleA
0x1400180a0 CloseHandle
0x1400180a8 HeapAlloc
0x1400180b0 GetWindowsDirectoryW
0x1400180b8 GetProcAddress
0x1400180c0 VirtualAllocEx
0x1400180c8 LocalFree
0x1400180d0 GetProcessHeap
0x1400180d8 FreeLibrary
0x1400180e0 CreateRemoteThread
0x1400180e8 VirtualFreeEx
0x1400180f0 GetVersionExW
0x1400180f8 CreateFileW
0x140018100 GetModuleFileNameW
0x140018108 GetCurrentProcess
0x140018110 GetCommandLineW
0x140018118 SetLastError
0x140018120 HeapFree
0x140018128 GlobalFree
0x140018130 WriteConsoleW
0x140018138 SetFilePointerEx
0x140018140 HeapReAlloc
0x140018148 HeapSize
0x140018150 RtlCaptureContext
0x140018158 RtlLookupFunctionEntry
0x140018160 RtlVirtualUnwind
0x140018168 UnhandledExceptionFilter
0x140018170 SetUnhandledExceptionFilter
0x140018178 TerminateProcess
0x140018180 IsProcessorFeaturePresent
0x140018188 QueryPerformanceCounter
0x140018190 GetCurrentProcessId
0x140018198 GetCurrentThreadId
0x1400181a0 GetSystemTimeAsFileTime
0x1400181a8 InitializeSListHead
0x1400181b0 IsDebuggerPresent
0x1400181b8 GetStartupInfoW
0x1400181c0 GetModuleHandleW
0x1400181c8 RtlUnwindEx
0x1400181d0 RaiseException
0x1400181d8 InitializeCriticalSectionAndSpinCount
0x1400181e0 TlsAlloc
0x1400181e8 TlsGetValue
0x1400181f0 TlsSetValue
0x1400181f8 TlsFree
0x140018200 LoadLibraryExW
0x140018208 EnterCriticalSection
0x140018210 LeaveCriticalSection
0x140018218 DeleteCriticalSection
0x140018220 ExitProcess
0x140018228 GetModuleHandleExW
0x140018230 GetStdHandle
0x140018238 WriteFile
0x140018240 GetModuleFileNameA
0x140018248 MultiByteToWideChar
0x140018250 WideCharToMultiByte
0x140018258 GetACP
0x140018260 LCMapStringW
0x140018268 GetFileType
0x140018270 FindClose
0x140018278 FindFirstFileExA
0x140018280 FindNextFileA
0x140018288 IsValidCodePage
0x140018290 GetOEMCP
0x140018298 GetCPInfo
0x1400182a0 GetCommandLineA
0x1400182a8 GetEnvironmentStringsW
0x1400182b0 FreeEnvironmentStringsW
0x1400182b8 SetStdHandle
0x1400182c0 GetStringTypeW
0x1400182c8 FlushFileBuffers
0x1400182d0 GetConsoleCP
0x1400182d8 GetConsoleMode
0x1400182e0 WriteProcessMemory
ADVAPI32.dll
0x140018000 SystemFunction036
0x140018008 LookupPrivilegeValueW
0x140018010 AdjustTokenPrivileges
0x140018018 ImpersonateSelf
0x140018020 OpenProcessToken
0x140018028 OpenThreadToken
0x140018030 LookupAccountSidW
0x140018038 GetTokenInformation
SHELL32.dll
0x1400182f0 CommandLineToArgvW
0x1400182f8 ShellExecuteW
0x140018300 ShellExecuteA
EAT(Export Address Table) is none
KERNEL32.dll
0x140018048 OpenProcess
0x140018050 CreateToolhelp32Snapshot
0x140018058 Sleep
0x140018060 GetLastError
0x140018068 Process32NextW
0x140018070 GetCurrentThread
0x140018078 LoadLibraryA
0x140018080 GlobalAlloc
0x140018088 DeleteFileW
0x140018090 Process32FirstW
0x140018098 GetModuleHandleA
0x1400180a0 CloseHandle
0x1400180a8 HeapAlloc
0x1400180b0 GetWindowsDirectoryW
0x1400180b8 GetProcAddress
0x1400180c0 VirtualAllocEx
0x1400180c8 LocalFree
0x1400180d0 GetProcessHeap
0x1400180d8 FreeLibrary
0x1400180e0 CreateRemoteThread
0x1400180e8 VirtualFreeEx
0x1400180f0 GetVersionExW
0x1400180f8 CreateFileW
0x140018100 GetModuleFileNameW
0x140018108 GetCurrentProcess
0x140018110 GetCommandLineW
0x140018118 SetLastError
0x140018120 HeapFree
0x140018128 GlobalFree
0x140018130 WriteConsoleW
0x140018138 SetFilePointerEx
0x140018140 HeapReAlloc
0x140018148 HeapSize
0x140018150 RtlCaptureContext
0x140018158 RtlLookupFunctionEntry
0x140018160 RtlVirtualUnwind
0x140018168 UnhandledExceptionFilter
0x140018170 SetUnhandledExceptionFilter
0x140018178 TerminateProcess
0x140018180 IsProcessorFeaturePresent
0x140018188 QueryPerformanceCounter
0x140018190 GetCurrentProcessId
0x140018198 GetCurrentThreadId
0x1400181a0 GetSystemTimeAsFileTime
0x1400181a8 InitializeSListHead
0x1400181b0 IsDebuggerPresent
0x1400181b8 GetStartupInfoW
0x1400181c0 GetModuleHandleW
0x1400181c8 RtlUnwindEx
0x1400181d0 RaiseException
0x1400181d8 InitializeCriticalSectionAndSpinCount
0x1400181e0 TlsAlloc
0x1400181e8 TlsGetValue
0x1400181f0 TlsSetValue
0x1400181f8 TlsFree
0x140018200 LoadLibraryExW
0x140018208 EnterCriticalSection
0x140018210 LeaveCriticalSection
0x140018218 DeleteCriticalSection
0x140018220 ExitProcess
0x140018228 GetModuleHandleExW
0x140018230 GetStdHandle
0x140018238 WriteFile
0x140018240 GetModuleFileNameA
0x140018248 MultiByteToWideChar
0x140018250 WideCharToMultiByte
0x140018258 GetACP
0x140018260 LCMapStringW
0x140018268 GetFileType
0x140018270 FindClose
0x140018278 FindFirstFileExA
0x140018280 FindNextFileA
0x140018288 IsValidCodePage
0x140018290 GetOEMCP
0x140018298 GetCPInfo
0x1400182a0 GetCommandLineA
0x1400182a8 GetEnvironmentStringsW
0x1400182b0 FreeEnvironmentStringsW
0x1400182b8 SetStdHandle
0x1400182c0 GetStringTypeW
0x1400182c8 FlushFileBuffers
0x1400182d0 GetConsoleCP
0x1400182d8 GetConsoleMode
0x1400182e0 WriteProcessMemory
ADVAPI32.dll
0x140018000 SystemFunction036
0x140018008 LookupPrivilegeValueW
0x140018010 AdjustTokenPrivileges
0x140018018 ImpersonateSelf
0x140018020 OpenProcessToken
0x140018028 OpenThreadToken
0x140018030 LookupAccountSidW
0x140018038 GetTokenInformation
SHELL32.dll
0x1400182f0 CommandLineToArgvW
0x1400182f8 ShellExecuteW
0x140018300 ShellExecuteA
EAT(Export Address Table) is none