ScreenShot
| Created | 2021.04.13 09:15 | Machine | s1_win7_x6401 |
| Filename | tk.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 28 detected (malicious, high confidence, HxQBiSgA, Unsafe, Wacatac, ZexaF, XvW@aGzAtFdi, Kryptik, Eldorado, Attribute, HighConfidence, GXKQ, FileRepMalware, CLOUD, Outbreak, kcloud, score, Artemis, BScope, confidence) | ||
| md5 | b23af6c6f1a909df7d67de1e4c2aaa8c | ||
| sha256 | 98bfe099448bb6fd9805a64eef2cdcf84c7ea5ac8112540d5f21cc5e8294ed94 | ||
| ssdeep | 12288:trDRwp8F0xFZqtUQxEEnZjPyKcPb/hKc9+94NVpmw3EzxBllk:tIe0xFdQsKcDkcYi/i | ||
| imphash | 403dd600b89f7fbd0ff9bd9eb624c5b8 | ||
| impfuzzy | 96:h03IagjX1y7EJvxABivLe+SLzJxlelvXvUKs362HmNGETv0s:3FCdiwzJxlinsq2GDD0s | ||
Network IP location
Signature (31cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 28 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Attempts to remove evidence of file being downloaded from the Internet |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates an Alternate Data Stream (ADS) |
| watch | Harvests credentials from local email clients |
| watch | Installs itself for autorun at Windows startup |
| watch | Potential code injection by writing to the memory of another process |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Executes one or more WMI queries |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Steals private information from local Internet browsers |
| notice | Terminates another process |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (17cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Antivirus | Contains references to security software | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (download) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | win_files_operation | Affect private profile | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_registry | Affect system registries | binaries (upload) |
| info | win_token | Affect system token | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x47309c TlsFree
0x4730a0 TlsGetValue
0x4730a4 TlsSetValue
0x4730a8 VirtualAlloc
0x4730ac WaitForSingleObject
0x4730b0 GetCurrentThreadId
0x4730b4 GetCommandLineA
0x4730b8 SetEvent
0x4730bc CloseHandle
0x4730c0 CreateThread
0x4730c4 GetModuleHandleW
0x4730c8 CreateEventA
0x4730cc GetConsoleMode
0x4730d0 GetConsoleCP
0x4730d4 FlushFileBuffers
0x4730d8 GetStringTypeW
0x4730dc SetEnvironmentVariableW
0x4730e0 SetEnvironmentVariableA
0x4730e4 FreeEnvironmentStringsW
0x4730e8 GetEnvironmentStringsW
0x4730ec TlsAlloc
0x4730f0 GetCPInfo
0x4730f4 GetOEMCP
0x4730f8 IsValidCodePage
0x4730fc FindNextFileW
0x473100 FindNextFileA
0x473104 FindFirstFileExW
0x473108 FindFirstFileExA
0x47310c FindClose
0x473110 GetProcessHeap
0x473114 HeapQueryInformation
0x473118 HeapFree
0x47311c SetConsoleCtrlHandler
0x473120 WriteConsoleW
0x473124 HeapReAlloc
0x473128 HeapSize
0x47312c GetFileType
0x473130 GetCurrentThread
0x473134 EnumSystemLocalesW
0x473138 GetUserDefaultLCID
0x47313c TerminateProcess
0x473140 TerminateJobObject
0x473144 SystemTimeToTzSpecificLocalTime
0x473148 SwitchToThread
0x47314c SuspendThread
0x473150 SleepEx
0x473154 SleepConditionVariableSRW
0x473158 Sleep
0x47315c SignalObjectAndWait
0x473160 SetUnhandledExceptionFilter
0x473164 SetThreadPriority
0x473168 SetStdHandle
0x47316c SetProcessShutdownParameters
0x473170 SetNamedPipeHandleState
0x473174 SetInformationJobObject
0x473178 SetHandleInformation
0x47317c SetFilePointerEx
0x473180 SetFileAttributesW
0x473184 lstrcmpiA
0x473188 WideCharToMultiByte
0x47318c FreeLibrary
0x473190 DeleteCriticalSection
0x473194 GetProcAddress
0x473198 DecodePointer
0x47319c GetModuleFileNameA
0x4731a0 LoadResource
0x4731a4 IsDBCSLeadByte
0x4731a8 RaiseException
0x4731ac GetLastError
0x4731b0 MultiByteToWideChar
0x4731b4 GetModuleHandleA
0x4731b8 FindResourceA
0x4731bc InitializeCriticalSectionEx
0x4731c0 LeaveCriticalSection
0x4731c4 LoadLibraryExA
0x4731c8 EnterCriticalSection
0x4731cc SetLastError
0x4731d0 SizeofResource
0x4731d4 GetCommandLineW
0x4731d8 IsValidLocale
0x4731dc GetLocaleInfoW
0x4731e0 LCMapStringW
0x4731e4 CompareStringW
0x4731e8 GetTimeFormatW
0x4731ec GetDateFormatW
0x4731f0 OutputDebugStringA
0x4731f4 GetACP
0x4731f8 WriteFile
0x4731fc GetStdHandle
0x473200 ExitProcess
0x473204 HeapValidate
0x473208 HeapAlloc
0x47320c GetModuleHandleExW
0x473210 GetModuleFileNameW
0x473214 VirtualQuery
0x473218 VirtualProtect
0x47321c GetSystemInfo
0x473220 LoadLibraryExW
0x473224 InitializeCriticalSectionAndSpinCount
0x473228 EncodePointer
0x47322c InterlockedFlushSList
0x473230 InterlockedPushEntrySList
0x473234 RtlUnwind
0x473238 InitializeSListHead
0x47323c IsDebuggerPresent
0x473240 OutputDebugStringW
0x473244 UnhandledExceptionFilter
0x473248 GetCurrentProcess
0x47324c IsProcessorFeaturePresent
0x473250 GetStartupInfoW
0x473254 QueryPerformanceCounter
0x473258 GetCurrentProcessId
0x47325c GetSystemTimeAsFileTime
0x473260 CreateFileW
USER32.dll
0x473298 AllowSetForegroundWindow
0x47329c CloseDesktop
0x4732a0 CloseWindowStation
0x4732a4 UnregisterClassA
0x4732a8 CreateWindowExW
0x4732ac CreateWindowStationW
0x4732b0 DefWindowProcW
0x4732b4 DestroyWindow
0x4732b8 CharNextA
0x4732bc CreateDesktopW
0x4732c0 RegisterClassW
0x4732c4 DispatchMessageW
0x4732c8 GetMessageA
0x4732cc FindWindowExW
0x4732d0 PostThreadMessageA
0x4732d4 CharNextW
0x4732d8 TranslateMessage
0x4732dc CharUpperA
0x4732e0 DispatchMessageA
0x4732e4 PostMessageW
0x4732e8 IsWindow
0x4732ec GetWindowThreadProcessId
0x4732f0 GetUserObjectInformationW
0x4732f4 GetThreadDesktop
0x4732f8 GetProcessWindowStation
0x4732fc GetMessageW
ADVAPI32.dll
0x473000 GetKernelObjectSecurity
0x473004 RegQueryInfoKeyA
0x473008 SystemFunction036
0x47300c SetTokenInformation
0x473010 SetThreadToken
0x473014 SetSecurityInfo
0x473018 SetKernelObjectSecurity
0x47301c SetEntriesInAclW
0x473020 RevertToSelf
0x473024 RegSetValueExW
0x473028 RegQueryValueExW
0x47302c GetSecurityDescriptorSacl
0x473030 GetNamedSecurityInfoW
0x473034 GetLengthSid
0x473038 GetAce
0x47303c FreeSid
0x473040 EventWrite
0x473044 EventUnregister
0x473048 EventRegister
0x47304c EqualSid
0x473050 DuplicateTokenEx
0x473054 DuplicateToken
0x473058 CreateWellKnownSid
0x47305c CreateRestrictedToken
0x473060 CreateProcessAsUserW
0x473064 CopySid
0x473068 ConvertStringSidToSidW
0x47306c ConvertStringSecurityDescriptorToSecurityDescriptorW
0x473070 ConvertSidToStringSidW
0x473074 AccessCheck
0x473078 RegCloseKey
0x47307c RegQueryInfoKeyW
0x473080 RegDeleteKeyA
0x473084 RegCreateKeyExA
0x473088 RegSetValueExA
0x47308c RegOpenKeyExA
0x473090 RegDeleteValueA
0x473094 RegEnumKeyExA
SHELL32.dll
0x47328c SHGetFolderPathW
0x473290 SHGetKnownFolderPath
ole32.dll
0x473304 CoRevokeClassObject
0x473308 CoTaskMemAlloc
0x47330c CoTaskMemFree
0x473310 CoTaskMemRealloc
0x473314 CoAddRefServerProcess
0x473318 CoReleaseServerProcess
0x47331c CoInitialize
0x473320 StringFromGUID2
0x473324 CoUninitialize
0x473328 CoCreateInstance
0x47332c CoRegisterClassObject
0x473330 CoResumeClassObjects
OLEAUT32.dll
0x473268 LoadRegTypeLib
0x47326c LoadTypeLib
0x473270 UnRegisterTypeLib
0x473274 SysAllocString
0x473278 SysStringLen
0x47327c VarUI4FromStr
0x473280 SysFreeString
0x473284 RegisterTypeLib
EAT(Export Address Table) is none
KERNEL32.dll
0x47309c TlsFree
0x4730a0 TlsGetValue
0x4730a4 TlsSetValue
0x4730a8 VirtualAlloc
0x4730ac WaitForSingleObject
0x4730b0 GetCurrentThreadId
0x4730b4 GetCommandLineA
0x4730b8 SetEvent
0x4730bc CloseHandle
0x4730c0 CreateThread
0x4730c4 GetModuleHandleW
0x4730c8 CreateEventA
0x4730cc GetConsoleMode
0x4730d0 GetConsoleCP
0x4730d4 FlushFileBuffers
0x4730d8 GetStringTypeW
0x4730dc SetEnvironmentVariableW
0x4730e0 SetEnvironmentVariableA
0x4730e4 FreeEnvironmentStringsW
0x4730e8 GetEnvironmentStringsW
0x4730ec TlsAlloc
0x4730f0 GetCPInfo
0x4730f4 GetOEMCP
0x4730f8 IsValidCodePage
0x4730fc FindNextFileW
0x473100 FindNextFileA
0x473104 FindFirstFileExW
0x473108 FindFirstFileExA
0x47310c FindClose
0x473110 GetProcessHeap
0x473114 HeapQueryInformation
0x473118 HeapFree
0x47311c SetConsoleCtrlHandler
0x473120 WriteConsoleW
0x473124 HeapReAlloc
0x473128 HeapSize
0x47312c GetFileType
0x473130 GetCurrentThread
0x473134 EnumSystemLocalesW
0x473138 GetUserDefaultLCID
0x47313c TerminateProcess
0x473140 TerminateJobObject
0x473144 SystemTimeToTzSpecificLocalTime
0x473148 SwitchToThread
0x47314c SuspendThread
0x473150 SleepEx
0x473154 SleepConditionVariableSRW
0x473158 Sleep
0x47315c SignalObjectAndWait
0x473160 SetUnhandledExceptionFilter
0x473164 SetThreadPriority
0x473168 SetStdHandle
0x47316c SetProcessShutdownParameters
0x473170 SetNamedPipeHandleState
0x473174 SetInformationJobObject
0x473178 SetHandleInformation
0x47317c SetFilePointerEx
0x473180 SetFileAttributesW
0x473184 lstrcmpiA
0x473188 WideCharToMultiByte
0x47318c FreeLibrary
0x473190 DeleteCriticalSection
0x473194 GetProcAddress
0x473198 DecodePointer
0x47319c GetModuleFileNameA
0x4731a0 LoadResource
0x4731a4 IsDBCSLeadByte
0x4731a8 RaiseException
0x4731ac GetLastError
0x4731b0 MultiByteToWideChar
0x4731b4 GetModuleHandleA
0x4731b8 FindResourceA
0x4731bc InitializeCriticalSectionEx
0x4731c0 LeaveCriticalSection
0x4731c4 LoadLibraryExA
0x4731c8 EnterCriticalSection
0x4731cc SetLastError
0x4731d0 SizeofResource
0x4731d4 GetCommandLineW
0x4731d8 IsValidLocale
0x4731dc GetLocaleInfoW
0x4731e0 LCMapStringW
0x4731e4 CompareStringW
0x4731e8 GetTimeFormatW
0x4731ec GetDateFormatW
0x4731f0 OutputDebugStringA
0x4731f4 GetACP
0x4731f8 WriteFile
0x4731fc GetStdHandle
0x473200 ExitProcess
0x473204 HeapValidate
0x473208 HeapAlloc
0x47320c GetModuleHandleExW
0x473210 GetModuleFileNameW
0x473214 VirtualQuery
0x473218 VirtualProtect
0x47321c GetSystemInfo
0x473220 LoadLibraryExW
0x473224 InitializeCriticalSectionAndSpinCount
0x473228 EncodePointer
0x47322c InterlockedFlushSList
0x473230 InterlockedPushEntrySList
0x473234 RtlUnwind
0x473238 InitializeSListHead
0x47323c IsDebuggerPresent
0x473240 OutputDebugStringW
0x473244 UnhandledExceptionFilter
0x473248 GetCurrentProcess
0x47324c IsProcessorFeaturePresent
0x473250 GetStartupInfoW
0x473254 QueryPerformanceCounter
0x473258 GetCurrentProcessId
0x47325c GetSystemTimeAsFileTime
0x473260 CreateFileW
USER32.dll
0x473298 AllowSetForegroundWindow
0x47329c CloseDesktop
0x4732a0 CloseWindowStation
0x4732a4 UnregisterClassA
0x4732a8 CreateWindowExW
0x4732ac CreateWindowStationW
0x4732b0 DefWindowProcW
0x4732b4 DestroyWindow
0x4732b8 CharNextA
0x4732bc CreateDesktopW
0x4732c0 RegisterClassW
0x4732c4 DispatchMessageW
0x4732c8 GetMessageA
0x4732cc FindWindowExW
0x4732d0 PostThreadMessageA
0x4732d4 CharNextW
0x4732d8 TranslateMessage
0x4732dc CharUpperA
0x4732e0 DispatchMessageA
0x4732e4 PostMessageW
0x4732e8 IsWindow
0x4732ec GetWindowThreadProcessId
0x4732f0 GetUserObjectInformationW
0x4732f4 GetThreadDesktop
0x4732f8 GetProcessWindowStation
0x4732fc GetMessageW
ADVAPI32.dll
0x473000 GetKernelObjectSecurity
0x473004 RegQueryInfoKeyA
0x473008 SystemFunction036
0x47300c SetTokenInformation
0x473010 SetThreadToken
0x473014 SetSecurityInfo
0x473018 SetKernelObjectSecurity
0x47301c SetEntriesInAclW
0x473020 RevertToSelf
0x473024 RegSetValueExW
0x473028 RegQueryValueExW
0x47302c GetSecurityDescriptorSacl
0x473030 GetNamedSecurityInfoW
0x473034 GetLengthSid
0x473038 GetAce
0x47303c FreeSid
0x473040 EventWrite
0x473044 EventUnregister
0x473048 EventRegister
0x47304c EqualSid
0x473050 DuplicateTokenEx
0x473054 DuplicateToken
0x473058 CreateWellKnownSid
0x47305c CreateRestrictedToken
0x473060 CreateProcessAsUserW
0x473064 CopySid
0x473068 ConvertStringSidToSidW
0x47306c ConvertStringSecurityDescriptorToSecurityDescriptorW
0x473070 ConvertSidToStringSidW
0x473074 AccessCheck
0x473078 RegCloseKey
0x47307c RegQueryInfoKeyW
0x473080 RegDeleteKeyA
0x473084 RegCreateKeyExA
0x473088 RegSetValueExA
0x47308c RegOpenKeyExA
0x473090 RegDeleteValueA
0x473094 RegEnumKeyExA
SHELL32.dll
0x47328c SHGetFolderPathW
0x473290 SHGetKnownFolderPath
ole32.dll
0x473304 CoRevokeClassObject
0x473308 CoTaskMemAlloc
0x47330c CoTaskMemFree
0x473310 CoTaskMemRealloc
0x473314 CoAddRefServerProcess
0x473318 CoReleaseServerProcess
0x47331c CoInitialize
0x473320 StringFromGUID2
0x473324 CoUninitialize
0x473328 CoCreateInstance
0x47332c CoRegisterClassObject
0x473330 CoResumeClassObjects
OLEAUT32.dll
0x473268 LoadRegTypeLib
0x47326c LoadTypeLib
0x473270 UnRegisterTypeLib
0x473274 SysAllocString
0x473278 SysStringLen
0x47327c VarUI4FromStr
0x473280 SysFreeString
0x473284 RegisterTypeLib
EAT(Export Address Table) is none