ScreenShot
| Created | 2021.04.13 10:24 | Machine | s1_win7_x6402 |
| Filename | scan.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 29 detected (GenericKD, Kryptik, Eldorado, Attribute, HighConfidence, GXKQ, Malicious, score, yaolx@0, kcloud, Bsymem, AMRat, QXPVW3, BScope, Wacatac, ai score=80, CLOUD, HwoCiSgA) | ||
| md5 | 90aced49ee9c5ce3fc9f47ba8fd7333d | ||
| sha256 | 40d4ee1e0fa412176d826027c500bfbc29ee4c65bfd13dcec2f0facd0021399c | ||
| ssdeep | 6144:zdhq8+0St/u22jBUYWccGQy0AZo/aiEzHmHufrIbpZlvRBFyV9tDH6VdIa3aLHbc:zJ5XjBUYhc97AGaJ62rOw3EzxBl | ||
| imphash | 4a781930090209c67b1a0398b1940cca | ||
| impfuzzy | 96:Nr+IagjX1ynmrvxAYgMLsvJVzJxaeXXvUKs3He2HmNGETv0s:F1FyTRzJxaQnsu2GDD0s | ||
Network IP location
Signature (31cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 29 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Attempts to remove evidence of file being downloaded from the Internet |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates an Alternate Data Stream (ADS) |
| watch | Harvests credentials from local email clients |
| watch | Installs itself for autorun at Windows startup |
| watch | Potential code injection by writing to the memory of another process |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Executes one or more WMI queries |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Steals private information from local Internet browsers |
| notice | Terminates another process |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (17cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Antivirus | Contains references to security software | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (download) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | win_files_operation | Affect private profile | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_registry | Affect system registries | binaries (upload) |
| info | win_token | Affect system token | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x44309c TlsFree
0x4430a0 TlsGetValue
0x4430a4 TlsSetValue
0x4430a8 VirtualProtect
0x4430ac VirtualAlloc
0x4430b0 WaitForSingleObject
0x4430b4 GetCurrentThreadId
0x4430b8 GetCommandLineA
0x4430bc SetEvent
0x4430c0 CloseHandle
0x4430c4 CreateThread
0x4430c8 GetModuleHandleW
0x4430cc CreateEventA
0x4430d0 WriteConsoleW
0x4430d4 GetConsoleMode
0x4430d8 GetConsoleCP
0x4430dc FlushFileBuffers
0x4430e0 GetStringTypeW
0x4430e4 WaitForSingleObjectEx
0x4430e8 OutputDebugStringA
0x4430ec SetConsoleCtrlHandler
0x4430f0 TlsAlloc
0x4430f4 SetEnvironmentVariableW
0x4430f8 SetEnvironmentVariableA
0x4430fc FreeEnvironmentStringsW
0x443100 GetEnvironmentStringsW
0x443104 GetCommandLineW
0x443108 GetCPInfo
0x44310c GetOEMCP
0x443110 IsValidCodePage
0x443114 FindNextFileW
0x443118 FindNextFileA
0x44311c FindFirstFileExW
0x443120 FindFirstFileExA
0x443124 FindClose
0x443128 GetFileType
0x44312c HeapAlloc
0x443130 HeapFree
0x443134 GetCurrentThread
0x443138 HeapReAlloc
0x44313c HeapSize
0x443140 EnumSystemLocalesW
0x443144 TerminateProcess
0x443148 TerminateJobObject
0x44314c SystemTimeToTzSpecificLocalTime
0x443150 SwitchToThread
0x443154 SuspendThread
0x443158 SleepEx
0x44315c SleepConditionVariableSRW
0x443160 Sleep
0x443164 SignalObjectAndWait
0x443168 SetUnhandledExceptionFilter
0x44316c SetThreadPriority
0x443170 SetStdHandle
0x443174 SetProcessShutdownParameters
0x443178 SetNamedPipeHandleState
0x44317c SetLastError
0x443180 SetInformationJobObject
0x443184 SetHandleInformation
0x443188 SetFilePointerEx
0x44318c SetFileAttributesW
0x443190 lstrcmpiA
0x443194 WideCharToMultiByte
0x443198 FreeLibrary
0x44319c GetModuleFileNameA
0x4431a0 DeleteCriticalSection
0x4431a4 GetProcAddress
0x4431a8 DecodePointer
0x4431ac LoadResource
0x4431b0 IsDBCSLeadByte
0x4431b4 RaiseException
0x4431b8 GetLastError
0x4431bc MultiByteToWideChar
0x4431c0 GetModuleHandleA
0x4431c4 FindResourceA
0x4431c8 InitializeCriticalSectionEx
0x4431cc LeaveCriticalSection
0x4431d0 LoadLibraryExA
0x4431d4 EnterCriticalSection
0x4431d8 SizeofResource
0x4431dc GetProcessHeap
0x4431e0 GetUserDefaultLCID
0x4431e4 IsValidLocale
0x4431e8 GetLocaleInfoW
0x4431ec LCMapStringW
0x4431f0 CompareStringW
0x4431f4 GetTimeFormatW
0x4431f8 GetDateFormatW
0x4431fc GetACP
0x443200 WriteFile
0x443204 GetStdHandle
0x443208 GetModuleFileNameW
0x44320c GetModuleHandleExW
0x443210 ExitProcess
0x443214 VirtualQuery
0x443218 GetSystemInfo
0x44321c LoadLibraryExW
0x443220 InitializeCriticalSectionAndSpinCount
0x443224 EncodePointer
0x443228 InterlockedFlushSList
0x44322c InterlockedPushEntrySList
0x443230 RtlUnwind
0x443234 InitializeSListHead
0x443238 GetSystemTimeAsFileTime
0x44323c GetCurrentProcessId
0x443240 QueryPerformanceCounter
0x443244 IsDebuggerPresent
0x443248 OutputDebugStringW
0x44324c UnhandledExceptionFilter
0x443250 GetCurrentProcess
0x443254 IsProcessorFeaturePresent
0x443258 GetStartupInfoW
0x44325c CreateFileW
USER32.dll
0x443294 AllowSetForegroundWindow
0x443298 CloseDesktop
0x44329c CloseWindowStation
0x4432a0 UnregisterClassA
0x4432a4 CreateWindowExW
0x4432a8 CreateWindowStationW
0x4432ac DefWindowProcW
0x4432b0 DestroyWindow
0x4432b4 CharNextA
0x4432b8 CreateDesktopW
0x4432bc RegisterClassW
0x4432c0 DispatchMessageW
0x4432c4 GetMessageA
0x4432c8 FindWindowExW
0x4432cc PostThreadMessageA
0x4432d0 MessageBoxA
0x4432d4 CharNextW
0x4432d8 TranslateMessage
0x4432dc CharUpperA
0x4432e0 DispatchMessageA
0x4432e4 PostMessageW
0x4432e8 IsWindow
0x4432ec GetWindowThreadProcessId
0x4432f0 GetUserObjectInformationW
0x4432f4 GetThreadDesktop
0x4432f8 GetProcessWindowStation
0x4432fc GetMessageW
ADVAPI32.dll
0x443000 FreeSid
0x443004 RegQueryInfoKeyA
0x443008 SystemFunction036
0x44300c SetTokenInformation
0x443010 SetThreadToken
0x443014 SetSecurityInfo
0x443018 SetKernelObjectSecurity
0x44301c SetEntriesInAclW
0x443020 RevertToSelf
0x443024 RegSetValueExW
0x443028 RegQueryValueExW
0x44302c GetSecurityDescriptorSacl
0x443030 GetNamedSecurityInfoW
0x443034 GetLengthSid
0x443038 GetKernelObjectSecurity
0x44303c GetAce
0x443040 EventWrite
0x443044 EventUnregister
0x443048 EventRegister
0x44304c EqualSid
0x443050 DuplicateTokenEx
0x443054 DuplicateToken
0x443058 CreateWellKnownSid
0x44305c CreateRestrictedToken
0x443060 CreateProcessAsUserW
0x443064 CopySid
0x443068 ConvertStringSidToSidW
0x44306c ConvertStringSecurityDescriptorToSecurityDescriptorW
0x443070 ConvertSidToStringSidW
0x443074 AccessCheck
0x443078 RegCloseKey
0x44307c RegQueryInfoKeyW
0x443080 RegDeleteKeyA
0x443084 RegCreateKeyExA
0x443088 RegSetValueExA
0x44308c RegOpenKeyExA
0x443090 RegDeleteValueA
0x443094 RegEnumKeyExA
SHELL32.dll
0x443288 SHGetFolderPathW
0x44328c SHGetKnownFolderPath
ole32.dll
0x443304 CoRevokeClassObject
0x443308 CoTaskMemAlloc
0x44330c CoTaskMemFree
0x443310 CoTaskMemRealloc
0x443314 CoAddRefServerProcess
0x443318 CoReleaseServerProcess
0x44331c CoInitialize
0x443320 StringFromGUID2
0x443324 CoUninitialize
0x443328 CoCreateInstance
0x44332c CoRegisterClassObject
0x443330 CoResumeClassObjects
OLEAUT32.dll
0x443264 LoadRegTypeLib
0x443268 LoadTypeLib
0x44326c UnRegisterTypeLib
0x443270 SysAllocString
0x443274 SysStringLen
0x443278 VarUI4FromStr
0x44327c SysFreeString
0x443280 RegisterTypeLib
EAT(Export Address Table) is none
KERNEL32.dll
0x44309c TlsFree
0x4430a0 TlsGetValue
0x4430a4 TlsSetValue
0x4430a8 VirtualProtect
0x4430ac VirtualAlloc
0x4430b0 WaitForSingleObject
0x4430b4 GetCurrentThreadId
0x4430b8 GetCommandLineA
0x4430bc SetEvent
0x4430c0 CloseHandle
0x4430c4 CreateThread
0x4430c8 GetModuleHandleW
0x4430cc CreateEventA
0x4430d0 WriteConsoleW
0x4430d4 GetConsoleMode
0x4430d8 GetConsoleCP
0x4430dc FlushFileBuffers
0x4430e0 GetStringTypeW
0x4430e4 WaitForSingleObjectEx
0x4430e8 OutputDebugStringA
0x4430ec SetConsoleCtrlHandler
0x4430f0 TlsAlloc
0x4430f4 SetEnvironmentVariableW
0x4430f8 SetEnvironmentVariableA
0x4430fc FreeEnvironmentStringsW
0x443100 GetEnvironmentStringsW
0x443104 GetCommandLineW
0x443108 GetCPInfo
0x44310c GetOEMCP
0x443110 IsValidCodePage
0x443114 FindNextFileW
0x443118 FindNextFileA
0x44311c FindFirstFileExW
0x443120 FindFirstFileExA
0x443124 FindClose
0x443128 GetFileType
0x44312c HeapAlloc
0x443130 HeapFree
0x443134 GetCurrentThread
0x443138 HeapReAlloc
0x44313c HeapSize
0x443140 EnumSystemLocalesW
0x443144 TerminateProcess
0x443148 TerminateJobObject
0x44314c SystemTimeToTzSpecificLocalTime
0x443150 SwitchToThread
0x443154 SuspendThread
0x443158 SleepEx
0x44315c SleepConditionVariableSRW
0x443160 Sleep
0x443164 SignalObjectAndWait
0x443168 SetUnhandledExceptionFilter
0x44316c SetThreadPriority
0x443170 SetStdHandle
0x443174 SetProcessShutdownParameters
0x443178 SetNamedPipeHandleState
0x44317c SetLastError
0x443180 SetInformationJobObject
0x443184 SetHandleInformation
0x443188 SetFilePointerEx
0x44318c SetFileAttributesW
0x443190 lstrcmpiA
0x443194 WideCharToMultiByte
0x443198 FreeLibrary
0x44319c GetModuleFileNameA
0x4431a0 DeleteCriticalSection
0x4431a4 GetProcAddress
0x4431a8 DecodePointer
0x4431ac LoadResource
0x4431b0 IsDBCSLeadByte
0x4431b4 RaiseException
0x4431b8 GetLastError
0x4431bc MultiByteToWideChar
0x4431c0 GetModuleHandleA
0x4431c4 FindResourceA
0x4431c8 InitializeCriticalSectionEx
0x4431cc LeaveCriticalSection
0x4431d0 LoadLibraryExA
0x4431d4 EnterCriticalSection
0x4431d8 SizeofResource
0x4431dc GetProcessHeap
0x4431e0 GetUserDefaultLCID
0x4431e4 IsValidLocale
0x4431e8 GetLocaleInfoW
0x4431ec LCMapStringW
0x4431f0 CompareStringW
0x4431f4 GetTimeFormatW
0x4431f8 GetDateFormatW
0x4431fc GetACP
0x443200 WriteFile
0x443204 GetStdHandle
0x443208 GetModuleFileNameW
0x44320c GetModuleHandleExW
0x443210 ExitProcess
0x443214 VirtualQuery
0x443218 GetSystemInfo
0x44321c LoadLibraryExW
0x443220 InitializeCriticalSectionAndSpinCount
0x443224 EncodePointer
0x443228 InterlockedFlushSList
0x44322c InterlockedPushEntrySList
0x443230 RtlUnwind
0x443234 InitializeSListHead
0x443238 GetSystemTimeAsFileTime
0x44323c GetCurrentProcessId
0x443240 QueryPerformanceCounter
0x443244 IsDebuggerPresent
0x443248 OutputDebugStringW
0x44324c UnhandledExceptionFilter
0x443250 GetCurrentProcess
0x443254 IsProcessorFeaturePresent
0x443258 GetStartupInfoW
0x44325c CreateFileW
USER32.dll
0x443294 AllowSetForegroundWindow
0x443298 CloseDesktop
0x44329c CloseWindowStation
0x4432a0 UnregisterClassA
0x4432a4 CreateWindowExW
0x4432a8 CreateWindowStationW
0x4432ac DefWindowProcW
0x4432b0 DestroyWindow
0x4432b4 CharNextA
0x4432b8 CreateDesktopW
0x4432bc RegisterClassW
0x4432c0 DispatchMessageW
0x4432c4 GetMessageA
0x4432c8 FindWindowExW
0x4432cc PostThreadMessageA
0x4432d0 MessageBoxA
0x4432d4 CharNextW
0x4432d8 TranslateMessage
0x4432dc CharUpperA
0x4432e0 DispatchMessageA
0x4432e4 PostMessageW
0x4432e8 IsWindow
0x4432ec GetWindowThreadProcessId
0x4432f0 GetUserObjectInformationW
0x4432f4 GetThreadDesktop
0x4432f8 GetProcessWindowStation
0x4432fc GetMessageW
ADVAPI32.dll
0x443000 FreeSid
0x443004 RegQueryInfoKeyA
0x443008 SystemFunction036
0x44300c SetTokenInformation
0x443010 SetThreadToken
0x443014 SetSecurityInfo
0x443018 SetKernelObjectSecurity
0x44301c SetEntriesInAclW
0x443020 RevertToSelf
0x443024 RegSetValueExW
0x443028 RegQueryValueExW
0x44302c GetSecurityDescriptorSacl
0x443030 GetNamedSecurityInfoW
0x443034 GetLengthSid
0x443038 GetKernelObjectSecurity
0x44303c GetAce
0x443040 EventWrite
0x443044 EventUnregister
0x443048 EventRegister
0x44304c EqualSid
0x443050 DuplicateTokenEx
0x443054 DuplicateToken
0x443058 CreateWellKnownSid
0x44305c CreateRestrictedToken
0x443060 CreateProcessAsUserW
0x443064 CopySid
0x443068 ConvertStringSidToSidW
0x44306c ConvertStringSecurityDescriptorToSecurityDescriptorW
0x443070 ConvertSidToStringSidW
0x443074 AccessCheck
0x443078 RegCloseKey
0x44307c RegQueryInfoKeyW
0x443080 RegDeleteKeyA
0x443084 RegCreateKeyExA
0x443088 RegSetValueExA
0x44308c RegOpenKeyExA
0x443090 RegDeleteValueA
0x443094 RegEnumKeyExA
SHELL32.dll
0x443288 SHGetFolderPathW
0x44328c SHGetKnownFolderPath
ole32.dll
0x443304 CoRevokeClassObject
0x443308 CoTaskMemAlloc
0x44330c CoTaskMemFree
0x443310 CoTaskMemRealloc
0x443314 CoAddRefServerProcess
0x443318 CoReleaseServerProcess
0x44331c CoInitialize
0x443320 StringFromGUID2
0x443324 CoUninitialize
0x443328 CoCreateInstance
0x44332c CoRegisterClassObject
0x443330 CoResumeClassObjects
OLEAUT32.dll
0x443264 LoadRegTypeLib
0x443268 LoadTypeLib
0x44326c UnRegisterTypeLib
0x443270 SysAllocString
0x443274 SysStringLen
0x443278 VarUI4FromStr
0x44327c SysFreeString
0x443280 RegisterTypeLib
EAT(Export Address Table) is none