ScreenShot
| Created | 2021.04.14 18:17 | Machine | s1_win7_x6402 |
| Filename | fix.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 25 detected (AIDetect, malware1, malicious, high confidence, Unsafe, Save, IUNU, Attribute, HighConfidence, KillAV, score, xahlxv, PowerShell, kcloud, CoinMiner, Phonzy, ET#100%, RDMK, cmRtazqvTOj24YHY3fvo4PROTNRA, Genetic, QVM05) | ||
| md5 | 025e0b547c344ac713a7284e17feaca7 | ||
| sha256 | 448c916483d9a19490c29bbd8286ff297d8fa1828f5626deebc82ea605e66928 | ||
| ssdeep | 1536:o7f9h0UPJP/CpICdikMLMLv5PFNg1qrX+VIOlnToIf7gIxsV3M3aOn:mliUPXC8k1nJrX+fNTBfnyM3Z | ||
| imphash | 5877688b4859ffd051f6be3b8e0cd533 | ||
| impfuzzy | 48:YMaG/U3WrCpt1vJOI40EdXlqSZ/g/KA/kEUEk1WSY+09AEFXolvyAobFzGJ6tn63:YnmU3aCpt1vJh400XlZW4wvIow | ||
Network IP location
Signature (19cnts)
| Level | Description |
|---|---|
| danger | Disables Windows Security features |
| danger | Stops Windows services |
| warning | File has been identified by 25 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates known SpyNet files |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process created a hidden window |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Executes one or more WMI queries |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
Rules (18cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | Lnk_Format_Zero | LNK Format | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_files_operation | Affect private profile | memory |
| info | win_registry | Affect system registries | memory |
| info | win_token | Affect system token | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
MSVCRT.dll
0x416468 memset
0x41646c wcsncmp
0x416470 memmove
0x416474 wcsncpy
0x416478 wcsstr
0x41647c _wcsnicmp
0x416480 _wcsdup
0x416484 free
0x416488 _wcsicmp
0x41648c wcslen
0x416490 wcscpy
0x416494 wcscmp
0x416498 memcpy
0x41649c tolower
0x4164a0 wcscat
0x4164a4 malloc
KERNEL32.dll
0x4164ac GetModuleHandleW
0x4164b0 HeapCreate
0x4164b4 GetStdHandle
0x4164b8 HeapDestroy
0x4164bc ExitProcess
0x4164c0 WriteFile
0x4164c4 GetTempFileNameW
0x4164c8 LoadLibraryExW
0x4164cc EnumResourceTypesW
0x4164d0 FreeLibrary
0x4164d4 RemoveDirectoryW
0x4164d8 GetExitCodeProcess
0x4164dc EnumResourceNamesW
0x4164e0 GetCommandLineW
0x4164e4 LoadResource
0x4164e8 SizeofResource
0x4164ec FreeResource
0x4164f0 FindResourceW
0x4164f4 GetNativeSystemInfo
0x4164f8 GetShortPathNameW
0x4164fc GetWindowsDirectoryW
0x416500 GetSystemDirectoryW
0x416504 EnterCriticalSection
0x416508 CloseHandle
0x41650c LeaveCriticalSection
0x416510 InitializeCriticalSection
0x416514 WaitForSingleObject
0x416518 TerminateThread
0x41651c CreateThread
0x416520 Sleep
0x416524 GetProcAddress
0x416528 GetVersionExW
0x41652c WideCharToMultiByte
0x416530 HeapAlloc
0x416534 HeapFree
0x416538 LoadLibraryW
0x41653c GetCurrentProcessId
0x416540 GetCurrentThreadId
0x416544 GetModuleFileNameW
0x416548 GetEnvironmentVariableW
0x41654c SetEnvironmentVariableW
0x416550 GetCurrentProcess
0x416554 TerminateProcess
0x416558 SetUnhandledExceptionFilter
0x41655c HeapSize
0x416560 MultiByteToWideChar
0x416564 CreateDirectoryW
0x416568 SetFileAttributesW
0x41656c GetTempPathW
0x416570 DeleteFileW
0x416574 GetCurrentDirectoryW
0x416578 SetCurrentDirectoryW
0x41657c CreateFileW
0x416580 SetFilePointer
0x416584 TlsFree
0x416588 TlsGetValue
0x41658c TlsSetValue
0x416590 TlsAlloc
0x416594 HeapReAlloc
0x416598 DeleteCriticalSection
0x41659c InterlockedCompareExchange
0x4165a0 InterlockedExchange
0x4165a4 GetLastError
0x4165a8 SetLastError
0x4165ac UnregisterWait
0x4165b0 GetCurrentThread
0x4165b4 DuplicateHandle
0x4165b8 RegisterWaitForSingleObject
USER32.DLL
0x4165c0 CharUpperW
0x4165c4 CharLowerW
0x4165c8 MessageBoxW
0x4165cc DefWindowProcW
0x4165d0 DestroyWindow
0x4165d4 GetWindowLongW
0x4165d8 GetWindowTextLengthW
0x4165dc GetWindowTextW
0x4165e0 UnregisterClassW
0x4165e4 LoadIconW
0x4165e8 LoadCursorW
0x4165ec RegisterClassExW
0x4165f0 IsWindowEnabled
0x4165f4 EnableWindow
0x4165f8 GetSystemMetrics
0x4165fc CreateWindowExW
0x416600 SetWindowLongW
0x416604 SendMessageW
0x416608 SetFocus
0x41660c CreateAcceleratorTableW
0x416610 SetForegroundWindow
0x416614 BringWindowToTop
0x416618 GetMessageW
0x41661c TranslateAcceleratorW
0x416620 TranslateMessage
0x416624 DispatchMessageW
0x416628 DestroyAcceleratorTable
0x41662c PostMessageW
0x416630 GetForegroundWindow
0x416634 GetWindowThreadProcessId
0x416638 IsWindowVisible
0x41663c EnumWindows
0x416640 SetWindowPos
GDI32.DLL
0x416648 GetStockObject
COMCTL32.DLL
0x416650 InitCommonControlsEx
SHELL32.DLL
0x416658 ShellExecuteExW
0x41665c SHGetFolderLocation
0x416660 SHGetPathFromIDListW
WINMM.DLL
0x416668 timeBeginPeriod
OLE32.DLL
0x416670 CoInitialize
0x416674 CoTaskMemFree
SHLWAPI.DLL
0x41667c PathAddBackslashW
0x416680 PathRenameExtensionW
0x416684 PathQuoteSpacesW
0x416688 PathRemoveArgsW
0x41668c PathRemoveBackslashW
EAT(Export Address Table) is none
MSVCRT.dll
0x416468 memset
0x41646c wcsncmp
0x416470 memmove
0x416474 wcsncpy
0x416478 wcsstr
0x41647c _wcsnicmp
0x416480 _wcsdup
0x416484 free
0x416488 _wcsicmp
0x41648c wcslen
0x416490 wcscpy
0x416494 wcscmp
0x416498 memcpy
0x41649c tolower
0x4164a0 wcscat
0x4164a4 malloc
KERNEL32.dll
0x4164ac GetModuleHandleW
0x4164b0 HeapCreate
0x4164b4 GetStdHandle
0x4164b8 HeapDestroy
0x4164bc ExitProcess
0x4164c0 WriteFile
0x4164c4 GetTempFileNameW
0x4164c8 LoadLibraryExW
0x4164cc EnumResourceTypesW
0x4164d0 FreeLibrary
0x4164d4 RemoveDirectoryW
0x4164d8 GetExitCodeProcess
0x4164dc EnumResourceNamesW
0x4164e0 GetCommandLineW
0x4164e4 LoadResource
0x4164e8 SizeofResource
0x4164ec FreeResource
0x4164f0 FindResourceW
0x4164f4 GetNativeSystemInfo
0x4164f8 GetShortPathNameW
0x4164fc GetWindowsDirectoryW
0x416500 GetSystemDirectoryW
0x416504 EnterCriticalSection
0x416508 CloseHandle
0x41650c LeaveCriticalSection
0x416510 InitializeCriticalSection
0x416514 WaitForSingleObject
0x416518 TerminateThread
0x41651c CreateThread
0x416520 Sleep
0x416524 GetProcAddress
0x416528 GetVersionExW
0x41652c WideCharToMultiByte
0x416530 HeapAlloc
0x416534 HeapFree
0x416538 LoadLibraryW
0x41653c GetCurrentProcessId
0x416540 GetCurrentThreadId
0x416544 GetModuleFileNameW
0x416548 GetEnvironmentVariableW
0x41654c SetEnvironmentVariableW
0x416550 GetCurrentProcess
0x416554 TerminateProcess
0x416558 SetUnhandledExceptionFilter
0x41655c HeapSize
0x416560 MultiByteToWideChar
0x416564 CreateDirectoryW
0x416568 SetFileAttributesW
0x41656c GetTempPathW
0x416570 DeleteFileW
0x416574 GetCurrentDirectoryW
0x416578 SetCurrentDirectoryW
0x41657c CreateFileW
0x416580 SetFilePointer
0x416584 TlsFree
0x416588 TlsGetValue
0x41658c TlsSetValue
0x416590 TlsAlloc
0x416594 HeapReAlloc
0x416598 DeleteCriticalSection
0x41659c InterlockedCompareExchange
0x4165a0 InterlockedExchange
0x4165a4 GetLastError
0x4165a8 SetLastError
0x4165ac UnregisterWait
0x4165b0 GetCurrentThread
0x4165b4 DuplicateHandle
0x4165b8 RegisterWaitForSingleObject
USER32.DLL
0x4165c0 CharUpperW
0x4165c4 CharLowerW
0x4165c8 MessageBoxW
0x4165cc DefWindowProcW
0x4165d0 DestroyWindow
0x4165d4 GetWindowLongW
0x4165d8 GetWindowTextLengthW
0x4165dc GetWindowTextW
0x4165e0 UnregisterClassW
0x4165e4 LoadIconW
0x4165e8 LoadCursorW
0x4165ec RegisterClassExW
0x4165f0 IsWindowEnabled
0x4165f4 EnableWindow
0x4165f8 GetSystemMetrics
0x4165fc CreateWindowExW
0x416600 SetWindowLongW
0x416604 SendMessageW
0x416608 SetFocus
0x41660c CreateAcceleratorTableW
0x416610 SetForegroundWindow
0x416614 BringWindowToTop
0x416618 GetMessageW
0x41661c TranslateAcceleratorW
0x416620 TranslateMessage
0x416624 DispatchMessageW
0x416628 DestroyAcceleratorTable
0x41662c PostMessageW
0x416630 GetForegroundWindow
0x416634 GetWindowThreadProcessId
0x416638 IsWindowVisible
0x41663c EnumWindows
0x416640 SetWindowPos
GDI32.DLL
0x416648 GetStockObject
COMCTL32.DLL
0x416650 InitCommonControlsEx
SHELL32.DLL
0x416658 ShellExecuteExW
0x41665c SHGetFolderLocation
0x416660 SHGetPathFromIDListW
WINMM.DLL
0x416668 timeBeginPeriod
OLE32.DLL
0x416670 CoInitialize
0x416674 CoTaskMemFree
SHLWAPI.DLL
0x41667c PathAddBackslashW
0x416680 PathRenameExtensionW
0x416684 PathQuoteSpacesW
0x416688 PathRemoveArgsW
0x41668c PathRemoveBackslashW
EAT(Export Address Table) is none