Field | Value
---|---
Created | 2021.04.21 17:15
Machine | s1_win7_x6401
Filename | BrowserUpdate.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score |
Behavior Score |
ZERO API | file : clean
VT API (file) | 38 detected (AIDetect, malware2, malicious, high confidence, Dacic, BitCoinMiner, QVM11, Unsafe, ZexaF, 5mGfaOWMXigj, IBKR, Attribute, HighConfidence, CoinMiner, Miner, score, Bitminer, TOOLXMR, Generic ML PUA, RiskTool, Artemis, ai score=89, ET#96%, RDMK, cmRtazpe2J7sEjSVXhRxPZhklgfW, Static AI, Malicious PE, confidence)
md5 | 048aa5b804cde0768111c633e0faa028
sha256 | 59df8a62108bbf3120e6699e616417f393aefaf0574b1fd1ae2bcb7802d543da
ssdeep | 12288:21oYI63MyxbFvw5pQKEjp9JsAAs0UWUKRHhhWV0EYn0v7KytlZTVtMh1FP8TjOu:WLr9RAphLWyEY0veytNWh1un
imphash | 88e0f730d73b3894d47f1966d8f19ff9
impfuzzy | 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRYNLbW6LTKfKSXR1bXGRY:dBJAEoZ/OEGDzyRMbs7GY
Signature (21cnts)
Level | Description |
---|---|
danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
watch | A stratum cryptocurrency mining command was executed |
watch | Created a Windows service that was not subsequently started |
watch | Installs itself for autorun at Windows startup |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Expresses interest in specific running processes |
notice | Foreign language identified in PE resource |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable uses a known packer |
info | The file contains an unknown PE resource name possibly indicative of a packer |
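The three "watch" signatures above (a stratum mining command line, a service registration, autorun persistence) are the behaviours a detection engineer would turn into a process-creation rule. The following triage script is an added example written for this page, not part of the sandbox's signature set: it runs over a handful of constructed Sysmon Event ID 1 style records (paths, service name and the `pool.invalid` hostname are made up) and flags the xmrig-style `stratum+tcp://` / `stratum+ssl://` pool URL, the accompanying miner switches, an image running from the user's AppData folder, and an `sc create ... binPath=` registration that points into a user-writable directory.

```python
import re

# Constructed process-creation records in Sysmon Event ID 1 style (sample data
# made up for this example, not taken from the sandbox report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\AppData\Roaming\BrowserUpdate\svchost.exe",
     "CommandLine": (r'"C:\Users\victim\AppData\Roaming\BrowserUpdate\svchost.exe" '
                     r'-o stratum+tcp://pool.invalid:3333 -u 4AbCdEfGhIjK.worker1 '
                     r'-p x --donate-level=1 --cpu-max-threads-hint=50')},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": (r'sc create BrowserUpdateSvc binPath= '
                     r'"C:\Users\victim\AppData\Roaming\BrowserUpdate\svchost.exe" start= auto')},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'notepad.exe C:\Users\victim\Documents\notes.txt'},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\upd.exe",
     "CommandLine": (r'upd.exe --url=stratum+ssl://pool.invalid:443 --user=wallet '
                     r'--pass=x --algo=rx/0')},
]

# Stratum pool URL as passed to xmrig-style miners (the strong indicator).
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl|tls)://[^\s\"']+", re.IGNORECASE)
# Switches typical of CPU miners; weak alone, so they only add context once a
# pool URL has been found.
MINER_SWITCH_RE = re.compile(
    r"(?:^|\s)(?:--donate-level|--algo|--cpu-max-threads-hint|--coin|--rig-id"
    r"|--user|--pass|-u|-p|-o)\b", re.IGNORECASE)
# Locations an unprivileged dropper can write to.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# "sc create <name> ... binPath= <path>" registration of a persistent service.
SC_CREATE_RE = re.compile(
    r"\bsc(?:\.exe)?\s+create\s+(?P<name>\S+).*?binPath=\s*"
    r"(?:\"(?P<q>[^\"]+)\"|(?P<u>\S+))", re.IGNORECASE)


def triage(event):
    """Score one process-creation event; returns its indicators and a verdict."""
    cmd = event["CommandLine"]
    indicators = []
    binpath = None

    url = STRATUM_RE.search(cmd)
    if url:
        indicators.append(f"stratum pool url {url.group(0)}")
        switches = sorted({s.strip().lower() for s in MINER_SWITCH_RE.findall(cmd)})
        if switches:
            indicators.append("miner switches " + " ".join(switches))

    if USER_WRITABLE_RE.search(event["Image"]):
        indicators.append("image runs from user-writable AppData path")

    svc = SC_CREATE_RE.search(cmd)
    if svc:
        binpath = svc.group("q") or svc.group("u")
        where = "user-writable" if USER_WRITABLE_RE.search(binpath) else "system"
        indicators.append(f"service {svc.group('name')} registered with {where} binPath")

    if url:
        verdict = "cryptominer"
    elif binpath and USER_WRITABLE_RE.search(binpath):
        verdict = "suspicious persistence"
    else:
        verdict = "benign"
    return {"image": event["Image"], "verdict": verdict, "indicators": indicators}


def scan(events):
    """Triage every event in order and return one result per event."""
    return [triage(e) for e in events]


if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(r["verdict"].ljust(22), r["image"])
        for ind in r["indicators"]:
            print("    -", ind)
```

The pool URL alone is enough for a "cryptominer" verdict; the miner switches and the AppData path are recorded as supporting context, which is the same layering the sandbox report uses (one "danger"/"watch" hit backed by several "notice" items). In a real pipeline the `sc create` rule should also be paired with the service-start event, since the report notes the service was created but never started.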
Rules (28cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (download) |
info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | create_service | Create a windows service | binaries (download) |
info | escalate_priv | Escalate privileges | binaries (download) |
info | HasDebugData | DebugData Check | binaries (download) |
info | HasDigitalSignature | DigitalSignature Check | binaries (download) |
info | HasOverlay | Overlay Check | binaries (download) |
info | HasRichSignature | Rich Signature Check | binaries (download) |
info | HasRichSignature | Rich Signature Check | binaries (upload) |
info | IsConsole | (no description) | binaries (download) |
info | IsPacked | Entropy Check | binaries (download) |
info | IsPacked | Entropy Check | binaries (upload) |
info | IsWindowsGUI | (no description) | binaries (download) |
info | IsWindowsGUI | (no description) | binaries (upload) |
info | keylogger | Run a keylogger | binaries (download) |
info | network_dns | Communications use DNS | binaries (download) |
info | network_tcp_listen | Listen for incoming communication | binaries (download) |
info | network_tcp_socket | Communications over RAW socket | binaries (download) |
info | network_udp_sock | Communications over UDP network | binaries (download) |
info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (download) |
info | win_files_operation | Affect private profile | binaries (download) |
info | win_token | Affect system token | binaries (download) |
PE API
IAT (Import Address Table)
KERNEL32.DLL
0x648f74 LoadLibraryA
0x648f78 ExitProcess
0x648f7c GetProcAddress
0x648f80 VirtualProtect
SHELL32.dll
0x648f88 ShellExecuteW
SHLWAPI.dll
0x648f90 PathIsDirectoryW
USER32.dll
0x648f98 wsprintfA
EAT (Export Address Table): none
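The import table above has the shape of a UPX decompression stub rather than of the real program: kernel32 supplies only LoadLibraryA, GetProcAddress, VirtualProtect and ExitProcess (what the stub needs to unpack in place and resolve the original imports itself), and every other DLL keeps exactly one import so that it is still mapped by the loader. The script below is an added example written for this page, not part of the sandbox's rule set: it rebuilds the imphash input string from the listed imports using the same normalisation as the widely used pefile/Mandiant algorithm, and applies a "stub-shaped import table" heuristic (an assumption of this example, not a published rule) to the report's imports and to a constructed unpacked counter-example. The computed hash equals the report's imphash only if this listing reflects the binary's actual import directory order, so the report's value stays authoritative.

```python
import hashlib

# Import table as listed in the report's IAT section, in directory order.
REPORT_IMPORTS = [
    ("KERNEL32.DLL", ["LoadLibraryA", "ExitProcess", "GetProcAddress", "VirtualProtect"]),
    ("SHELL32.dll", ["ShellExecuteW"]),
    ("SHLWAPI.dll", ["PathIsDirectoryW"]),
    ("USER32.dll", ["wsprintfA"]),
]

# Constructed counter-example (made up for this example): an ordinary GUI
# program whose import table has not been stripped by a packer.
UNPACKED_IMPORTS = [
    ("KERNEL32.dll", ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle",
                      "GetLastError", "HeapAlloc", "HeapFree", "GetModuleHandleW"]),
    ("USER32.dll", ["CreateWindowExW", "DefWindowProcW", "DispatchMessageW",
                    "GetMessageW", "RegisterClassW", "ShowWindow"]),
    ("GDI32.dll", ["SelectObject", "DeleteObject"]),
]

# The kernel32 functions a UPX stub needs: load the real DLLs, resolve the
# original imports, make the unpacked sections executable, and exit on error.
UPX_STUB_KERNEL32 = {"loadlibrarya", "getprocaddress", "virtualprotect", "exitprocess"}


def imphash_string(imports):
    """Build the 'lib.func,lib.func,...' string the imphash is computed over.

    Normalisation follows the pefile/Mandiant algorithm: everything lowercased,
    and a trailing .dll/.ocx/.sys dropped from the library name.
    """
    parts = []
    for lib, funcs in imports:
        name = lib.lower()
        base, dot, ext = name.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            name = base
        parts.extend(f"{name}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalised import string, as a 32-character hex digest."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


def looks_like_upx_stub(imports):
    """Heuristic (an assumption of this example): kernel32 imports nothing beyond
    the stub's needs, and every other DLL keeps exactly one import."""
    by_lib = {lib.lower(): [f.lower() for f in funcs] for lib, funcs in imports}
    k32 = set(by_lib.get("kernel32.dll", []))
    if not k32 or not k32 <= UPX_STUB_KERNEL32:
        return False
    others = [funcs for lib, funcs in by_lib.items() if lib != "kernel32.dll"]
    return all(len(funcs) == 1 for funcs in others)


def triage_imports(imports):
    """Summarise an import table the way a static triage step would."""
    return {
        "imphash": imphash(imports),
        "import_count": sum(len(funcs) for _, funcs in imports),
        "upx_stub_shape": looks_like_upx_stub(imports),
    }


if __name__ == "__main__":
    for label, table in (("report", REPORT_IMPORTS), ("unpacked", UNPACKED_IMPORTS)):
        print(label, triage_imports(table))
```

Because the visible imports belong to the stub, neither the imphash nor the import list says much about what the payload does; the behavioural signatures (stratum command, service creation, autorun) carry that information. The original import table only becomes visible after unpacking, which for an unmodified UPX layer is `upx -d` on a copy of the sample.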