popup

Report - explorer.exe

PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.05.04 09:13 Machine s1_win7_x6402
Filename explorer.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
8
 Behavior Score
7.2
ZERO API file : clean
VT API (file) 54 detected (AIDetect, malware1, malicious, high confidence, MulDrop16, DeepScan, Rincux2, Unsafe, Farfli, ZexaF, zqW@aSaiSPgb, BYFY, Attribute, HighConfidence, GenKryptik, FCQT, Gh0stRAT, iudwcf, R + Mal, FakeAV, Magania, F@7jjkv4, Static AI, Suspicious PE, wfzk, ljbcq, ai score=100, kcloud, Kryptik, score, Zegost, R361328, R03AC0DDD21, CLOUD, GenAsa, UgP2HmBuAUY, Krypt, susgen, GdSda, confidence, 100%)
md5 01c087629a99a6cb94700ae1f8f4d894
sha256 ed5646b78d8d18ee534bb54d9708f5881d075c38d8f46dfa7e4c4a0783b01e27
ssdeep 1536:siRtp/YdUQtzqeCNNzwft8dJHHRP+QAhYd13afFM1c7EHChiH0hLP+VVVVVVVVVQ:sAAdrt4Ot6dpgxfFMa7EHbH0hLNZ
imphash b1b0e62d3ddafa526052777d5f7706b2
impfuzzy 12:mDzEMYAOovaZG2tPXJU3wXJYv8ERRvNu1Gbze6G9sAILFQLRJ:mDAMnOovuXd3iv8ERRvNuk/eJmtG
  Network IP location

Signature (14cnts)

Level Description
danger File has been identified by 54 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Network communications indicative of possible code injection originated from the process explorer.exe
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a service
notice Creates executable files on the filesystem
notice Foreign language identified in PE resource
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Repeatedly searches for a not-found process
notice Searches running processes potentially to identify processes for sandbox evasion
info Checks amount of memory in system
info The executable uses a known packer

Rules (2cnts)

Level Name Description Collection
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
62.234.113.47
whois
CN Shenzhen Tencent Computer Systems Company Limited 62.234.113.47 clean
106.52.15.123
whois
CN Shenzhen Tencent Computer Systems Company Limited 106.52.15.123 malware

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x407000 GetProcAddress
 0x407004 GetModuleHandleA
 0x407008 RtlUnwind
 0x40700c RaiseException
 0x407010 GetStartupInfoA
 0x407014 GetCommandLineA
 0x407018 GetVersion
 0x40701c ExitProcess
 0x407020 HeapFree
 0x407024 SetUnhandledExceptionFilter
 0x407028 TerminateProcess
 0x40702c GetCurrentProcess
 0x407030 UnhandledExceptionFilter
 0x407034 GetModuleFileNameA
 0x407038 FreeEnvironmentStringsA
 0x40703c FreeEnvironmentStringsW
 0x407040 WideCharToMultiByte
 0x407044 GetEnvironmentStrings
 0x407048 GetEnvironmentStringsW
 0x40704c SetHandleCount
 0x407050 GetStdHandle
 0x407054 GetFileType
 0x407058 GetEnvironmentVariableA
 0x40705c GetVersionExA
 0x407060 HeapDestroy
 0x407064 HeapCreate
 0x407068 VirtualFree
 0x40706c WriteFile
 0x407070 HeapAlloc
 0x407074 VirtualAlloc
 0x407078 HeapReAlloc
 0x40707c IsBadWritePtr
 0x407080 IsBadReadPtr
 0x407084 IsBadCodePtr
 0x407088 GetCPInfo
 0x40708c GetACP
 0x407090 GetOEMCP
 0x407094 LoadLibraryA
 0x407098 MultiByteToWideChar
 0x40709c LCMapStringA
 0x4070a0 LCMapStringW
 0x4070a4 GetStringTypeA
 0x4070a8 GetStringTypeW

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure