Field | Value |
---|---|
Created | 2021.05.18 09:07 |
Machine | s1_win7_x6402 |
Filename | n9yo6g3m.rar |
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 7 detected (malicious, high confidence, Save, Wacapew, score) |
md5 | e5769bdf194b0a6369c0f58cc16e5a96 |
sha256 | 3a2300c069338bb09fabbccb368930a85e7390a1dc02fa8a08f9aaeec0223123 |
ssdeep | 12288:AWM5dKYoaXExbYau0l4BaauBv+te08MX7nPH+lGr2jLYN9fM+:AWaK5xdJl4QnJ+teumlOe8TM+ |
imphash | bb0de8a8adafa3758124639bf7d99d8c |
impfuzzy | 24:jjM6vVrOov2g9FTelVGdloXDuc9JgvgSuZatRlrqDSM1w2MlwaTmdIEp4wubBBg9:h0Ng9FCGdlXcKgSdtR6hW5mrqiFl |
Network IP location
Signature (5cnts)
Level | Description |
---|---|
watch | Communicates with host for which no DNS query was performed |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | File has been identified by 7 AntiVirus engines on VirusTotal as malicious |
info | One or more processes crashed |
info | This executable has a PDB path |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x20cc084 GetConsoleCP
0x20cc088 GetConsoleMode
0x20cc08c SetFilePointerEx
0x20cc090 SetStdHandle
0x20cc094 WriteConsoleW
0x20cc098 SetSystemPowerState
0x20cc09c CreateFileA
0x20cc0a0 GetTempPathA
0x20cc0a4 GetCommandLineA
0x20cc0a8 GetModuleFileNameA
0x20cc0ac OpenMutexA
0x20cc0b0 FormatMessageA
0x20cc0b4 GetSystemTimeAsFileTime
0x20cc0b8 CloseHandle
0x20cc0bc GetFileSize
0x20cc0c0 DeleteCriticalSection
0x20cc0c4 VirtualProtectEx
0x20cc0c8 VirtualProtect
0x20cc0cc EncodePointer
0x20cc0d0 DecodePointer
0x20cc0d4 GetLastError
0x20cc0d8 HeapFree
0x20cc0dc HeapAlloc
0x20cc0e0 RaiseException
0x20cc0e4 RtlUnwind
0x20cc0e8 GetCurrentThreadId
0x20cc0ec IsProcessorFeaturePresent
0x20cc0f0 ExitProcess
0x20cc0f4 GetModuleHandleExW
0x20cc0f8 GetProcAddress
0x20cc0fc MultiByteToWideChar
0x20cc100 WideCharToMultiByte
0x20cc104 HeapSize
0x20cc108 GetProcessHeap
0x20cc10c GetStdHandle
0x20cc110 WriteFile
0x20cc114 GetModuleFileNameW
0x20cc118 IsDebuggerPresent
0x20cc11c EnterCriticalSection
0x20cc120 LeaveCriticalSection
0x20cc124 SetLastError
0x20cc128 GetFileType
0x20cc12c GetStartupInfoW
0x20cc130 QueryPerformanceCounter
0x20cc134 GetCurrentProcessId
0x20cc138 GetEnvironmentStringsW
0x20cc13c FreeEnvironmentStringsW
0x20cc140 UnhandledExceptionFilter
0x20cc144 SetUnhandledExceptionFilter
0x20cc148 InitializeCriticalSectionAndSpinCount
0x20cc14c Sleep
0x20cc150 GetCurrentProcess
0x20cc154 TerminateProcess
0x20cc158 TlsAlloc
0x20cc15c TlsGetValue
0x20cc160 TlsSetValue
0x20cc164 TlsFree
0x20cc168 GetModuleHandleW
0x20cc16c LCMapStringW
0x20cc170 LoadLibraryExW
0x20cc174 IsValidCodePage
0x20cc178 GetACP
0x20cc17c GetOEMCP
0x20cc180 GetCPInfo
0x20cc184 HeapReAlloc
0x20cc188 OutputDebugStringW
0x20cc18c GetStringTypeW
0x20cc190 FlushFileBuffers
0x20cc194 CreateFileW
ole32.dll
0x20cc19c CoTaskMemAlloc
0x20cc1a0 CoUninitialize
0x20cc1a4 CoInitialize
0x20cc1a8 CoTaskMemFree
ADVAPI32.dll
0x20cc000 RegCloseKey
0x20cc004 RegQueryValueExA
0x20cc008 RegOpenKeyExA
0x20cc00c RegEnumKeyA
0x20cc010 RegDeleteKeyA
0x20cc014 RegCreateKeyExA
0x20cc018 LookupPrivilegeValueA
0x20cc01c SetSecurityDescriptorDacl
0x20cc020 InitializeSecurityDescriptor
0x20cc024 SetEntriesInAclA
0x20cc028 StartServiceCtrlDispatcherA
0x20cc02c SetServiceStatus
0x20cc030 RegisterServiceCtrlHandlerA
0x20cc034 QueryServiceStatus
0x20cc038 OpenServiceA
0x20cc03c OpenSCManagerA
0x20cc040 CreateServiceW
0x20cc044 ControlService
0x20cc048 OpenProcessToken
0x20cc04c OpenThreadToken
0x20cc050 AllocateAndInitializeSid
0x20cc054 FreeSid
0x20cc058 RegSetValueExA
Cabinet.dll
0x20cc060 None
0x20cc064 None
0x20cc068 None
GPEDIT.DLL
0x20cc070 DeleteGPOLink
0x20cc074 BrowseForGPO
0x20cc078 ExportRSoPData
0x20cc07c CreateGPOLink
EAT(Export Address Table) Library
0x10ad2f0 Me
0x10acc00 Specialgun
0x10ad3b0 Spendbroke