ScreenShot
| Created | 2021.05.20 10:04 | Machine | s1_win7_x6402 |
| Filename | 0519_2457254452195.doc | ||
| Type | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Auth | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 7 detected (Suspexec, gen29, Alien, Ole2, druvzi) | ||
| md5 | 4680281474f5c31c4161ea107032b297 | ||
| sha256 | 49294badb32f0de8845001dcfa55223bb4bdf916905ef3148847ab9799b4d7f1 | ||
| ssdeep | 24576:MEIjrPUaphvGvGUZ93/semhXp7AsWZXgPUw2:M/jhvGvGU93097AFZgP | ||
| imphash | |||
| impfuzzy | |||
Network IP location
Signature (42cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | Executed a process and injected code into it |
| watch | A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Checks the CPU name from registry |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates suspicious VBA object |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | Libraries known to be associated with a CVE were requested (may be False Positive) |
| watch | One or more non-whitelisted processes were created |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | The process winword.exe wrote an executable file to disk |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process rundll32.exe |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Creates (office) documents on the filesystem |
| notice | Creates a suspicious process |
| notice | Creates hidden or system file |
| notice | File has been identified by 7 AntiVirus engines on VirusTotal as malicious |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Looks up the external IP address |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | Word document hooks document open |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (16cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
| warning | Contains_VBA_macro_code | Detect a MS Office document with embedded VBA macro code [binaries] | binaries (upload) |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
Network (15cnts) ?
Suricata ids
ET MALWARE Win32/Ficker Stealer Activity
ET MALWARE Win32/Ficker Stealer Activity M3
ET POLICY External IP Lookup api.ipify.org
ET POLICY External IP Lookup (ipify .org)
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Win32/Ficker Stealer Activity M3
ET POLICY External IP Lookup api.ipify.org
ET POLICY External IP Lookup (ipify .org)
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP