ScreenShot
| Created | 2021.06.16 10:17 | Machine | s1_win7_x6402 |
| Filename | WindowsSecurity.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 27 detected (malicious, high confidence, Johnnie, Artemis, Save, ZexaF, PuX@aO3vbBfi, Attribute, HighConfidence, VSNW0FF21, Discord, ai score=85, Wacapew, score, Static AI, Suspicious PE, PossibleThreat, PALLASNET, confidence) | ||
| md5 | 04f7ee1aa5e29d2f2d4ea6b539d20709 | ||
| sha256 | e9d550d9a18dd0efee23eb189ba79917d39e5c33fc1dfac662248868c260f073 | ||
| ssdeep | 12288:Gz8Jjl7QuKXDpHyONt5geHO4Gfcju+ot5Sa/BJO6M6H2UG/cKMg5yyeqdXeRymh:Gzux7QVXgiTot5SCPO6WMg5yvQkB | ||
| imphash | 22ab859a05d3941a6575d64f5a0e3871 | ||
| impfuzzy | 96:wjG1Qipxf0r7BisGGxDstV1RtURXv6DkV6KR:GG1Uiy4ty4KR | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 27 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | A process attempted to delay the analysis task. |
| info | Checks amount of memory in system |
| info | This executable has a PDB path |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x483070 GetModuleHandleA
0x483074 LoadLibraryA
0x483078 QueryPerformanceCounter
0x48307c GetTickCount
0x483080 MoveFileExA
0x483084 WaitForSingleObjectEx
0x483088 GetEnvironmentVariableA
0x48308c GetStdHandle
0x483090 GetFileType
0x483094 ReadFile
0x483098 PeekNamedPipe
0x48309c WaitForMultipleObjects
0x4830a0 SetLastError
0x4830a4 FormatMessageW
0x4830a8 VerSetConditionMask
0x4830ac VerifyVersionInfoA
0x4830b0 CreateFileA
0x4830b4 GetFileSizeEx
0x4830b8 HeapSize
0x4830bc DeleteFileW
0x4830c0 GetProcessHeap
0x4830c4 FreeLibrary
0x4830c8 GetSystemDirectoryA
0x4830cc QueryPerformanceFrequency
0x4830d0 SleepEx
0x4830d4 GetLastError
0x4830d8 DeleteCriticalSection
0x4830dc InitializeCriticalSectionEx
0x4830e0 LeaveCriticalSection
0x4830e4 EnterCriticalSection
0x4830e8 CreateProcessA
0x4830ec GetConsoleWindow
0x4830f0 SetEnvironmentVariableW
0x4830f4 FreeEnvironmentStringsW
0x4830f8 GetEnvironmentStringsW
0x4830fc GetOEMCP
0x483100 GetACP
0x483104 IsValidCodePage
0x483108 FindNextFileW
0x48310c FindFirstFileExW
0x483110 WideCharToMultiByte
0x483114 GetTimeZoneInformation
0x483118 GetFullPathNameW
0x48311c GetCurrentDirectoryW
0x483120 SetEndOfFile
0x483124 SetStdHandle
0x483128 HeapReAlloc
0x48312c EnumSystemLocalesW
0x483130 GetUserDefaultLCID
0x483134 IsValidLocale
0x483138 GetLocaleInfoW
0x48313c LCMapStringW
0x483140 CompareStringW
0x483144 GetTimeFormatW
0x483148 GetDateFormatW
0x48314c CreatePipe
0x483150 GetFileAttributesExW
0x483154 GetExitCodeProcess
0x483158 HeapFree
0x48315c FlushFileBuffers
0x483160 HeapAlloc
0x483164 GetConsoleOutputCP
0x483168 ReadConsoleW
0x48316c GetConsoleMode
0x483170 GetCommandLineW
0x483174 GetCommandLineA
0x483178 SetFilePointerEx
0x48317c FreeLibraryAndExitThread
0x483180 ExitThread
0x483184 CreateThread
0x483188 FileTimeToSystemTime
0x48318c SystemTimeToTzSpecificLocalTime
0x483190 GetFileInformationByHandle
0x483194 GetDriveTypeW
0x483198 CreateProcessW
0x48319c DuplicateHandle
0x4831a0 GetModuleHandleExW
0x4831a4 ExitProcess
0x4831a8 LoadLibraryExW
0x4831ac WriteConsoleW
0x4831b0 TlsFree
0x4831b4 TlsSetValue
0x4831b8 TlsGetValue
0x4831bc TlsAlloc
0x4831c0 InitializeCriticalSectionAndSpinCount
0x4831c4 RaiseException
0x4831c8 RtlUnwind
0x4831cc InitializeSListHead
0x4831d0 CopyFileW
0x4831d4 GetModuleHandleW
0x4831d8 GlobalMemoryStatusEx
0x4831dc GetProcAddress
0x4831e0 K32EnumProcesses
0x4831e4 GetSystemInfo
0x4831e8 CloseHandle
0x4831ec GetTickCount64
0x4831f0 GetTempPathA
0x4831f4 Sleep
0x4831f8 MultiByteToWideChar
0x4831fc CreateFileW
0x483200 WaitForSingleObject
0x483204 SetFilePointer
0x483208 GetModuleFileNameW
0x48320c FindClose
0x483210 WriteFile
0x483214 EncodePointer
0x483218 DecodePointer
0x48321c LCMapStringEx
0x483220 GetStringTypeW
0x483224 GetCPInfo
0x483228 UnhandledExceptionFilter
0x48322c SetUnhandledExceptionFilter
0x483230 GetCurrentProcess
0x483234 TerminateProcess
0x483238 IsProcessorFeaturePresent
0x48323c IsDebuggerPresent
0x483240 GetStartupInfoW
0x483244 GetCurrentProcessId
0x483248 GetCurrentThreadId
0x48324c GetSystemTimeAsFileTime
USER32.dll
0x48325c GetCursorPos
0x483260 ShowWindow
ADVAPI32.dll
0x483000 CryptAcquireContextA
0x483004 CryptGenRandom
0x483008 CryptCreateHash
0x48300c CryptHashData
0x483010 CryptDestroyHash
0x483014 CryptDestroyKey
0x483018 CryptImportKey
0x48301c CryptEncrypt
0x483020 CryptReleaseContext
0x483024 CryptGetHashParam
urlmon.dll
0x48334c URLDownloadToFileW
Normaliz.dll
0x483254 IdnToAscii
WS2_32.dll
0x4832b4 select
0x4832b8 __WSAFDIsSet
0x4832bc ioctlsocket
0x4832c0 listen
0x4832c4 htonl
0x4832c8 accept
0x4832cc WSAIoctl
0x4832d0 WSACloseEvent
0x4832d4 socket
0x4832d8 ntohs
0x4832dc getsockopt
0x4832e0 getsockname
0x4832e4 getpeername
0x4832e8 connect
0x4832ec ind
0x4832f0 WSAGetLastError
0x4832f4 send
0x4832f8 WSACleanup
0x4832fc GetNameInfoW
0x483300 closesocket
0x483304 WSASocketW
0x483308 getaddrinfo
0x48330c WSAStartup
0x483310 WSAConnect
0x483314 InetPtonW
0x483318 gethostname
0x48331c recv
0x483320 htons
0x483324 freeaddrinfo
0x483328 setsockopt
0x48332c WSACreateEvent
0x483330 WSAEnumNetworkEvents
0x483334 WSAEventSelect
0x483338 ntohl
0x48333c sendto
0x483340 recvfrom
0x483344 WSASetLastError
WLDAP32.dll
0x483268 None
0x48326c None
0x483270 None
0x483274 None
0x483278 None
0x48327c None
0x483280 None
0x483284 None
0x483288 None
0x48328c None
0x483290 None
0x483294 None
0x483298 None
0x48329c None
0x4832a0 None
0x4832a4 None
0x4832a8 None
0x4832ac None
CRYPT32.dll
0x48302c CertFindCertificateInStore
0x483030 PFXImportCertStore
0x483034 CertCloseStore
0x483038 CertOpenStore
0x48303c CryptDecodeObjectEx
0x483040 CertFreeCertificateContext
0x483044 CryptStringToBinaryA
0x483048 CertAddCertificateContextToStore
0x48304c CertFindExtension
0x483050 CertGetNameStringA
0x483054 CryptQueryObject
0x483058 CertCreateCertificateChainEngine
0x48305c CertFreeCertificateChainEngine
0x483060 CertGetCertificateChain
0x483064 CertEnumCertificatesInStore
0x483068 CertFreeCertificateChain
EAT(Export Address Table) is none
KERNEL32.dll
0x483070 GetModuleHandleA
0x483074 LoadLibraryA
0x483078 QueryPerformanceCounter
0x48307c GetTickCount
0x483080 MoveFileExA
0x483084 WaitForSingleObjectEx
0x483088 GetEnvironmentVariableA
0x48308c GetStdHandle
0x483090 GetFileType
0x483094 ReadFile
0x483098 PeekNamedPipe
0x48309c WaitForMultipleObjects
0x4830a0 SetLastError
0x4830a4 FormatMessageW
0x4830a8 VerSetConditionMask
0x4830ac VerifyVersionInfoA
0x4830b0 CreateFileA
0x4830b4 GetFileSizeEx
0x4830b8 HeapSize
0x4830bc DeleteFileW
0x4830c0 GetProcessHeap
0x4830c4 FreeLibrary
0x4830c8 GetSystemDirectoryA
0x4830cc QueryPerformanceFrequency
0x4830d0 SleepEx
0x4830d4 GetLastError
0x4830d8 DeleteCriticalSection
0x4830dc InitializeCriticalSectionEx
0x4830e0 LeaveCriticalSection
0x4830e4 EnterCriticalSection
0x4830e8 CreateProcessA
0x4830ec GetConsoleWindow
0x4830f0 SetEnvironmentVariableW
0x4830f4 FreeEnvironmentStringsW
0x4830f8 GetEnvironmentStringsW
0x4830fc GetOEMCP
0x483100 GetACP
0x483104 IsValidCodePage
0x483108 FindNextFileW
0x48310c FindFirstFileExW
0x483110 WideCharToMultiByte
0x483114 GetTimeZoneInformation
0x483118 GetFullPathNameW
0x48311c GetCurrentDirectoryW
0x483120 SetEndOfFile
0x483124 SetStdHandle
0x483128 HeapReAlloc
0x48312c EnumSystemLocalesW
0x483130 GetUserDefaultLCID
0x483134 IsValidLocale
0x483138 GetLocaleInfoW
0x48313c LCMapStringW
0x483140 CompareStringW
0x483144 GetTimeFormatW
0x483148 GetDateFormatW
0x48314c CreatePipe
0x483150 GetFileAttributesExW
0x483154 GetExitCodeProcess
0x483158 HeapFree
0x48315c FlushFileBuffers
0x483160 HeapAlloc
0x483164 GetConsoleOutputCP
0x483168 ReadConsoleW
0x48316c GetConsoleMode
0x483170 GetCommandLineW
0x483174 GetCommandLineA
0x483178 SetFilePointerEx
0x48317c FreeLibraryAndExitThread
0x483180 ExitThread
0x483184 CreateThread
0x483188 FileTimeToSystemTime
0x48318c SystemTimeToTzSpecificLocalTime
0x483190 GetFileInformationByHandle
0x483194 GetDriveTypeW
0x483198 CreateProcessW
0x48319c DuplicateHandle
0x4831a0 GetModuleHandleExW
0x4831a4 ExitProcess
0x4831a8 LoadLibraryExW
0x4831ac WriteConsoleW
0x4831b0 TlsFree
0x4831b4 TlsSetValue
0x4831b8 TlsGetValue
0x4831bc TlsAlloc
0x4831c0 InitializeCriticalSectionAndSpinCount
0x4831c4 RaiseException
0x4831c8 RtlUnwind
0x4831cc InitializeSListHead
0x4831d0 CopyFileW
0x4831d4 GetModuleHandleW
0x4831d8 GlobalMemoryStatusEx
0x4831dc GetProcAddress
0x4831e0 K32EnumProcesses
0x4831e4 GetSystemInfo
0x4831e8 CloseHandle
0x4831ec GetTickCount64
0x4831f0 GetTempPathA
0x4831f4 Sleep
0x4831f8 MultiByteToWideChar
0x4831fc CreateFileW
0x483200 WaitForSingleObject
0x483204 SetFilePointer
0x483208 GetModuleFileNameW
0x48320c FindClose
0x483210 WriteFile
0x483214 EncodePointer
0x483218 DecodePointer
0x48321c LCMapStringEx
0x483220 GetStringTypeW
0x483224 GetCPInfo
0x483228 UnhandledExceptionFilter
0x48322c SetUnhandledExceptionFilter
0x483230 GetCurrentProcess
0x483234 TerminateProcess
0x483238 IsProcessorFeaturePresent
0x48323c IsDebuggerPresent
0x483240 GetStartupInfoW
0x483244 GetCurrentProcessId
0x483248 GetCurrentThreadId
0x48324c GetSystemTimeAsFileTime
USER32.dll
0x48325c GetCursorPos
0x483260 ShowWindow
ADVAPI32.dll
0x483000 CryptAcquireContextA
0x483004 CryptGenRandom
0x483008 CryptCreateHash
0x48300c CryptHashData
0x483010 CryptDestroyHash
0x483014 CryptDestroyKey
0x483018 CryptImportKey
0x48301c CryptEncrypt
0x483020 CryptReleaseContext
0x483024 CryptGetHashParam
urlmon.dll
0x48334c URLDownloadToFileW
Normaliz.dll
0x483254 IdnToAscii
WS2_32.dll
0x4832b4 select
0x4832b8 __WSAFDIsSet
0x4832bc ioctlsocket
0x4832c0 listen
0x4832c4 htonl
0x4832c8 accept
0x4832cc WSAIoctl
0x4832d0 WSACloseEvent
0x4832d4 socket
0x4832d8 ntohs
0x4832dc getsockopt
0x4832e0 getsockname
0x4832e4 getpeername
0x4832e8 connect
0x4832ec ind
0x4832f0 WSAGetLastError
0x4832f4 send
0x4832f8 WSACleanup
0x4832fc GetNameInfoW
0x483300 closesocket
0x483304 WSASocketW
0x483308 getaddrinfo
0x48330c WSAStartup
0x483310 WSAConnect
0x483314 InetPtonW
0x483318 gethostname
0x48331c recv
0x483320 htons
0x483324 freeaddrinfo
0x483328 setsockopt
0x48332c WSACreateEvent
0x483330 WSAEnumNetworkEvents
0x483334 WSAEventSelect
0x483338 ntohl
0x48333c sendto
0x483340 recvfrom
0x483344 WSASetLastError
WLDAP32.dll
0x483268 None
0x48326c None
0x483270 None
0x483274 None
0x483278 None
0x48327c None
0x483280 None
0x483284 None
0x483288 None
0x48328c None
0x483290 None
0x483294 None
0x483298 None
0x48329c None
0x4832a0 None
0x4832a4 None
0x4832a8 None
0x4832ac None
CRYPT32.dll
0x48302c CertFindCertificateInStore
0x483030 PFXImportCertStore
0x483034 CertCloseStore
0x483038 CertOpenStore
0x48303c CryptDecodeObjectEx
0x483040 CertFreeCertificateContext
0x483044 CryptStringToBinaryA
0x483048 CertAddCertificateContextToStore
0x48304c CertFindExtension
0x483050 CertGetNameStringA
0x483054 CryptQueryObject
0x483058 CertCreateCertificateChainEngine
0x48305c CertFreeCertificateChainEngine
0x483060 CertGetCertificateChain
0x483064 CertEnumCertificatesInStore
0x483068 CertFreeCertificateChain
EAT(Export Address Table) is none