Report - d3

PE File PE32
Created 2021.06.19 09:09
Machine s1_win7_x6402
Filename d3
Type PE32 executable (native) Intel 80386, for MS Windows
AI Score 4
Behavior Score 1.0
ZERO API file : clean
VT API (file) 13 detected (Retliften, AJIH, ADFG, Hijacker, CLASSIC, ai score=85, Netfilter, Artemis)
md5 cb34374f1b5fb771076872c6b14b7501
sha256 e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37
ssdeep 768:8WetQRPOQaniqkpY0O5w8dBxmT9yWU3jSPyyihNfVARbpn:8WXOQwi6wEBxmTSp3Epn
imphash b5403fb8687d7afd40fd8cf3b4dfe29b
impfuzzy 48:gBWXAOfVN+MwagfGIqokKo6PdZ/Cf5l70sEupnb/Jye:Zz+Mw7fJqiZ/CxprXb/Jye

Signature (3cnts)

Level | Description
watch | File has been identified by 13 AntiVirus engines on VirusTotal as malicious
info | The executable contains unknown PE section names indicative of a packer (could be a false positive)
info | This executable has a PDB path

Rules (2cnts)

Level | Name | Description | Collection
info | IsPE32 | (no description) | binaries (upload)
info | PE_Header_Zero | PE File Signature | binaries (upload)

Network (0cnts)

Request CC ASN Co IP4 Rule ZERO
(no entries)

Suricata ids

PE API

IAT (Import Address Table) by library

fwpkclnt.sys
 0x407030 FwpsAcquireClassifyHandle0
 0x407034 FwpsReleaseClassifyHandle0
 0x407038 FwpmFilterDeleteById0
 0x40703c FwpsAcquireWritableLayerDataPointer0
 0x407040 FwpsApplyModifiedLayerData0
 0x407044 FwpmFilterAdd0
 0x407048 FwpmCalloutAdd0
 0x40704c FwpmSubLayerDeleteByKey0
 0x407050 FwpmSubLayerAdd0
 0x407054 FwpmTransactionAbort0
 0x407058 FwpmTransactionCommit0
 0x40705c FwpmTransactionBegin0
 0x407060 FwpmEngineClose0
 0x407064 FwpmEngineOpen0
 0x407068 FwpsCalloutUnregisterById0
 0x40706c FwpsCompleteClassify0
 0x407070 FwpsCalloutRegister1
ntoskrnl.exe
 0x407078 IofCallDriver
 0x40707c IoCreateFile
 0x407080 IoFreeIrp
 0x407084 IoGetRelatedDeviceObject
 0x407088 ObReferenceObjectByHandle
 0x40708c ObfDereferenceObject
 0x407090 ZwQueryInformationFile
 0x407094 ZwSetInformationFile
 0x407098 ZwReadFile
 0x40709c ZwWriteFile
 0x4070a0 ZwClose
 0x4070a4 IoFileObjectType
 0x4070a8 KeEnterCriticalRegion
 0x4070ac KeLeaveCriticalRegion
 0x4070b0 PsTerminateSystemThread
 0x4070b4 KeSetBasePriorityThread
 0x4070b8 sprintf
 0x4070bc CmUnRegisterCallback
 0x4070c0 CmRegisterCallbackEx
 0x4070c4 CmCallbackGetKeyObjectID
 0x4070c8 MmIsAddressValid
 0x4070cc strlen
 0x4070d0 strncmp
 0x4070d4 strncpy
 0x4070d8 wcscat
 0x4070dc wcslen
 0x4070e0 wcsncmp
 0x4070e4 RtlInitAnsiString
 0x4070e8 strcat
 0x4070ec strcmp
 0x4070f0 strncat
 0x4070f4 ExAllocatePoolWithTag
 0x4070f8 ExAcquireSpinLockExclusive
 0x4070fc ExReleaseSpinLockExclusive
 0x407100 wcscpy
 0x407104 RtlAnsiStringToUnicodeString
 0x407108 RtlFreeUnicodeString
 0x40710c RtlCreateSecurityDescriptor
 0x407110 RtlSetDaclSecurityDescriptor
 0x407114 KeResetEvent
 0x407118 KeInitializeTimerEx
 0x40711c KeSetTimerEx
 0x407120 PsCreateSystemThread
 0x407124 ZwCreateKey
 0x407128 ZwOpenKey
 0x40712c ZwFlushKey
 0x407130 ZwQueryValueKey
 0x407134 ZwSetValueKey
 0x407138 NtQueryInformationToken
 0x40713c RtlLengthSid
 0x407140 RtlConvertSidToUnicodeString
 0x407144 RtlCreateAcl
 0x407148 RtlAddAccessAllowedAce
 0x40714c RtlSetOwnerSecurityDescriptor
 0x407150 PsLookupProcessByProcessId
 0x407154 ObOpenObjectByPointer
 0x407158 ZwOpenProcessTokenEx
 0x40715c ZwSetSecurityObject
 0x407160 PsGetProcessImageFileName
 0x407164 _allmul
 0x407168 PsProcessType
 0x40716c SeExports
 0x407170 strchr
 0x407174 strncpy_s
 0x407178 MmProbeAndLockPages
 0x40717c MmUnlockPages
 0x407180 IoAllocateMdl
 0x407184 IoFreeMdl
 0x407188 IoReuseIrp
 0x40718c IoAllocateIrp
 0x407190 RtlUnwind
 0x407194 KeWaitForSingleObject
 0x407198 KeSetEvent
 0x40719c KeInitializeEvent
 0x4071a0 KeGetCurrentThread
 0x4071a4 IoDeleteSymbolicLink
 0x4071a8 KeBugCheckEx
 0x4071ac ExFreePoolWithTag
 0x4071b0 RtlInitUnicodeString
 0x4071b4 RtlCopyUnicodeString
 0x4071b8 strcpy
 0x4071bc memset
 0x4071c0 memcpy
 0x4071c4 strstr
NETIO.SYS
 0x407008 WskDeregister
 0x40700c WskReleaseProviderNPI
 0x407010 WskCaptureProviderNPI
 0x407014 WskRegister
HAL.dll
 0x407000 KeGetCurrentIrql
WDFLDR.SYS
 0x40701c WdfVersionBind
 0x407020 WdfVersionBindClass
 0x407024 WdfVersionUnbindClass
 0x407028 WdfVersionUnbind

EAT (Export Address Table): none