Report - مدمج الفصل الأول+الثاني+ الثالث +الرابع + المصادر+الملاحق .exe

Anti_VM PE File PE32 PE64
Created 2021.06.24 08:54 Machine s1_win7_x6402
Filename مدمج الفصل الأول+الثاني+ الثالث +الرابع + المصادر+الملاحق .exe
Type MS-DOS executable, MZ for MS-DOS
AI Score 2
Behavior Score 13.0
ZERO API (file): clean
VT API (file) 59 detected (AIDetect, malware1, malicious, high confidence, Doboc, Tempedreve, Unsafe, Save, PolyRansom, Kryptik, Ursnif, GWUR, CTYE, dmvgtq, CLASSIC, R + W32, MPhage, DA@5jb9qs, bggax, ai score=86, ASBOL, mE18, score, PdfCrypt, Daws, FileInfector, Tuscas, ihP2Abnyiok, Static AI, Malicious PE, CryptD, confidence, 100%, Agentb, btuc)
md5 11fdd27279a2a41a93b3ef63dd1ff548
sha256 392d82e299dd3c9297a13cee34bbb04248f6e63a3d551ef47ef1346387c66447
ssdeep 98304:n8qbrrz2PI4SyqBMvP5oEWdTdT/Z9wbvboefUE3biLJ1G6ZC:Z/zKwBMvBobZx9mvcMUEuLzRZ
imphash 18c89e2ec0a399c68eaedd6551ce71fc
impfuzzy 3:siGV2SxqrJae0JSx3kMO26BJO7EBJJ67Sx2AEZsS9KTXzhAXwS9KnJsJSHXXL/On:KVhRbAMrERGD+ArOZETObln

Signature (29cnts)

Level Description
danger File has been identified by 59 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
watch Creates a thread using CreateRemoteThread in a non-child process indicative of process injection
watch Creates an executable file in a user folder
watch Drops a binary and executes it
watch Installs itself for autorun at Windows startup
watch Manipulates memory of a non-child process indicative of process injection
watch One or more non-whitelisted processes were created
watch One or more of the buffers contains an embedded PE file
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Creates (office) documents on the filesystem
notice Creates a service
notice Creates executable files on the filesystem
notice One or more potentially interesting buffers were extracted
notice Repeatedly searches for a not-found process
notice Searches running processes potentially to identify processes for sandbox evasion
notice Steals private information from local Internet browsers
notice Terminates another process
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info The file contains an unknown PE resource name possibly indicative of a packer
info Tries to locate where the browsers are installed

Rules (7cnts)

Level Name Description Collection
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts)

Request CC ASN Co IP4 Rule

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x402000 VirtualFree
 0x402004 GetModuleFileNameW
 0x402008 CreateFileW
 0x40200c GetFileSize
 0x402010 ReadFile
 0x402014 CloseHandle
 0x402018 VirtualAlloc
 0x40201c GetModuleHandleA
 0x402020 GetProcAddress
 0x402024 GetProcessHeap
 0x402028 GetCurrentProcess
 0x40202c TerminateProcess
 0x402030 HeapAlloc
 0x402034 HeapFree

EAT (Export Address Table): none

Similarity measure (PE file only) - Checking for service failure