ScreenShot
| Created | 2021.06.24 19:32 | Machine | s1_win7_x6402 |
| Filename | svcshost.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 29 detected (malicious, high confidence, Inject4, Zusy, Unsafe, Kryptik, Eldorado, GXKQ, RATX, Streamer, ivltka, ASMalwS, Tnega, score, R342422, ai score=80, GdSda, b8k7lxMFPUQ) | ||
| md5 | 71a631f1113b4a885d5bc6bcd063482f | ||
| sha256 | e502d29756866e30ae71ffc91e9e9357ec03769001ddab947f68d93926cfe371 | ||
| ssdeep | 6144:gdgLjs1IAuaZDcppZeNYyhGmhTsYLl8v7pqFETv+AqW/ExaXwhp2U5Ouk/PCJDrJ:gqjs1puagZmYEV1QpqJaY2483C1J | ||
| imphash | 1dee63b6ebc44356529c6f4aed76bd09 | ||
| impfuzzy | 96:UbIagjX1y5ErvxAH4nsveLJ3neKXvUKs3HF2HmNGzS:jF4ZUJ3nznsV2GR | ||
Network IP location
Signature (22cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| warning | File has been identified by 29 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Attempts to remove evidence of file being downloaded from the Internet |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates an Alternate Data Stream (ADS) |
| watch | Installs itself for autorun at Windows startup |
| watch | Potential code injection by writing to the memory of another process |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | This executable has a PDB path |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Antivirus | Contains references to security software | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41a098 TlsFree
0x41a09c TlsGetValue
0x41a0a0 TlsSetValue
0x41a0a4 VirtualAlloc
0x41a0a8 GetCurrentThreadId
0x41a0ac GetCommandLineA
0x41a0b0 SetEvent
0x41a0b4 CloseHandle
0x41a0b8 GetModuleHandleW
0x41a0bc CreateFileW
0x41a0c0 GetConsoleMode
0x41a0c4 GetConsoleCP
0x41a0c8 FlushFileBuffers
0x41a0cc GetStringTypeW
0x41a0d0 GetProcessHeap
0x41a0d4 TlsAlloc
0x41a0d8 GetEnvironmentStringsW
0x41a0dc GetCommandLineW
0x41a0e0 GetCPInfo
0x41a0e4 GetOEMCP
0x41a0e8 GetACP
0x41a0ec IsValidCodePage
0x41a0f0 FindNextFileW
0x41a0f4 FindFirstFileExW
0x41a0f8 FindClose
0x41a0fc GetFileType
0x41a100 HeapAlloc
0x41a104 HeapFree
0x41a108 HeapReAlloc
0x41a10c HeapSize
0x41a110 TerminateProcess
0x41a114 TerminateJobObject
0x41a118 SystemTimeToTzSpecificLocalTime
0x41a11c SwitchToThread
0x41a120 SuspendThread
0x41a124 SleepEx
0x41a128 SleepConditionVariableSRW
0x41a12c Sleep
0x41a130 SignalObjectAndWait
0x41a134 SetUnhandledExceptionFilter
0x41a138 SetThreadPriority
0x41a13c SetStdHandle
0x41a140 SetProcessShutdownParameters
0x41a144 SetNamedPipeHandleState
0x41a148 SetLastError
0x41a14c SetInformationJobObject
0x41a150 SetHandleInformation
0x41a154 SetFilePointerEx
0x41a158 SetFileAttributesW
0x41a15c lstrcmpiA
0x41a160 WideCharToMultiByte
0x41a164 GetModuleFileNameA
0x41a168 FreeLibrary
0x41a16c DeleteCriticalSection
0x41a170 GetProcAddress
0x41a174 DecodePointer
0x41a178 LoadResource
0x41a17c IsDBCSLeadByte
0x41a180 RaiseException
0x41a184 GetLastError
0x41a188 MultiByteToWideChar
0x41a18c GetModuleHandleA
0x41a190 FindResourceA
0x41a194 InitializeCriticalSectionEx
0x41a198 LeaveCriticalSection
0x41a19c LoadLibraryExA
0x41a1a0 EnterCriticalSection
0x41a1a4 SizeofResource
0x41a1a8 FreeEnvironmentStringsW
0x41a1ac LCMapStringW
0x41a1b0 WriteFile
0x41a1b4 GetStdHandle
0x41a1b8 GetModuleFileNameW
0x41a1bc GetModuleHandleExW
0x41a1c0 ExitProcess
0x41a1c4 VirtualQuery
0x41a1c8 VirtualProtect
0x41a1cc GetSystemInfo
0x41a1d0 LoadLibraryExW
0x41a1d4 InitializeCriticalSectionAndSpinCount
0x41a1d8 EncodePointer
0x41a1dc RtlUnwind
0x41a1e0 InitializeSListHead
0x41a1e4 GetSystemTimeAsFileTime
0x41a1e8 GetCurrentProcessId
0x41a1ec QueryPerformanceCounter
0x41a1f0 GetStartupInfoW
0x41a1f4 IsProcessorFeaturePresent
0x41a1f8 GetCurrentProcess
0x41a1fc IsDebuggerPresent
0x41a200 OutputDebugStringW
0x41a204 UnhandledExceptionFilter
0x41a208 WriteConsoleW
USER32.dll
0x41a238 AllowSetForegroundWindow
0x41a23c CloseDesktop
0x41a240 CloseWindowStation
0x41a244 CreateWindowExW
0x41a248 CreateWindowStationW
0x41a24c DefWindowProcW
0x41a250 DestroyWindow
0x41a254 CharNextA
0x41a258 CreateDesktopW
0x41a25c RegisterClassW
0x41a260 DispatchMessageW
0x41a264 FindWindowExW
0x41a268 PostThreadMessageA
0x41a26c CharNextW
0x41a270 PostMessageW
0x41a274 IsWindow
0x41a278 GetWindowThreadProcessId
0x41a27c GetUserObjectInformationW
0x41a280 GetThreadDesktop
0x41a284 GetProcessWindowStation
0x41a288 GetMessageW
ADVAPI32.dll
0x41a000 EventWrite
0x41a004 SystemFunction036
0x41a008 SetTokenInformation
0x41a00c SetThreadToken
0x41a010 SetSecurityInfo
0x41a014 SetKernelObjectSecurity
0x41a018 SetEntriesInAclW
0x41a01c RevertToSelf
0x41a020 RegSetValueExW
0x41a024 RegQueryValueExW
0x41a028 GetSecurityDescriptorSacl
0x41a02c GetNamedSecurityInfoW
0x41a030 GetLengthSid
0x41a034 GetKernelObjectSecurity
0x41a038 GetAce
0x41a03c FreeSid
0x41a040 EventUnregister
0x41a044 EventRegister
0x41a048 EqualSid
0x41a04c DuplicateTokenEx
0x41a050 DuplicateToken
0x41a054 CreateWellKnownSid
0x41a058 CreateRestrictedToken
0x41a05c CreateProcessAsUserW
0x41a060 CopySid
0x41a064 ConvertStringSidToSidW
0x41a068 ConvertStringSecurityDescriptorToSecurityDescriptorW
0x41a06c ConvertSidToStringSidW
0x41a070 AccessCheck
0x41a074 RegCloseKey
0x41a078 RegQueryInfoKeyW
0x41a07c RegDeleteKeyA
0x41a080 RegCreateKeyExA
0x41a084 RegSetValueExA
0x41a088 RegOpenKeyExA
0x41a08c RegDeleteValueA
0x41a090 RegEnumKeyExA
SHELL32.dll
0x41a22c SHGetFolderPathW
0x41a230 SHGetKnownFolderPath
ole32.dll
0x41a290 CoTaskMemAlloc
0x41a294 CoTaskMemFree
0x41a298 CoTaskMemRealloc
0x41a29c CoAddRefServerProcess
0x41a2a0 CoReleaseServerProcess
0x41a2a4 CoCreateInstance
OLEAUT32.dll
0x41a210 LoadRegTypeLib
0x41a214 LoadTypeLib
0x41a218 SysAllocString
0x41a21c SysStringLen
0x41a220 VarUI4FromStr
0x41a224 SysFreeString
EAT(Export Address Table) is none
KERNEL32.dll
0x41a098 TlsFree
0x41a09c TlsGetValue
0x41a0a0 TlsSetValue
0x41a0a4 VirtualAlloc
0x41a0a8 GetCurrentThreadId
0x41a0ac GetCommandLineA
0x41a0b0 SetEvent
0x41a0b4 CloseHandle
0x41a0b8 GetModuleHandleW
0x41a0bc CreateFileW
0x41a0c0 GetConsoleMode
0x41a0c4 GetConsoleCP
0x41a0c8 FlushFileBuffers
0x41a0cc GetStringTypeW
0x41a0d0 GetProcessHeap
0x41a0d4 TlsAlloc
0x41a0d8 GetEnvironmentStringsW
0x41a0dc GetCommandLineW
0x41a0e0 GetCPInfo
0x41a0e4 GetOEMCP
0x41a0e8 GetACP
0x41a0ec IsValidCodePage
0x41a0f0 FindNextFileW
0x41a0f4 FindFirstFileExW
0x41a0f8 FindClose
0x41a0fc GetFileType
0x41a100 HeapAlloc
0x41a104 HeapFree
0x41a108 HeapReAlloc
0x41a10c HeapSize
0x41a110 TerminateProcess
0x41a114 TerminateJobObject
0x41a118 SystemTimeToTzSpecificLocalTime
0x41a11c SwitchToThread
0x41a120 SuspendThread
0x41a124 SleepEx
0x41a128 SleepConditionVariableSRW
0x41a12c Sleep
0x41a130 SignalObjectAndWait
0x41a134 SetUnhandledExceptionFilter
0x41a138 SetThreadPriority
0x41a13c SetStdHandle
0x41a140 SetProcessShutdownParameters
0x41a144 SetNamedPipeHandleState
0x41a148 SetLastError
0x41a14c SetInformationJobObject
0x41a150 SetHandleInformation
0x41a154 SetFilePointerEx
0x41a158 SetFileAttributesW
0x41a15c lstrcmpiA
0x41a160 WideCharToMultiByte
0x41a164 GetModuleFileNameA
0x41a168 FreeLibrary
0x41a16c DeleteCriticalSection
0x41a170 GetProcAddress
0x41a174 DecodePointer
0x41a178 LoadResource
0x41a17c IsDBCSLeadByte
0x41a180 RaiseException
0x41a184 GetLastError
0x41a188 MultiByteToWideChar
0x41a18c GetModuleHandleA
0x41a190 FindResourceA
0x41a194 InitializeCriticalSectionEx
0x41a198 LeaveCriticalSection
0x41a19c LoadLibraryExA
0x41a1a0 EnterCriticalSection
0x41a1a4 SizeofResource
0x41a1a8 FreeEnvironmentStringsW
0x41a1ac LCMapStringW
0x41a1b0 WriteFile
0x41a1b4 GetStdHandle
0x41a1b8 GetModuleFileNameW
0x41a1bc GetModuleHandleExW
0x41a1c0 ExitProcess
0x41a1c4 VirtualQuery
0x41a1c8 VirtualProtect
0x41a1cc GetSystemInfo
0x41a1d0 LoadLibraryExW
0x41a1d4 InitializeCriticalSectionAndSpinCount
0x41a1d8 EncodePointer
0x41a1dc RtlUnwind
0x41a1e0 InitializeSListHead
0x41a1e4 GetSystemTimeAsFileTime
0x41a1e8 GetCurrentProcessId
0x41a1ec QueryPerformanceCounter
0x41a1f0 GetStartupInfoW
0x41a1f4 IsProcessorFeaturePresent
0x41a1f8 GetCurrentProcess
0x41a1fc IsDebuggerPresent
0x41a200 OutputDebugStringW
0x41a204 UnhandledExceptionFilter
0x41a208 WriteConsoleW
USER32.dll
0x41a238 AllowSetForegroundWindow
0x41a23c CloseDesktop
0x41a240 CloseWindowStation
0x41a244 CreateWindowExW
0x41a248 CreateWindowStationW
0x41a24c DefWindowProcW
0x41a250 DestroyWindow
0x41a254 CharNextA
0x41a258 CreateDesktopW
0x41a25c RegisterClassW
0x41a260 DispatchMessageW
0x41a264 FindWindowExW
0x41a268 PostThreadMessageA
0x41a26c CharNextW
0x41a270 PostMessageW
0x41a274 IsWindow
0x41a278 GetWindowThreadProcessId
0x41a27c GetUserObjectInformationW
0x41a280 GetThreadDesktop
0x41a284 GetProcessWindowStation
0x41a288 GetMessageW
ADVAPI32.dll
0x41a000 EventWrite
0x41a004 SystemFunction036
0x41a008 SetTokenInformation
0x41a00c SetThreadToken
0x41a010 SetSecurityInfo
0x41a014 SetKernelObjectSecurity
0x41a018 SetEntriesInAclW
0x41a01c RevertToSelf
0x41a020 RegSetValueExW
0x41a024 RegQueryValueExW
0x41a028 GetSecurityDescriptorSacl
0x41a02c GetNamedSecurityInfoW
0x41a030 GetLengthSid
0x41a034 GetKernelObjectSecurity
0x41a038 GetAce
0x41a03c FreeSid
0x41a040 EventUnregister
0x41a044 EventRegister
0x41a048 EqualSid
0x41a04c DuplicateTokenEx
0x41a050 DuplicateToken
0x41a054 CreateWellKnownSid
0x41a058 CreateRestrictedToken
0x41a05c CreateProcessAsUserW
0x41a060 CopySid
0x41a064 ConvertStringSidToSidW
0x41a068 ConvertStringSecurityDescriptorToSecurityDescriptorW
0x41a06c ConvertSidToStringSidW
0x41a070 AccessCheck
0x41a074 RegCloseKey
0x41a078 RegQueryInfoKeyW
0x41a07c RegDeleteKeyA
0x41a080 RegCreateKeyExA
0x41a084 RegSetValueExA
0x41a088 RegOpenKeyExA
0x41a08c RegDeleteValueA
0x41a090 RegEnumKeyExA
SHELL32.dll
0x41a22c SHGetFolderPathW
0x41a230 SHGetKnownFolderPath
ole32.dll
0x41a290 CoTaskMemAlloc
0x41a294 CoTaskMemFree
0x41a298 CoTaskMemRealloc
0x41a29c CoAddRefServerProcess
0x41a2a0 CoReleaseServerProcess
0x41a2a4 CoCreateInstance
OLEAUT32.dll
0x41a210 LoadRegTypeLib
0x41a214 LoadTypeLib
0x41a218 SysAllocString
0x41a21c SysStringLen
0x41a220 VarUI4FromStr
0x41a224 SysFreeString
EAT(Export Address Table) is none