Field | Value |
---|---|
Created | 2021.06.24 20:21 |
Machine | s1_win7_x6402 |
Filename | PianoScrap.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 29 detected (AIDetect, malware1, malicious, high confidence, KillFiles, Strictor, GenericRI, S14805165, Unsafe, Save, Eldorado, score, Generic ML PUA, Static AI, Malicious PE, ai score=84, ASMalwS, Tnega, R343616) |
md5 | 2e765a8048bcd67f293f11db938e77c3 |
sha256 | 5f7322f79d8ce25a52aadf16b3f068169990cda606fb287d74fd5957c250c3b5 |
ssdeep | 1536:lTViOcRUBWC2jZP2ITQX5+e7ZnbHJNvgKWEJ4AZD6nm3ZjayurLT:lTUOPWC/IUJtZnbHJGc4w6m3ZjayILT |
imphash | 378c4792225854c10b4a5f5d67ecdbd2 |
impfuzzy | 48:hpBbLkVScJrOLeA+tAt8tz4eObGLlla/7rEFpV74dT+0Q6U095/1xyAC8L5lSvXG:nBHkVScJrye/q7ygCrXM |
Network IP location
Signature (57cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
warning | File has been identified by 29 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
watch | Appends a known multi-family ransomware file extension to files that have been encrypted |
watch | Attempts to modify browser security settings |
watch | Checks the CPU name from registry |
watch | Checks the presence of IDE drives in the registry |
watch | Communicates with host for which no DNS query was performed |
watch | Connects to an IRC server |
watch | Creates or sets a registry key to a long series of bytes |
watch | Detects Virtual Machines through their custom firmware |
watch | Detects VirtualBox through the presence of a device |
watch | Detects VirtualBox through the presence of a file |
watch | Detects VirtualBox through the presence of a registry key |
watch | Detects VMWare through the in instruction feature |
watch | Disables proxy possibly for traffic interception |
watch | Enumerates services |
watch | Expresses interest in specific running processes |
watch | Installs itself for autorun at Windows startup |
watch | Network activity contains more than one unique useragent |
watch | Network communications indicative of possible code injection originated from the process explorer.exe |
watch | Queries information on disks |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Tries to detect VirtualPC |
watch | Zeus P2P (Banking Trojan) |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks for known Chinese AV software registry keys |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a service |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Reads the systems User Agent and subsequently performs requests |
notice | Repeatedly searches for a not-found process |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
Rules (33cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | NorthKorea_Zero | Maybe it's North Korea File | binaries (download) |
danger | NPKI_Zero | File included NPKI | binaries (download) |
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Emotet_RL_Gen_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | VMProtect_Zero | VMProtect packed file | binaries (download) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Is_DotNET_DLL | (no description) | binaries (download) |
info | Is_DotNET_EXE | (no description) | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | Lnk_Format_Zero | LNK Format | binaries (download) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PNG_Format_Zero | PNG Format | binaries (download) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Network (128cnts)
Suricata ids
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO EXE - Served Attached HTTP
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET MALWARE Suspicious Download Setup_ exe
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO EXE - Served Attached HTTP
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET MALWARE Suspicious Download Setup_ exe
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x40805c GlobalLock
0x408060 GlobalAlloc
0x408064 CloseHandle
0x408068 SetFileTime
0x40806c CompareFileTime
0x408070 SearchPathA
0x408074 GetShortPathNameA
0x408078 GetFullPathNameA
0x40807c MoveFileA
0x408080 SetCurrentDirectoryA
0x408084 GetFileAttributesA
0x408088 GetLastError
0x40808c CreateDirectoryA
0x408090 SetFileAttributesA
0x408094 Sleep
0x408098 GetTickCount
0x40809c GetFileSize
0x4080a0 GetModuleFileNameA
0x4080a4 GetCurrentProcess
0x4080a8 CopyFileA
0x4080ac ExitProcess
0x4080b0 GlobalUnlock
0x4080b4 GetTempPathA
0x4080b8 GetCommandLineA
0x4080bc SetErrorMode
0x4080c0 lstrcpyA
0x4080c4 lstrcpynA
0x4080c8 lstrcatA
0x4080cc LoadLibraryA
0x4080d0 lstrlenA
0x4080d4 WideCharToMultiByte
0x4080d8 VirtualAlloc
0x4080dc VirtualProtect
0x4080e0 GetDiskFreeSpaceA
0x4080e4 CreateThread
0x4080e8 CreateProcessA
0x4080ec RemoveDirectoryA
0x4080f0 CreateFileA
0x4080f4 GetTempFileNameA
0x4080f8 GetSystemDirectoryA
0x4080fc GetVersion
0x408100 lstrcmpiA
0x408104 lstrcmpA
0x408108 ExpandEnvironmentStringsA
0x40810c GlobalFree
0x408110 WaitForSingleObject
0x408114 GetExitCodeProcess
0x408118 GetModuleHandleA
0x40811c LoadLibraryExA
0x408120 GetProcAddress
0x408124 FreeLibrary
0x408128 MulDiv
0x40812c MultiByteToWideChar
0x408130 WritePrivateProfileStringA
0x408134 GetPrivateProfileStringA
0x408138 WriteFile
0x40813c ReadFile
0x408140 SetFilePointer
0x408144 FindClose
0x408148 FindNextFileA
0x40814c FindFirstFileA
0x408150 DeleteFileA
0x408154 GlobalSize
0x408158 GetWindowsDirectoryA
USER32.dll
0x40817c SetClassLongA
0x408180 IsWindowEnabled
0x408184 GetSysColor
0x408188 GetWindowLongA
0x40818c SetCursor
0x408190 LoadCursorA
0x408194 CheckDlgButton
0x408198 GetMessagePos
0x40819c LoadBitmapA
0x4081a0 CallWindowProcA
0x4081a4 IsWindowVisible
0x4081a8 CloseClipboard
0x4081ac SetClipboardData
0x4081b0 EmptyClipboard
0x4081b4 OpenClipboard
0x4081b8 TrackPopupMenu
0x4081bc GetSystemMenu
0x4081c0 CreatePopupMenu
0x4081c4 GetSystemMetrics
0x4081c8 SetDlgItemTextA
0x4081cc GetDlgItemTextA
0x4081d0 MessageBoxIndirectA
0x4081d4 CharPrevA
0x4081d8 DispatchMessageA
0x4081dc PeekMessageA
0x4081e0 RegisterClassA
0x4081e4 DialogBoxParamA
0x4081e8 CharNextA
0x4081ec ExitWindowsEx
0x4081f0 DestroyWindow
0x4081f4 CreateDialogParamA
0x4081f8 SetTimer
0x4081fc SetWindowTextA
0x408200 EnableMenuItem
0x408204 GetWindowRect
0x408208 ScreenToClient
0x40820c SetWindowPos
0x408210 EndDialog
0x408214 AppendMenuA
0x408218 GetClassInfoA
0x40821c PostQuitMessage
0x408220 SetForegroundWindow
0x408224 ShowWindow
0x408228 wsprintfA
0x40822c FindWindowExA
0x408230 IsWindow
0x408234 GetDlgItem
0x408238 SetWindowLongA
0x40823c GetClientRect
0x408240 LoadImageA
0x408244 GetDC
0x408248 EnableWindow
0x40824c InvalidateRect
0x408250 SendMessageA
0x408254 SendMessageTimeoutA
GDI32.dll
0x40803c SetBkMode
0x408040 SetBkColor
0x408044 CreateBrushIndirect
0x408048 DeleteObject
0x40804c GetDeviceCaps
0x408050 SetTextColor
0x408054 CreateFontIndirectA
SHELL32.dll
0x408160 SHGetPathFromIDListA
0x408164 SHBrowseForFolderA
0x408168 SHGetFileInfoA
0x40816c ShellExecuteA
0x408170 SHFileOperationA
0x408174 SHGetSpecialFolderLocation
ADVAPI32.dll
0x408000 RegSetValueExA
0x408004 RegCreateKeyExA
0x408008 RegQueryValueExA
0x40800c RegEnumKeyA
0x408010 RegOpenKeyExA
0x408014 RegDeleteKeyA
0x408018 RegDeleteValueA
0x40801c RegEnumValueA
0x408020 RegCloseKey
COMCTL32.dll
0x408028 ImageList_AddMasked
0x40802c ImageList_Destroy
0x408030 None
0x408034 ImageList_Create
ole32.dll
0x40826c CLSIDFromString
0x408270 OleInitialize
0x408274 OleUninitialize
0x408278 CoTaskMemFree
0x40827c StringFromGUID2
0x408280 CoCreateInstance
VERSION.dll
0x40825c GetFileVersionInfoA
0x408260 VerQueryValueA
0x408264 GetFileVersionInfoSizeA
EAT (Export Address Table) is none