ScreenShot
| Created | 2021.06.25 08:53 | Machine | s1_win7_x6401 |
| Filename | CUTE3532.EXE | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | d41ed89e802f03dd13dd93b68b1a2053 | ||
| sha256 | 6def6dcb544ad06427d74d064fdb2bb91923ca14b3835dc8e017859ecda73ce8 | ||
| ssdeep | 49152:weGA1Fxn3XeQUf19xhda/sRl0r+8j764wYuToNtG7uIem:weH3uQUfXcQW6zYru1 | ||
| imphash | 52304e2a18fa5608f4f4aeb8041c7da0 | ||
| impfuzzy | 24:jOovUOw9+F4D+yYv2RjLA4hS5GbnQnAxt/12JEUE5lKhkijSLC0Qw35+O7b/8MaS:CpN9ncoA4hS5QnBX/1olE5lKCySe0Qup | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a shortcut to an executable file |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Queries for potentially installed applications |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The executable uses a known packer |
| info | Tries to locate where the browsers are installed |
Rules (18cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Emotet_1_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | Lnk_Format_Zero | LNK Format | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40404c GetCommandLineA
0x404050 SetErrorMode
0x404054 GetModuleHandleA
0x404058 MulDiv
0x40405c GetTempFileNameA
0x404060 GetModuleFileNameA
0x404064 lstrlenA
0x404068 _lclose
0x40406c lstrcpyA
0x404070 FormatMessageA
0x404074 lstrcatA
0x404078 GetLastError
0x40407c _lwrite
0x404080 _llseek
0x404084 GlobalUnlock
0x404088 GlobalFree
0x40408c GlobalAlloc
0x404090 _lopen
0x404094 GetProcAddress
0x404098 _lcreat
0x40409c LoadLibraryA
0x4040a0 GetVersionExA
0x4040a4 FreeLibrary
0x4040a8 OpenFile
0x4040ac ExitProcess
0x4040b0 GetCurrentProcess
0x4040b4 WinExec
0x4040b8 GetTempPathA
0x4040bc _lread
0x4040c0 LocalFree
0x4040c4 GetWindowsDirectoryA
0x4040c8 GlobalLock
USER32.dll
0x4040d0 GetDC
0x4040d4 DrawTextA
0x4040d8 EndPaint
0x4040dc InvalidateRect
0x4040e0 PostQuitMessage
0x4040e4 SendMessageA
0x4040e8 DefWindowProcA
0x4040ec GetClientRect
0x4040f0 CreateWindowExA
0x4040f4 BeginPaint
0x4040f8 ReleaseDC
0x4040fc SetWindowPos
0x404100 ShowWindow
0x404104 UpdateWindow
0x404108 SetTimer
0x40410c LoadIconA
0x404110 RegisterClassA
0x404114 MessageBoxA
0x404118 ExitWindowsEx
0x40411c LoadCursorA
GDI32.dll
0x404010 DeleteObject
0x404014 PatBlt
0x404018 CreateSolidBrush
0x40401c GetDeviceCaps
0x404020 SetTextColor
0x404024 SetBkMode
0x404028 TextOutA
0x40402c StretchDIBits
0x404030 CreateFontA
0x404034 SelectObject
0x404038 SelectPalette
0x40403c CreatePalette
0x404040 RealizePalette
0x404044 GetStockObject
ADVAPI32.dll
0x404000 AdjustTokenPrivileges
0x404004 LookupPrivilegeValueA
0x404008 OpenProcessToken
EAT(Export Address Table) Library
0x4029ce _MainWndProc@16
0x402f64 _StubFileWrite@12
KERNEL32.dll
0x40404c GetCommandLineA
0x404050 SetErrorMode
0x404054 GetModuleHandleA
0x404058 MulDiv
0x40405c GetTempFileNameA
0x404060 GetModuleFileNameA
0x404064 lstrlenA
0x404068 _lclose
0x40406c lstrcpyA
0x404070 FormatMessageA
0x404074 lstrcatA
0x404078 GetLastError
0x40407c _lwrite
0x404080 _llseek
0x404084 GlobalUnlock
0x404088 GlobalFree
0x40408c GlobalAlloc
0x404090 _lopen
0x404094 GetProcAddress
0x404098 _lcreat
0x40409c LoadLibraryA
0x4040a0 GetVersionExA
0x4040a4 FreeLibrary
0x4040a8 OpenFile
0x4040ac ExitProcess
0x4040b0 GetCurrentProcess
0x4040b4 WinExec
0x4040b8 GetTempPathA
0x4040bc _lread
0x4040c0 LocalFree
0x4040c4 GetWindowsDirectoryA
0x4040c8 GlobalLock
USER32.dll
0x4040d0 GetDC
0x4040d4 DrawTextA
0x4040d8 EndPaint
0x4040dc InvalidateRect
0x4040e0 PostQuitMessage
0x4040e4 SendMessageA
0x4040e8 DefWindowProcA
0x4040ec GetClientRect
0x4040f0 CreateWindowExA
0x4040f4 BeginPaint
0x4040f8 ReleaseDC
0x4040fc SetWindowPos
0x404100 ShowWindow
0x404104 UpdateWindow
0x404108 SetTimer
0x40410c LoadIconA
0x404110 RegisterClassA
0x404114 MessageBoxA
0x404118 ExitWindowsEx
0x40411c LoadCursorA
GDI32.dll
0x404010 DeleteObject
0x404014 PatBlt
0x404018 CreateSolidBrush
0x40401c GetDeviceCaps
0x404020 SetTextColor
0x404024 SetBkMode
0x404028 TextOutA
0x40402c StretchDIBits
0x404030 CreateFontA
0x404034 SelectObject
0x404038 SelectPalette
0x40403c CreatePalette
0x404040 RealizePalette
0x404044 GetStockObject
ADVAPI32.dll
0x404000 AdjustTokenPrivileges
0x404004 LookupPrivilegeValueA
0x404008 OpenProcessToken
EAT(Export Address Table) Library
0x4029ce _MainWndProc@16
0x402f64 _StubFileWrite@12