ScreenShot
| Created | 2021.06.25 11:37 | Machine | s1_win7_x6401 |
| Filename | April_2016_IMG128315 jpeg.jpeg.exe | ||
| Type | MS-DOS executable, MZ for MS-DOS | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 63 detected (AIDetectVM, malware1, malicious, high confidence, GenericKD, Ransomware, Locky, Unsafe, Agentb, INJECTO, Kryptik, BYJI, Gosys, bsgn, Fareit, fcgwnn, CnBJHqPajgI, Waski, DYS@6118f4, ZPACK, ewim, R + Troj, ARMA, ai score=100, Upatre, mCSi, E86EG0, score, Lockycrypt, ZexaF, gqW@ayXmQio, BScope, Sunv, PY2wyAsdgs, Malicious PE, EVQK, confidence, 100%) | ||
| md5 | 5647f5ae95b3fe769f47c214d85989ac | ||
| sha256 | 14c369419759256f0282034b23797c6f279ecbd283ff1b32c930773af9b54b9e | ||
| ssdeep | 1536:+1cq2U2JhHk+GoMctoraGH/oBBiaLiP56k6om2zvtAyhRCVjDZndjLRYqYQ:+cs2JhXPkH8BXojRAqR+1nr | ||
| imphash | cb51a2620da8eb6a193b8ebb91a90417 | ||
| impfuzzy | 24:VjGhGq4GKGYCGGi4Jk9nQ6xR69JjstVpXdKIXJDLqee2u:BMV4/FCA7ptKIJLqee2u | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 63 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Created a process named as a common system process |
| watch | Executes one or more WMI queries |
| watch | Installs itself for autorun at Windows startup |
| watch | Queries information on disks |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
msdart.dll
0x404000 ??0CReaderWriterLock@@QAE@XZ
0x404004 ??0CSingleList@@QAE@XZ
0x404008 ??0CSmallSpinLock@@QAE@XZ
0x40400c ??0CSpinLock@@QAE@XZ
0x404010 ??1CCritSec@@QAE@XZ
0x404014 ??1CDoubleList@@QAE@XZ
mlang.dll
0x40401c ConvertINetString
midimap.dll
0x404024 modMessage
midimap.dll
0x40402c modMessage
icmp.dll
0x404034 IcmpSendEcho
mfcsubs.dll
0x40403c ??0CString@@QAE@PBG@Z
0x404040 ??0CString@@QAE@PBGH@Z
msacm32.dll
0x404048 acmFilterChooseA
kernel32.dll
0x404050 GetWindowsDirectoryA
0x404054 CreateFileA
0x404058 LoadLibraryW
0x40405c GetConsoleCP
0x404060 Sleep
0x404064 GetConsoleCP
0x404068 GetTickCount
0x40406c Sleep
0x404070 CompareStringA
0x404074 _lread
glu32.dll
0x40407c gluLoadSamplingMatrices
mscat32.dll
0x404084 CryptCATOpen
0x404088 CryptCATPersistStore
0x40408c CryptCATClose
clusapi.dll
0x404094 ClusterGroupCloseEnum
0x404098 ClusterGroupControl
0x40409c ClusterGroupEnum
mmcbase.dll
0x4040a4 ??_FSC@mmcerror@@QAEXXZ
msoert2.dll
0x4040ac CreateLogFile
EAT(Export Address Table) is none
msdart.dll
0x404000 ??0CReaderWriterLock@@QAE@XZ
0x404004 ??0CSingleList@@QAE@XZ
0x404008 ??0CSmallSpinLock@@QAE@XZ
0x40400c ??0CSpinLock@@QAE@XZ
0x404010 ??1CCritSec@@QAE@XZ
0x404014 ??1CDoubleList@@QAE@XZ
mlang.dll
0x40401c ConvertINetString
midimap.dll
0x404024 modMessage
midimap.dll
0x40402c modMessage
icmp.dll
0x404034 IcmpSendEcho
mfcsubs.dll
0x40403c ??0CString@@QAE@PBG@Z
0x404040 ??0CString@@QAE@PBGH@Z
msacm32.dll
0x404048 acmFilterChooseA
kernel32.dll
0x404050 GetWindowsDirectoryA
0x404054 CreateFileA
0x404058 LoadLibraryW
0x40405c GetConsoleCP
0x404060 Sleep
0x404064 GetConsoleCP
0x404068 GetTickCount
0x40406c Sleep
0x404070 CompareStringA
0x404074 _lread
glu32.dll
0x40407c gluLoadSamplingMatrices
mscat32.dll
0x404084 CryptCATOpen
0x404088 CryptCATPersistStore
0x40408c CryptCATClose
clusapi.dll
0x404094 ClusterGroupCloseEnum
0x404098 ClusterGroupControl
0x40409c ClusterGroupEnum
mmcbase.dll
0x4040a4 ??_FSC@mmcerror@@QAEXXZ
msoert2.dll
0x4040ac CreateLogFile
EAT(Export Address Table) is none