ScreenShot
Created | 2021.06.25 14:45 | Machine | s1_win7_x6401 |
Filename | lock_Setup.exe | ||
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : clean | ||
VT API (file) | 42 detected (AIDetect, malware2, malicious, high confidence, Click3, GenericKD, Unsafe, confidence, MOTR, Attribute, HighConfidence, VSNTFJ21, TrojanAitInject, Symmi, ai score=81, ASMalwS, kcloud, Vigorf, score, SelfDel, Autoit, CLASSIC, GenAsa, NHzzuRkQa3Y, susgen, PossibleThreat) | ||
md5 | 4c5c0403d852fcd471a2954fb50f8e60 | ||
sha256 | 2833f915058c8702173bae120076e2841097204affb98c9d3e5153cd5164d518 | ||
ssdeep | 12288:A6tyWjX4LovCsYi5xYZheILnhXFTpqF9kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkq:dUWjEmPLnItQr | ||
imphash | 11ea841ebb83b186805cc0d8a1a3d4a1 | ||
impfuzzy | 12:VA/DzqYOZkKDHLB78r4B3ExjLAkcOaiTQQnd3mxCHDsR:V0DBaPHLB7PxExjLAkcOV2kjsR |
Network IP location
Signature (17cnts)
Level | Description |
---|---|
danger | File has been identified by 42 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Attempts to modify Internet Explorer's start page |
notice | Checks for known Chinese AV sofware registry keys |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | Lnk_Format_Zero | LNK Format | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x503894 LoadLibraryA
0x503898 GetProcAddress
0x50389c VirtualProtect
0x5038a0 VirtualAlloc
0x5038a4 VirtualFree
0x5038a8 ExitProcess
ADVAPI32.dll
0x5038b0 GetAce
COMCTL32.dll
0x5038b8 ImageList_Remove
COMDLG32.dll
0x5038c0 GetOpenFileNameW
GDI32.dll
0x5038c8 LineTo
IPHLPAPI.DLL
0x5038d0 IcmpSendEcho
MPR.dll
0x5038d8 WNetUseConnectionW
ole32.dll
0x5038e0 CoGetObject
OLEAUT32.dll
0x5038e8 VariantInit
PSAPI.DLL
0x5038f0 GetProcessMemoryInfo
SHELL32.dll
0x5038f8 DragFinish
USER32.dll
0x503900 GetDC
USERENV.dll
0x503908 LoadUserProfileW
UxTheme.dll
0x503910 IsThemeActive
VERSION.dll
0x503918 VerQueryValueW
WININET.dll
0x503920 FtpOpenFileW
WINMM.dll
0x503928 timeGetTime
WSOCK32.dll
0x503930 setsockopt
EAT(Export Address Table) is none
KERNEL32.DLL
0x503894 LoadLibraryA
0x503898 GetProcAddress
0x50389c VirtualProtect
0x5038a0 VirtualAlloc
0x5038a4 VirtualFree
0x5038a8 ExitProcess
ADVAPI32.dll
0x5038b0 GetAce
COMCTL32.dll
0x5038b8 ImageList_Remove
COMDLG32.dll
0x5038c0 GetOpenFileNameW
GDI32.dll
0x5038c8 LineTo
IPHLPAPI.DLL
0x5038d0 IcmpSendEcho
MPR.dll
0x5038d8 WNetUseConnectionW
ole32.dll
0x5038e0 CoGetObject
OLEAUT32.dll
0x5038e8 VariantInit
PSAPI.DLL
0x5038f0 GetProcessMemoryInfo
SHELL32.dll
0x5038f8 DragFinish
USER32.dll
0x503900 GetDC
USERENV.dll
0x503908 LoadUserProfileW
UxTheme.dll
0x503910 IsThemeActive
VERSION.dll
0x503918 VerQueryValueW
WININET.dll
0x503920 FtpOpenFileW
WINMM.dll
0x503928 timeGetTime
WSOCK32.dll
0x503930 setsockopt
EAT(Export Address Table) is none