ScreenShot
| Created | 2021.06.29 09:58 | Machine | s1_win7_x6402 |
| Filename | idu9A98.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 13 detected (AIDetect, malware2, malicious, high confidence, Unsafe, Crypmodng, Wacapew, Static AI, Malicious PE, Score, ZexaF, cA0@aCppeVfk) | ||
| md5 | 16493223940cd99199a672e44dec05d6 | ||
| sha256 | 7b844cc75f594f536f486b137817a497407b689725ab45c7904444e82374d4ac | ||
| ssdeep | 24576:m92KPqd9u0yepqI5DpBa4w3JhGdvpJhHmAc+dYTTRKwUvC5YYGayq1FOXTK8HidV:s2fyepz5DpLwnaxbc1t4iCaDvkKpdV | ||
| imphash | 67f1f64a3db0d22bf48121a6cea1da22 | ||
| impfuzzy | 48:9O/r4WOSX8ZWGQVUYQbcGtpe8N9ffOsb9rQtb78FxcgGVjW:9C9XuWGQVvQbcGtpeWtfRb1Qtb78Fx46 | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Communicates with host for which no DNS query was performed |
| watch | File has been identified by 13 AntiVirus engines on VirusTotal as malicious |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Expresses interest in specific running processes |
| notice | One or more potentially interesting buffers were extracted |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (16cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x528000 DeleteFileW
0x528004 WriteConsoleW
0x528008 GetTickCount
0x52800c Sleep
0x528010 GetProcessHeap
0x528014 HeapAlloc
0x528018 HeapFree
0x52801c CreateMutexA
0x528020 GetLastError
0x528024 GetCommandLineA
0x528028 ExitProcess
0x52802c CreateProcessA
0x528030 GetModuleHandleA
0x528034 GetProcAddress
0x528038 ReadProcessMemory
0x52803c WriteProcessMemory
0x528040 VirtualAllocEx
0x528044 GetThreadContext
0x528048 SetThreadContext
0x52804c ResumeThread
0x528050 CloseHandle
0x528054 VirtualFreeEx
0x528058 TerminateProcess
0x52805c Process32First
0x528060 GetCommandLineW
0x528064 WriteFile
0x528068 OpenProcess
0x52806c CreateToolhelp32Snapshot
0x528070 CreateFileA
0x528074 Process32Next
0x528078 K32GetModuleBaseNameA
0x52807c GetCurrentProcessId
0x528080 K32EnumProcessModules
0x528084 SetConsoleCtrlHandler
0x528088 FindFirstFileW
0x52808c GetConsoleScreenBufferInfo
0x528090 SetConsoleTextAttribute
0x528094 GetCurrentProcess
0x528098 GetStdHandle
0x52809c SetFileTime
0x5280a0 GetEnvironmentVariableA
0x5280a4 FindClose
0x5280a8 CreateFileW
0x5280ac LoadLibraryW
0x5280b0 SetCurrentDirectoryW
0x5280b4 SystemTimeToFileTime
0x5280b8 FreeLibrary
0x5280bc GetSystemTime
0x5280c0 DebugBreak
0x5280c4 AreFileApisANSI
0x5280c8 ReadFile
0x5280cc TryEnterCriticalSection
0x5280d0 HeapCreate
0x5280d4 EnterCriticalSection
0x5280d8 GetFullPathNameW
0x5280dc GetDiskFreeSpaceW
0x5280e0 OutputDebugStringA
0x5280e4 LockFile
0x5280e8 LeaveCriticalSection
0x5280ec InitializeCriticalSection
0x5280f0 SetFilePointer
0x5280f4 GetFullPathNameA
0x5280f8 SetEndOfFile
0x5280fc UnlockFileEx
0x528100 GetTempPathW
0x528104 CreateMutexW
0x528108 WaitForSingleObject
0x52810c GetFileAttributesW
0x528110 GetCurrentThreadId
0x528114 UnmapViewOfFile
0x528118 HeapValidate
0x52811c HeapSize
0x528120 MultiByteToWideChar
0x528124 GetTempPathA
0x528128 FormatMessageW
0x52812c GetDiskFreeSpaceA
0x528130 GetFileAttributesA
0x528134 GetFileAttributesExW
0x528138 OutputDebugStringW
0x52813c FlushViewOfFile
0x528140 LoadLibraryA
0x528144 WaitForSingleObjectEx
0x528148 DeleteFileA
0x52814c DecodePointer
0x528150 HeapReAlloc
0x528154 GetSystemInfo
0x528158 HeapCompact
0x52815c HeapDestroy
0x528160 UnlockFile
0x528164 LocalFree
0x528168 LockFileEx
0x52816c GetFileSize
0x528170 DeleteCriticalSection
0x528174 WideCharToMultiByte
0x528178 GetSystemTimeAsFileTime
0x52817c FormatMessageA
0x528180 CreateFileMappingW
0x528184 MapViewOfFile
0x528188 QueryPerformanceCounter
0x52818c FlushFileBuffers
0x528190 UnhandledExceptionFilter
0x528194 SetUnhandledExceptionFilter
0x528198 IsProcessorFeaturePresent
0x52819c InitializeSListHead
0x5281a0 IsDebuggerPresent
0x5281a4 GetStartupInfoW
0x5281a8 GetModuleHandleW
0x5281ac GetStringTypeW
0x5281b0 RtlUnwind
0x5281b4 SetLastError
0x5281b8 InitializeCriticalSectionAndSpinCount
0x5281bc TlsAlloc
0x5281c0 TlsGetValue
0x5281c4 TlsSetValue
0x5281c8 TlsFree
0x5281cc LoadLibraryExW
0x5281d0 RaiseException
0x5281d4 GetModuleHandleExW
0x5281d8 FindFirstFileExW
0x5281dc FindNextFileW
0x5281e0 SystemTimeToTzSpecificLocalTime
0x5281e4 FileTimeToSystemTime
0x5281e8 DuplicateHandle
0x5281ec CreateProcessW
0x5281f0 GetDriveTypeW
0x5281f4 GetFileInformationByHandle
0x5281f8 GetFileType
0x5281fc PeekNamedPipe
0x528200 CreateThread
0x528204 ExitThread
0x528208 FreeLibraryAndExitThread
0x52820c GetModuleFileNameW
0x528210 CompareStringW
0x528214 LCMapStringW
0x528218 SetFilePointerEx
0x52821c GetConsoleMode
0x528220 ReadConsoleW
0x528224 GetFileSizeEx
0x528228 GetConsoleCP
0x52822c GetExitCodeProcess
0x528230 CreatePipe
0x528234 SetStdHandle
0x528238 GetCurrentDirectoryW
0x52823c SetFileAttributesW
0x528240 CreateDirectoryW
0x528244 GetTimeZoneInformation
0x528248 IsValidCodePage
0x52824c GetACP
0x528250 GetOEMCP
0x528254 GetCPInfo
0x528258 GetEnvironmentStringsW
0x52825c FreeEnvironmentStringsW
0x528260 SetEnvironmentVariableW
EAT(Export Address Table) is none
KERNEL32.dll
0x528000 DeleteFileW
0x528004 WriteConsoleW
0x528008 GetTickCount
0x52800c Sleep
0x528010 GetProcessHeap
0x528014 HeapAlloc
0x528018 HeapFree
0x52801c CreateMutexA
0x528020 GetLastError
0x528024 GetCommandLineA
0x528028 ExitProcess
0x52802c CreateProcessA
0x528030 GetModuleHandleA
0x528034 GetProcAddress
0x528038 ReadProcessMemory
0x52803c WriteProcessMemory
0x528040 VirtualAllocEx
0x528044 GetThreadContext
0x528048 SetThreadContext
0x52804c ResumeThread
0x528050 CloseHandle
0x528054 VirtualFreeEx
0x528058 TerminateProcess
0x52805c Process32First
0x528060 GetCommandLineW
0x528064 WriteFile
0x528068 OpenProcess
0x52806c CreateToolhelp32Snapshot
0x528070 CreateFileA
0x528074 Process32Next
0x528078 K32GetModuleBaseNameA
0x52807c GetCurrentProcessId
0x528080 K32EnumProcessModules
0x528084 SetConsoleCtrlHandler
0x528088 FindFirstFileW
0x52808c GetConsoleScreenBufferInfo
0x528090 SetConsoleTextAttribute
0x528094 GetCurrentProcess
0x528098 GetStdHandle
0x52809c SetFileTime
0x5280a0 GetEnvironmentVariableA
0x5280a4 FindClose
0x5280a8 CreateFileW
0x5280ac LoadLibraryW
0x5280b0 SetCurrentDirectoryW
0x5280b4 SystemTimeToFileTime
0x5280b8 FreeLibrary
0x5280bc GetSystemTime
0x5280c0 DebugBreak
0x5280c4 AreFileApisANSI
0x5280c8 ReadFile
0x5280cc TryEnterCriticalSection
0x5280d0 HeapCreate
0x5280d4 EnterCriticalSection
0x5280d8 GetFullPathNameW
0x5280dc GetDiskFreeSpaceW
0x5280e0 OutputDebugStringA
0x5280e4 LockFile
0x5280e8 LeaveCriticalSection
0x5280ec InitializeCriticalSection
0x5280f0 SetFilePointer
0x5280f4 GetFullPathNameA
0x5280f8 SetEndOfFile
0x5280fc UnlockFileEx
0x528100 GetTempPathW
0x528104 CreateMutexW
0x528108 WaitForSingleObject
0x52810c GetFileAttributesW
0x528110 GetCurrentThreadId
0x528114 UnmapViewOfFile
0x528118 HeapValidate
0x52811c HeapSize
0x528120 MultiByteToWideChar
0x528124 GetTempPathA
0x528128 FormatMessageW
0x52812c GetDiskFreeSpaceA
0x528130 GetFileAttributesA
0x528134 GetFileAttributesExW
0x528138 OutputDebugStringW
0x52813c FlushViewOfFile
0x528140 LoadLibraryA
0x528144 WaitForSingleObjectEx
0x528148 DeleteFileA
0x52814c DecodePointer
0x528150 HeapReAlloc
0x528154 GetSystemInfo
0x528158 HeapCompact
0x52815c HeapDestroy
0x528160 UnlockFile
0x528164 LocalFree
0x528168 LockFileEx
0x52816c GetFileSize
0x528170 DeleteCriticalSection
0x528174 WideCharToMultiByte
0x528178 GetSystemTimeAsFileTime
0x52817c FormatMessageA
0x528180 CreateFileMappingW
0x528184 MapViewOfFile
0x528188 QueryPerformanceCounter
0x52818c FlushFileBuffers
0x528190 UnhandledExceptionFilter
0x528194 SetUnhandledExceptionFilter
0x528198 IsProcessorFeaturePresent
0x52819c InitializeSListHead
0x5281a0 IsDebuggerPresent
0x5281a4 GetStartupInfoW
0x5281a8 GetModuleHandleW
0x5281ac GetStringTypeW
0x5281b0 RtlUnwind
0x5281b4 SetLastError
0x5281b8 InitializeCriticalSectionAndSpinCount
0x5281bc TlsAlloc
0x5281c0 TlsGetValue
0x5281c4 TlsSetValue
0x5281c8 TlsFree
0x5281cc LoadLibraryExW
0x5281d0 RaiseException
0x5281d4 GetModuleHandleExW
0x5281d8 FindFirstFileExW
0x5281dc FindNextFileW
0x5281e0 SystemTimeToTzSpecificLocalTime
0x5281e4 FileTimeToSystemTime
0x5281e8 DuplicateHandle
0x5281ec CreateProcessW
0x5281f0 GetDriveTypeW
0x5281f4 GetFileInformationByHandle
0x5281f8 GetFileType
0x5281fc PeekNamedPipe
0x528200 CreateThread
0x528204 ExitThread
0x528208 FreeLibraryAndExitThread
0x52820c GetModuleFileNameW
0x528210 CompareStringW
0x528214 LCMapStringW
0x528218 SetFilePointerEx
0x52821c GetConsoleMode
0x528220 ReadConsoleW
0x528224 GetFileSizeEx
0x528228 GetConsoleCP
0x52822c GetExitCodeProcess
0x528230 CreatePipe
0x528234 SetStdHandle
0x528238 GetCurrentDirectoryW
0x52823c SetFileAttributesW
0x528240 CreateDirectoryW
0x528244 GetTimeZoneInformation
0x528248 IsValidCodePage
0x52824c GetACP
0x528250 GetOEMCP
0x528254 GetCPInfo
0x528258 GetEnvironmentStringsW
0x52825c FreeEnvironmentStringsW
0x528260 SetEnvironmentVariableW
EAT(Export Address Table) is none