Field | Value |
---|---|
Created | 2021.06.29 13:58 |
Machine | s1_win7_x6401 |
Filename | microsoftedgecps.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 43 detected (AIDetect, malware2, malicious, high confidence, Fugrafa, Unsafe, Save, Rbot, Eldorado, Attribute, HighConfidence, ACSB, Snojan, ctjj, SpyEyes, iukpuu, TrojanX, Diamondfox, CLASSIC, Swizzor, AGEN, ASMalwS, Zbot, score, GenericRXOV, ai score=84, BScope, Static AI, Malicious PE, ZexaF, mqW@aS, FA6g, GdSda, confidence, susgen) |
md5 | b2600237508f0a8e5ca2c5c80018eaca |
sha256 | f0d5d648196be621082563732760402a0d8bb78629f0beb6b2e5386ed53a5976 |
ssdeep | 6144:SnSNM0tFUkfgEYxE91e/QkqCh+FjvTBir+:SSN3zgpxooF3h+FjvTo6 |
imphash | 8316bcd12417e59032ab566efaeaa8d5 |
impfuzzy | 48:UMwtgGonqdAzE7UJtX76Ncp55V9O4GEdDI27t1CFD456wSZQHY/ega/1P3sqKtSQ:BwWFqdAzEQX76NcpHjPG0DIq3Xx3KK4 |
Network IP location
Signature (51cnts)
Level | Description |
---|---|
danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
warning | Generates some ICMP traffic |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client software |
watch | Harvests information related to installed instant messenger clients |
watch | Installs itself for autorun at Windows startup |
watch | One or more non-whitelisted processes were created |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | The process powershell.exe wrote an executable file to disk |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process microsoftedgecps.exe |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Creates hidden or system file |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Queries for potentially installed applications |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (24cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | infoStealer_emailClients_Zero | email clients info stealer | memory |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | PWS_CnC_memory_Zero | Communications PWS network | memory |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | Lnk_Format_Zero | LNK Format | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vba | (no description) | memory |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (32cnts)
Suricata ids
ET MALWARE Generic gate[.].php GET with minimal headers
ET HUNTING Suspicious GET To gate.php with no Referer
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE Trojan Generic - POST To gate.php with no accept headers
ET MALWARE DiamondFox HTTP Post CnC Checkin M3
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Suspicious GET To gate.php with no Referer
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE Trojan Generic - POST To gate.php with no accept headers
ET MALWARE DiamondFox HTTP Post CnC Checkin M3
ET POLICY PE EXE or DLL Windows file download HTTP
PE API
IAT (Import Address Table) Library
MSVCRT.dll
0x433870 memset
0x433874 memcpy
0x433878 wcslen
0x43387c wcscpy
0x433880 wcscat
0x433884 wcscmp
0x433888 memmove
0x43388c wcschr
0x433890 _CIlog
0x433894 floor
0x433898 ceil
0x43389c _CIpow
0x4338a0 strstr
0x4338a4 strlen
0x4338a8 _strnicmp
0x4338ac strcmp
0x4338b0 strncpy
0x4338b4 strcpy
0x4338b8 sprintf
0x4338bc _wcsicmp
0x4338c0 tolower
0x4338c4 wcsncpy
0x4338c8 fabs
0x4338cc malloc
0x4338d0 free
0x4338d4 fseek
0x4338d8 ftell
0x4338dc fread
0x4338e0 fclose
0x4338e4 pow
0x4338e8 ??3@YAXPAX@Z
0x4338ec wcsncmp
0x4338f0 wcsstr
0x4338f4 _wcsnicmp
0x4338f8 _wcsdup
0x4338fc _isnan
0x433900 _vsnwprintf
0x433904 cos
0x433908 fmod
0x43390c sin
0x433910 abs
KERNEL32.dll
0x433918 GetModuleHandleW
0x43391c HeapCreate
0x433920 CreateMutexW
0x433924 GetLastError
0x433928 HeapDestroy
0x43392c ExitProcess
0x433930 CreateToolhelp32Snapshot
0x433934 Process32FirstW
0x433938 Process32NextW
0x43393c GetCurrentProcessId
0x433940 CloseHandle
0x433944 GetTickCount
0x433948 LoadLibraryW
0x43394c GetDiskFreeSpaceExW
0x433950 GetSystemPowerStatus
0x433954 CreateProcessW
0x433958 GetThreadContext
0x43395c ReadProcessMemory
0x433960 VirtualAllocEx
0x433964 WriteProcessMemory
0x433968 SetThreadContext
0x43396c ResumeThread
0x433970 TerminateProcess
0x433974 GetModuleFileNameW
0x433978 VirtualFree
0x43397c VirtualAlloc
0x433980 FreeLibrary
0x433984 VirtualProtect
0x433988 IsBadReadPtr
0x43398c EnterCriticalSection
0x433990 LeaveCriticalSection
0x433994 InitializeCriticalSection
0x433998 WaitForSingleObject
0x43399c CreateThread
0x4339a0 GetEnvironmentVariableW
0x4339a4 SetEnvironmentVariableW
0x4339a8 GetCurrentProcess
0x4339ac DuplicateHandle
0x4339b0 CreatePipe
0x4339b4 GetStdHandle
0x4339b8 HeapAlloc
0x4339bc HeapFree
0x4339c0 PeekNamedPipe
0x4339c4 GetEnvironmentStringsW
0x4339c8 FreeEnvironmentStringsW
0x4339cc ReadFile
0x4339d0 HeapReAlloc
0x4339d4 TlsAlloc
0x4339d8 TlsSetValue
0x4339dc GetCurrentThreadId
0x4339e0 TlsGetValue
0x4339e4 GetProcAddress
0x4339e8 Sleep
0x4339ec GetSystemInfo
0x4339f0 GlobalMemoryStatusEx
0x4339f4 GetComputerNameW
0x4339f8 CreateDirectoryW
0x4339fc SetFileAttributesW
0x433a00 CopyFileW
0x433a04 DeleteFileW
0x433a08 GetTempPathW
0x433a0c GetDriveTypeW
0x433a10 FindFirstFileW
0x433a14 FindClose
0x433a18 GetFileAttributesW
0x433a1c WriteFile
0x433a20 CreateFileW
0x433a24 SetFilePointer
0x433a28 GetFileSize
0x433a2c WideCharToMultiByte
0x433a30 GetVersionExW
0x433a34 MultiByteToWideChar
0x433a38 HeapSize
0x433a3c TlsFree
0x433a40 DeleteCriticalSection
0x433a44 InterlockedCompareExchange
0x433a48 InterlockedExchange
0x433a4c SetLastError
0x433a50 UnregisterWait
0x433a54 GetCurrentThread
0x433a58 RegisterWaitForSingleObject
gdiplus.dll
0x433a60 GdiplusStartup
0x433a64 GdipCreateBitmapFromFile
0x433a68 GdipSaveImageToFile
0x433a6c GdipDisposeImage
0x433a70 GdiplusShutdown
0x433a74 GdipDeleteFont
0x433a78 GdipDeleteGraphics
0x433a7c GdipDeletePath
0x433a80 GdipDeleteMatrix
0x433a84 GdipDeletePen
0x433a88 GdipDeleteStringFormat
0x433a8c GdipFree
0x433a90 GdipGetDpiX
0x433a94 GdipGetDpiY
USER32.DLL
0x433a9c GetSystemMetrics
0x433aa0 GetCursorPos
0x433aa4 GetDC
0x433aa8 ReleaseDC
0x433aac DestroyIcon
0x433ab0 FillRect
0x433ab4 CharUpperW
0x433ab8 CharLowerW
0x433abc GetIconInfo
0x433ac0 DrawIconEx
GDI32.DLL
0x433ac8 BitBlt
0x433acc GetObjectType
0x433ad0 DeleteObject
0x433ad4 GetObjectW
0x433ad8 CreateCompatibleDC
0x433adc SelectObject
0x433ae0 CreateSolidBrush
0x433ae4 DeleteDC
0x433ae8 GdiGetBatchLimit
0x433aec GdiSetBatchLimit
0x433af0 CreateDIBSection
0x433af4 CreateBitmap
0x433af8 SetPixel
0x433afc GetStockObject
0x433b00 GetDIBits
0x433b04 CreateDCW
0x433b08 GetDeviceCaps
0x433b0c GetTextExtentPoint32W
0x433b10 SetBkMode
0x433b14 SetTextAlign
0x433b18 SetBkColor
0x433b1c SetTextColor
0x433b20 TextOutW
0x433b24 SetStretchBltMode
0x433b28 SetBrushOrgEx
0x433b2c StretchBlt
0x433b30 CreateFontIndirectW
0x433b34 GetTextMetricsW
0x433b38 CreateCompatibleBitmap
0x433b3c GetPixel
ADVAPI32.DLL
0x433b44 RegOpenKeyExW
0x433b48 RegCloseKey
0x433b4c RegQueryInfoKeyW
0x433b50 RegEnumKeyExW
0x433b54 RegQueryValueExW
0x433b58 GetUserNameW
SHELL32.DLL
0x433b60 SHGetSpecialFolderLocation
0x433b64 SHGetPathFromIDListW
0x433b68 ShellExecuteExW
WSOCK32.DLL
0x433b70 closesocket
0x433b74 WSACleanup
0x433b78 WSAStartup
WINMM.DLL
0x433b80 timeBeginPeriod
SHLWAPI.DLL
0x433b88 PathFileExistsW
OLE32.DLL
0x433b90 CoInitialize
0x433b94 CoCreateInstance
0x433b98 CoUninitialize
0x433b9c CoTaskMemFree
NTDLL.DLL
0x433ba4 ZwUnmapViewOfSection
SETUPAPI.DLL
0x433bac IsUserAdmin
URLMON.DLL
0x433bb4 URLDownloadToFileW
WININET.DLL
0x433bbc InternetOpenW
0x433bc0 InternetSetOptionW
0x433bc4 InternetConnectW
0x433bc8 HttpOpenRequestW
0x433bcc HttpAddRequestHeadersW
0x433bd0 HttpSendRequestW
0x433bd4 InternetReadFile
0x433bd8 InternetCloseHandle
0x433bdc InternetGetConnectedState
EAT (Export Address Table): none