ScreenShot
| Created | 2021.07.04 11:03 | Machine | s1_win7_x6402 |
| Filename | windef.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 54 detected (AIDetect, malware2, malicious, high confidence, Fugrafa, Snojan, GenericRXOV, Unsafe, Save, ZexaF, mqW@aS, FA6g, Rbot, Eldorado, Attribute, HighConfidence, ACSB, TrojanX, ctjj, SpyEyes, iukpuu, Lndx, R011C0GFE21, Swizzor, AGEN, ASMalwS, Tiggre, score, BScope, ai score=88, DiamondFox, CLASSIC, Static AI, Malicious PE, susgen, GdSda, confidence, 100%, Nemucod, HwUB2nEA) | ||
| md5 | a1e165e1926c0c83123c89fce6b1af56 | ||
| sha256 | 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215 | ||
| ssdeep | 6144:SnSNM0tFUkfgEYxE91e/QkqCh+FjvTBiG+:SSN3zgpxooF3h+FjvTor | ||
| imphash | 8316bcd12417e59032ab566efaeaa8d5 | ||
| impfuzzy | 48:UMwtgGonqdAzE7UJtX76Ncp55V9O4GEdDI27t1CFD456wSZQHY/ega/1P3sqKtSQ:BwWFqdAzEQX76NcpHjPG0DIq3Xx3KK4 | ||
Network IP location
Signature (19cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 54 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates hidden or system file |
| notice | Drops an executable to the user AppData folder |
| notice | Performs some HTTP requests |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (3cnts) ?
Suricata ids
ET MALWARE Generic gate[.].php GET with minimal headers
ET HUNTING Suspicious GET To gate.php with no Referer
ET HUNTING Suspicious GET To gate.php with no Referer
PE API
IAT(Import Address Table) Library
MSVCRT.dll
0x433870 memset
0x433874 memcpy
0x433878 wcslen
0x43387c wcscpy
0x433880 wcscat
0x433884 wcscmp
0x433888 memmove
0x43388c wcschr
0x433890 _CIlog
0x433894 floor
0x433898 ceil
0x43389c _CIpow
0x4338a0 strstr
0x4338a4 strlen
0x4338a8 _strnicmp
0x4338ac strcmp
0x4338b0 strncpy
0x4338b4 strcpy
0x4338b8 sprintf
0x4338bc _wcsicmp
0x4338c0 tolower
0x4338c4 wcsncpy
0x4338c8 fabs
0x4338cc malloc
0x4338d0 free
0x4338d4 fseek
0x4338d8 ftell
0x4338dc fread
0x4338e0 fclose
0x4338e4 pow
0x4338e8 ??3@YAXPAX@Z
0x4338ec wcsncmp
0x4338f0 wcsstr
0x4338f4 _wcsnicmp
0x4338f8 _wcsdup
0x4338fc _isnan
0x433900 _vsnwprintf
0x433904 cos
0x433908 fmod
0x43390c sin
0x433910 abs
KERNEL32.dll
0x433918 GetModuleHandleW
0x43391c HeapCreate
0x433920 CreateMutexW
0x433924 GetLastError
0x433928 HeapDestroy
0x43392c ExitProcess
0x433930 CreateToolhelp32Snapshot
0x433934 Process32FirstW
0x433938 Process32NextW
0x43393c GetCurrentProcessId
0x433940 CloseHandle
0x433944 GetTickCount
0x433948 LoadLibraryW
0x43394c GetDiskFreeSpaceExW
0x433950 GetSystemPowerStatus
0x433954 CreateProcessW
0x433958 GetThreadContext
0x43395c ReadProcessMemory
0x433960 VirtualAllocEx
0x433964 WriteProcessMemory
0x433968 SetThreadContext
0x43396c ResumeThread
0x433970 TerminateProcess
0x433974 GetModuleFileNameW
0x433978 VirtualFree
0x43397c VirtualAlloc
0x433980 FreeLibrary
0x433984 VirtualProtect
0x433988 IsBadReadPtr
0x43398c EnterCriticalSection
0x433990 LeaveCriticalSection
0x433994 InitializeCriticalSection
0x433998 WaitForSingleObject
0x43399c CreateThread
0x4339a0 GetEnvironmentVariableW
0x4339a4 SetEnvironmentVariableW
0x4339a8 GetCurrentProcess
0x4339ac DuplicateHandle
0x4339b0 CreatePipe
0x4339b4 GetStdHandle
0x4339b8 HeapAlloc
0x4339bc HeapFree
0x4339c0 PeekNamedPipe
0x4339c4 GetEnvironmentStringsW
0x4339c8 FreeEnvironmentStringsW
0x4339cc ReadFile
0x4339d0 HeapReAlloc
0x4339d4 TlsAlloc
0x4339d8 TlsSetValue
0x4339dc GetCurrentThreadId
0x4339e0 TlsGetValue
0x4339e4 GetProcAddress
0x4339e8 Sleep
0x4339ec GetSystemInfo
0x4339f0 GlobalMemoryStatusEx
0x4339f4 GetComputerNameW
0x4339f8 CreateDirectoryW
0x4339fc SetFileAttributesW
0x433a00 CopyFileW
0x433a04 DeleteFileW
0x433a08 GetTempPathW
0x433a0c GetDriveTypeW
0x433a10 FindFirstFileW
0x433a14 FindClose
0x433a18 GetFileAttributesW
0x433a1c WriteFile
0x433a20 CreateFileW
0x433a24 SetFilePointer
0x433a28 GetFileSize
0x433a2c WideCharToMultiByte
0x433a30 GetVersionExW
0x433a34 MultiByteToWideChar
0x433a38 HeapSize
0x433a3c TlsFree
0x433a40 DeleteCriticalSection
0x433a44 InterlockedCompareExchange
0x433a48 InterlockedExchange
0x433a4c SetLastError
0x433a50 UnregisterWait
0x433a54 GetCurrentThread
0x433a58 RegisterWaitForSingleObject
gdiplus.dll
0x433a60 GdiplusStartup
0x433a64 GdipCreateBitmapFromFile
0x433a68 GdipSaveImageToFile
0x433a6c GdipDisposeImage
0x433a70 GdiplusShutdown
0x433a74 GdipDeleteFont
0x433a78 GdipDeleteGraphics
0x433a7c GdipDeletePath
0x433a80 GdipDeleteMatrix
0x433a84 GdipDeletePen
0x433a88 GdipDeleteStringFormat
0x433a8c GdipFree
0x433a90 GdipGetDpiX
0x433a94 GdipGetDpiY
USER32.DLL
0x433a9c GetSystemMetrics
0x433aa0 GetCursorPos
0x433aa4 GetDC
0x433aa8 ReleaseDC
0x433aac DestroyIcon
0x433ab0 FillRect
0x433ab4 CharUpperW
0x433ab8 CharLowerW
0x433abc GetIconInfo
0x433ac0 DrawIconEx
GDI32.DLL
0x433ac8 BitBlt
0x433acc GetObjectType
0x433ad0 DeleteObject
0x433ad4 GetObjectW
0x433ad8 CreateCompatibleDC
0x433adc SelectObject
0x433ae0 CreateSolidBrush
0x433ae4 DeleteDC
0x433ae8 GdiGetBatchLimit
0x433aec GdiSetBatchLimit
0x433af0 CreateDIBSection
0x433af4 CreateBitmap
0x433af8 SetPixel
0x433afc GetStockObject
0x433b00 GetDIBits
0x433b04 CreateDCW
0x433b08 GetDeviceCaps
0x433b0c GetTextExtentPoint32W
0x433b10 SetBkMode
0x433b14 SetTextAlign
0x433b18 SetBkColor
0x433b1c SetTextColor
0x433b20 TextOutW
0x433b24 SetStretchBltMode
0x433b28 SetBrushOrgEx
0x433b2c StretchBlt
0x433b30 CreateFontIndirectW
0x433b34 GetTextMetricsW
0x433b38 CreateCompatibleBitmap
0x433b3c GetPixel
ADVAPI32.DLL
0x433b44 RegOpenKeyExW
0x433b48 RegCloseKey
0x433b4c RegQueryInfoKeyW
0x433b50 RegEnumKeyExW
0x433b54 RegQueryValueExW
0x433b58 GetUserNameW
SHELL32.DLL
0x433b60 SHGetSpecialFolderLocation
0x433b64 SHGetPathFromIDListW
0x433b68 ShellExecuteExW
WSOCK32.DLL
0x433b70 closesocket
0x433b74 WSACleanup
0x433b78 WSAStartup
WINMM.DLL
0x433b80 timeBeginPeriod
SHLWAPI.DLL
0x433b88 PathFileExistsW
OLE32.DLL
0x433b90 CoInitialize
0x433b94 CoCreateInstance
0x433b98 CoUninitialize
0x433b9c CoTaskMemFree
NTDLL.DLL
0x433ba4 ZwUnmapViewOfSection
SETUPAPI.DLL
0x433bac IsUserAdmin
URLMON.DLL
0x433bb4 URLDownloadToFileW
WININET.DLL
0x433bbc InternetOpenW
0x433bc0 InternetSetOptionW
0x433bc4 InternetConnectW
0x433bc8 HttpOpenRequestW
0x433bcc HttpAddRequestHeadersW
0x433bd0 HttpSendRequestW
0x433bd4 InternetReadFile
0x433bd8 InternetCloseHandle
0x433bdc InternetGetConnectedState
EAT(Export Address Table) is none
MSVCRT.dll
0x433870 memset
0x433874 memcpy
0x433878 wcslen
0x43387c wcscpy
0x433880 wcscat
0x433884 wcscmp
0x433888 memmove
0x43388c wcschr
0x433890 _CIlog
0x433894 floor
0x433898 ceil
0x43389c _CIpow
0x4338a0 strstr
0x4338a4 strlen
0x4338a8 _strnicmp
0x4338ac strcmp
0x4338b0 strncpy
0x4338b4 strcpy
0x4338b8 sprintf
0x4338bc _wcsicmp
0x4338c0 tolower
0x4338c4 wcsncpy
0x4338c8 fabs
0x4338cc malloc
0x4338d0 free
0x4338d4 fseek
0x4338d8 ftell
0x4338dc fread
0x4338e0 fclose
0x4338e4 pow
0x4338e8 ??3@YAXPAX@Z
0x4338ec wcsncmp
0x4338f0 wcsstr
0x4338f4 _wcsnicmp
0x4338f8 _wcsdup
0x4338fc _isnan
0x433900 _vsnwprintf
0x433904 cos
0x433908 fmod
0x43390c sin
0x433910 abs
KERNEL32.dll
0x433918 GetModuleHandleW
0x43391c HeapCreate
0x433920 CreateMutexW
0x433924 GetLastError
0x433928 HeapDestroy
0x43392c ExitProcess
0x433930 CreateToolhelp32Snapshot
0x433934 Process32FirstW
0x433938 Process32NextW
0x43393c GetCurrentProcessId
0x433940 CloseHandle
0x433944 GetTickCount
0x433948 LoadLibraryW
0x43394c GetDiskFreeSpaceExW
0x433950 GetSystemPowerStatus
0x433954 CreateProcessW
0x433958 GetThreadContext
0x43395c ReadProcessMemory
0x433960 VirtualAllocEx
0x433964 WriteProcessMemory
0x433968 SetThreadContext
0x43396c ResumeThread
0x433970 TerminateProcess
0x433974 GetModuleFileNameW
0x433978 VirtualFree
0x43397c VirtualAlloc
0x433980 FreeLibrary
0x433984 VirtualProtect
0x433988 IsBadReadPtr
0x43398c EnterCriticalSection
0x433990 LeaveCriticalSection
0x433994 InitializeCriticalSection
0x433998 WaitForSingleObject
0x43399c CreateThread
0x4339a0 GetEnvironmentVariableW
0x4339a4 SetEnvironmentVariableW
0x4339a8 GetCurrentProcess
0x4339ac DuplicateHandle
0x4339b0 CreatePipe
0x4339b4 GetStdHandle
0x4339b8 HeapAlloc
0x4339bc HeapFree
0x4339c0 PeekNamedPipe
0x4339c4 GetEnvironmentStringsW
0x4339c8 FreeEnvironmentStringsW
0x4339cc ReadFile
0x4339d0 HeapReAlloc
0x4339d4 TlsAlloc
0x4339d8 TlsSetValue
0x4339dc GetCurrentThreadId
0x4339e0 TlsGetValue
0x4339e4 GetProcAddress
0x4339e8 Sleep
0x4339ec GetSystemInfo
0x4339f0 GlobalMemoryStatusEx
0x4339f4 GetComputerNameW
0x4339f8 CreateDirectoryW
0x4339fc SetFileAttributesW
0x433a00 CopyFileW
0x433a04 DeleteFileW
0x433a08 GetTempPathW
0x433a0c GetDriveTypeW
0x433a10 FindFirstFileW
0x433a14 FindClose
0x433a18 GetFileAttributesW
0x433a1c WriteFile
0x433a20 CreateFileW
0x433a24 SetFilePointer
0x433a28 GetFileSize
0x433a2c WideCharToMultiByte
0x433a30 GetVersionExW
0x433a34 MultiByteToWideChar
0x433a38 HeapSize
0x433a3c TlsFree
0x433a40 DeleteCriticalSection
0x433a44 InterlockedCompareExchange
0x433a48 InterlockedExchange
0x433a4c SetLastError
0x433a50 UnregisterWait
0x433a54 GetCurrentThread
0x433a58 RegisterWaitForSingleObject
gdiplus.dll
0x433a60 GdiplusStartup
0x433a64 GdipCreateBitmapFromFile
0x433a68 GdipSaveImageToFile
0x433a6c GdipDisposeImage
0x433a70 GdiplusShutdown
0x433a74 GdipDeleteFont
0x433a78 GdipDeleteGraphics
0x433a7c GdipDeletePath
0x433a80 GdipDeleteMatrix
0x433a84 GdipDeletePen
0x433a88 GdipDeleteStringFormat
0x433a8c GdipFree
0x433a90 GdipGetDpiX
0x433a94 GdipGetDpiY
USER32.DLL
0x433a9c GetSystemMetrics
0x433aa0 GetCursorPos
0x433aa4 GetDC
0x433aa8 ReleaseDC
0x433aac DestroyIcon
0x433ab0 FillRect
0x433ab4 CharUpperW
0x433ab8 CharLowerW
0x433abc GetIconInfo
0x433ac0 DrawIconEx
GDI32.DLL
0x433ac8 BitBlt
0x433acc GetObjectType
0x433ad0 DeleteObject
0x433ad4 GetObjectW
0x433ad8 CreateCompatibleDC
0x433adc SelectObject
0x433ae0 CreateSolidBrush
0x433ae4 DeleteDC
0x433ae8 GdiGetBatchLimit
0x433aec GdiSetBatchLimit
0x433af0 CreateDIBSection
0x433af4 CreateBitmap
0x433af8 SetPixel
0x433afc GetStockObject
0x433b00 GetDIBits
0x433b04 CreateDCW
0x433b08 GetDeviceCaps
0x433b0c GetTextExtentPoint32W
0x433b10 SetBkMode
0x433b14 SetTextAlign
0x433b18 SetBkColor
0x433b1c SetTextColor
0x433b20 TextOutW
0x433b24 SetStretchBltMode
0x433b28 SetBrushOrgEx
0x433b2c StretchBlt
0x433b30 CreateFontIndirectW
0x433b34 GetTextMetricsW
0x433b38 CreateCompatibleBitmap
0x433b3c GetPixel
ADVAPI32.DLL
0x433b44 RegOpenKeyExW
0x433b48 RegCloseKey
0x433b4c RegQueryInfoKeyW
0x433b50 RegEnumKeyExW
0x433b54 RegQueryValueExW
0x433b58 GetUserNameW
SHELL32.DLL
0x433b60 SHGetSpecialFolderLocation
0x433b64 SHGetPathFromIDListW
0x433b68 ShellExecuteExW
WSOCK32.DLL
0x433b70 closesocket
0x433b74 WSACleanup
0x433b78 WSAStartup
WINMM.DLL
0x433b80 timeBeginPeriod
SHLWAPI.DLL
0x433b88 PathFileExistsW
OLE32.DLL
0x433b90 CoInitialize
0x433b94 CoCreateInstance
0x433b98 CoUninitialize
0x433b9c CoTaskMemFree
NTDLL.DLL
0x433ba4 ZwUnmapViewOfSection
SETUPAPI.DLL
0x433bac IsUserAdmin
URLMON.DLL
0x433bb4 URLDownloadToFileW
WININET.DLL
0x433bbc InternetOpenW
0x433bc0 InternetSetOptionW
0x433bc4 InternetConnectW
0x433bc8 HttpOpenRequestW
0x433bcc HttpAddRequestHeadersW
0x433bd0 HttpSendRequestW
0x433bd4 InternetReadFile
0x433bd8 InternetCloseHandle
0x433bdc InternetGetConnectedState
EAT(Export Address Table) is none