ScreenShot
| Created | 2021.07.08 08:59 | Machine | s1_win7_x6402 |
| Filename | MSBuild.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | 9ffc562fb2a6e705358345db65c7782a | ||
| sha256 | 46869f599d80f48ea0fa267b5692a94cba01556f49da9c8c0861150c4643861c | ||
| ssdeep | 3072:WfUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fI01Xi6FLPo3c:WfUauY68uSWCx+XA7mg2pNl1Ljo3c | ||
| imphash | 7bb9d345a5fec4fbbf5100d6a3ffbb8c | ||
| impfuzzy | 24:E2UmvkMUuDus9OovAZtQk9J3qDEMcpluiyv9Ou9WukhHOSZ6dArZQG3k:3+tZt/LMcpsb9GES0dAre | ||
Network IP location
Signature (25cnts)
| Level | Description |
|---|---|
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Checks the CPU name from registry |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Deletes executed files from disk |
| watch | Harvests credentials from local email clients |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process msbuild.exe |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Executes one or more WMI queries |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (9cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | JPEG_Format_Zero | JPEG Format | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (10cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x427000 HeapAlloc
0x427004 GetProcessHeap
0x427008 CreateFileA
0x42700c GetFileSize
0x427010 WriteFile
0x427014 ReadFile
0x427018 MultiByteToWideChar
0x42701c CloseHandle
0x427020 GetFullPathNameW
0x427024 FindFirstFileExW
0x427028 FindClose
0x42702c FindNextFileW
0x427030 LocalAlloc
0x427034 GetVersionExA
0x427038 LocalFree
0x42703c Sleep
0x427040 GlobalMemoryStatus
0x427044 GetFileAttributesA
0x427048 SetFilePointer
0x42704c MapViewOfFile
0x427050 UnmapViewOfFile
0x427054 SystemTimeToFileTime
0x427058 GetTickCount
0x42705c FileTimeToSystemTime
0x427060 GetLocalTime
0x427064 CreateFileMappingA
0x427068 GetFileInformationByHandle
0x42706c WriteConsoleW
0x427070 SetEndOfFile
0x427074 FlushFileBuffers
0x427078 GetConsoleMode
0x42707c GetConsoleCP
0x427080 SetStdHandle
0x427084 FileTimeToLocalFileTime
0x427088 GetLastError
0x42708c FindFirstFileExA
0x427090 FindNextFileA
0x427094 EncodePointer
0x427098 DecodePointer
0x42709c HeapFree
0x4270a0 WideCharToMultiByte
0x4270a4 GetSystemTimeAsFileTime
0x4270a8 GetCommandLineA
0x4270ac HeapSetInformation
0x4270b0 GetStartupInfoW
0x4270b4 RaiseException
0x4270b8 TerminateProcess
0x4270bc GetCurrentProcess
0x4270c0 UnhandledExceptionFilter
0x4270c4 SetUnhandledExceptionFilter
0x4270c8 IsDebuggerPresent
0x4270cc IsProcessorFeaturePresent
0x4270d0 GetCPInfo
0x4270d4 InterlockedIncrement
0x4270d8 InterlockedDecrement
0x4270dc GetACP
0x4270e0 GetOEMCP
0x4270e4 IsValidCodePage
0x4270e8 TlsAlloc
0x4270ec TlsGetValue
0x4270f0 TlsSetValue
0x4270f4 TlsFree
0x4270f8 GetModuleHandleW
0x4270fc SetLastError
0x427100 GetCurrentThreadId
0x427104 GetProcAddress
0x427108 HeapSize
0x42710c ExitProcess
0x427110 HeapCreate
0x427114 GetStdHandle
0x427118 GetModuleFileNameW
0x42711c EnterCriticalSection
0x427120 LeaveCriticalSection
0x427124 InitializeCriticalSectionAndSpinCount
0x427128 RtlUnwind
0x42712c SetHandleCount
0x427130 GetFileType
0x427134 DeleteCriticalSection
0x427138 SetEnvironmentVariableW
0x42713c SetEnvironmentVariableA
0x427140 GetTimeZoneInformation
0x427144 LCMapStringW
0x427148 GetModuleFileNameA
0x42714c FreeEnvironmentStringsW
0x427150 GetEnvironmentStringsW
0x427154 QueryPerformanceCounter
0x427158 GetCurrentProcessId
0x42715c GetStringTypeW
0x427160 HeapReAlloc
0x427164 LoadLibraryW
0x427168 CompareStringW
0x42716c CreateFileW
USER32.dll
0x427184 GetDesktopWindow
NETAPI32.dll
0x427174 NetWkstaGetInfo
0x427178 NetApiBufferFree
0x42717c DsRoleGetPrimaryDomainInformation
EAT(Export Address Table) is none
KERNEL32.dll
0x427000 HeapAlloc
0x427004 GetProcessHeap
0x427008 CreateFileA
0x42700c GetFileSize
0x427010 WriteFile
0x427014 ReadFile
0x427018 MultiByteToWideChar
0x42701c CloseHandle
0x427020 GetFullPathNameW
0x427024 FindFirstFileExW
0x427028 FindClose
0x42702c FindNextFileW
0x427030 LocalAlloc
0x427034 GetVersionExA
0x427038 LocalFree
0x42703c Sleep
0x427040 GlobalMemoryStatus
0x427044 GetFileAttributesA
0x427048 SetFilePointer
0x42704c MapViewOfFile
0x427050 UnmapViewOfFile
0x427054 SystemTimeToFileTime
0x427058 GetTickCount
0x42705c FileTimeToSystemTime
0x427060 GetLocalTime
0x427064 CreateFileMappingA
0x427068 GetFileInformationByHandle
0x42706c WriteConsoleW
0x427070 SetEndOfFile
0x427074 FlushFileBuffers
0x427078 GetConsoleMode
0x42707c GetConsoleCP
0x427080 SetStdHandle
0x427084 FileTimeToLocalFileTime
0x427088 GetLastError
0x42708c FindFirstFileExA
0x427090 FindNextFileA
0x427094 EncodePointer
0x427098 DecodePointer
0x42709c HeapFree
0x4270a0 WideCharToMultiByte
0x4270a4 GetSystemTimeAsFileTime
0x4270a8 GetCommandLineA
0x4270ac HeapSetInformation
0x4270b0 GetStartupInfoW
0x4270b4 RaiseException
0x4270b8 TerminateProcess
0x4270bc GetCurrentProcess
0x4270c0 UnhandledExceptionFilter
0x4270c4 SetUnhandledExceptionFilter
0x4270c8 IsDebuggerPresent
0x4270cc IsProcessorFeaturePresent
0x4270d0 GetCPInfo
0x4270d4 InterlockedIncrement
0x4270d8 InterlockedDecrement
0x4270dc GetACP
0x4270e0 GetOEMCP
0x4270e4 IsValidCodePage
0x4270e8 TlsAlloc
0x4270ec TlsGetValue
0x4270f0 TlsSetValue
0x4270f4 TlsFree
0x4270f8 GetModuleHandleW
0x4270fc SetLastError
0x427100 GetCurrentThreadId
0x427104 GetProcAddress
0x427108 HeapSize
0x42710c ExitProcess
0x427110 HeapCreate
0x427114 GetStdHandle
0x427118 GetModuleFileNameW
0x42711c EnterCriticalSection
0x427120 LeaveCriticalSection
0x427124 InitializeCriticalSectionAndSpinCount
0x427128 RtlUnwind
0x42712c SetHandleCount
0x427130 GetFileType
0x427134 DeleteCriticalSection
0x427138 SetEnvironmentVariableW
0x42713c SetEnvironmentVariableA
0x427140 GetTimeZoneInformation
0x427144 LCMapStringW
0x427148 GetModuleFileNameA
0x42714c FreeEnvironmentStringsW
0x427150 GetEnvironmentStringsW
0x427154 QueryPerformanceCounter
0x427158 GetCurrentProcessId
0x42715c GetStringTypeW
0x427160 HeapReAlloc
0x427164 LoadLibraryW
0x427168 CompareStringW
0x42716c CreateFileW
USER32.dll
0x427184 GetDesktopWindow
NETAPI32.dll
0x427174 NetWkstaGetInfo
0x427178 NetApiBufferFree
0x42717c DsRoleGetPrimaryDomainInformation
EAT(Export Address Table) is none