ScreenShot
| Created | 2021.07.08 09:36 | Machine | s1_win7_x6401 |
| Filename | cryptq.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 27 detected (AIDetect, malware1, malicious, high confidence, GenericKD, Artemis, Unsafe, Save, GenKryptik, FHHB, TrojanX, Raccoon, M1C2EL, ai score=84, Sabsik, score, BScope, Cidox, susgen, PossibleThreat, ZexaF, qz3@aSfZY2gc, confidence) | ||
| md5 | 616ae69cbf101d5b170846c3fd63a930 | ||
| sha256 | be0d8928d4c9b226389bd2cfa04a6410aa9fe209aaaed24880e40b4e0a6cd7cd | ||
| ssdeep | 12288:CFPwV0BeiN7K2cQZebRiE0y4sziyXRXi0JMOfKSRdIwcYc7G+yAdtkfX4U4NjBiT:/jit8p4sOyXtJMOLvW79dQqjBiT | ||
| imphash | 3c7cf310519cb6b2ae1650f9bdc35f1c | ||
| impfuzzy | 12:YQHD0AgG1R33wXJXPXJy3AGcY3vQwDDwDOG:YQHD0Iwt03B3vQw3wqG | ||
Network IP location
Signature (22cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 27 AntiVirus engines on VirusTotal as malicious |
| watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Deletes executed files from disk |
| watch | Harvests credentials from local email clients |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Sends data using the HTTP POST Method |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
Rules (10cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Network (7cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x4a1000 GetFileSize
0x4a1004 SetFilePointer
0x4a1008 GetModuleHandleW
0x4a100c GetTickCount
0x4a1010 Sleep
0x4a1014 ReadFile
0x4a1018 GetModuleFileNameW
0x4a101c CreateFileW
0x4a1020 GetProcAddress
0x4a1024 GetLocalTime
0x4a1028 LoadLibraryA
0x4a102c LocalAlloc
0x4a1030 GetModuleHandleA
0x4a1034 GetSystemTime
0x4a1038 VirtualQuery
0x4a103c RtlUnwind
0x4a1040 GetProcessHeap
0x4a1044 TerminateProcess
0x4a1048 GetCurrentProcess
0x4a104c UnhandledExceptionFilter
0x4a1050 SetUnhandledExceptionFilter
0x4a1054 IsDebuggerPresent
0x4a1058 RaiseException
0x4a105c WideCharToMultiByte
0x4a1060 MultiByteToWideChar
0x4a1064 LoadLibraryW
0x4a1068 IsProcessorFeaturePresent
0x4a106c FreeLibrary
0x4a1070 HeapFree
0x4a1074 HeapAlloc
USER32.dll
0x4a107c MessageBoxA
0x4a1080 MessageBoxIndirectA
EAT(Export Address Table) is none
KERNEL32.dll
0x4a1000 GetFileSize
0x4a1004 SetFilePointer
0x4a1008 GetModuleHandleW
0x4a100c GetTickCount
0x4a1010 Sleep
0x4a1014 ReadFile
0x4a1018 GetModuleFileNameW
0x4a101c CreateFileW
0x4a1020 GetProcAddress
0x4a1024 GetLocalTime
0x4a1028 LoadLibraryA
0x4a102c LocalAlloc
0x4a1030 GetModuleHandleA
0x4a1034 GetSystemTime
0x4a1038 VirtualQuery
0x4a103c RtlUnwind
0x4a1040 GetProcessHeap
0x4a1044 TerminateProcess
0x4a1048 GetCurrentProcess
0x4a104c UnhandledExceptionFilter
0x4a1050 SetUnhandledExceptionFilter
0x4a1054 IsDebuggerPresent
0x4a1058 RaiseException
0x4a105c WideCharToMultiByte
0x4a1060 MultiByteToWideChar
0x4a1064 LoadLibraryW
0x4a1068 IsProcessorFeaturePresent
0x4a106c FreeLibrary
0x4a1070 HeapFree
0x4a1074 HeapAlloc
USER32.dll
0x4a107c MessageBoxA
0x4a1080 MessageBoxIndirectA
EAT(Export Address Table) is none