ScreenShot
Field | Value |
---|---|
Created | 2021.07.09 10:01 |
Machine | s1_win7_x6402 |
Filename | 08.jpg |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 20 detected (Pack, Emotet, Artemis, ZexaF, Uu0@aO44wCdi, Malicious, Krypt, Wacapew, score, ai score=86, Static AI, Suspicious PE, QVM20) |
md5 | ed1921467f6784af6bdca40a06a541b5 |
sha256 | 3db14214a9eb98b3b5abffcb314c808a25ed82456ce01251d31e8ea960f6e4e6 |
ssdeep | 12288:4AbvaOTfFGikmS6jd2QML8HXWp8KEwbHBkm9jjgbFHLViv0dC2x0uTadTaUk7u:vbvJfFGikmS0pXfw7Bkm9j088PlTaDj |
imphash | 5a2e77913b081a443f9195818466685a |
impfuzzy | 48:c3G3Qd1ZmQ1Xc+CM6tMSTMvUiAEkDCxqQ59v3099l4zHAOFEK3zveK0svkea:r3Q5dXc+CBtMSTMc5tYmK0Sy |
Network IP location
Signature (34cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
warning | File has been identified by 20 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
watch | A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preparations. |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Harvests credentials from local FTP client software |
watch | Harvests information related to installed instant messenger clients |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process 08.jpg |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Creates a suspicious process |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
Rules (14cnts)
Level | Name | Description | Collection |
---|---|---|---|
notice | Network_DNS | Communications use DNS | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (12cnts)
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1078074 GetOEMCP
0x1078078 GetCommandLineA
0x107807c GetCommandLineW
0x1078080 GetEnvironmentStringsW
0x1078084 GetACP
0x1078088 IsValidCodePage
0x107808c FindNextFileW
0x1078090 FindFirstFileExW
0x1078094 FindClose
0x1078098 OutputDebugStringW
0x107809c FreeEnvironmentStringsW
0x10780a0 SetEnvironmentVariableW
0x10780a4 SetStdHandle
0x10780a8 GetProcessHeap
0x10780ac GetFileSizeEx
0x10780b0 SetFilePointerEx
0x10780b4 HeapSize
0x10780b8 FlushFileBuffers
0x10780bc GetConsoleCP
0x10780c0 GetConsoleMode
0x10780c4 ReadFile
0x10780c8 ReadConsoleW
0x10780cc CloseHandle
0x10780d0 CreateFileW
0x10780d4 CreateProcessW
0x10780d8 SetConsoleCP
0x10780dc GetCurrentDirectoryW
0x10780e0 GetSystemDirectoryW
0x10780e4 GetCurrentThreadId
0x10780e8 GetTempPathW
0x10780ec RemoveDirectoryW
0x10780f0 GetDiskFreeSpaceW
0x10780f4 VirtualProtect
0x10780f8 GetTimeZoneInformation
0x10780fc SetConsoleCtrlHandler
0x1078100 HeapReAlloc
0x1078104 EnumSystemLocalesW
0x1078108 GetUserDefaultLCID
0x107810c IsValidLocale
0x1078110 GetTimeFormatW
0x1078114 GetDateFormatW
0x1078118 HeapAlloc
0x107811c HeapFree
0x1078120 GetCurrentThread
0x1078124 GetFileType
0x1078128 GetModuleHandleExW
0x107812c ExitProcess
0x1078130 GetModuleFileNameW
0x1078134 WriteFile
0x1078138 GetStdHandle
0x107813c EncodePointer
0x1078140 DecodePointer
0x1078144 EnterCriticalSection
0x1078148 LeaveCriticalSection
0x107814c DeleteCriticalSection
0x1078150 WideCharToMultiByte
0x1078154 SetLastError
0x1078158 InitializeCriticalSectionAndSpinCount
0x107815c CreateEventW
0x1078160 SwitchToThread
0x1078164 TlsAlloc
0x1078168 TlsGetValue
0x107816c TlsSetValue
0x1078170 TlsFree
0x1078174 GetSystemTimeAsFileTime
0x1078178 GetTickCount
0x107817c GetModuleHandleW
0x1078180 GetProcAddress
0x1078184 MultiByteToWideChar
0x1078188 GetStringTypeW
0x107818c CompareStringW
0x1078190 LCMapStringW
0x1078194 GetLocaleInfoW
0x1078198 GetCPInfo
0x107819c UnhandledExceptionFilter
0x10781a0 SetUnhandledExceptionFilter
0x10781a4 GetCurrentProcess
0x10781a8 TerminateProcess
0x10781ac IsProcessorFeaturePresent
0x10781b0 QueryPerformanceCounter
0x10781b4 GetCurrentProcessId
0x10781b8 InitializeSListHead
0x10781bc IsDebuggerPresent
0x10781c0 GetStartupInfoW
0x10781c4 RtlUnwind
0x10781c8 RaiseException
0x10781cc InterlockedPushEntrySList
0x10781d0 InterlockedFlushSList
0x10781d4 GetLastError
0x10781d8 FreeLibrary
0x10781dc LoadLibraryExW
0x10781e0 WriteConsoleW
USER32.dll
0x10781e8 GetWindowTextW
0x10781ec GetCursorPos
0x10781f0 UpdateWindow
0x10781f4 GetClassInfoExA
0x10781f8 AppendMenuW
0x10781fc GetClassNameW
0x1078200 FindWindowW
0x1078204 SetFocus
0x1078208 GetAsyncKeyState
0x107820c RegisterClassExW
0x1078210 EnumChildWindows
0x1078214 SetWindowPos
0x1078218 GetDC
0x107821c GetFocus
0x1078220 CallWindowProcW
0x1078224 GetMessagePos
0x1078228 GetMessageW
0x107822c GetWindowTextLengthW
GDI32.dll
0x107805c CreateCompatibleBitmap
0x1078060 SetPixel
0x1078064 PatBlt
0x1078068 StretchBlt
0x107806c GetTextExtentPoint32W
ole32.dll
0x1078278 OleInitialize
0x107827c OleSetContainedObject
0x1078280 OleUninitialize
ADVAPI32.dll
0x1078000 RegisterServiceCtrlHandlerW
0x1078004 LookupPrivilegeValueW
0x1078008 RegCloseKey
0x107800c RegEnumKeyW
0x1078010 QueryServiceStatus
0x1078014 OpenSCManagerW
0x1078018 RegDeleteKeyW
0x107801c AllocateAndInitializeSid
0x1078020 SetEntriesInAclW
0x1078024 RegCreateKeyExW
0x1078028 DeleteService
0x107802c GetTokenInformation
0x1078030 RegSetValueExW
0x1078034 OpenProcessToken
0x1078038 FreeSid
0x107803c InitializeSecurityDescriptor
0x1078040 RegOpenKeyExW
0x1078044 StartServiceCtrlDispatcherW
0x1078048 OpenServiceW
0x107804c OpenThreadToken
0x1078050 RegOpenKeyW
0x1078054 RegQueryValueExW
VERSION.dll
0x1078248 GetFileVersionInfoW
0x107824c GetFileVersionInfoSizeW
0x1078250 VerQueryValueW
WS2_32.dll
0x1078258 socket
0x107825c WSAStartup
0x1078260 closesocket
0x1078264 ind
0x1078268 accept
0x107826c WSACleanup
0x1078270 connect
UxTheme.dll
0x1078234 GetThemeBackgroundRegion
0x1078238 CloseThemeData
0x107823c GetThemeTextExtent
0x1078240 GetThemeFont
EAT(Export Address Table) is none