ScreenShot
| Created | 2021.07.13 09:45 | Machine | s1_win7_x6401 |
| Filename | newApps.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 36 detected (DownLoad4, GenericKD, Unsafe, Save, GenCBL, malicious, confidence, YUMT, seskno, DangerousSig, Artemis, npkep, ai score=86, Tnega, score, R002H0DGA21, susgen, H8oAfUsA) | ||
| md5 | 1d3ee4783ce7a30a7fd422f5abe7ba25 | ||
| sha256 | f9fe730178dcb234b908d759db705a9f78c1505df5bd5c09a5369a6f9ed2363b | ||
| ssdeep | 98304:KRXBy+ZqGGBfu6ETBJjvgQKNHnFDJiy6OL9BAYHRZ2uBO9D6y:UxtZ5G4vTBJ7UHGy6OL9BAKeuqWy | ||
| imphash | f32b3285ebecf2ab26752aa86ba5f08c | ||
| impfuzzy | 24:UbVjhN5O+VuT2oLtXOr6kwmDruMztxdEr6UNQtXJHc9NDI5Q8:K5O+VAXOmGx0nAXpcM5Q8 | ||
Network IP location
Signature (21cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 36 AntiVirus engines on VirusTotal as malicious |
| watch | Creates a suspicious Powershell process |
| watch | Detects the presence of Wine emulator |
| watch | One or more non-whitelisted processes were created |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (9cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | NPKI_Zero | File included NPKI | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| info | Is_DotNET_DLL | (no description) | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0xa41000 WriteFile
0xa41008 WriteConsoleW
0xa41010 WaitForMultipleObjects
0xa41018 WaitForSingleObject
0xa41020 VirtualQuery
0xa41028 VirtualFree
0xa41030 VirtualAlloc
0xa41038 SwitchToThread
0xa41040 SuspendThread
0xa41048 Sleep
0xa41050 SetWaitableTimer
0xa41058 SetUnhandledExceptionFilter
0xa41060 SetProcessPriorityBoost
0xa41068 SetEvent
0xa41070 SetErrorMode
0xa41078 SetConsoleCtrlHandler
0xa41080 ResumeThread
0xa41088 PostQueuedCompletionStatus
0xa41090 LoadLibraryA
0xa41098 LoadLibraryW
0xa410a0 SetThreadContext
0xa410a8 GetThreadContext
0xa410b0 GetSystemInfo
0xa410b8 GetSystemDirectoryA
0xa410c0 GetStdHandle
0xa410c8 GetQueuedCompletionStatusEx
0xa410d0 GetProcessAffinityMask
0xa410d8 GetProcAddress
0xa410e0 GetEnvironmentStringsW
0xa410e8 GetConsoleMode
0xa410f0 FreeEnvironmentStringsW
0xa410f8 ExitProcess
0xa41100 DuplicateHandle
0xa41108 CreateWaitableTimerExW
0xa41110 CreateThread
0xa41118 CreateIoCompletionPort
0xa41120 CreateEventA
0xa41128 CloseHandle
0xa41130 AddVectoredExceptionHandler
kernel32.dll
0xa41140 LocalAlloc
0xa41148 LocalFree
0xa41150 GetModuleFileNameW
0xa41158 GetProcessAffinityMask
0xa41160 SetProcessAffinityMask
0xa41168 SetThreadAffinityMask
0xa41170 Sleep
0xa41178 ExitProcess
0xa41180 FreeLibrary
0xa41188 LoadLibraryA
0xa41190 GetModuleHandleA
0xa41198 GetProcAddress
USER32.dll
0xa411a8 GetProcessWindowStation
0xa411b0 GetUserObjectInformationW
EAT(Export Address Table) is none
kernel32.dll
0xa41000 WriteFile
0xa41008 WriteConsoleW
0xa41010 WaitForMultipleObjects
0xa41018 WaitForSingleObject
0xa41020 VirtualQuery
0xa41028 VirtualFree
0xa41030 VirtualAlloc
0xa41038 SwitchToThread
0xa41040 SuspendThread
0xa41048 Sleep
0xa41050 SetWaitableTimer
0xa41058 SetUnhandledExceptionFilter
0xa41060 SetProcessPriorityBoost
0xa41068 SetEvent
0xa41070 SetErrorMode
0xa41078 SetConsoleCtrlHandler
0xa41080 ResumeThread
0xa41088 PostQueuedCompletionStatus
0xa41090 LoadLibraryA
0xa41098 LoadLibraryW
0xa410a0 SetThreadContext
0xa410a8 GetThreadContext
0xa410b0 GetSystemInfo
0xa410b8 GetSystemDirectoryA
0xa410c0 GetStdHandle
0xa410c8 GetQueuedCompletionStatusEx
0xa410d0 GetProcessAffinityMask
0xa410d8 GetProcAddress
0xa410e0 GetEnvironmentStringsW
0xa410e8 GetConsoleMode
0xa410f0 FreeEnvironmentStringsW
0xa410f8 ExitProcess
0xa41100 DuplicateHandle
0xa41108 CreateWaitableTimerExW
0xa41110 CreateThread
0xa41118 CreateIoCompletionPort
0xa41120 CreateEventA
0xa41128 CloseHandle
0xa41130 AddVectoredExceptionHandler
kernel32.dll
0xa41140 LocalAlloc
0xa41148 LocalFree
0xa41150 GetModuleFileNameW
0xa41158 GetProcessAffinityMask
0xa41160 SetProcessAffinityMask
0xa41168 SetThreadAffinityMask
0xa41170 Sleep
0xa41178 ExitProcess
0xa41180 FreeLibrary
0xa41188 LoadLibraryA
0xa41190 GetModuleHandleA
0xa41198 GetProcAddress
USER32.dll
0xa411a8 GetProcessWindowStation
0xa411b0 GetUserObjectInformationW
EAT(Export Address Table) is none