ScreenShot
| Created | 2021.07.27 18:02 | Machine | s1_win7_x6402 |
| Filename | ma.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 60 detected (AIDetect, malware2, Reconyc, malicious, high confidence, CGMR, WebToos, S18562, Unsafe, Save, Dorpal, ali1000029, Eldorado, multiple detections, Gadoopt, esql, exhhog, Prockill, Gencirc, Gates, ASMalwS, kcloud, score, GenericRXDY, ai score=100, BScope, Nagyo, CLASSIC, GenAsa, 84t1QyHA9Mc, Static AI, Suspicious PE, DGUG, ZexaF, puW@aKX7Duki, Genetic, confidence, HykCqv8A) | ||
| md5 | 36efb3390df7e6ecc5289f72cdf59d82 | ||
| sha256 | a42e903ae820f28980e819453ce24adcb66832cb474b993a288518562092fb68 | ||
| ssdeep | 24576:UZUwXfHfdrWqVn6tnFE2A8ZF6Qm+pKVG29fcwDLMQG+Z2XlR:Cf/RCGmdpKb9fc1q2f | ||
| imphash | 97684ed2b4bb5eb7f373577c0891222e | ||
| impfuzzy | 24:/kgeHOiC2OovIG1tDSDRjFQ8RyvDh/J3ISRT4RfvjMPpl790gBzB9IBk:/GO9TG1t66DjTcRfUzfRIm | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 60 AntiVirus engines on VirusTotal as malicious |
| watch | Installs itself for autorun at Windows startup |
| watch | Installs WinPCAP |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a service |
| notice | Creates executable files on the filesystem |
| notice | Executes one or more WMI queries |
| notice | Foreign language identified in PE resource |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (11cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x40d020 GetSystemWow64DirectoryA
0x40d024 GetLastError
0x40d028 WinExec
0x40d02c CloseHandle
0x40d030 GetSystemInfo
0x40d034 Sleep
0x40d038 CreateProcessA
0x40d03c WriteFile
0x40d040 CreateFileA
0x40d044 DeleteFileA
0x40d048 SizeofResource
0x40d04c LoadResource
0x40d050 FindResourceA
0x40d054 CreateDirectoryA
0x40d058 GetVersionExA
0x40d05c GetCommandLineA
0x40d060 RaiseException
0x40d064 RtlUnwind
0x40d068 TerminateProcess
0x40d06c GetCurrentProcess
0x40d070 UnhandledExceptionFilter
0x40d074 SetUnhandledExceptionFilter
0x40d078 IsDebuggerPresent
0x40d07c HeapFree
0x40d080 HeapAlloc
0x40d084 GetModuleHandleW
0x40d088 GetProcAddress
0x40d08c ExitProcess
0x40d090 GetStdHandle
0x40d094 GetModuleFileNameA
0x40d098 FreeEnvironmentStringsA
0x40d09c GetEnvironmentStrings
0x40d0a0 FreeEnvironmentStringsW
0x40d0a4 WideCharToMultiByte
0x40d0a8 GetEnvironmentStringsW
0x40d0ac SetHandleCount
0x40d0b0 GetFileType
0x40d0b4 GetStartupInfoA
0x40d0b8 DeleteCriticalSection
0x40d0bc TlsGetValue
0x40d0c0 TlsAlloc
0x40d0c4 TlsSetValue
0x40d0c8 TlsFree
0x40d0cc InterlockedIncrement
0x40d0d0 SetLastError
0x40d0d4 GetCurrentThreadId
0x40d0d8 InterlockedDecrement
0x40d0dc HeapCreate
0x40d0e0 VirtualFree
0x40d0e4 QueryPerformanceCounter
0x40d0e8 GetTickCount
0x40d0ec GetCurrentProcessId
0x40d0f0 GetSystemTimeAsFileTime
0x40d0f4 LeaveCriticalSection
0x40d0f8 EnterCriticalSection
0x40d0fc VirtualAlloc
0x40d100 HeapReAlloc
0x40d104 HeapSize
0x40d108 SetFilePointer
0x40d10c GetConsoleCP
0x40d110 GetConsoleMode
0x40d114 GetCPInfo
0x40d118 GetACP
0x40d11c GetOEMCP
0x40d120 IsValidCodePage
0x40d124 LoadLibraryA
0x40d128 InitializeCriticalSectionAndSpinCount
0x40d12c SetStdHandle
0x40d130 WriteConsoleA
0x40d134 GetConsoleOutputCP
0x40d138 WriteConsoleW
0x40d13c MultiByteToWideChar
0x40d140 LCMapStringA
0x40d144 LCMapStringW
0x40d148 GetStringTypeA
0x40d14c GetStringTypeW
0x40d150 GetLocaleInfoA
0x40d154 FlushFileBuffers
ADVAPI32.dll
0x40d000 OpenSCManagerA
0x40d004 StartServiceA
0x40d008 CreateServiceA
0x40d00c DeleteService
0x40d010 CloseServiceHandle
0x40d014 OpenServiceA
0x40d018 ControlService
EAT(Export Address Table) is none
KERNEL32.DLL
0x40d020 GetSystemWow64DirectoryA
0x40d024 GetLastError
0x40d028 WinExec
0x40d02c CloseHandle
0x40d030 GetSystemInfo
0x40d034 Sleep
0x40d038 CreateProcessA
0x40d03c WriteFile
0x40d040 CreateFileA
0x40d044 DeleteFileA
0x40d048 SizeofResource
0x40d04c LoadResource
0x40d050 FindResourceA
0x40d054 CreateDirectoryA
0x40d058 GetVersionExA
0x40d05c GetCommandLineA
0x40d060 RaiseException
0x40d064 RtlUnwind
0x40d068 TerminateProcess
0x40d06c GetCurrentProcess
0x40d070 UnhandledExceptionFilter
0x40d074 SetUnhandledExceptionFilter
0x40d078 IsDebuggerPresent
0x40d07c HeapFree
0x40d080 HeapAlloc
0x40d084 GetModuleHandleW
0x40d088 GetProcAddress
0x40d08c ExitProcess
0x40d090 GetStdHandle
0x40d094 GetModuleFileNameA
0x40d098 FreeEnvironmentStringsA
0x40d09c GetEnvironmentStrings
0x40d0a0 FreeEnvironmentStringsW
0x40d0a4 WideCharToMultiByte
0x40d0a8 GetEnvironmentStringsW
0x40d0ac SetHandleCount
0x40d0b0 GetFileType
0x40d0b4 GetStartupInfoA
0x40d0b8 DeleteCriticalSection
0x40d0bc TlsGetValue
0x40d0c0 TlsAlloc
0x40d0c4 TlsSetValue
0x40d0c8 TlsFree
0x40d0cc InterlockedIncrement
0x40d0d0 SetLastError
0x40d0d4 GetCurrentThreadId
0x40d0d8 InterlockedDecrement
0x40d0dc HeapCreate
0x40d0e0 VirtualFree
0x40d0e4 QueryPerformanceCounter
0x40d0e8 GetTickCount
0x40d0ec GetCurrentProcessId
0x40d0f0 GetSystemTimeAsFileTime
0x40d0f4 LeaveCriticalSection
0x40d0f8 EnterCriticalSection
0x40d0fc VirtualAlloc
0x40d100 HeapReAlloc
0x40d104 HeapSize
0x40d108 SetFilePointer
0x40d10c GetConsoleCP
0x40d110 GetConsoleMode
0x40d114 GetCPInfo
0x40d118 GetACP
0x40d11c GetOEMCP
0x40d120 IsValidCodePage
0x40d124 LoadLibraryA
0x40d128 InitializeCriticalSectionAndSpinCount
0x40d12c SetStdHandle
0x40d130 WriteConsoleA
0x40d134 GetConsoleOutputCP
0x40d138 WriteConsoleW
0x40d13c MultiByteToWideChar
0x40d140 LCMapStringA
0x40d144 LCMapStringW
0x40d148 GetStringTypeA
0x40d14c GetStringTypeW
0x40d150 GetLocaleInfoA
0x40d154 FlushFileBuffers
ADVAPI32.dll
0x40d000 OpenSCManagerA
0x40d004 StartServiceA
0x40d008 CreateServiceA
0x40d00c DeleteService
0x40d010 CloseServiceHandle
0x40d014 OpenServiceA
0x40d018 ControlService
EAT(Export Address Table) is none