ScreenShot
| Created | 2021.07.30 11:06 | Machine | s1_win7_x6401 |
| Filename | WUpdate.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 30 detected (GenericKD, Unsafe, malicious, confidence, Coinminer, GenKryptik, FHBF, Convagent, PUPXME, ai score=87, ASBOL, Wacatac, score, Artemis, R002H0CG221, Behavior) | ||
| md5 | 22e4972a8a73e90a38f379ff527759dc | ||
| sha256 | 1c377a9ac966d3cb6950cb27ed3cc2abfa1299e9611a87735f258088e01bf7af | ||
| ssdeep | 49152:V+clb1BRntmeSKZQvQVPWA6LKk7MhU6GuMEHksv95y7PETs7qXnsZtI76:PmF4VPILK/z398PEMqXnIIO | ||
| imphash | e2a1496c94d52a035fe47259ee6587b7 | ||
| impfuzzy | 48:J9jOX8LKc1XFjsX1Pfc++6WQYgebtSXCBinUb:JdJLKc1XFgX1Pfc++VVnbtSXCBink | ||
Network IP location
Signature (20cnts)
| Level | Description |
|---|---|
| danger | Disables Windows Security features |
| danger | File has been identified by 30 AntiVirus engines on VirusTotal as malicious |
| warning | Stops Windows services |
| watch | Drops a binary and executes it |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (28cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | PowerShell_Script_MZ_Zero | PowerShell Script MZ [Zero] | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140038000 GetLastError
0x140038008 SetLastError
0x140038010 FormatMessageW
0x140038018 GetCurrentProcess
0x140038020 DeviceIoControl
0x140038028 SetFileTime
0x140038030 CloseHandle
0x140038038 CreateDirectoryW
0x140038040 RemoveDirectoryW
0x140038048 CreateFileW
0x140038050 DeleteFileW
0x140038058 CreateHardLinkW
0x140038060 GetShortPathNameW
0x140038068 GetLongPathNameW
0x140038070 MoveFileW
0x140038078 GetFileType
0x140038080 GetStdHandle
0x140038088 WriteFile
0x140038090 ReadFile
0x140038098 FlushFileBuffers
0x1400380a0 SetEndOfFile
0x1400380a8 SetFilePointer
0x1400380b0 SetFileAttributesW
0x1400380b8 GetFileAttributesW
0x1400380c0 FindClose
0x1400380c8 FindFirstFileW
0x1400380d0 FindNextFileW
0x1400380d8 GetVersionExW
0x1400380e0 GetCurrentDirectoryW
0x1400380e8 GetFullPathNameW
0x1400380f0 FoldStringW
0x1400380f8 GetModuleFileNameW
0x140038100 GetModuleHandleW
0x140038108 FindResourceW
0x140038110 FreeLibrary
0x140038118 GetProcAddress
0x140038120 GetCurrentProcessId
0x140038128 ExitProcess
0x140038130 SetThreadExecutionState
0x140038138 Sleep
0x140038140 LoadLibraryW
0x140038148 GetSystemDirectoryW
0x140038150 CompareStringW
0x140038158 AllocConsole
0x140038160 FreeConsole
0x140038168 AttachConsole
0x140038170 WriteConsoleW
0x140038178 GetProcessAffinityMask
0x140038180 CreateThread
0x140038188 SetThreadPriority
0x140038190 InitializeCriticalSection
0x140038198 EnterCriticalSection
0x1400381a0 LeaveCriticalSection
0x1400381a8 DeleteCriticalSection
0x1400381b0 SetEvent
0x1400381b8 ResetEvent
0x1400381c0 ReleaseSemaphore
0x1400381c8 WaitForSingleObject
0x1400381d0 CreateEventW
0x1400381d8 CreateSemaphoreW
0x1400381e0 GetSystemTime
0x1400381e8 SystemTimeToTzSpecificLocalTime
0x1400381f0 TzSpecificLocalTimeToSystemTime
0x1400381f8 SystemTimeToFileTime
0x140038200 FileTimeToLocalFileTime
0x140038208 LocalFileTimeToFileTime
0x140038210 FileTimeToSystemTime
0x140038218 GetCPInfo
0x140038220 IsDBCSLeadByte
0x140038228 MultiByteToWideChar
0x140038230 WideCharToMultiByte
0x140038238 GlobalAlloc
0x140038240 LockResource
0x140038248 GlobalLock
0x140038250 GlobalUnlock
0x140038258 GlobalFree
0x140038260 LoadResource
0x140038268 SizeofResource
0x140038270 SetCurrentDirectoryW
0x140038278 GetExitCodeProcess
0x140038280 GetLocalTime
0x140038288 GetTickCount
0x140038290 MapViewOfFile
0x140038298 UnmapViewOfFile
0x1400382a0 CreateFileMappingW
0x1400382a8 OpenFileMappingW
0x1400382b0 GetCommandLineW
0x1400382b8 SetEnvironmentVariableW
0x1400382c0 ExpandEnvironmentStringsW
0x1400382c8 GetTempPathW
0x1400382d0 MoveFileExW
0x1400382d8 GetLocaleInfoW
0x1400382e0 GetTimeFormatW
0x1400382e8 GetDateFormatW
0x1400382f0 GetNumberFormatW
0x1400382f8 SetFilePointerEx
0x140038300 GetConsoleMode
0x140038308 GetConsoleCP
0x140038310 HeapSize
0x140038318 SetStdHandle
0x140038320 GetProcessHeap
0x140038328 FreeEnvironmentStringsW
0x140038330 RaiseException
0x140038338 GetSystemInfo
0x140038340 VirtualProtect
0x140038348 VirtualQuery
0x140038350 LoadLibraryExA
0x140038358 RtlCaptureContext
0x140038360 RtlLookupFunctionEntry
0x140038368 RtlVirtualUnwind
0x140038370 IsDebuggerPresent
0x140038378 UnhandledExceptionFilter
0x140038380 SetUnhandledExceptionFilter
0x140038388 GetStartupInfoW
0x140038390 IsProcessorFeaturePresent
0x140038398 QueryPerformanceCounter
0x1400383a0 GetCurrentThreadId
0x1400383a8 GetSystemTimeAsFileTime
0x1400383b0 InitializeSListHead
0x1400383b8 RtlUnwindEx
0x1400383c0 RtlPcToFileHeader
0x1400383c8 EncodePointer
0x1400383d0 InitializeCriticalSectionAndSpinCount
0x1400383d8 TlsAlloc
0x1400383e0 TlsGetValue
0x1400383e8 TlsSetValue
0x1400383f0 TlsFree
0x1400383f8 LoadLibraryExW
0x140038400 QueryPerformanceFrequency
0x140038408 TerminateProcess
0x140038410 GetModuleHandleExW
0x140038418 GetModuleFileNameA
0x140038420 GetACP
0x140038428 HeapFree
0x140038430 HeapAlloc
0x140038438 HeapReAlloc
0x140038440 GetStringTypeW
0x140038448 LCMapStringW
0x140038450 FindFirstFileExA
0x140038458 FindNextFileA
0x140038460 IsValidCodePage
0x140038468 GetOEMCP
0x140038470 GetCommandLineA
0x140038478 GetEnvironmentStringsW
gdiplus.dll
0x140038488 GdiplusShutdown
0x140038490 GdiplusStartup
0x140038498 GdipCreateHBITMAPFromBitmap
0x1400384a0 GdipCreateBitmapFromStream
0x1400384a8 GdipDisposeImage
0x1400384b0 GdipCloneImage
0x1400384b8 GdipFree
0x1400384c0 GdipAlloc
EAT(Export Address Table) Library
KERNEL32.dll
0x140038000 GetLastError
0x140038008 SetLastError
0x140038010 FormatMessageW
0x140038018 GetCurrentProcess
0x140038020 DeviceIoControl
0x140038028 SetFileTime
0x140038030 CloseHandle
0x140038038 CreateDirectoryW
0x140038040 RemoveDirectoryW
0x140038048 CreateFileW
0x140038050 DeleteFileW
0x140038058 CreateHardLinkW
0x140038060 GetShortPathNameW
0x140038068 GetLongPathNameW
0x140038070 MoveFileW
0x140038078 GetFileType
0x140038080 GetStdHandle
0x140038088 WriteFile
0x140038090 ReadFile
0x140038098 FlushFileBuffers
0x1400380a0 SetEndOfFile
0x1400380a8 SetFilePointer
0x1400380b0 SetFileAttributesW
0x1400380b8 GetFileAttributesW
0x1400380c0 FindClose
0x1400380c8 FindFirstFileW
0x1400380d0 FindNextFileW
0x1400380d8 GetVersionExW
0x1400380e0 GetCurrentDirectoryW
0x1400380e8 GetFullPathNameW
0x1400380f0 FoldStringW
0x1400380f8 GetModuleFileNameW
0x140038100 GetModuleHandleW
0x140038108 FindResourceW
0x140038110 FreeLibrary
0x140038118 GetProcAddress
0x140038120 GetCurrentProcessId
0x140038128 ExitProcess
0x140038130 SetThreadExecutionState
0x140038138 Sleep
0x140038140 LoadLibraryW
0x140038148 GetSystemDirectoryW
0x140038150 CompareStringW
0x140038158 AllocConsole
0x140038160 FreeConsole
0x140038168 AttachConsole
0x140038170 WriteConsoleW
0x140038178 GetProcessAffinityMask
0x140038180 CreateThread
0x140038188 SetThreadPriority
0x140038190 InitializeCriticalSection
0x140038198 EnterCriticalSection
0x1400381a0 LeaveCriticalSection
0x1400381a8 DeleteCriticalSection
0x1400381b0 SetEvent
0x1400381b8 ResetEvent
0x1400381c0 ReleaseSemaphore
0x1400381c8 WaitForSingleObject
0x1400381d0 CreateEventW
0x1400381d8 CreateSemaphoreW
0x1400381e0 GetSystemTime
0x1400381e8 SystemTimeToTzSpecificLocalTime
0x1400381f0 TzSpecificLocalTimeToSystemTime
0x1400381f8 SystemTimeToFileTime
0x140038200 FileTimeToLocalFileTime
0x140038208 LocalFileTimeToFileTime
0x140038210 FileTimeToSystemTime
0x140038218 GetCPInfo
0x140038220 IsDBCSLeadByte
0x140038228 MultiByteToWideChar
0x140038230 WideCharToMultiByte
0x140038238 GlobalAlloc
0x140038240 LockResource
0x140038248 GlobalLock
0x140038250 GlobalUnlock
0x140038258 GlobalFree
0x140038260 LoadResource
0x140038268 SizeofResource
0x140038270 SetCurrentDirectoryW
0x140038278 GetExitCodeProcess
0x140038280 GetLocalTime
0x140038288 GetTickCount
0x140038290 MapViewOfFile
0x140038298 UnmapViewOfFile
0x1400382a0 CreateFileMappingW
0x1400382a8 OpenFileMappingW
0x1400382b0 GetCommandLineW
0x1400382b8 SetEnvironmentVariableW
0x1400382c0 ExpandEnvironmentStringsW
0x1400382c8 GetTempPathW
0x1400382d0 MoveFileExW
0x1400382d8 GetLocaleInfoW
0x1400382e0 GetTimeFormatW
0x1400382e8 GetDateFormatW
0x1400382f0 GetNumberFormatW
0x1400382f8 SetFilePointerEx
0x140038300 GetConsoleMode
0x140038308 GetConsoleCP
0x140038310 HeapSize
0x140038318 SetStdHandle
0x140038320 GetProcessHeap
0x140038328 FreeEnvironmentStringsW
0x140038330 RaiseException
0x140038338 GetSystemInfo
0x140038340 VirtualProtect
0x140038348 VirtualQuery
0x140038350 LoadLibraryExA
0x140038358 RtlCaptureContext
0x140038360 RtlLookupFunctionEntry
0x140038368 RtlVirtualUnwind
0x140038370 IsDebuggerPresent
0x140038378 UnhandledExceptionFilter
0x140038380 SetUnhandledExceptionFilter
0x140038388 GetStartupInfoW
0x140038390 IsProcessorFeaturePresent
0x140038398 QueryPerformanceCounter
0x1400383a0 GetCurrentThreadId
0x1400383a8 GetSystemTimeAsFileTime
0x1400383b0 InitializeSListHead
0x1400383b8 RtlUnwindEx
0x1400383c0 RtlPcToFileHeader
0x1400383c8 EncodePointer
0x1400383d0 InitializeCriticalSectionAndSpinCount
0x1400383d8 TlsAlloc
0x1400383e0 TlsGetValue
0x1400383e8 TlsSetValue
0x1400383f0 TlsFree
0x1400383f8 LoadLibraryExW
0x140038400 QueryPerformanceFrequency
0x140038408 TerminateProcess
0x140038410 GetModuleHandleExW
0x140038418 GetModuleFileNameA
0x140038420 GetACP
0x140038428 HeapFree
0x140038430 HeapAlloc
0x140038438 HeapReAlloc
0x140038440 GetStringTypeW
0x140038448 LCMapStringW
0x140038450 FindFirstFileExA
0x140038458 FindNextFileA
0x140038460 IsValidCodePage
0x140038468 GetOEMCP
0x140038470 GetCommandLineA
0x140038478 GetEnvironmentStringsW
gdiplus.dll
0x140038488 GdiplusShutdown
0x140038490 GdiplusStartup
0x140038498 GdipCreateHBITMAPFromBitmap
0x1400384a0 GdipCreateBitmapFromStream
0x1400384a8 GdipDisposeImage
0x1400384b0 GdipCloneImage
0x1400384b8 GdipFree
0x1400384c0 GdipAlloc
EAT(Export Address Table) Library