Report - 6.exe

PE32 PE File
ScreenShot
Created 2021.08.02 09:19 Machine s1_win7_x6403
Filename 6.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
8
Behavior Score
9.0
ZERO API file : clean
VT API (file) 47 detected (AIDetect, malware1, malicious, high confidence, MachineLearning, Anomalous, Save, Mint, Zard, QSPK, Attribute, HighConfidence, a variant of Generik, HLXFKFN, score, ccmw, Generic@ML, RDML, JZFVDQXqy3+v9yTioog97Q, EPACK, Gen2, R002C0WH121, Unsafe, kcloud, Genasom, ai score=89, Static AI, Suspicious PE, susgen, PossibleThreat, confidence, 100%, HxQB9jsA)
md5 598c53bfef81e489375f09792e487f1a
sha256 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
ssdeep 1536:RzICS4AT6GxdEe+TOdincJXvKv8Zg3kl:qR7auJXSkZg3C
imphash c94b1566bf307396953c849ef18f9857
impfuzzy 12:JFC9B/mlA7dJTJHBJNCQaB1byBJJ2mSOGOovF9xw:XS/KA5RNBJNCQaB1bSJJEOGOovF9+
  Network IP location

Signature (15cnts)

Level Description
danger Appends a new file extension or content to 2049 files indicative of a ransomware file encryption process
danger File has been identified by 47 AntiVirus engines on VirusTotal as malicious
danger Performs 2049 file moves indicative of a ransomware file encryption process
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Appends a known multi-family ransomware file extension to files that have been encrypted
watch Attempts to detect Cuckoo Sandbox through the presence of a file
watch Attempts to stop active services
watch Harvests credentials from local email clients
notice Allocates read-write-execute memory (usually to unpack itself)
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername

Rules (2cnts)

Level Name Description Collection
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
paymenthacks.com US NETWORK-SOLUTIONS-HOSTING 206.188.197.206 clean
206.188.197.206 US NETWORK-SOLUTIONS-HOSTING 206.188.197.206 clean

Suricata ids

PE API

IAT(Import Address Table) Library

gdi32.dll
 0x40f050 SelectPalette
 0x40f054 GetTextCharset
 0x40f058 GetDeviceCaps
 0x40f05c CreateSolidBrush
 0x40f060 CreateFontW
USER32.dll
 0x40f024 DefWindowProcW
 0x40f028 GetClassNameW
 0x40f02c GetDlgItem
 0x40f030 GetDlgItemTextW
 0x40f034 IsDlgButtonChecked
 0x40f038 LoadImageW
 0x40f03c LoadMenuW
 0x40f040 CreateMenu
 0x40f044 CreateDialogParamW
 0x40f048 EndDialog
KERNEL32.dll
 0x40f000 SetLastError
 0x40f004 GetModuleHandleA
 0x40f008 GetFileAttributesW
 0x40f00c GetCommandLineW
 0x40f010 GetCommandLineA
 0x40f014 FormatMessageW
 0x40f018 GetAtomNameW
 0x40f01c FreeLibrary

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure