ScreenShot
| Created | 2021.08.02 10:00 | Machine | s1_win7_x6401 |
| Filename | 6.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 47 detected (AIDetect, malware1, malicious, high confidence, MachineLearning, Anomalous, Save, Mint, Zard, QSPK, Attribute, HighConfidence, a variant of Generik, HLXFKFN, score, ccmw, Generic@ML, RDML, JZFVDQXqy3+v9yTioog97Q, EPACK, Gen2, R002C0WH121, Unsafe, kcloud, Genasom, ai score=89, Static AI, Suspicious PE, susgen, PossibleThreat, confidence, 100%, HxQB9jsA) | ||
| md5 | 598c53bfef81e489375f09792e487f1a | ||
| sha256 | 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6 | ||
| ssdeep | 1536:RzICS4AT6GxdEe+TOdincJXvKv8Zg3kl:qR7auJXSkZg3C | ||
| imphash | c94b1566bf307396953c849ef18f9857 | ||
| impfuzzy | 12:JFC9B/mlA7dJTJHBJNCQaB1byBJJ2mSOGOovF9xw:XS/KA5RNBJNCQaB1bSJJEOGOovF9+ | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| danger | Appends a new file extension or content to 2092 files indicative of a ransomware file encryption process |
| danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
| danger | Performs 2092 file moves indicative of a ransomware file encryption process |
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Appends a known multi-family ransomware file extension to files that have been encrypted |
| watch | Attempts to detect Cuckoo Sandbox through the presence of a file |
| watch | Attempts to stop active services |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Queries for the computername |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | DarkMatter_Ransomware_IN | DarkMatter Ransomware | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
gdi32.dll
0x40f050 SelectPalette
0x40f054 GetTextCharset
0x40f058 GetDeviceCaps
0x40f05c CreateSolidBrush
0x40f060 CreateFontW
USER32.dll
0x40f024 DefWindowProcW
0x40f028 GetClassNameW
0x40f02c GetDlgItem
0x40f030 GetDlgItemTextW
0x40f034 IsDlgButtonChecked
0x40f038 LoadImageW
0x40f03c LoadMenuW
0x40f040 CreateMenu
0x40f044 CreateDialogParamW
0x40f048 EndDialog
KERNEL32.dll
0x40f000 SetLastError
0x40f004 GetModuleHandleA
0x40f008 GetFileAttributesW
0x40f00c GetCommandLineW
0x40f010 GetCommandLineA
0x40f014 FormatMessageW
0x40f018 GetAtomNameW
0x40f01c FreeLibrary
EAT(Export Address Table) is none
gdi32.dll
0x40f050 SelectPalette
0x40f054 GetTextCharset
0x40f058 GetDeviceCaps
0x40f05c CreateSolidBrush
0x40f060 CreateFontW
USER32.dll
0x40f024 DefWindowProcW
0x40f028 GetClassNameW
0x40f02c GetDlgItem
0x40f030 GetDlgItemTextW
0x40f034 IsDlgButtonChecked
0x40f038 LoadImageW
0x40f03c LoadMenuW
0x40f040 CreateMenu
0x40f044 CreateDialogParamW
0x40f048 EndDialog
KERNEL32.dll
0x40f000 SetLastError
0x40f004 GetModuleHandleA
0x40f008 GetFileAttributesW
0x40f00c GetCommandLineW
0x40f010 GetCommandLineA
0x40f014 FormatMessageW
0x40f018 GetAtomNameW
0x40f01c FreeLibrary
EAT(Export Address Table) is none