Field | Value |
---|---|
Created | 2021.08.06 09:55 |
Machine | s1_win7_x6401 |
Filename | kill$.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 40 detected (DelShad, malicious, high confidence, score, Unsafe, a variant of Generik, FJCGWGZ, GenericKD, ixwims, Generic ML PUA, MulDrop18, R011C0PH421, susgen, ai score=88, Tiggre, MulDrop, PowerShell, Static AI, Malicious PE, confidence, HgEASZgA) |
md5 | 6b351a94a1b2da234cd920dfbf7499af |
sha256 | 225aee453b9568adc4ebb27ce98fd80feabf144356196aa1139f08f4fe10eadc |
ssdeep | 3072:N2sMWkzbJh1qZ9QW69hd1MMdxPe9N9uA0hu9TBfcXW2bOlDGhek/:0bJhs7QW69hd1MMdxPe9N9uA0hu9TBrG |
imphash | 7182b1ea6f92adbf459a2c65d8d4dd9e |
impfuzzy | 48:YMaG/U3WmCp51GNxOI40nlUY5LoeSZ/g/KAwEUEkE/1WSY+09AFXElvyAobFzGJm:YnmU3JCp51GNxh40nlbo1WNwCJ |
Signature (18cnts)
Level | Description |
---|---|
danger | File has been identified by 40 AntiVirus engines on VirusTotal as malicious |
watch | Creates an Alternate Data Stream (ADS) |
watch | Removes the Shadow Copy to avoid recovery of the system |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Uses suspicious command line tools or Windows utilities |
watch | Uses Sysinternals tools in order to add additional command line functionality |
notice | A process created a hidden window |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Executes one or more WMI queries |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (42cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | antivm_vmware | AntiVM checks for VMWare | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE64 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | vmdetect | Possibly employs anti-virtualization techniques | memory |
info | win_hook | Affect hook table | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
msvcrt.dll
0x14001f6a8 memset
0x14001f6b0 wcsncmp
0x14001f6b8 memmove
0x14001f6c0 wcsncpy
0x14001f6c8 wcsstr
0x14001f6d0 _wcsnicmp
0x14001f6d8 _wcsdup
0x14001f6e0 free
0x14001f6e8 _wcsicmp
0x14001f6f0 wcslen
0x14001f6f8 wcscpy
0x14001f700 wcscmp
0x14001f708 memcpy
0x14001f710 tolower
0x14001f718 wcscat
0x14001f720 malloc
KERNEL32.dll
0x14001f730 GetModuleHandleW
0x14001f738 HeapCreate
0x14001f740 GetStdHandle
0x14001f748 HeapDestroy
0x14001f750 ExitProcess
0x14001f758 WriteFile
0x14001f760 GetTempFileNameW
0x14001f768 LoadLibraryExW
0x14001f770 EnumResourceTypesW
0x14001f778 FreeLibrary
0x14001f780 RemoveDirectoryW
0x14001f788 GetExitCodeProcess
0x14001f790 EnumResourceNamesW
0x14001f798 GetCommandLineW
0x14001f7a0 LoadResource
0x14001f7a8 SizeofResource
0x14001f7b0 FreeResource
0x14001f7b8 FindResourceW
0x14001f7c0 GetShortPathNameW
0x14001f7c8 GetSystemDirectoryW
0x14001f7d0 EnterCriticalSection
0x14001f7d8 CloseHandle
0x14001f7e0 LeaveCriticalSection
0x14001f7e8 InitializeCriticalSection
0x14001f7f0 WaitForSingleObject
0x14001f7f8 TerminateThread
0x14001f800 CreateThread
0x14001f808 Sleep
0x14001f810 WideCharToMultiByte
0x14001f818 HeapAlloc
0x14001f820 HeapFree
0x14001f828 LoadLibraryW
0x14001f830 GetProcAddress
0x14001f838 GetCurrentProcessId
0x14001f840 GetCurrentThreadId
0x14001f848 GetModuleFileNameW
0x14001f850 GetEnvironmentVariableW
0x14001f858 SetEnvironmentVariableW
0x14001f860 GetCurrentProcess
0x14001f868 TerminateProcess
0x14001f870 RtlLookupFunctionEntry
0x14001f878 RtlVirtualUnwind
0x14001f880 RemoveVectoredExceptionHandler
0x14001f888 AddVectoredExceptionHandler
0x14001f890 HeapSize
0x14001f898 MultiByteToWideChar
0x14001f8a0 CreateDirectoryW
0x14001f8a8 SetFileAttributesW
0x14001f8b0 GetTempPathW
0x14001f8b8 DeleteFileW
0x14001f8c0 GetCurrentDirectoryW
0x14001f8c8 SetCurrentDirectoryW
0x14001f8d0 CreateFileW
0x14001f8d8 SetFilePointer
0x14001f8e0 TlsFree
0x14001f8e8 TlsGetValue
0x14001f8f0 TlsSetValue
0x14001f8f8 TlsAlloc
0x14001f900 HeapReAlloc
0x14001f908 DeleteCriticalSection
0x14001f910 GetLastError
0x14001f918 SetLastError
0x14001f920 UnregisterWait
0x14001f928 GetCurrentThread
0x14001f930 DuplicateHandle
0x14001f938 RegisterWaitForSingleObject
SHELL32.DLL
0x14001f948 ShellExecuteExW
0x14001f950 SHGetFolderLocation
0x14001f958 SHGetPathFromIDListW
WINMM.DLL
0x14001f968 timeBeginPeriod
OLE32.DLL
0x14001f978 CoInitialize
0x14001f980 CoTaskMemFree
SHLWAPI.DLL
0x14001f990 PathAddBackslashW
0x14001f998 PathRenameExtensionW
0x14001f9a0 PathQuoteSpacesW
0x14001f9a8 PathRemoveArgsW
0x14001f9b0 PathRemoveBackslashW
USER32.DLL
0x14001f9c0 CharUpperW
0x14001f9c8 CharLowerW
0x14001f9d0 MessageBoxW
0x14001f9d8 DefWindowProcW
0x14001f9e0 GetWindowLongPtrW
0x14001f9e8 GetWindowTextLengthW
0x14001f9f0 GetWindowTextW
0x14001f9f8 EnableWindow
0x14001fa00 DestroyWindow
0x14001fa08 UnregisterClassW
0x14001fa10 LoadIconW
0x14001fa18 LoadCursorW
0x14001fa20 RegisterClassExW
0x14001fa28 IsWindowEnabled
0x14001fa30 GetSystemMetrics
0x14001fa38 CreateWindowExW
0x14001fa40 SetWindowLongPtrW
0x14001fa48 SendMessageW
0x14001fa50 SetFocus
0x14001fa58 CreateAcceleratorTableW
0x14001fa60 SetForegroundWindow
0x14001fa68 BringWindowToTop
0x14001fa70 GetMessageW
0x14001fa78 TranslateAcceleratorW
0x14001fa80 TranslateMessage
0x14001fa88 DispatchMessageW
0x14001fa90 DestroyAcceleratorTable
0x14001fa98 PostMessageW
0x14001faa0 GetForegroundWindow
0x14001faa8 GetWindowThreadProcessId
0x14001fab0 IsWindowVisible
0x14001fab8 EnumWindows
0x14001fac0 SetWindowPos
GDI32.DLL
0x14001fad0 GetStockObject
COMCTL32.DLL
0x14001fae0 InitCommonControlsEx
EAT (Export Address Table) is none