Field | Value |
---|---|
Created | 2021.08.10 10:45 |
Machine | s1_win7_x6402 |
Filename | storm.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 29 detected (AIDetect, malware2, Solmyr, malicious, high confidence, Artemis, Save, ali2000010, confidence, ZexaF, zqW@a4t0QUoi, Attribute, HighConfidence, Vega, ccnc, FileRepMalware, Static AI, Malicious PE, Wacatac, Zeppelin, POEXBW, score, Unsafe, Raas, Auto, Buran) |
md5 | de904e0d5b71c0c3d99430b61d40aae2 |
sha256 | 43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b |
ssdeep | 6144:Zmr7jJUEMBNUNwxJ6m16i6d+W+u7Qn7prLtSacoTccdk+Hy:ZyfJcLUNMu7Qn7prLQQTccrS |
imphash | c4d14a42e6a78b07bbf1d524c984cfc3 |
impfuzzy | 3:swBJAEPwEBJJ67EQaxRAAbsS9KTXzhAXw3aAXw3hyw+KWRAqX+JSKWRAqX4P7XmU:dBJAEtwyRlb7GDMylv5Xx5XMXmG55MzA |
Signature (28cnts)
Level | Description |
---|---|
danger | Drops 10559 unknown file mime types indicative of ransomware writing encrypted files back to disk |
danger | Executed a process and injected code into it |
warning | File has been identified by 29 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Created a process named as a common system process |
watch | Creates a thread using CreateRemoteThread in a non-child process indicative of process injection |
watch | Installs itself for autorun at Windows startup |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | Modifies boot configuration settings |
watch | Network communications indicative of possible code injection originated from the process csrss.exe |
watch | Potential code injection by writing to the memory of another process |
watch | Removes the Shadow Copy to avoid recovery of the system |
watch | Uses suspicious command line tools or Windows utilities |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Executes one or more WMI queries |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | Performs some HTTP requests |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
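The signature table above flags the combination that matters most for triage: shadow copies removed, boot configuration modified, and suspicious Windows utilities run, all from a sample whose VT names include Zeppelin and Buran. The report does not show the command lines behind those signatures, so the following is an added example (not the report's data and not the sample's own commands) that runs a detection over a constructed set of process-creation events in a simple `timestamp|image|parent|cmdline` format. The `vssadmin`, `wmic`, `bcdedit` and `wbadmin` invocations it matches are the well-known recovery-inhibition commands ransomware families use; the paths and the `C:\Users\user` location are assumptions. Events are grouped by parent process, so the verdict is raised against `storm.exe` rather than against the individual system utilities it spawned.

```python
import re
from dataclasses import dataclass

# Recovery-inhibition and boot-tampering command patterns. Matched
# case-insensitively against the full command line of a process-creation event.
RECOVERY_INHIBITION_PATTERNS = {
    "shadow_copy_delete_vssadmin": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "shadow_copy_resize_vssadmin": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    "shadow_copy_delete_wmic": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "boot_recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "boot_status_policy_ignore": re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "backup_catalog_delete": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
}

# Constructed sample events (not from the report). Format: timestamp|image|parent|cmdline.
# The last two lines are benign controls: a read-only vssadmin query and notepad.
SAMPLE_EVENTS = """\
2021-08-10 10:46:01|C:\\Windows\\System32\\vssadmin.exe|C:\\Users\\user\\storm.exe|vssadmin.exe delete shadows /all /quiet
2021-08-10 10:46:02|C:\\Windows\\System32\\wbem\\WMIC.exe|C:\\Users\\user\\storm.exe|wmic shadowcopy delete
2021-08-10 10:46:03|C:\\Windows\\System32\\bcdedit.exe|C:\\Users\\user\\storm.exe|bcdedit /set {default} recoveryenabled no
2021-08-10 10:46:03|C:\\Windows\\System32\\bcdedit.exe|C:\\Users\\user\\storm.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2021-08-10 10:46:10|C:\\Windows\\System32\\vssadmin.exe|C:\\Windows\\explorer.exe|vssadmin list shadows
2021-08-10 10:47:00|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe|notepad.exe C:\\Users\\user\\readme.txt
"""


@dataclass
class ProcessEvent:
    timestamp: str
    image: str
    parent_image: str
    command_line: str


def parse_events(text):
    """Parse the pipe-separated sample format into ProcessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, image, parent, cmd = line.split("|", 3)
        events.append(ProcessEvent(ts, image, parent, cmd))
    return events


def classify(command_line):
    """Return the set of pattern tags a single command line triggers."""
    return {tag for tag, pat in RECOVERY_INHIBITION_PATTERNS.items() if pat.search(command_line)}


def tags_by_parent(events):
    """Aggregate triggered tags per parent image, so the spawning malware is
    the entity that gets scored rather than vssadmin.exe or bcdedit.exe."""
    out = {}
    for ev in events:
        tags = classify(ev.command_line)
        if tags:
            out.setdefault(ev.parent_image, set()).update(tags)
    return out


def verdict(tags):
    """Shadow-copy/backup removal plus boot tampering together is the
    ransomware pattern; either one alone is worth a look but is also done by
    legitimate admin scripts."""
    shadow = any(t.startswith("shadow_copy_") or t == "backup_catalog_delete" for t in tags)
    boot = any(t.startswith("boot_") for t in tags)
    if shadow and boot:
        return "recovery inhibition + boot tampering (ransomware-like)"
    if shadow or boot:
        return "single recovery-inhibition indicator (review)"
    return "none"


if __name__ == "__main__":
    for parent, tags in tags_by_parent(parse_events(SAMPLE_EVENTS)).items():
        print(parent, sorted(tags), "->", verdict(tags))
```

Grouping by parent is the design choice worth copying into a real rule: the individual utilities are legitimate, and a per-event alert on `vssadmin` alone is noisy, whereas one parent that both deletes shadows and disables Windows recovery inside a few seconds is almost never benign.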
Rules (17cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | NPKI_Zero | File included NPKI | binaries (download) |
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win_Trojan_Formbook_Zero | Used Formbook | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | PDF_Javascript_ShellCode | PDF Javascript ShellCode | binaries (download) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Win32_HWP_PostScript_Zero | Detect a HWP with embedded Post Script code | binaries (download) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
Network (9cnts)
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Geo Location IP info online service (geoiptool.com)
ET POLICY Geo Location IP info online service (geoiptool.com)
PE API
IAT(Import Address Table) Library
kernel32.dll
0x461a00 LoadLibraryA
0x461a04 VirtualAlloc
0x461a08 VirtualProtect
0x461a0c GetProcAddress
0x461a10 lstrlenA
0x461a14 lstrcatA
0x461a18 SetLastError
0x461a1c GetLastError
winspool.drv
0x54906e ConvertAnsiDevModeToUnicodeDevmode
EAT(Export Address Table) Library
0x403223 GetPage
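The import table listed above is unusually small for a GUI executable and consists almost entirely of loader primitives (LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualProtect), which is consistent with the "unknown PE section names indicative of a packer" and "Allocates read-write-execute memory" signatures: a stub like this resolves the real payload's imports at run time. The following added example (not tooling from the report) encodes that heuristic and also rebuilds the import string that pefile hashes for imphash, using pefile's rule that only `.dll`, `.ocx` and `.sys` extensions are stripped from the library name (so `winspool.drv` keeps its extension). Recomputing the hash from the listing is a consistency check against the report's own imphash field: a mismatch means the listing is truncated or reordered relative to the real import directory, which is itself useful to know before relying on it. The import list is copied from the page; the threshold of 16 imports is an assumption.

```python
import hashlib

# Import table exactly as listed in the report's IAT section (dll, function).
REPORTED_IMPORTS = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "VirtualProtect"),
    ("kernel32.dll", "GetProcAddress"),
    ("kernel32.dll", "lstrlenA"),
    ("kernel32.dll", "lstrcatA"),
    ("kernel32.dll", "SetLastError"),
    ("kernel32.dll", "GetLastError"),
    ("winspool.drv", "ConvertAnsiDevModeToUnicodeDevmode"),
]

# Imports a packer or loader stub needs to map and fix up its payload.
LOADER_PRIMITIVES = {
    "loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw",
    "getprocaddress", "virtualalloc", "virtualallocex", "virtualprotect",
    "writeprocessmemory",
}

# Assumption: a stub-like table has at most this many named imports.
STUB_MAX_IMPORTS = 16


def imphash_string(imports):
    """Build the comma-joined 'lib.func' string that pefile MD5s for imphash.
    The DLL name is lowercased and only .dll/.ocx/.sys is stripped; imports
    by ordinal (not present in this listing) are not handled here."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the imphash string; compare with the report's imphash field."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


def packer_stub_score(imports):
    """Flag an import table that looks like a loader stub: few imports, and
    the GetProcAddress + VirtualAlloc + LoadLibrary* trio present."""
    names = {func.lower() for _, func in imports}
    primitives = names & LOADER_PRIMITIVES
    has_loadlibrary = any(n.startswith("loadlibrary") for n in primitives)
    return {
        "import_count": len(imports),
        "loader_primitives": sorted(primitives),
        "looks_like_stub": (
            len(imports) <= STUB_MAX_IMPORTS
            and {"getprocaddress", "virtualalloc"} <= primitives
            and has_loadlibrary
        ),
    }


if __name__ == "__main__":
    print(imphash_string(REPORTED_IMPORTS))
    print("imphash from listing:", imphash(REPORTED_IMPORTS))
    print(packer_stub_score(REPORTED_IMPORTS))
```

If the recomputed value differs from the reported `c4d14a42e6a78b07bbf1d524c984cfc3`, treat the IAT listing as partial and pull the full import directory from the sample with pefile before drawing conclusions from it; the stub heuristic, which depends only on which primitives are present, holds either way.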