Field | Value |
---|---|
Created | 2021.08.14 09:38 |
Machine | s1_win7_x6402 |
Filename | wsd.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 25 detected (AIDetect, malware2, malicious, high confidence, ZexaF, iwW@aevH8xfH, Kryptik, Eldorado, Attribute, HighConfidence, HMBT, Tepfer, Obscure, CLASSIC, Siggen3, 14RNW0M, score, Azorult, Static AI, Suspicious PE, susgen, HMBK, confidence, 100%, QVM10) |
md5 | 898f0ec3d9588199aa00da724447b5bb |
sha256 | e139a350242af220a379940c1a667891161ff92bdcdbb5acd024076a27ddbf56 |
ssdeep | 49152:QfQtjoZLBU0ZId3qgF6TuWrYWjvGyh8iw:Qf4oZ3INqgUT1rYWjuy |
imphash | 62f5ddafa2c16d26eaa8112b2787e21c |
impfuzzy | 48:mTzUbkYJq3mK8wQyMSaEBcftqPy29JSOPb:mVYIPL7M/EBcftqPyUJSOPb |
Network IP location
Signatures (25 counts)
Level | Description |
---|---|
danger | Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) |
danger | Executed a process and injected code into it |
warning | File has been identified by 25 AntiVirus engines on VirusTotal as malicious |
watch | A process attempted to delay the analysis task |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Communicates with host for which no DNS query was performed |
watch | Creates a windows hook that monitors keyboard input (keylogger) |
watch | Installs a hook procedure to monitor for mouse events |
watch | Installs itself for autorun at Windows startup |
watch | Looks for the Windows Idle Time to determine the uptime |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates hidden or system file |
notice | Drops an executable to the user AppData folder |
notice | Foreign language identified in PE resource |
notice | Moves the original executable to a new location |
notice | One or more potentially interesting buffers were extracted |
notice | Potentially malicious URLs were found in the process memory dump |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks if process is being debugged by a debugger |
info | This executable has a PDB path |
Rules (32 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | network_smtp_raw | Communications smtp | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x429000 GetComputerNameA
0x429004 EnumResourceNamesW
0x429008 UnregisterWait
0x42900c SetPriorityClass
0x429010 WriteConsoleInputW
0x429014 SetFilePointer
0x429018 GetConsoleAliasesLengthW
0x42901c InterlockedIncrement
0x429020 InterlockedDecrement
0x429024 WaitNamedPipeA
0x429028 CompareFileTime
0x42902c SetEnvironmentVariableW
0x429030 CreateDirectoryW
0x429034 GlobalLock
0x429038 SetEvent
0x42903c FreeEnvironmentStringsA
0x429040 GetTickCount
0x429044 GetCommandLineA
0x429048 GlobalAlloc
0x42904c AddRefActCtx
0x429050 LoadLibraryW
0x429054 GetSystemWow64DirectoryW
0x429058 IsProcessorFeaturePresent
0x42905c CreateSemaphoreA
0x429060 ReadFile
0x429064 GetModuleFileNameW
0x429068 CompareStringW
0x42906c lstrlenW
0x429070 LCMapStringA
0x429074 GetFileSizeEx
0x429078 GetStartupInfoA
0x42907c OpenMutexW
0x429080 GetHandleInformation
0x429084 GetCurrentDirectoryW
0x429088 SetLastError
0x42908c GetProcAddress
0x429090 VirtualAlloc
0x429094 WriteProfileSectionA
0x429098 ReadFileEx
0x42909c CopyFileA
0x4290a0 GetPrivateProfileStringA
0x4290a4 LoadLibraryA
0x4290a8 OpenMutexA
0x4290ac GetConsoleScreenBufferInfo
0x4290b0 GetExitCodeThread
0x4290b4 SetCurrentDirectoryW
0x4290b8 PostQueuedCompletionStatus
0x4290bc FindAtomA
0x4290c0 CreateIoCompletionPort
0x4290c4 HeapSetInformation
0x4290c8 GetConsoleCursorInfo
0x4290cc FatalAppExitA
0x4290d0 GetCPInfoExA
0x4290d4 OpenSemaphoreW
0x4290d8 GetVersionExA
0x4290dc TlsAlloc
0x4290e0 GetSystemTime
0x4290e4 CopyFileExA
0x4290e8 GetLastError
0x4290ec MoveFileA
0x4290f0 HeapValidate
0x4290f4 IsBadReadPtr
0x4290f8 RaiseException
0x4290fc EnterCriticalSection
0x429100 LeaveCriticalSection
0x429104 TerminateProcess
0x429108 GetCurrentProcess
0x42910c UnhandledExceptionFilter
0x429110 SetUnhandledExceptionFilter
0x429114 IsDebuggerPresent
0x429118 RtlUnwind
0x42911c GetACP
0x429120 GetOEMCP
0x429124 GetCPInfo
0x429128 IsValidCodePage
0x42912c TlsGetValue
0x429130 GetModuleHandleW
0x429134 TlsSetValue
0x429138 GetCurrentThreadId
0x42913c TlsFree
0x429140 Sleep
0x429144 ExitProcess
0x429148 SetHandleCount
0x42914c GetStdHandle
0x429150 GetFileType
0x429154 DeleteCriticalSection
0x429158 QueryPerformanceCounter
0x42915c GetCurrentProcessId
0x429160 GetSystemTimeAsFileTime
0x429164 GetModuleFileNameA
0x429168 GetEnvironmentStrings
0x42916c FreeEnvironmentStringsW
0x429170 WideCharToMultiByte
0x429174 GetEnvironmentStringsW
0x429178 HeapDestroy
0x42917c HeapCreate
0x429180 HeapFree
0x429184 VirtualFree
0x429188 WriteFile
0x42918c HeapAlloc
0x429190 HeapSize
0x429194 HeapReAlloc
0x429198 DebugBreak
0x42919c OutputDebugStringA
0x4291a0 WriteConsoleW
0x4291a4 OutputDebugStringW
0x4291a8 MultiByteToWideChar
0x4291ac GetStringTypeA
0x4291b0 GetStringTypeW
0x4291b4 GetLocaleInfoA
0x4291b8 LCMapStringW
0x4291bc InitializeCriticalSectionAndSpinCount
0x4291c0 FlushFileBuffers
0x4291c4 GetConsoleCP
0x4291c8 GetConsoleMode
0x4291cc CloseHandle
0x4291d0 SetStdHandle
0x4291d4 WriteConsoleA
0x4291d8 GetConsoleOutputCP
0x4291dc CreateFileA
0x4291e0 GetModuleHandleA
EAT (Export Address Table): none