Field | Value |
---|---|
Created | 2021.09.01 09:47 |
Machine | s1_win7_x6401 |
Filename | pattern.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 31 detected (AIDetect, malware2, malicious, high confidence, Unsafe, Save, ali2000010, confidence, FakeAlert, Eldorado, Attribute, HighConfidence, a variant of Generik, HMIXXKV, score, Vega, FileRepMetagen, Kryptik, CLASSIC, ztvag@0, R + Mal, EncPk, Zeppelin, GYYT0B, KVMH008, kcloud, Sabsik, Artemis, BScope, Static AI, Malicious PE, Qbot, ZexaF, AqW@ae6GONai) |
md5 | dcef208fcdac3345c6899a478d16980f |
sha256 | 824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc |
ssdeep | 6144:iYdiLQNWloaXoLJYksETr0vpvejH6ols25A0LJjI4WHB/N7:BiLQqosgZs+8vejap0LJ6h |
imphash | 940ad5caeeb0db96261588d30309b3ae |
impfuzzy | 3:swBJAEPwEBJJ67EQaxRAAbsS9KTXzhAXw3aAXw39KU7XgkIulAXDn:dBJAEtwyRlb7GDMyReXgkI4yDn |
Signature (28cnts)
Level | Description |
---|---|
danger | Drops 11099 unknown file mime types indicative of ransomware writing encrypted files back to disk |
danger | Executed a process and injected code into it |
danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Created a process named as a common system process |
watch | Creates a thread using CreateRemoteThread in a non-child process indicative of process injection |
watch | Installs itself for autorun at Windows startup |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | Modifies boot configuration settings |
watch | Network communications indicative of possible code injection originated from the process csrss.exe |
watch | Potential code injection by writing to the memory of another process |
watch | Removes the Shadow Copy to avoid recovery of the system |
watch | Uses suspicious command line tools or Windows utilities |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Executes one or more WMI queries |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | Performs some HTTP requests |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
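The ransomware-style behaviours in the table above (shadow copy removal, boot configuration changes, autorun persistence, use of Windows utilities and WMI) are the ones a detection engineer would want to reproduce from process-creation telemetry rather than from a sandbox verdict. The following is an added example, not part of this report and not the sandbox's rule logic: it runs regular-expression rules over a handful of constructed command lines (the report does not show the commands the sample actually ran) and maps each hit back to the signature name it approximates. The rule patterns, the event format and the benign control commands are all this example's own choices.

```python
import re

# Each rule approximates one signature name from the report's table. The
# regexes are this example's own and are not the sandbox's rule logic.
RULES = {
    "Removes the Shadow Copy to avoid recovery of the system": [
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
        re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
        re.compile(r"\bwin32_shadowcopy\b.*\b(remove|delete)", re.I),
    ],
    "Modifies boot configuration settings": [
        re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
        re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    ],
    "Installs itself for autorun at Windows startup": [
        re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I),
    ],
}

# Constructed process-creation events (Sysmon event 1 / 4688 style). The report
# does not show the commands the sample ran; these are typical spellings, with
# two benign enumeration commands at the end that must not fire.
EVENTS = [
    {"pid": 1328, "parent": "pattern.exe",
     "cmd": r"cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"pid": 1340, "parent": "pattern.exe",
     "cmd": r"wmic.exe shadowcopy delete"},
    {"pid": 1352, "parent": "pattern.exe",
     "cmd": r"bcdedit.exe /set {default} recoveryenabled no"},
    {"pid": 1360, "parent": "pattern.exe",
     "cmd": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
            r"/v pattern /t REG_SZ /d C:\Users\user\pattern.exe /f"},
    {"pid": 1372, "parent": "explorer.exe",
     "cmd": r"vssadmin.exe list shadows"},     # benign: enumeration only
    {"pid": 1380, "parent": "cmd.exe",
     "cmd": r"bcdedit.exe /enum"},             # benign: enumeration only
]


def match_events(events, rules=RULES):
    """Return (signature, pid) for every event whose command line trips a rule."""
    hits = []
    for ev in events:
        for signature, patterns in rules.items():
            if any(p.search(ev["cmd"]) for p in patterns):
                hits.append((signature, ev["pid"]))
    return hits


def summarize(events, rules=RULES):
    """Count hits per signature: the report's Signature table in miniature."""
    counts = {}
    for signature, _ in match_events(events, rules):
        counts[signature] = counts.get(signature, 0) + 1
    return counts


if __name__ == "__main__":
    for signature, pid in match_events(EVENTS):
        print(f"pid {pid}: {signature}")
    print(summarize(EVENTS))
```

The two enumeration commands are there on purpose: `vssadmin list shadows` and `bcdedit /enum` are routine administration, so a rule keyed only on the binary name would be noisy. Anchoring on the destructive verb (`delete shadows`, `recoveryenabled no`) is what makes the shadow-copy and boot-configuration signatures actionable.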
Rules (20cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | NPKI_Zero | File included NPKI | binaries (download) |
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win_Trojan_Formbook_Zero | Used Formbook | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
watch | ASPack_Zero | ASPack packed file | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PNG_Format_Zero | PNG Format | binaries (download) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Network (9cnts)
Suricata IDS
Alert |
---|
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) |
ET POLICY Geo Location IP info online service (geoiptool.com) |
ET POLICY Geo Location IP info online service (geoiptool.com) |
PE API
IAT (Import Address Table)
Library | Address | Function |
---|---|---|
kernel32.dll | 0x458800 | LoadLibraryA |
kernel32.dll | 0x458804 | VirtualAlloc |
kernel32.dll | 0x458808 | VirtualProtect |
kernel32.dll | 0x45880c | GetProcAddress |
kernel32.dll | 0x458810 | lstrlenA |
kernel32.dll | 0x458814 | lstrcatA |
winspool.drv | 0x45881c | EnumPrintersA |
EAT (Export Address Table): none
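The import table above is tiny: kernel32 for LoadLibraryA, GetProcAddress, VirtualAlloc and VirtualProtect plus two string helpers, and a single winspool.drv import. That set is exactly what a packer stub needs to map and unpack a payload and resolve the real imports at run time, which is consistent with the ASPack_Zero and Malicious_Packer_Zero rule hits and the "unknown PE section names" signature. It also explains why the imphash field is useful for clustering: the hash is computed from the normalized import names, not from the code. The following is an added example, not part of this report and not the sandbox's code: it recomputes the imphash from the listed IAT using the normalization pefile applies (lower-case `library.function` tokens joined by commas, with only `.dll`, `.ocx` and `.sys` extensions stripped, so `winspool.drv` keeps its extension) and applies a loader-stub heuristic whose threshold of 12 imports is this example's own choice. It assumes all imports are by name, as they are here; pefile additionally resolves well-known ordinals to names, which this example omits.

```python
import hashlib

# Import Address Table as listed in the report's PE API section, in
# directory order; every import in it is by name.
IAT = {
    "kernel32.dll": ["LoadLibraryA", "VirtualAlloc", "VirtualProtect",
                     "GetProcAddress", "lstrlenA", "lstrcatA"],
    "winspool.drv": ["EnumPrintersA"],
}

# pefile strips only these extensions from the library name before hashing;
# "winspool.drv" therefore keeps its ".drv".
_STRIPPED_EXTENSIONS = {"dll", "ocx", "sys"}

# The minimal self-loading set: allocate memory, make it executable, and
# resolve the real imports at run time.
_LOADER_STUB = {"loadlibrarya", "getprocaddress", "virtualalloc", "virtualprotect"}


def normalize_import(library: str, function: str) -> str:
    """Return the 'lib.func' token that is hashed for one by-name import."""
    lib = library.lower()
    base, _, ext = lib.rpartition(".")
    if base and ext in _STRIPPED_EXTENSIONS:
        lib = base
    return f"{lib}.{function.lower()}"


def import_string(iat: dict) -> str:
    """Comma-joined tokens in import-directory order; this is the value that is MD5'd."""
    return ",".join(normalize_import(lib, fn)
                    for lib, funcs in iat.items() for fn in funcs)


def imphash(iat: dict) -> str:
    """MD5 of the normalized import string. Imports by ordinal are not handled
    here (pefile maps well-known ordinals to names first); assumption: all by name."""
    return hashlib.md5(import_string(iat).encode("ascii")).hexdigest()


def looks_like_loader_stub(iat: dict, max_imports: int = 12) -> bool:
    """Heuristic (the threshold is this example's choice, not a published rule):
    the full loader set is present and the table is tiny, which is what a
    packer stub looks like. Legitimate programs import far more than this."""
    names = {fn.lower() for funcs in iat.values() for fn in funcs}
    total = sum(len(funcs) for funcs in iat.values())
    return _LOADER_STUB <= names and total <= max_imports


if __name__ == "__main__":
    print(import_string(IAT))
    print("imphash:", imphash(IAT))
    print("loader stub:", looks_like_loader_stub(IAT))
```

Compare the printed imphash with the value in the report header. If the listing above is the complete import directory in its original order, the two should agree; a mismatch means an import was elided from the listing, the order differs, or an ordinal import was involved. The loader-stub check is a triage signal, not a verdict: it tells you to expect the real behaviour (and the real imports, such as the CreateRemoteThread and WMI activity the sandbox observed) only after unpacking.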