ScreenShot
| Created | 2021.09.06 08:16 | Machine | s1_win7_x6401 |
| Filename | ann.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 8 detected (Unsafe, ZexaF, oyW@amJOujji, Malicious, score, Generic@ML, RDML, o96BRdaIcIgdtg31oSblTQ, Static AI, Malicious PE) | ||
| md5 | ab554a6a408e86cc9a0332dc9eecc186 | ||
| sha256 | f09cf54f58a869d12b74f761fcdd1436446a90ccbc43625b93bf9e0699e27277 | ||
| ssdeep | 6144:4HzaISCTsSeBSBGIrJC5242YIeAOzLwxdV:4HzaIfTISfNC0TY/xUd | ||
| imphash | 4bf525a95c960651ee1903cac916a093 | ||
| impfuzzy | 24:Jovu9+KyqRDDdu9RlJHHuOGOovAjV1/OC1tjzvHc+9JBliWPt1sp9TGcBVv1jMID:SK8JZBbOKZvHc+J3t1sp9Gat73mCvmXc | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Expresses interest in specific running processes |
| notice | File has been identified by 8 AntiVirus engines on VirusTotal as malicious |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| info | Checks amount of memory in system |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win_Worm_Phorpiex | a worm which spreads via removable drives and network drives. | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x42a044 lstrcatW
0x42a048 GetFileAttributesW
0x42a04c CreateFileMappingW
0x42a050 MapViewOfFile
0x42a054 LoadLibraryA
0x42a058 UnmapViewOfFile
0x42a05c TerminateProcess
0x42a060 GetCurrentProcess
0x42a064 SetEnvironmentVariableW
0x42a068 CreateProcessW
0x42a06c SetErrorMode
0x42a070 SetUnhandledExceptionFilter
0x42a074 ExitProcess
0x42a078 CreateToolhelp32Snapshot
0x42a07c Process32FirstW
0x42a080 Process32NextW
0x42a084 GetProcAddress
0x42a088 GetModuleHandleW
0x42a08c lstrcmpiA
0x42a090 IsWow64Process
0x42a094 GetEnvironmentVariableW
0x42a098 Thread32First
0x42a09c Thread32Next
0x42a0a0 GetExitCodeProcess
0x42a0a4 WideCharToMultiByte
0x42a0a8 MultiByteToWideChar
0x42a0ac LocalAlloc
0x42a0b0 LocalFree
0x42a0b4 lstrcpyW
0x42a0b8 VirtualQuery
0x42a0bc Module32FirstW
0x42a0c0 ReadConsoleW
0x42a0c4 WriteConsoleW
0x42a0c8 SetStdHandle
0x42a0cc FreeEnvironmentStringsW
0x42a0d0 GetEnvironmentStringsW
0x42a0d4 GetCommandLineW
0x42a0d8 GetCommandLineA
0x42a0dc GetOEMCP
0x42a0e0 WaitForSingleObject
0x42a0e4 GetLastError
0x42a0e8 SetEndOfFile
0x42a0ec ReadFile
0x42a0f0 GetModuleFileNameW
0x42a0f4 VirtualAlloc
0x42a0f8 DeleteFileW
0x42a0fc GetFileAttributesExW
0x42a100 WriteFile
0x42a104 CreateFileW
0x42a108 CloseHandle
0x42a10c FindNextFileW
0x42a110 lstrcmpiW
0x42a114 Sleep
0x42a118 IsValidCodePage
0x42a11c FindFirstFileExW
0x42a120 FindClose
0x42a124 GetProcessHeap
0x42a128 GetCurrentProcessId
0x42a12c HeapSize
0x42a130 EnumSystemLocalesW
0x42a134 WaitForSingleObjectEx
0x42a138 GetCurrentThread
0x42a13c GetCurrentThreadId
0x42a140 QueryPerformanceCounter
0x42a144 EnterCriticalSection
0x42a148 LeaveCriticalSection
0x42a14c DeleteCriticalSection
0x42a150 SetLastError
0x42a154 InitializeCriticalSectionAndSpinCount
0x42a158 CreateEventW
0x42a15c TlsAlloc
0x42a160 TlsGetValue
0x42a164 TlsSetValue
0x42a168 TlsFree
0x42a16c GetSystemTimeAsFileTime
0x42a170 EncodePointer
0x42a174 DecodePointer
0x42a178 CompareStringW
0x42a17c LCMapStringW
0x42a180 GetLocaleInfoW
0x42a184 GetStringTypeW
0x42a188 GetCPInfo
0x42a18c SetEvent
0x42a190 ResetEvent
0x42a194 UnhandledExceptionFilter
0x42a198 IsProcessorFeaturePresent
0x42a19c IsDebuggerPresent
0x42a1a0 GetStartupInfoW
0x42a1a4 InitializeSListHead
0x42a1a8 GetThreadTimes
0x42a1ac FreeLibrary
0x42a1b0 LoadLibraryExW
0x42a1b4 RaiseException
0x42a1b8 RtlUnwind
0x42a1bc GetModuleHandleExW
0x42a1c0 HeapAlloc
0x42a1c4 HeapFree
0x42a1c8 HeapReAlloc
0x42a1cc GetStdHandle
0x42a1d0 GetACP
0x42a1d4 GetFileType
0x42a1d8 FlushFileBuffers
0x42a1dc GetConsoleCP
0x42a1e0 GetConsoleMode
0x42a1e4 SetFilePointerEx
0x42a1e8 IsValidLocale
0x42a1ec GetUserDefaultLCID
ADVAPI32.dll
0x42a000 SetEntriesInAclW
0x42a004 RegCloseKey
0x42a008 SetFileSecurityW
0x42a00c GetFileSecurityW
0x42a010 SetKernelObjectSecurity
0x42a014 SetSecurityDescriptorDacl
0x42a018 InitializeSecurityDescriptor
0x42a01c RegOpenKeyExW
0x42a020 GetExplicitEntriesFromAclW
0x42a024 GetSecurityDescriptorDacl
0x42a028 GetKernelObjectSecurity
0x42a02c RegEnumValueW
0x42a030 RegQueryInfoKeyW
0x42a034 RegDeleteValueW
PSAPI.DLL
0x42a1f4 GetModuleFileNameExW
0x42a1f8 EnumProcessModules
WINTRUST.dll
0x42a200 WinVerifyTrust
IPHLPAPI.DLL
0x42a03c GetExtendedTcpTable
EAT(Export Address Table) is none
KERNEL32.dll
0x42a044 lstrcatW
0x42a048 GetFileAttributesW
0x42a04c CreateFileMappingW
0x42a050 MapViewOfFile
0x42a054 LoadLibraryA
0x42a058 UnmapViewOfFile
0x42a05c TerminateProcess
0x42a060 GetCurrentProcess
0x42a064 SetEnvironmentVariableW
0x42a068 CreateProcessW
0x42a06c SetErrorMode
0x42a070 SetUnhandledExceptionFilter
0x42a074 ExitProcess
0x42a078 CreateToolhelp32Snapshot
0x42a07c Process32FirstW
0x42a080 Process32NextW
0x42a084 GetProcAddress
0x42a088 GetModuleHandleW
0x42a08c lstrcmpiA
0x42a090 IsWow64Process
0x42a094 GetEnvironmentVariableW
0x42a098 Thread32First
0x42a09c Thread32Next
0x42a0a0 GetExitCodeProcess
0x42a0a4 WideCharToMultiByte
0x42a0a8 MultiByteToWideChar
0x42a0ac LocalAlloc
0x42a0b0 LocalFree
0x42a0b4 lstrcpyW
0x42a0b8 VirtualQuery
0x42a0bc Module32FirstW
0x42a0c0 ReadConsoleW
0x42a0c4 WriteConsoleW
0x42a0c8 SetStdHandle
0x42a0cc FreeEnvironmentStringsW
0x42a0d0 GetEnvironmentStringsW
0x42a0d4 GetCommandLineW
0x42a0d8 GetCommandLineA
0x42a0dc GetOEMCP
0x42a0e0 WaitForSingleObject
0x42a0e4 GetLastError
0x42a0e8 SetEndOfFile
0x42a0ec ReadFile
0x42a0f0 GetModuleFileNameW
0x42a0f4 VirtualAlloc
0x42a0f8 DeleteFileW
0x42a0fc GetFileAttributesExW
0x42a100 WriteFile
0x42a104 CreateFileW
0x42a108 CloseHandle
0x42a10c FindNextFileW
0x42a110 lstrcmpiW
0x42a114 Sleep
0x42a118 IsValidCodePage
0x42a11c FindFirstFileExW
0x42a120 FindClose
0x42a124 GetProcessHeap
0x42a128 GetCurrentProcessId
0x42a12c HeapSize
0x42a130 EnumSystemLocalesW
0x42a134 WaitForSingleObjectEx
0x42a138 GetCurrentThread
0x42a13c GetCurrentThreadId
0x42a140 QueryPerformanceCounter
0x42a144 EnterCriticalSection
0x42a148 LeaveCriticalSection
0x42a14c DeleteCriticalSection
0x42a150 SetLastError
0x42a154 InitializeCriticalSectionAndSpinCount
0x42a158 CreateEventW
0x42a15c TlsAlloc
0x42a160 TlsGetValue
0x42a164 TlsSetValue
0x42a168 TlsFree
0x42a16c GetSystemTimeAsFileTime
0x42a170 EncodePointer
0x42a174 DecodePointer
0x42a178 CompareStringW
0x42a17c LCMapStringW
0x42a180 GetLocaleInfoW
0x42a184 GetStringTypeW
0x42a188 GetCPInfo
0x42a18c SetEvent
0x42a190 ResetEvent
0x42a194 UnhandledExceptionFilter
0x42a198 IsProcessorFeaturePresent
0x42a19c IsDebuggerPresent
0x42a1a0 GetStartupInfoW
0x42a1a4 InitializeSListHead
0x42a1a8 GetThreadTimes
0x42a1ac FreeLibrary
0x42a1b0 LoadLibraryExW
0x42a1b4 RaiseException
0x42a1b8 RtlUnwind
0x42a1bc GetModuleHandleExW
0x42a1c0 HeapAlloc
0x42a1c4 HeapFree
0x42a1c8 HeapReAlloc
0x42a1cc GetStdHandle
0x42a1d0 GetACP
0x42a1d4 GetFileType
0x42a1d8 FlushFileBuffers
0x42a1dc GetConsoleCP
0x42a1e0 GetConsoleMode
0x42a1e4 SetFilePointerEx
0x42a1e8 IsValidLocale
0x42a1ec GetUserDefaultLCID
ADVAPI32.dll
0x42a000 SetEntriesInAclW
0x42a004 RegCloseKey
0x42a008 SetFileSecurityW
0x42a00c GetFileSecurityW
0x42a010 SetKernelObjectSecurity
0x42a014 SetSecurityDescriptorDacl
0x42a018 InitializeSecurityDescriptor
0x42a01c RegOpenKeyExW
0x42a020 GetExplicitEntriesFromAclW
0x42a024 GetSecurityDescriptorDacl
0x42a028 GetKernelObjectSecurity
0x42a02c RegEnumValueW
0x42a030 RegQueryInfoKeyW
0x42a034 RegDeleteValueW
PSAPI.DLL
0x42a1f4 GetModuleFileNameExW
0x42a1f8 EnumProcessModules
WINTRUST.dll
0x42a200 WinVerifyTrust
IPHLPAPI.DLL
0x42a03c GetExtendedTcpTable
EAT(Export Address Table) is none