Field | Value |
---|---|
Created | 2021.09.11 15:20 |
Machine | s1_win7_x6401 |
Filename | pr.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 31 detected (malicious, high confidence, GenericKD, Attribute, HighConfidence, Zonidel, XPACK, kcloud, Phonzy, score, BScope, Tiggre, Mint, Zard, ai score=87, Unsafe, Generic@ML, RDMK, 2qDcxafKdfiFyvByQxZXjw, Static AI, Suspicious PE, PossibleThreat, Genetic) |
md5 | 400c88f0603d79c08a3afda851994a52 |
sha256 | ac836d33a1ee0cf140e455a4d0d4eca6f65a3ddb4e7673d113fe5f55ff73ba88 |
ssdeep | 192:GmWTaP1T8qKGGoTTP1oynmz6TWS/u4Nn:xWTaP1TaOTb1coWS/nNn |
imphash | 0ff2683f34ebbb5dddc196a1ae798848 |
impfuzzy | 24:suoTB+5T0v+GE/aN/2MtIOgnloyBDuKm1/mIVU1we:suod+x02GNN3yOWoyB6Ko/Q |
Network IP location
Signature (6cnts)
Level | Description |
---|---|
danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to remove evidence of file being downloaded from the Internet |
watch | Installs itself for autorun at Windows startup |
notice | A process attempted to delay the analysis task. |
info | The executable uses a known packer |
info | This executable has a PDB path |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win_Worm_Phorpiex | A worm that spreads via removable drives and network drives. | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
SHLWAPI.dll
0x4020bc StrCmpNW
0x4020c0 PathFileExistsW
0x4020c4 StrStrIW
MSVCRT.dll
0x402074 _onexit
0x402078 __dllonexit
0x40207c _controlfp
0x402080 _except_handler3
0x402084 __set_app_type
0x402088 __p__fmode
0x40208c __p__commode
0x402090 _adjust_fdiv
0x402094 __setusermatherr
0x402098 _initterm
0x40209c __getmainargs
0x4020a0 _acmdln
0x4020a4 exit
0x4020a8 wcslen
0x4020ac wcscmp
0x4020b0 _XcptFilter
0x4020b4 _exit
KERNEL32.dll
0x402020 GetStartupInfoA
0x402024 GetModuleHandleA
0x402028 CreateMutexA
0x40202c GetLastError
0x402030 ExitProcess
0x402034 GetModuleFileNameW
0x402038 ExpandEnvironmentStringsW
0x40203c CopyFileW
0x402040 CreateThread
0x402044 Sleep
0x402048 ExitThread
0x40204c SetFileAttributesW
0x402050 DeleteFileW
0x402054 HeapFree
0x402058 HeapAlloc
0x40205c GetProcessHeap
0x402060 lstrcpyW
0x402064 QueryDosDeviceW
0x402068 GetDriveTypeW
0x40206c GetLogicalDrives
USER32.dll
0x4020cc wsprintfW
ADVAPI32.dll
0x402000 RegSetValueExW
0x402004 RegQueryValueExW
0x402008 RegOpenKeyExW
0x40200c RegQueryInfoKeyW
0x402010 RegEnumValueW
0x402014 RegDeleteValueW
0x402018 RegCloseKey
EAT (Export Address Table): none