Field | Value |
---|---|
Created | 2021.09.12 15:11 |
Machine | s1_win7_x6402 |
Filename | NiceProcessX64.bmp |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 11 detected (Cerbu, malicious, Static AI, Suspicious PE, Androm, susgen, Wacatac, score, Artemis) |
md5 | 3f22bd82ee1b38f439e6354c60126d6d |
sha256 | 265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a |
ssdeep | 6144:ej4R3H20xSWLE2Sgct82tCOcfX+A5yF17s:ejcG72Et8Vf81 |
imphash | 0056da32d722449e0387cffcb345ecd5 |
impfuzzy | 24:aH8zx9lGDqTa702tRXCBgdlJnc+pl39/Oo+hvcGM1SOovbO9Z/8:aQpmPtRXCBg9c+ppopm3A |
Network IP location
Signature (7cnts)
Level | Description |
---|---|
watch | File has been identified by 11 AntiVirus engines on VirusTotal as malicious |
notice | A process attempted to delay the analysis task. |
notice | Creates executable files on the filesystem |
notice | Expresses interest in specific running processes |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (11cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x140019000 Process32First
0x140019008 WriteProcessMemory
0x140019010 SetPriorityClass
0x140019018 GetCurrentProcess
0x140019020 TerminateProcess
0x140019028 GetModuleHandleA
0x140019030 OpenProcess
0x140019038 CreateToolhelp32Snapshot
0x140019040 Sleep
0x140019048 GetTempPathA
0x140019050 K32GetModuleFileNameExA
0x140019058 Process32Next
0x140019060 CloseHandle
0x140019068 GetProcAddress
0x140019070 VirtualAllocEx
0x140019078 GetCurrentProcessId
0x140019080 CreateRemoteThread
0x140019088 K32EnumProcessModules
0x140019090 WriteConsoleW
0x140019098 RtlCaptureContext
0x1400190a0 RtlLookupFunctionEntry
0x1400190a8 RtlVirtualUnwind
0x1400190b0 UnhandledExceptionFilter
0x1400190b8 SetUnhandledExceptionFilter
0x1400190c0 IsProcessorFeaturePresent
0x1400190c8 IsDebuggerPresent
0x1400190d0 GetStartupInfoW
0x1400190d8 GetModuleHandleW
0x1400190e0 QueryPerformanceCounter
0x1400190e8 GetCurrentThreadId
0x1400190f0 GetSystemTimeAsFileTime
0x1400190f8 InitializeSListHead
0x140019100 RtlUnwindEx
0x140019108 RtlPcToFileHeader
0x140019110 RaiseException
0x140019118 GetLastError
0x140019120 SetLastError
0x140019128 EnterCriticalSection
0x140019130 LeaveCriticalSection
0x140019138 DeleteCriticalSection
0x140019140 InitializeCriticalSectionAndSpinCount
0x140019148 TlsAlloc
0x140019150 TlsGetValue
0x140019158 TlsSetValue
0x140019160 TlsFree
0x140019168 FreeLibrary
0x140019170 LoadLibraryExW
0x140019178 EncodePointer
0x140019180 ExitProcess
0x140019188 GetModuleHandleExW
0x140019190 GetModuleFileNameW
0x140019198 GetStdHandle
0x1400191a0 WriteFile
0x1400191a8 HeapFree
0x1400191b0 HeapAlloc
0x1400191b8 GetFileType
0x1400191c0 GetConsoleOutputCP
0x1400191c8 GetConsoleMode
0x1400191d0 GetFileSizeEx
0x1400191d8 SetFilePointerEx
0x1400191e0 FindClose
0x1400191e8 FindFirstFileExW
0x1400191f0 FindNextFileW
0x1400191f8 IsValidCodePage
0x140019200 GetACP
0x140019208 GetOEMCP
0x140019210 GetCPInfo
0x140019218 GetCommandLineA
0x140019220 GetCommandLineW
0x140019228 MultiByteToWideChar
0x140019230 WideCharToMultiByte
0x140019238 GetEnvironmentStringsW
0x140019240 FreeEnvironmentStringsW
0x140019248 LCMapStringW
0x140019250 GetProcessHeap
0x140019258 SetStdHandle
0x140019260 GetStringTypeW
0x140019268 CreateFileW
0x140019270 FlushFileBuffers
0x140019278 ReadFile
0x140019280 ReadConsoleW
0x140019288 HeapSize
0x140019290 HeapReAlloc
0x140019298 SetEndOfFile
EAT (Export Address Table): none