Field | Value |
---|---|
Created | 2021.09.14 15:38 |
Machine | s1_win7_x6402 |
Filename | admin.php |
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 15 detected (AIDetect, malware2, PsDownload, a variant of Generik, KNMGHYR, Artemis, skkoc, Malicious, score) |
md5 | dcbcd8c4fcdd17079caa96f80be4dd04 |
sha256 | 0bd512e81a4bf69155b9914b33aba5549cc61e3f5571da1810d99ceeda69b7ce |
ssdeep | 768:lw5WvEXtn8qE2DmtylSJFEl4d/z/SbYZZRRMBe9TmzbXI20A:q5WvEdny2Dm8EJUchwzB1 |
imphash | 32b1df407523bd5c4bab9e39f39c7353 |
impfuzzy | 12:sUfHYZ8vhU43YPXJ1XJw2n2KW2f3WacaZaFafhaJ/a6haphaNDVdgn:sv8vaL+Ucg3WDIAihKZh8h4Tgn |
Network IP location
Signature (20cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Communicates with host for which no DNS query was performed |
watch | Deletes executed files from disk |
watch | File has been identified by 15 AntiVirus engines on VirusTotal as malicious |
watch | One or more non-whitelisted processes were created |
watch | The process powershell.exe wrote an executable file to disk |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
info | This executable has a PDB path |
info | Uses Windows APIs to generate a cryptographic key |
Rules (11cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
info | Is_DotNET_DLL | (no description) | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PowershellDI | Extract Download/Invoke calls from powershell script | scripts |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x10002000 WinExec
0x10002004 IsDebuggerPresent
0x10002008 InitializeSListHead
0x1000200c GetSystemTimeAsFileTime
0x10002010 GetCurrentThreadId
0x10002014 GetCurrentProcessId
0x10002018 QueryPerformanceCounter
0x1000201c IsProcessorFeaturePresent
0x10002020 TerminateProcess
0x10002024 GetCurrentProcess
0x10002028 SetUnhandledExceptionFilter
0x1000202c UnhandledExceptionFilter
VCRUNTIME140.dll
0x10002034 memset
0x10002038 _except_handler4_common
0x1000203c __std_type_info_destroy_list
api-ms-win-crt-runtime-l1-1-0.dll
0x10002044 _cexit
0x10002048 _seh_filter_dll
0x1000204c _initterm_e
0x10002050 _initterm
0x10002054 _initialize_narrow_environment
0x10002058 _initialize_onexit_table
0x1000205c _execute_onexit_table
0x10002060 _configure_narrow_argv
EAT (Export Address Table): none