Field | Value |
---|---|
Created | 2021.09.18 19:47 |
Machine | s1_win7_x6402 |
Filename | Update.exe2.rar |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file : malware |
VT API (file) | 41 detected (malicious, high confidence, Babuk, Unsafe, Save, confidence, ZexaF, euW@a0wVUsc, Filecoder, Babyk, Ransomware, Maze, SMRD1, Static AI, Malicious PE, AGEN, ai score=85, score, R441290, GenericRXNS, BScope, Crypmod, CLASSIC, FilecoderProt, GdSda, susgen) |
md5 | 093f098e70cc57a17d02323cbe6cd484 |
sha256 | ae6020a06d2a95cbe91b439f4433e87d198547dec629ab0900ccfe17e729cff1 |
ssdeep | 1536:PhkWBeG/LEOSsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2Osf:LBe8dSsrQLOJgY8Zp8LHD4XWaNH71dLT |
imphash | 202fa14f574c71c2f95878e40a79322d |
impfuzzy | 24:/zKDDokSqQfc+dcOrUIjybBcVAlkxQJaOaad/brmTk9v4qKOoMq1j:rBfc+dDmcSk2Laad/hv46oM0 |
Signature (13cnts)
Level | Description |
---|---|
danger | File has been identified by 41 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to detect Cuckoo Sandbox through the presence of a file |
watch | Drops 146 unknown file mime types indicative of ransomware writing encrypted files back to disk |
watch | Removes the Shadow Copy to avoid recovery of the system |
watch | Uses suspicious command line tools or Windows utilities |
watch | Writes a potential ransom message to disk |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
info | Command line console output was observed |
info | One or more processes crashed |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x415028 OpenProcess
0x41502c GetTickCount
0x415030 GetModuleHandleA
0x415034 GetProcAddress
0x415038 LoadLibraryA
0x41503c lstrcmpW
0x415040 lstrlenW
0x415044 SetVolumeMountPointW
0x415048 CreateToolhelp32Snapshot
0x41504c Process32FirstW
0x415050 Process32NextW
0x415054 CreateFileW
0x415058 WriteFile
0x41505c InitializeCriticalSection
0x415060 EnterCriticalSection
0x415064 LeaveCriticalSection
0x415068 DeleteCriticalSection
0x41506c lstrlenA
0x415070 GetCommandLineW
0x415074 FindClose
0x415078 FindFirstFileW
0x41507c FindNextFileW
0x415080 GetFileSizeEx
0x415084 GetCurrentProcess
0x415088 ReadFile
0x41508c SetFileAttributesW
0x415090 SetFilePointerEx
0x415094 WaitForSingleObject
0x415098 CreateMutexA
0x41509c WaitForMultipleObjects
0x4150a0 GetCurrentProcessId
0x4150a4 ExitProcess
0x4150a8 CreateThread
0x4150ac ExitThread
0x4150b0 SetProcessShutdownParameters
0x4150b4 GetSystemInfo
0x4150b8 lstrcmpiW
0x4150bc lstrcpyW
0x4150c0 lstrcatW
0x4150c4 OpenMutexA
0x4150c8 MoveFileExW
0x4150cc WideCharToMultiByte
0x4150d0 HeapAlloc
0x4150d4 HeapFree
0x4150d8 GetProcessHeap
0x4150dc ReleaseSemaphore
0x4150e0 CreateSemaphoreA
0x4150e4 TerminateProcess
0x4150e8 Sleep
0x4150ec GetLastError
0x4150f0 CloseHandle
0x4150f4 GetVolumePathNamesForVolumeNameW
0x4150f8 GetDriveTypeW
0x4150fc FindVolumeClose
0x415100 FindNextVolumeW
0x415104 GetLogicalDrives
0x415108 FindFirstVolumeW
USER32.dll
0x415154 wsprintfA
ADVAPI32.dll
0x415000 QueryServiceStatusEx
0x415004 OpenSCManagerA
0x415008 EnumDependentServicesA
0x41500c ControlService
0x415010 CloseServiceHandle
0x415014 CryptAcquireContextW
0x415018 CryptReleaseContext
0x41501c CryptGenRandom
0x415020 OpenServiceA
SHELL32.dll
0x415144 SHEmptyRecycleBinA
0x415148 CommandLineToArgvW
0x41514c ShellExecuteW
NETAPI32.dll
0x415124 NetShareEnum
0x415128 NetApiBufferFree
RstrtMgr.DLL
0x415130 RmGetList
0x415134 RmStartSession
0x415138 RmEndSession
0x41513c RmRegisterResources
MPR.dll
0x415110 WNetCloseEnum
0x415114 WNetEnumResourceW
0x415118 WNetOpenEnumW
0x41511c WNetGetConnectionW
EAT (Export Address Table): none