Field | Value |
---|---|
Created | 2021.09.24 09:16 |
Machine | s1_win7_x6401 |
Filename | xcvzn6sgATucn.cms |
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 7 detected (Artemis, Kryptik, HMOT, Malicious, Cridex, Static AI, Malicious PE, Outbreak) |
md5 | 78f2458cc24af9604d6963087bf385bf |
sha256 | 0c1d347f614bcd43d9628debcc924b3c3276e5fb2ff9307aeeeef2a7920ace25 |
ssdeep | 6144:QGsKQRiAXtMXvUztJJjAeNa98ZrOaf4/OzuXWNTRczG8PWGw57Bp54U/0:9sfRpuXMztXdA+ZrOS4yuXk8OGC5Z/0 |
imphash | 394f57e9c7a17ffe34906103fad8967f |
impfuzzy | 48:DM5B3teS17M2c+ppXQ/MF2WKo/3muEDHna0HCcEH9G:DgteS17M2c+ppXZ2WKs3mLsG |
Signature (7cnts)
Level | Description |
---|---|
watch | Looks for the Windows Idle Time to determine the uptime |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | File has been identified by 7 AntiVirus engines on VirusTotal as malicious |
notice | Performs some HTTP requests |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | This executable has a PDB path |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (3cnts)
Suricata IDs
ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
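The three alerts above are Emerging Threats rules that key on the structure of the request URI rather than on a C2 host. The strings in the rule names, _2B and _2F, are the URL-encoded forms of '+' (%2B) and '/' (%2F) with '%' replaced by '_': base64 data is carried in the request path, and the two base64 characters that would break a path are escaped this way. The following is an added example in Python, not part of the sandbox report and not the ET rule text: a scanner over constructed request paths that flags the same two tokens and then tries to reverse the escaping to recover the base64 payload as a sanity check. Extending the reversal to every '_XX' pair (so '=' comes back from '_3D'), the MIN_LEN threshold, and the SAMPLE_PATHS list are this example's own assumptions; the sample paths are constructed, not traffic captured from this sample.

```python
import base64
import binascii
import re

# The two tokens the report's Suricata alert names refer to: URL-encoded '+'
# (%2B) and '/' (%2F) with '%' swapped for '_'. M1/M2 mirror the rule labels.
TOKENS = {"M1": "_2B", "M2": "_2F"}
ESCAPE = re.compile(r"_([0-9A-Fa-f]{2})")
BASE64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_LEN = 16   # heuristic of this example: shorter segments are hit by accident

def unescape(segment):
    """Reverse '_XX' to the character with hex code XX. For '+' and '/' this
    is what the alerts describe; applying it to every '_XX' pair (so '='
    comes back from '_3D') is an assumption of this example."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), segment)

def escape_like_family(data):
    """Inverse of unescape() over base64 data; used only to build the
    constructed sample path below."""
    b64 = base64.b64encode(data).decode()
    return "".join(c if c.isalnum() else "_%02X" % ord(c) for c in b64)

def scan_path(path):
    """Return (alert labels whose token occurs in the path, recovered payload
    bytes or None). The payload is only reported when one path segment,
    extension removed, turns back into base64 of at least MIN_LEN characters
    that actually decodes."""
    matched = sorted(label for label, tok in TOKENS.items() if tok in path)
    if not matched:
        return [], None
    for seg in path.split("/"):
        seg = seg.rsplit(".", 1)[0]          # drop a decoy extension such as .gif
        if not any(tok in seg for tok in TOKENS.values()):
            continue
        b64 = unescape(seg)
        if len(b64) < MIN_LEN or not BASE64.match(b64):
            continue
        try:
            return matched, base64.b64decode(b64, validate=True)
        except binascii.Error:
            continue
    return matched, None

# Constructed request paths (not traffic captured from this sample).
SAMPLE_PATHS = [
    "/images/" + escape_like_family(b"\xfb\xff\xbf" * 4) + ".gif",  # beacon-like
    "/static/app_2F.js",     # contains the M2 token but carries no base64 data
    "/index.html",
]

def scan_all(paths=SAMPLE_PATHS):
    """Run scan_path over a list of paths: [(path, alerts, payload), ...]."""
    return [(p,) + scan_path(p) for p in paths]

if __name__ == "__main__":
    for path, alerts, payload in scan_all():
        print(path, alerts, payload)
```

The token match alone is what the sandbox's IDS reports; the base64 sanity check is what keeps a benign path such as /static/app_2F.js from being escalated. Note that even when the reversal succeeds the recovered bytes are the family's encrypted beacon body, so the decode only confirms the URI structure and does not yield readable content.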
PE API
IAT (Import Address Table)
KERNEL32.dll
0x1002f078 SetFilePointerEx
0x1002f07c CloseHandle
0x1002f080 WriteConsoleW
0x1002f084 DecodePointer
0x1002f088 CreateSemaphoreW
0x1002f08c CreateProcessW
0x1002f090 VirtualProtectEx
0x1002f094 GetCurrentDirectoryW
0x1002f098 LoadLibraryW
0x1002f09c SetEvent
0x1002f0a0 GetSystemDirectoryW
0x1002f0a4 GetFileAttributesW
0x1002f0a8 GetTempPathW
0x1002f0ac GetEnvironmentVariableW
0x1002f0b0 GetCurrentProcess
0x1002f0b4 GetConsoleMode
0x1002f0b8 GetConsoleCP
0x1002f0bc FlushFileBuffers
0x1002f0c0 WriteFile
0x1002f0c4 SetStdHandle
0x1002f0c8 HeapReAlloc
0x1002f0cc HeapSize
0x1002f0d0 GetStringTypeW
0x1002f0d4 GetFileType
0x1002f0d8 GetStdHandle
0x1002f0dc GetProcessHeap
0x1002f0e0 FreeEnvironmentStringsW
0x1002f0e4 GetEnvironmentStringsW
0x1002f0e8 GetCommandLineW
0x1002f0ec GetCommandLineA
0x1002f0f0 GetCPInfo
0x1002f0f4 GetOEMCP
0x1002f0f8 GetACP
0x1002f0fc UnhandledExceptionFilter
0x1002f100 SetUnhandledExceptionFilter
0x1002f104 TerminateProcess
0x1002f108 IsProcessorFeaturePresent
0x1002f10c QueryPerformanceCounter
0x1002f110 GetCurrentProcessId
0x1002f114 GetCurrentThreadId
0x1002f118 GetSystemTimeAsFileTime
0x1002f11c InitializeSListHead
0x1002f120 IsDebuggerPresent
0x1002f124 GetStartupInfoW
0x1002f128 GetModuleHandleW
0x1002f12c RtlUnwind
0x1002f130 RaiseException
0x1002f134 InterlockedFlushSList
0x1002f138 GetLastError
0x1002f13c SetLastError
0x1002f140 EnterCriticalSection
0x1002f144 LeaveCriticalSection
0x1002f148 DeleteCriticalSection
0x1002f14c InitializeCriticalSectionAndSpinCount
0x1002f150 TlsAlloc
0x1002f154 TlsGetValue
0x1002f158 TlsSetValue
0x1002f15c TlsFree
0x1002f160 FreeLibrary
0x1002f164 GetProcAddress
0x1002f168 LoadLibraryExW
0x1002f16c ExitProcess
0x1002f170 GetModuleHandleExW
0x1002f174 GetModuleFileNameA
0x1002f178 MultiByteToWideChar
0x1002f17c WideCharToMultiByte
0x1002f180 HeapAlloc
0x1002f184 HeapFree
0x1002f188 LCMapStringW
0x1002f18c FindClose
0x1002f190 FindFirstFileExA
0x1002f194 FindNextFileA
0x1002f198 IsValidCodePage
0x1002f19c CreateFileW
ole32.dll
0x1002f1f8 CoCreateInstance
0x1002f1fc CoUninitialize
0x1002f200 CoTaskMemAlloc
0x1002f204 CoInitialize
0x1002f208 CoTaskMemFree
0x1002f20c CLSIDFromString
ADVAPI32.dll
0x1002f000 RegCloseKey
0x1002f004 OpenProcessToken
0x1002f008 RegisterServiceCtrlHandlerW
0x1002f00c FreeSid
0x1002f010 SetEntriesInAclW
0x1002f014 AdjustTokenPrivileges
0x1002f018 RegOpenKeyExW
0x1002f01c ControlService
0x1002f020 LookupPrivilegeValueW
0x1002f024 CreateServiceW
0x1002f028 InitializeSecurityDescriptor
0x1002f02c RegSetValueExW
0x1002f030 RegQueryValueExW
0x1002f034 SetSecurityDescriptorDacl
0x1002f038 RegEnumKeyW
0x1002f03c GetTokenInformation
0x1002f040 StartServiceCtrlDispatcherW
0x1002f044 DeleteService
0x1002f048 AllocateAndInitializeSid
0x1002f04c CloseServiceHandle
0x1002f050 SetServiceStatus
COMCTL32.dll
0x1002f058 ImageList_SetDragCursorImage
0x1002f05c ImageList_GetImageCount
0x1002f060 ImageList_Destroy
0x1002f064 ImageList_SetIconSize
0x1002f068 ImageList_Remove
0x1002f06c ImageList_AddMasked
0x1002f070 ImageList_SetBkColor
hlink.dll
0x1002f1a4 - 0x1002f1f0: 20 thunks, no import name resolved (printed as None by the report)
EAT (Export Address Table)
0x1000b6c0 Ledbad
0x1000ba20 Saidwind
0x1000b780 Successwork
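Added example in Python, not part of the sandbox report or of any tool it runs: a parser for the IAT listing in the format printed above, the imphash string construction as pefile and VirusTotal compute it, and a grouping of the imported APIs into the clusters an analyst checks first. IAT_EXCERPT is transcribed from the listing above but shortened; its two None entries stand in for the 20 hlink.dll thunks the report could not name, and because their ordinals are not shown the example takes constructed ordinal numbers, so the hash it prints will not reproduce the report's imphash 394f57e9c7a17ffe34906103fad8967f. CLUSTERS is this example's own grouping, not a classification from the report.

```python
import hashlib
import re

# Excerpt transcribed from the report's IAT listing above (a DLL header line
# followed by "address name" lines). Shortened to keep the example small; the
# two "None" entries stand in for the 20 hlink.dll thunks the report could not
# name. Paste the complete listing here to score the whole table.
IAT_EXCERPT = """\
KERNEL32.dll
0x1002f08c CreateProcessW
0x1002f090 VirtualProtectEx
0x1002f098 LoadLibraryW
0x1002f120 IsDebuggerPresent
0x1002f164 GetProcAddress
ADVAPI32.dll
0x1002f004 OpenProcessToken
0x1002f014 AdjustTokenPrivileges
0x1002f020 LookupPrivilegeValueW
0x1002f024 CreateServiceW
0x1002f02c RegSetValueExW
0x1002f040 StartServiceCtrlDispatcherW
hlink.dll
0x1002f1a4 None
0x1002f1a8 None
"""

IMPORT_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")

def parse_iat(text):
    """Parse the report's IAT format into [(dll, name_or_None), ...],
    preserving listing order (imphash is order-sensitive)."""
    imports, dll = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IMPORT_LINE.match(line)
        if m is None:
            dll = line                      # a DLL header such as "KERNEL32.dll"
            continue
        if dll is None:
            raise ValueError("import line before any DLL header: " + line)
        name = m.group(1)
        imports.append((dll, None if name == "None" else name))
    return imports

def imphash_string(imports, ordinals=()):
    """Build the comma-joined 'dll.func' string that imphash (pefile /
    VirusTotal convention) MD5s: DLL lower-cased with .dll/.ocx/.sys removed,
    function names lower-cased, unnamed imports written as 'ordN'.
    The report does not show the ordinals of the unnamed hlink.dll thunks,
    so the caller must supply them; any values passed here are constructed."""
    parts, unresolved = [], 0
    for dll, name in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        if name is None:
            if unresolved >= len(ordinals):
                raise ValueError("ordinal needed for unnamed import from " + dll)
            name = "ord%d" % ordinals[unresolved]
            unresolved += 1
        parts.append("%s.%s" % (lib, name.lower()))
    return ",".join(parts)

def imphash(imports, ordinals=()):
    """MD5 of the imphash string, as a 32-character hex digest."""
    return hashlib.md5(imphash_string(imports, ordinals).encode()).hexdigest()

# API groupings used by this example (not a classification from the report);
# every name is taken from the IAT above. The dynamic-resolve and anti-debug
# groups are also part of the normal MSVC CRT start-up code, so they only
# carry weight together with the others.
CLUSTERS = {
    "service-control": {"CreateServiceW", "StartServiceCtrlDispatcherW",
                        "RegisterServiceCtrlHandlerW", "ControlService",
                        "DeleteService"},
    "token-privilege": {"OpenProcessToken", "AdjustTokenPrivileges",
                        "LookupPrivilegeValueW"},
    "process-memory":  {"VirtualProtectEx", "CreateProcessW"},
    "registry-write":  {"RegSetValueExW"},
    "dynamic-resolve": {"LoadLibraryW", "LoadLibraryExW", "GetProcAddress"},
    "anti-debug":      {"IsDebuggerPresent"},
}

def triage(imports):
    """Map each cluster to the imported names that hit it (empty ones omitted)."""
    names = {name for _, name in imports if name}
    return {label: sorted(names & apis)
            for label, apis in CLUSTERS.items() if names & apis}

if __name__ == "__main__":
    imps = parse_iat(IAT_EXCERPT)
    # ordinals 1 and 2 are placeholders; the real ones come from the sample
    print("imphash (excerpt, placeholder ordinals):", imphash(imps, (1, 2)))
    for label, hits in triage(imps).items():
        print("%-16s %s" % (label, ", ".join(hits)))
```

To check the report's imphash for real, feed the full listing and the actual hlink.dll ordinals (pefile reports them on the sample itself). On the triage side, IsDebuggerPresent, GetProcAddress, LoadLibraryExW and the Tls*/critical-section imports in the KERNEL32 block are the standard MSVC CRT start-up set, consistent with the report's note that the binary carries a PDB path, so on their own they are noise; what warrants attention in a DLL shipped under a .cms extension is the combination of service-control, token-privilege adjustment, VirtualProtectEx and CreateProcessW.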