Field | Value |
---|---|
Created | 2021.10.02 13:02 |
Machine | s1_win7_x6401 |
Filename | mup.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file : clean |
VT API (file) | 49 detected (AIDetect, malware2, Fwdisable, malicious, high confidence, GenericKD, Unsafe, Save, Phorpiex, confidence, 100%, Attribute, HighConfidence, KadrBot, Swkg, Malware@#1focjyur33i1g, emW@aCxrSb, AGEN, KVMH012, kcloud, GenericMC, Sabsik, score, GenericRXQF, ai score=80, R002H0CIS21, Generic@ML, RDMK, y7ivWWGuFPyeanKUnks+fg, Static AI, Malicious PE, SecurityProtection) |
md5 | c532ac418f3e867907c2757a7ca56a53 |
sha256 | 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99 |
ssdeep | 1536:+3Mz8oy284usnjFzuNXoaSTM98qKH5Fn:FwofxFK5oagMNO5F |
imphash | f104e80119f78ba5be523e1d9fb681d0 |
impfuzzy | 96:nPjliR6viujULMjN9X19qmOPkfugkcRMx5EuU8DtKxFka:8k7x9FYuuvx5EuU8DQLP |
Network IP location
Signature (12cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 49 AntiVirus engines on VirusTotal as malicious |
danger | Disables Windows Security features |
warning | Generates some ICMP traffic |
watch | Attempts to remove evidence of file being downloaded from the Internet |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
watch | Modifies security center warnings |
notice | A process attempted to delay the analysis task. |
notice | Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol |
notice | Creates hidden or system file |
info | Checks if process is being debugged by a debugger |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (7cnts)
Suricata ids
PE API
IAT(Import Address Table) Library
WS2_32.dll
0x40f204 recvfrom
0x40f208 setsockopt
0x40f20c sendto
0x40f210 ind
0x40f214 ioctlsocket
0x40f218 WSAStartup
0x40f21c send
0x40f220 recv
0x40f224 WSACloseEvent
0x40f228 WSARecv
0x40f22c WSASend
0x40f230 WSAGetLastError
0x40f234 gethostname
0x40f238 connect
0x40f23c inet_ntoa
0x40f240 inet_addr
0x40f244 htons
0x40f248 getsockname
0x40f24c shutdown
0x40f250 socket
0x40f254 closesocket
0x40f258 gethostbyname
0x40f25c WSAEnumNetworkEvents
0x40f260 WSAEventSelect
0x40f264 listen
0x40f268 WSAWaitForMultipleEvents
0x40f26c getpeername
0x40f270 accept
0x40f274 WSAGetOverlappedResult
0x40f278 WSACreateEvent
0x40f27c WSASocketA
SHLWAPI.dll
0x40f160 PathFileExistsW
0x40f164 StrCmpNW
0x40f168 PathMatchSpecW
0x40f16c PathFindFileNameW
0x40f170 StrChrA
0x40f174 StrStrIA
0x40f178 StrCmpNIA
0x40f17c StrStrW
urlmon.dll
0x40f2e4 URLDownloadToFileW
WININET.dll
0x40f1d8 InternetReadFile
0x40f1dc InternetOpenUrlW
0x40f1e0 InternetOpenW
0x40f1e4 InternetCloseHandle
0x40f1e8 InternetOpenA
0x40f1ec HttpSendRequestA
0x40f1f0 HttpAddRequestHeadersA
0x40f1f4 HttpOpenRequestA
0x40f1f8 InternetConnectA
0x40f1fc InternetCrackUrlA
ntdll.dll
0x40f294 memcpy
0x40f298 _chkstk
0x40f29c _aulldiv
0x40f2a0 RtlUnwind
0x40f2a4 mbstowcs
0x40f2a8 RtlTimeToSecondsSince1980
0x40f2ac NtQuerySystemTime
0x40f2b0 NtQueryVirtualMemory
0x40f2b4 memmove
0x40f2b8 isdigit
0x40f2bc isalpha
0x40f2c0 _allshl
0x40f2c4 _aullshr
0x40f2c8 memset
msvcrt.dll
0x40f284 rand
0x40f288 srand
0x40f28c _vscprintf
KERNEL32.dll
0x40f028 GetLastError
0x40f02c CreateProcessW
0x40f030 GetLocaleInfoA
0x40f034 DuplicateHandle
0x40f038 DeleteCriticalSection
0x40f03c GetThreadPriority
0x40f040 SetThreadPriority
0x40f044 GetCurrentThread
0x40f048 GetCurrentProcess
0x40f04c InterlockedExchangeAdd
0x40f050 InterlockedIncrement
0x40f054 InterlockedExchange
0x40f058 WaitForSingleObject
0x40f05c InterlockedDecrement
0x40f060 GetCurrentProcessId
0x40f064 HeapSetInformation
0x40f068 GetSystemInfo
0x40f06c PostQueuedCompletionStatus
0x40f070 GetProcessHeaps
0x40f074 HeapValidate
0x40f078 HeapCreate
0x40f07c HeapFree
0x40f080 HeapAlloc
0x40f084 HeapReAlloc
0x40f088 ExpandEnvironmentStringsW
0x40f08c CreateThread
0x40f090 CreateMutexA
0x40f094 CreateEventA
0x40f098 ExitProcess
0x40f09c GetQueuedCompletionStatus
0x40f0a0 CreateIoCompletionPort
0x40f0a4 SetEvent
0x40f0a8 GetVolumeInformationW
0x40f0ac SetFileAttributesW
0x40f0b0 lstrcpyW
0x40f0b4 DeleteFileW
0x40f0b8 GetDiskFreeSpaceExW
0x40f0bc FindNextFileW
0x40f0c0 lstrcmpiW
0x40f0c4 QueryDosDeviceW
0x40f0c8 RemoveDirectoryW
0x40f0cc lstrlenA
0x40f0d0 GlobalLock
0x40f0d4 GetModuleHandleW
0x40f0d8 GetTickCount
0x40f0dc GlobalAlloc
0x40f0e0 Sleep
0x40f0e4 lstrcpynW
0x40f0e8 ExitThread
0x40f0ec MultiByteToWideChar
0x40f0f0 lstrlenW
0x40f0f4 GlobalUnlock
0x40f0f8 GetFileSize
0x40f0fc MapViewOfFile
0x40f100 UnmapViewOfFile
0x40f104 WriteFile
0x40f108 InitializeCriticalSection
0x40f10c LeaveCriticalSection
0x40f110 CreateFileW
0x40f114 FlushFileBuffers
0x40f118 EnterCriticalSection
0x40f11c CreateFileMappingW
0x40f120 CloseHandle
0x40f124 FindFirstFileW
0x40f128 GetDriveTypeW
0x40f12c MoveFileExW
0x40f130 CreateDirectoryW
0x40f134 GetLogicalDrives
0x40f138 CopyFileW
0x40f13c GetModuleFileNameW
0x40f140 lstrcmpW
0x40f144 FindClose
USER32.dll
0x40f184 RegisterClassExW
0x40f188 TranslateMessage
0x40f18c GetClipboardData
0x40f190 EmptyClipboard
0x40f194 ChangeClipboardChain
0x40f198 SetWindowLongW
0x40f19c DefWindowProcA
0x40f1a0 wsprintfW
0x40f1a4 SendMessageA
0x40f1a8 IsClipboardFormatAvailable
0x40f1ac CloseClipboard
0x40f1b0 GetMessageA
0x40f1b4 wvsprintfA
0x40f1b8 GetWindowLongW
0x40f1bc RegisterRawInputDevices
0x40f1c0 CreateWindowExW
0x40f1c4 DispatchMessageA
0x40f1c8 OpenClipboard
0x40f1cc SetClipboardData
0x40f1d0 SetClipboardViewer
ADVAPI32.dll
0x40f000 RegSetValueExW
0x40f004 CryptGenRandom
0x40f008 CryptReleaseContext
0x40f00c CryptAcquireContextW
0x40f010 RegQueryValueExW
0x40f014 RegOpenKeyExA
0x40f018 RegSetValueExA
0x40f01c RegCloseKey
0x40f020 RegOpenKeyExW
SHELL32.dll
0x40f158 ShellExecuteW
ole32.dll
0x40f2d0 CoInitializeEx
0x40f2d4 CoCreateInstance
0x40f2d8 CoInitialize
0x40f2dc CoUninitialize
OLEAUT32.dll
0x40f14c SysAllocString
0x40f150 SysFreeString
EAT(Export Address Table) is none