Field | Value |
---|---|
Created | 2021.10.03 10:03 |
Machine | s1_win7_x6401 |
Filename | NetFrame.exe |
Type | PE32+ executable (console) x86-64, for MS Windows |
ZERO API | file : malware |
md5 | 935adaea999dc3ad0672636dced6011e |
sha256 | 9b97b61edb6d9159517d77215d49a34647cd2e9737948a13bc20c4dcb989b005 |
ssdeep | 12288:d2kZ+5tnBcwJtGx/Qm814wwgDgoaq79TFoPpAs:dz+5t73Gt/E4wwgMoa2TFBs |
imphash | 6b35c0ef3cd6843d2ad9c31875c77f0e |
impfuzzy | 48:FexOIVFyZ0u9ahYDcpVeLt6S1CBgPpkNgTvb3X9rt5S/:Fex+tEuDcpVeLt6S1CBgPpkavz1c |
Signature (17cnts)
Level | Description |
---|---|
watch | Installs itself for autorun at Windows startup |
watch | The process powershell.exe wrote an executable file to disk |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Searches running processes potentially to identify processes for sandbox evasion |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Uses Windows APIs to generate a cryptographic key |
Rules (9cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | Lnk_Format_Zero | LNK Format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts)
Suricata ids
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140049000 CreateDirectoryW
0x140049008 SizeofResource
0x140049010 HeapFree
0x140049018 lstrlenW
0x140049020 WriteFile
0x140049028 OutputDebugStringA
0x140049030 TerminateProcess
0x140049038 GetModuleFileNameW
0x140049040 CreateFileW
0x140049048 GetFileAttributesW
0x140049050 OpenProcess
0x140049058 SetFileAttributesW
0x140049060 CreateToolhelp32Snapshot
0x140049068 MultiByteToWideChar
0x140049070 Sleep
0x140049078 GetLastError
0x140049080 Process32NextW
0x140049088 lstrcatW
0x140049090 LockResource
0x140049098 DeleteFileW
0x1400490a0 Process32FirstW
0x1400490a8 CloseHandle
0x1400490b0 LoadLibraryW
0x1400490b8 CreateThread
0x1400490c0 LoadResource
0x1400490c8 FindResourceW
0x1400490d0 HeapAlloc
0x1400490d8 GetProcAddress
0x1400490e0 GetProcessHeap
0x1400490e8 CreateProcessW
0x1400490f0 GetModuleHandleW
0x1400490f8 CopyFileW
0x140049100 lstrcpyW
0x140049108 CreateProcessA
0x140049110 GetConsoleWindow
0x140049118 WriteConsoleW
0x140049120 HeapSize
0x140049128 SetEnvironmentVariableW
0x140049130 FreeEnvironmentStringsW
0x140049138 GetEnvironmentStringsW
0x140049140 GetOEMCP
0x140049148 GetACP
0x140049150 IsValidCodePage
0x140049158 GetTimeZoneInformation
0x140049160 HeapReAlloc
0x140049168 SetStdHandle
0x140049170 ReadConsoleW
0x140049178 EnumSystemLocalesW
0x140049180 GetUserDefaultLCID
0x140049188 IsValidLocale
0x140049190 GetLocaleInfoW
0x140049198 LCMapStringW
0x1400491a0 CompareStringW
0x1400491a8 CreateFileA
0x1400491b0 GetFileTime
0x1400491b8 LocalFileTimeToFileTime
0x1400491c0 SetFileTime
0x1400491c8 DosDateTimeToFileTime
0x1400491d0 ReadFile
0x1400491d8 SetFilePointer
0x1400491e0 FindClose
0x1400491e8 LocalFree
0x1400491f0 FormatMessageA
0x1400491f8 GetCurrentDirectoryW
0x140049200 FindFirstFileExW
0x140049208 FindNextFileW
0x140049210 GetFileAttributesExW
0x140049218 GetFileInformationByHandle
0x140049220 GetFullPathNameW
0x140049228 SetEndOfFile
0x140049230 SetFilePointerEx
0x140049238 AreFileApisANSI
0x140049240 MoveFileExW
0x140049248 GetFileInformationByHandleEx
0x140049250 WideCharToMultiByte
0x140049258 GetStringTypeW
0x140049260 EnterCriticalSection
0x140049268 LeaveCriticalSection
0x140049270 InitializeCriticalSectionEx
0x140049278 DeleteCriticalSection
0x140049280 EncodePointer
0x140049288 DecodePointer
0x140049290 LCMapStringEx
0x140049298 GetCPInfo
0x1400492a0 RtlCaptureContext
0x1400492a8 RtlLookupFunctionEntry
0x1400492b0 RtlVirtualUnwind
0x1400492b8 UnhandledExceptionFilter
0x1400492c0 SetUnhandledExceptionFilter
0x1400492c8 GetCurrentProcess
0x1400492d0 IsProcessorFeaturePresent
0x1400492d8 IsDebuggerPresent
0x1400492e0 GetStartupInfoW
0x1400492e8 QueryPerformanceCounter
0x1400492f0 GetCurrentProcessId
0x1400492f8 GetCurrentThreadId
0x140049300 GetSystemTimeAsFileTime
0x140049308 InitializeSListHead
0x140049310 RtlUnwindEx
0x140049318 RtlPcToFileHeader
0x140049320 RaiseException
0x140049328 SetLastError
0x140049330 InitializeCriticalSectionAndSpinCount
0x140049338 TlsAlloc
0x140049340 TlsGetValue
0x140049348 TlsSetValue
0x140049350 TlsFree
0x140049358 FreeLibrary
0x140049360 LoadLibraryExW
0x140049368 GetDriveTypeW
0x140049370 GetFileType
0x140049378 PeekNamedPipe
0x140049380 SystemTimeToTzSpecificLocalTime
0x140049388 FileTimeToSystemTime
0x140049390 ExitProcess
0x140049398 GetModuleHandleExW
0x1400493a0 GetStdHandle
0x1400493a8 GetCommandLineA
0x1400493b0 GetCommandLineW
0x1400493b8 GetFileSizeEx
0x1400493c0 FlushFileBuffers
0x1400493c8 GetConsoleOutputCP
0x1400493d0 GetConsoleMode
0x1400493d8 RtlUnwind
USER32.dll
0x140049400 ShowWindow
SHELL32.dll
0x1400493e8 SHGetSpecialFolderPathW
0x1400493f0 ShellExecuteW
ole32.dll
0x140049458 CoInitializeEx
0x140049460 CoCreateInstance
WININET.dll
0x140049410 InternetOpenW
0x140049418 HttpOpenRequestW
0x140049420 HttpSendRequestW
0x140049428 InternetCloseHandle
0x140049430 InternetConnectW
0x140049438 InternetReadFile
urlmon.dll
0x140049470 URLDownloadToFileW
dxgi.dll
0x140049448 CreateDXGIFactory
EAT(Export Address Table) is none