ScreenShot
| Created | 2021.10.07 16:33 | Machine | s1_win7_x6402 |
| Filename | sfx_123_209.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | 7b2ea8fcffd2ce8548c4be3e42dcb60f | ||
| sha256 | a8e1e13995a1af35365965d172b801e128f52da0afc6a6a6fc7180210614c2fc | ||
| ssdeep | 24576:4CRVwYkTdTFVbOSv9z1BHMK6UJy2gVibh8kBFnohBgyeT8ml0i:hUTTV1XHxJy2aiblBFohmye1 | ||
| imphash | eea3fc82590b00602b34e6722a08f9a9 | ||
| impfuzzy | 48:dBh8fTfKL2GO6pIDxLABc+0AnGHERKo45+hXUXC+09/KA/kSjqQSYxfn6gto/gls:dBh8frGvpIDxLABc+fGSHdJqCIdufw | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Executes one or more WMI queries |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Terminates another process |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | This executable has a PDB path |
Rules (41cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Network_Downloader | File Downloader | memory |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Create_Service | Create a windows service | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | Hijack_Network | Hijack network configuration | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | local_credential_Steal | Steal credential | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_FTP | Communications over FTP | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Network_P2P_Win | Communications over P2P network | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | Persistence | Install itself for autorun at Windows startup | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Sniff_Audio | Record Audio | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
COMCTL32.dll
0x41d018 InitCommonControlsEx
SHLWAPI.dll
0x41d238 SHAutoComplete
KERNEL32.dll
0x41d048 CreateDirectoryW
0x41d04c FindClose
0x41d050 FindNextFileW
0x41d054 FindFirstFileW
0x41d058 GetVersionExW
0x41d05c GetCurrentDirectoryW
0x41d060 FoldStringW
0x41d064 GetFullPathNameW
0x41d068 GetModuleFileNameW
0x41d06c FindResourceW
0x41d070 GetModuleHandleW
0x41d074 FreeLibrary
0x41d078 GetProcAddress
0x41d07c LoadLibraryW
0x41d080 GetCurrentProcessId
0x41d084 GetLocaleInfoW
0x41d088 GetNumberFormatW
0x41d08c SetEnvironmentVariableW
0x41d090 ExpandEnvironmentStringsW
0x41d094 WaitForSingleObject
0x41d098 GetDateFormatW
0x41d09c GetTimeFormatW
0x41d0a0 FileTimeToSystemTime
0x41d0a4 FileTimeToLocalFileTime
0x41d0a8 GetExitCodeProcess
0x41d0ac GetTempPathW
0x41d0b0 MoveFileExW
0x41d0b4 UnmapViewOfFile
0x41d0b8 Sleep
0x41d0bc MapViewOfFile
0x41d0c0 GetCommandLineW
0x41d0c4 CreateFileMappingW
0x41d0c8 GetTickCount
0x41d0cc GetLocalTime
0x41d0d0 OpenFileMappingW
0x41d0d4 SystemTimeToFileTime
0x41d0d8 TzSpecificLocalTimeToSystemTime
0x41d0dc LocalFileTimeToFileTime
0x41d0e0 WideCharToMultiByte
0x41d0e4 MultiByteToWideChar
0x41d0e8 CompareStringW
0x41d0ec IsDBCSLeadByte
0x41d0f0 GetCPInfo
0x41d0f4 GlobalAlloc
0x41d0f8 SetCurrentDirectoryW
0x41d0fc DeleteFileW
0x41d100 GetConsoleOutputCP
0x41d104 WriteConsoleA
0x41d108 SetStdHandle
0x41d10c GetLocaleInfoA
0x41d110 GetStringTypeW
0x41d114 GetStringTypeA
0x41d118 LoadLibraryA
0x41d11c GetConsoleMode
0x41d120 GetConsoleCP
0x41d124 InitializeCriticalSectionAndSpinCount
0x41d128 QueryPerformanceCounter
0x41d12c SetHandleCount
0x41d130 GetEnvironmentStringsW
0x41d134 FreeEnvironmentStringsW
0x41d138 GetEnvironmentStrings
0x41d13c FreeEnvironmentStringsA
0x41d140 GetModuleHandleA
0x41d144 LCMapStringW
0x41d148 LCMapStringA
0x41d14c IsValidCodePage
0x41d150 GetOEMCP
0x41d154 GetACP
0x41d158 HeapSize
0x41d15c GetModuleFileNameA
0x41d160 ExitProcess
0x41d164 IsDebuggerPresent
0x41d168 SetUnhandledExceptionFilter
0x41d16c UnhandledExceptionFilter
0x41d170 GetCurrentProcess
0x41d174 TerminateProcess
0x41d178 InterlockedDecrement
0x41d17c GetCurrentThreadId
0x41d180 InterlockedIncrement
0x41d184 TlsFree
0x41d188 TlsSetValue
0x41d18c TlsAlloc
0x41d190 TlsGetValue
0x41d194 VirtualAlloc
0x41d198 EnterCriticalSection
0x41d19c LeaveCriticalSection
0x41d1a0 DeleteCriticalSection
0x41d1a4 VirtualFree
0x41d1a8 HeapCreate
0x41d1ac MoveFileW
0x41d1b0 SetFileAttributesW
0x41d1b4 GetFileAttributesW
0x41d1b8 SetFileTime
0x41d1bc ReadFile
0x41d1c0 GetFileType
0x41d1c4 SetEndOfFile
0x41d1c8 FlushFileBuffers
0x41d1cc SetFilePointer
0x41d1d0 GetStdHandle
0x41d1d4 CloseHandle
0x41d1d8 WriteFile
0x41d1dc CreateFileW
0x41d1e0 SetLastError
0x41d1e4 GetLastError
0x41d1e8 CreateFileA
0x41d1ec WriteConsoleW
0x41d1f0 GetStartupInfoA
0x41d1f4 GetCommandLineA
0x41d1f8 GetSystemTimeAsFileTime
0x41d1fc HeapAlloc
0x41d200 HeapReAlloc
0x41d204 RaiseException
0x41d208 RtlUnwind
0x41d20c HeapFree
USER32.dll
0x41d240 EnableWindow
0x41d244 GetDlgItem
0x41d248 ShowWindow
0x41d24c SetWindowLongW
0x41d250 GetDC
0x41d254 ReleaseDC
0x41d258 FindWindowExW
0x41d25c GetParent
0x41d260 MapWindowPoints
0x41d264 CreateWindowExW
0x41d268 UpdateWindow
0x41d26c LoadCursorW
0x41d270 RegisterClassExW
0x41d274 DefWindowProcW
0x41d278 DestroyWindow
0x41d27c CopyRect
0x41d280 CharUpperW
0x41d284 OemToCharBuffA
0x41d288 LoadIconW
0x41d28c LoadBitmapW
0x41d290 IsDialogMessageW
0x41d294 PostMessageW
0x41d298 GetSysColor
0x41d29c SetForegroundWindow
0x41d2a0 MessageBoxW
0x41d2a4 WaitForInputIdle
0x41d2a8 IsWindowVisible
0x41d2ac DialogBoxParamW
0x41d2b0 DestroyIcon
0x41d2b4 SetFocus
0x41d2b8 GetClassNameW
0x41d2bc SendDlgItemMessageW
0x41d2c0 EndDialog
0x41d2c4 GetDlgItemTextW
0x41d2c8 SetDlgItemTextW
0x41d2cc wvsprintfW
0x41d2d0 SendMessageW
0x41d2d4 PeekMessageW
0x41d2d8 GetMessageW
0x41d2dc TranslateMessage
0x41d2e0 DispatchMessageW
0x41d2e4 LoadStringW
0x41d2e8 GetWindowRect
0x41d2ec GetClientRect
0x41d2f0 SetWindowPos
0x41d2f4 GetWindowTextW
0x41d2f8 SetWindowTextW
0x41d2fc GetSystemMetrics
0x41d300 GetWindow
0x41d304 GetWindowLongW
0x41d308 IsWindow
GDI32.dll
0x41d020 GetDeviceCaps
0x41d024 CreateCompatibleDC
0x41d028 CreateCompatibleBitmap
0x41d02c SelectObject
0x41d030 StretchBlt
0x41d034 DeleteDC
0x41d038 GetObjectW
0x41d03c DeleteObject
0x41d040 CreateDIBSection
ADVAPI32.dll
0x41d000 RegCloseKey
0x41d004 RegOpenKeyExW
0x41d008 RegQueryValueExW
0x41d00c RegCreateKeyExW
0x41d010 RegSetValueExW
SHELL32.dll
0x41d214 SHBrowseForFolderW
0x41d218 SHGetMalloc
0x41d21c SHGetFolderLocation
0x41d220 SHFileOperationW
0x41d224 SHGetFileInfoW
0x41d228 ShellExecuteExW
0x41d22c SHChangeNotify
0x41d230 SHGetPathFromIDListW
ole32.dll
0x41d310 CLSIDFromString
0x41d314 CoCreateInstance
0x41d318 OleInitialize
0x41d31c OleUninitialize
0x41d320 CreateStreamOnHGlobal
EAT(Export Address Table) Library
COMCTL32.dll
0x41d018 InitCommonControlsEx
SHLWAPI.dll
0x41d238 SHAutoComplete
KERNEL32.dll
0x41d048 CreateDirectoryW
0x41d04c FindClose
0x41d050 FindNextFileW
0x41d054 FindFirstFileW
0x41d058 GetVersionExW
0x41d05c GetCurrentDirectoryW
0x41d060 FoldStringW
0x41d064 GetFullPathNameW
0x41d068 GetModuleFileNameW
0x41d06c FindResourceW
0x41d070 GetModuleHandleW
0x41d074 FreeLibrary
0x41d078 GetProcAddress
0x41d07c LoadLibraryW
0x41d080 GetCurrentProcessId
0x41d084 GetLocaleInfoW
0x41d088 GetNumberFormatW
0x41d08c SetEnvironmentVariableW
0x41d090 ExpandEnvironmentStringsW
0x41d094 WaitForSingleObject
0x41d098 GetDateFormatW
0x41d09c GetTimeFormatW
0x41d0a0 FileTimeToSystemTime
0x41d0a4 FileTimeToLocalFileTime
0x41d0a8 GetExitCodeProcess
0x41d0ac GetTempPathW
0x41d0b0 MoveFileExW
0x41d0b4 UnmapViewOfFile
0x41d0b8 Sleep
0x41d0bc MapViewOfFile
0x41d0c0 GetCommandLineW
0x41d0c4 CreateFileMappingW
0x41d0c8 GetTickCount
0x41d0cc GetLocalTime
0x41d0d0 OpenFileMappingW
0x41d0d4 SystemTimeToFileTime
0x41d0d8 TzSpecificLocalTimeToSystemTime
0x41d0dc LocalFileTimeToFileTime
0x41d0e0 WideCharToMultiByte
0x41d0e4 MultiByteToWideChar
0x41d0e8 CompareStringW
0x41d0ec IsDBCSLeadByte
0x41d0f0 GetCPInfo
0x41d0f4 GlobalAlloc
0x41d0f8 SetCurrentDirectoryW
0x41d0fc DeleteFileW
0x41d100 GetConsoleOutputCP
0x41d104 WriteConsoleA
0x41d108 SetStdHandle
0x41d10c GetLocaleInfoA
0x41d110 GetStringTypeW
0x41d114 GetStringTypeA
0x41d118 LoadLibraryA
0x41d11c GetConsoleMode
0x41d120 GetConsoleCP
0x41d124 InitializeCriticalSectionAndSpinCount
0x41d128 QueryPerformanceCounter
0x41d12c SetHandleCount
0x41d130 GetEnvironmentStringsW
0x41d134 FreeEnvironmentStringsW
0x41d138 GetEnvironmentStrings
0x41d13c FreeEnvironmentStringsA
0x41d140 GetModuleHandleA
0x41d144 LCMapStringW
0x41d148 LCMapStringA
0x41d14c IsValidCodePage
0x41d150 GetOEMCP
0x41d154 GetACP
0x41d158 HeapSize
0x41d15c GetModuleFileNameA
0x41d160 ExitProcess
0x41d164 IsDebuggerPresent
0x41d168 SetUnhandledExceptionFilter
0x41d16c UnhandledExceptionFilter
0x41d170 GetCurrentProcess
0x41d174 TerminateProcess
0x41d178 InterlockedDecrement
0x41d17c GetCurrentThreadId
0x41d180 InterlockedIncrement
0x41d184 TlsFree
0x41d188 TlsSetValue
0x41d18c TlsAlloc
0x41d190 TlsGetValue
0x41d194 VirtualAlloc
0x41d198 EnterCriticalSection
0x41d19c LeaveCriticalSection
0x41d1a0 DeleteCriticalSection
0x41d1a4 VirtualFree
0x41d1a8 HeapCreate
0x41d1ac MoveFileW
0x41d1b0 SetFileAttributesW
0x41d1b4 GetFileAttributesW
0x41d1b8 SetFileTime
0x41d1bc ReadFile
0x41d1c0 GetFileType
0x41d1c4 SetEndOfFile
0x41d1c8 FlushFileBuffers
0x41d1cc SetFilePointer
0x41d1d0 GetStdHandle
0x41d1d4 CloseHandle
0x41d1d8 WriteFile
0x41d1dc CreateFileW
0x41d1e0 SetLastError
0x41d1e4 GetLastError
0x41d1e8 CreateFileA
0x41d1ec WriteConsoleW
0x41d1f0 GetStartupInfoA
0x41d1f4 GetCommandLineA
0x41d1f8 GetSystemTimeAsFileTime
0x41d1fc HeapAlloc
0x41d200 HeapReAlloc
0x41d204 RaiseException
0x41d208 RtlUnwind
0x41d20c HeapFree
USER32.dll
0x41d240 EnableWindow
0x41d244 GetDlgItem
0x41d248 ShowWindow
0x41d24c SetWindowLongW
0x41d250 GetDC
0x41d254 ReleaseDC
0x41d258 FindWindowExW
0x41d25c GetParent
0x41d260 MapWindowPoints
0x41d264 CreateWindowExW
0x41d268 UpdateWindow
0x41d26c LoadCursorW
0x41d270 RegisterClassExW
0x41d274 DefWindowProcW
0x41d278 DestroyWindow
0x41d27c CopyRect
0x41d280 CharUpperW
0x41d284 OemToCharBuffA
0x41d288 LoadIconW
0x41d28c LoadBitmapW
0x41d290 IsDialogMessageW
0x41d294 PostMessageW
0x41d298 GetSysColor
0x41d29c SetForegroundWindow
0x41d2a0 MessageBoxW
0x41d2a4 WaitForInputIdle
0x41d2a8 IsWindowVisible
0x41d2ac DialogBoxParamW
0x41d2b0 DestroyIcon
0x41d2b4 SetFocus
0x41d2b8 GetClassNameW
0x41d2bc SendDlgItemMessageW
0x41d2c0 EndDialog
0x41d2c4 GetDlgItemTextW
0x41d2c8 SetDlgItemTextW
0x41d2cc wvsprintfW
0x41d2d0 SendMessageW
0x41d2d4 PeekMessageW
0x41d2d8 GetMessageW
0x41d2dc TranslateMessage
0x41d2e0 DispatchMessageW
0x41d2e4 LoadStringW
0x41d2e8 GetWindowRect
0x41d2ec GetClientRect
0x41d2f0 SetWindowPos
0x41d2f4 GetWindowTextW
0x41d2f8 SetWindowTextW
0x41d2fc GetSystemMetrics
0x41d300 GetWindow
0x41d304 GetWindowLongW
0x41d308 IsWindow
GDI32.dll
0x41d020 GetDeviceCaps
0x41d024 CreateCompatibleDC
0x41d028 CreateCompatibleBitmap
0x41d02c SelectObject
0x41d030 StretchBlt
0x41d034 DeleteDC
0x41d038 GetObjectW
0x41d03c DeleteObject
0x41d040 CreateDIBSection
ADVAPI32.dll
0x41d000 RegCloseKey
0x41d004 RegOpenKeyExW
0x41d008 RegQueryValueExW
0x41d00c RegCreateKeyExW
0x41d010 RegSetValueExW
SHELL32.dll
0x41d214 SHBrowseForFolderW
0x41d218 SHGetMalloc
0x41d21c SHGetFolderLocation
0x41d220 SHFileOperationW
0x41d224 SHGetFileInfoW
0x41d228 ShellExecuteExW
0x41d22c SHChangeNotify
0x41d230 SHGetPathFromIDListW
ole32.dll
0x41d310 CLSIDFromString
0x41d314 CoCreateInstance
0x41d318 OleInitialize
0x41d31c OleUninitialize
0x41d320 CreateStreamOnHGlobal
EAT(Export Address Table) Library