ScreenShot
| Created | 2021.10.18 09:34 | Machine | s1_win7_x6402 |
| Filename | search_hyperfs_212.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 35 detected (Qshell, malicious, high confidence, GenericKD, Unsafe, Cryprar, FileRepMalware, noname@0, Score, kcloud, Wacatac, Tnega, Artemis, ai score=100, Probably Heur, RARAutorun, R002H0DJG21, AbnormalScript, CLASSIC, RARAgent) | ||
| md5 | 816fb2a92609e69e339ee9677647b7f8 | ||
| sha256 | 999cc7c5be617332ac3863879df3a9e35ad950c1abc0d4dea4527c9fd201a75c | ||
| ssdeep | 49152:A6PaCYmJmOPRkgQVs9kv3ZJoGzlnJamHgLdWohu4D1jG:faCY4tPRkokvJrzlnJ1Hg/hL1a | ||
| imphash | ae9f6a32bb8b03dce37903edbc855ba1 | ||
| impfuzzy | 48:J9F2OcLKc1XFjRWDYgeBtDX+Kc+pnCHFa:JqFLKc1XF8EdBtDX+Kc+pnMFa | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 35 AntiVirus engines on VirusTotal as malicious |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | Drops an executable to the user AppData folder |
| notice | Executes one or more WMI queries |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Terminates another process |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (40cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Network_Downloader | File Downloader | memory |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Create_Service | Create a windows service | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | local_credential_Steal | Steal credential | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_FTP | Communications over FTP | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Network_P2P_Win | Communications over P2P network | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Sniff_Audio | Record Audio | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x428000 GetLastError
0x428004 SetLastError
0x428008 FormatMessageW
0x42800c GetFileType
0x428010 GetStdHandle
0x428014 WriteFile
0x428018 ReadFile
0x42801c FlushFileBuffers
0x428020 SetEndOfFile
0x428024 SetFilePointer
0x428028 SetFileTime
0x42802c CloseHandle
0x428030 CreateFileW
0x428034 CreateDirectoryW
0x428038 SetFileAttributesW
0x42803c GetFileAttributesW
0x428040 DeleteFileW
0x428044 MoveFileW
0x428048 FindClose
0x42804c FindFirstFileW
0x428050 FindNextFileW
0x428054 GetVersionExW
0x428058 GetCurrentDirectoryW
0x42805c GetFullPathNameW
0x428060 FoldStringW
0x428064 GetModuleFileNameW
0x428068 GetModuleHandleW
0x42806c FindResourceW
0x428070 FreeLibrary
0x428074 GetProcAddress
0x428078 GetCurrentProcessId
0x42807c ExitProcess
0x428080 SetThreadExecutionState
0x428084 Sleep
0x428088 LoadLibraryW
0x42808c GetSystemDirectoryW
0x428090 CompareStringW
0x428094 AllocConsole
0x428098 FreeConsole
0x42809c AttachConsole
0x4280a0 WriteConsoleW
0x4280a4 TzSpecificLocalTimeToSystemTime
0x4280a8 SystemTimeToFileTime
0x4280ac FileTimeToLocalFileTime
0x4280b0 LocalFileTimeToFileTime
0x4280b4 FileTimeToSystemTime
0x4280b8 GetCPInfo
0x4280bc IsDBCSLeadByte
0x4280c0 MultiByteToWideChar
0x4280c4 WideCharToMultiByte
0x4280c8 GlobalAlloc
0x4280cc LockResource
0x4280d0 GlobalLock
0x4280d4 GlobalUnlock
0x4280d8 GlobalFree
0x4280dc LoadResource
0x4280e0 SizeofResource
0x4280e4 SetCurrentDirectoryW
0x4280e8 GetExitCodeProcess
0x4280ec WaitForSingleObject
0x4280f0 GetLocalTime
0x4280f4 GetTickCount
0x4280f8 MapViewOfFile
0x4280fc UnmapViewOfFile
0x428100 CreateFileMappingW
0x428104 OpenFileMappingW
0x428108 GetCommandLineW
0x42810c SetEnvironmentVariableW
0x428110 ExpandEnvironmentStringsW
0x428114 GetTempPathW
0x428118 MoveFileExW
0x42811c GetLocaleInfoW
0x428120 GetTimeFormatW
0x428124 GetDateFormatW
0x428128 GetNumberFormatW
0x42812c SetFilePointerEx
0x428130 GetConsoleMode
0x428134 GetConsoleCP
0x428138 HeapSize
0x42813c SetStdHandle
0x428140 GetProcessHeap
0x428144 RaiseException
0x428148 GetSystemInfo
0x42814c VirtualProtect
0x428150 VirtualQuery
0x428154 LoadLibraryExA
0x428158 IsProcessorFeaturePresent
0x42815c IsDebuggerPresent
0x428160 UnhandledExceptionFilter
0x428164 SetUnhandledExceptionFilter
0x428168 GetStartupInfoW
0x42816c QueryPerformanceCounter
0x428170 GetCurrentThreadId
0x428174 GetSystemTimeAsFileTime
0x428178 InitializeSListHead
0x42817c GetCurrentProcess
0x428180 TerminateProcess
0x428184 RtlUnwind
0x428188 EncodePointer
0x42818c EnterCriticalSection
0x428190 LeaveCriticalSection
0x428194 DeleteCriticalSection
0x428198 InitializeCriticalSectionAndSpinCount
0x42819c TlsAlloc
0x4281a0 TlsGetValue
0x4281a4 TlsSetValue
0x4281a8 TlsFree
0x4281ac LoadLibraryExW
0x4281b0 QueryPerformanceFrequency
0x4281b4 GetModuleHandleExW
0x4281b8 GetModuleFileNameA
0x4281bc GetACP
0x4281c0 HeapFree
0x4281c4 HeapAlloc
0x4281c8 HeapReAlloc
0x4281cc GetStringTypeW
0x4281d0 LCMapStringW
0x4281d4 FindFirstFileExA
0x4281d8 FindNextFileA
0x4281dc IsValidCodePage
0x4281e0 GetOEMCP
0x4281e4 GetCommandLineA
0x4281e8 GetEnvironmentStringsW
0x4281ec FreeEnvironmentStringsW
0x4281f0 DecodePointer
gdiplus.dll
0x4281f8 GdiplusShutdown
0x4281fc GdiplusStartup
0x428200 GdipCreateHBITMAPFromBitmap
0x428204 GdipCreateBitmapFromStreamICM
0x428208 GdipCreateBitmapFromStream
0x42820c GdipDisposeImage
0x428210 GdipCloneImage
0x428214 GdipFree
0x428218 GdipAlloc
EAT(Export Address Table) Library
KERNEL32.dll
0x428000 GetLastError
0x428004 SetLastError
0x428008 FormatMessageW
0x42800c GetFileType
0x428010 GetStdHandle
0x428014 WriteFile
0x428018 ReadFile
0x42801c FlushFileBuffers
0x428020 SetEndOfFile
0x428024 SetFilePointer
0x428028 SetFileTime
0x42802c CloseHandle
0x428030 CreateFileW
0x428034 CreateDirectoryW
0x428038 SetFileAttributesW
0x42803c GetFileAttributesW
0x428040 DeleteFileW
0x428044 MoveFileW
0x428048 FindClose
0x42804c FindFirstFileW
0x428050 FindNextFileW
0x428054 GetVersionExW
0x428058 GetCurrentDirectoryW
0x42805c GetFullPathNameW
0x428060 FoldStringW
0x428064 GetModuleFileNameW
0x428068 GetModuleHandleW
0x42806c FindResourceW
0x428070 FreeLibrary
0x428074 GetProcAddress
0x428078 GetCurrentProcessId
0x42807c ExitProcess
0x428080 SetThreadExecutionState
0x428084 Sleep
0x428088 LoadLibraryW
0x42808c GetSystemDirectoryW
0x428090 CompareStringW
0x428094 AllocConsole
0x428098 FreeConsole
0x42809c AttachConsole
0x4280a0 WriteConsoleW
0x4280a4 TzSpecificLocalTimeToSystemTime
0x4280a8 SystemTimeToFileTime
0x4280ac FileTimeToLocalFileTime
0x4280b0 LocalFileTimeToFileTime
0x4280b4 FileTimeToSystemTime
0x4280b8 GetCPInfo
0x4280bc IsDBCSLeadByte
0x4280c0 MultiByteToWideChar
0x4280c4 WideCharToMultiByte
0x4280c8 GlobalAlloc
0x4280cc LockResource
0x4280d0 GlobalLock
0x4280d4 GlobalUnlock
0x4280d8 GlobalFree
0x4280dc LoadResource
0x4280e0 SizeofResource
0x4280e4 SetCurrentDirectoryW
0x4280e8 GetExitCodeProcess
0x4280ec WaitForSingleObject
0x4280f0 GetLocalTime
0x4280f4 GetTickCount
0x4280f8 MapViewOfFile
0x4280fc UnmapViewOfFile
0x428100 CreateFileMappingW
0x428104 OpenFileMappingW
0x428108 GetCommandLineW
0x42810c SetEnvironmentVariableW
0x428110 ExpandEnvironmentStringsW
0x428114 GetTempPathW
0x428118 MoveFileExW
0x42811c GetLocaleInfoW
0x428120 GetTimeFormatW
0x428124 GetDateFormatW
0x428128 GetNumberFormatW
0x42812c SetFilePointerEx
0x428130 GetConsoleMode
0x428134 GetConsoleCP
0x428138 HeapSize
0x42813c SetStdHandle
0x428140 GetProcessHeap
0x428144 RaiseException
0x428148 GetSystemInfo
0x42814c VirtualProtect
0x428150 VirtualQuery
0x428154 LoadLibraryExA
0x428158 IsProcessorFeaturePresent
0x42815c IsDebuggerPresent
0x428160 UnhandledExceptionFilter
0x428164 SetUnhandledExceptionFilter
0x428168 GetStartupInfoW
0x42816c QueryPerformanceCounter
0x428170 GetCurrentThreadId
0x428174 GetSystemTimeAsFileTime
0x428178 InitializeSListHead
0x42817c GetCurrentProcess
0x428180 TerminateProcess
0x428184 RtlUnwind
0x428188 EncodePointer
0x42818c EnterCriticalSection
0x428190 LeaveCriticalSection
0x428194 DeleteCriticalSection
0x428198 InitializeCriticalSectionAndSpinCount
0x42819c TlsAlloc
0x4281a0 TlsGetValue
0x4281a4 TlsSetValue
0x4281a8 TlsFree
0x4281ac LoadLibraryExW
0x4281b0 QueryPerformanceFrequency
0x4281b4 GetModuleHandleExW
0x4281b8 GetModuleFileNameA
0x4281bc GetACP
0x4281c0 HeapFree
0x4281c4 HeapAlloc
0x4281c8 HeapReAlloc
0x4281cc GetStringTypeW
0x4281d0 LCMapStringW
0x4281d4 FindFirstFileExA
0x4281d8 FindNextFileA
0x4281dc IsValidCodePage
0x4281e0 GetOEMCP
0x4281e4 GetCommandLineA
0x4281e8 GetEnvironmentStringsW
0x4281ec FreeEnvironmentStringsW
0x4281f0 DecodePointer
gdiplus.dll
0x4281f8 GdiplusShutdown
0x4281fc GdiplusStartup
0x428200 GdipCreateHBITMAPFromBitmap
0x428204 GdipCreateBitmapFromStreamICM
0x428208 GdipCreateBitmapFromStream
0x42820c GdipDisposeImage
0x428210 GdipCloneImage
0x428214 GdipFree
0x428218 GdipAlloc
EAT(Export Address Table) Library