ScreenShot
| Created | 2021.10.23 09:57 | Machine | s1_win7_x6403 |
| Filename | sdd.dll | ||
| Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 18 detected (malicious, high confidence, Artemis, Woreflint, Danabot, Eldorado, Attribute, HighConfidence, a variant of Generik, IMKXXZM, R + Mal, EncPk, 11JGA2V, kcloud, Casdet, Static AI, Malicious PE, Unsafe, Score, ZDlder, SBEO) | ||
| md5 | de8b54a938ac18f15cad804d79a0e19d | ||
| sha256 | 2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd | ||
| ssdeep | 49152:ZgZziYTt//YDt2Z/fZMdzUAOC5n+LlrxFTGWgKq:Z0ziYTKh2Z/f6AAOGarxFTG/v | ||
| imphash | e6d67d5cd426c018e8253fd545967c8b | ||
| impfuzzy | 48:AB2ltMS1Q65c+ppm/j+uFZct2GAo1t91KTLE6x90zSBDV:xtMS1v5c+ppm7XUgZlV | ||
Network IP location
Signature (39cnts)
| Level | Description |
|---|---|
| watch | Attempts to create or modify system certificates |
| watch | Checks the CPU name from registry |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates a suspicious Powershell process |
| watch | File has been identified by 18 AntiVirus engines on VirusTotal as malicious |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | One or more non-whitelisted processes were created |
| watch | One or more of the buffers contains an embedded PE file |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Executes one or more WMI queries |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Starts servers listening |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (10cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x4aa018 SetFileAttributesA
0x4aa01c CreateProcessA
0x4aa020 OutputDebugStringW
0x4aa024 WriteConsoleW
0x4aa028 GetFileSizeEx
0x4aa02c FlushFileBuffers
0x4aa030 HeapReAlloc
0x4aa034 HeapSize
0x4aa038 GetWindowsDirectoryA
0x4aa03c SetConsoleCtrlHandler
0x4aa040 GetProcessHeap
0x4aa044 SetEnvironmentVariableW
0x4aa048 FreeEnvironmentStringsW
0x4aa04c GetEnvironmentStringsW
0x4aa050 WideCharToMultiByte
0x4aa054 GetCommandLineW
0x4aa058 GetCommandLineA
0x4aa05c GetSystemDirectoryA
0x4aa060 OpenMutexA
0x4aa064 GetTempPathA
0x4aa068 VirtualProtect
0x4aa06c GetStringTypeW
0x4aa070 GetModuleFileNameA
0x4aa074 GetCPInfo
0x4aa078 GetOEMCP
0x4aa07c GetACP
0x4aa080 IsValidCodePage
0x4aa084 FindNextFileW
0x4aa088 FindFirstFileExW
0x4aa08c UnhandledExceptionFilter
0x4aa090 SetUnhandledExceptionFilter
0x4aa094 GetCurrentProcess
0x4aa098 TerminateProcess
0x4aa09c IsProcessorFeaturePresent
0x4aa0a0 QueryPerformanceCounter
0x4aa0a4 GetCurrentProcessId
0x4aa0a8 GetCurrentThreadId
0x4aa0ac GetSystemTimeAsFileTime
0x4aa0b0 InitializeSListHead
0x4aa0b4 IsDebuggerPresent
0x4aa0b8 GetStartupInfoW
0x4aa0bc GetModuleHandleW
0x4aa0c0 InterlockedPushEntrySList
0x4aa0c4 InterlockedFlushSList
0x4aa0c8 RtlUnwind
0x4aa0cc GetLastError
0x4aa0d0 SetLastError
0x4aa0d4 EnterCriticalSection
0x4aa0d8 LeaveCriticalSection
0x4aa0dc DeleteCriticalSection
0x4aa0e0 InitializeCriticalSectionAndSpinCount
0x4aa0e4 TlsAlloc
0x4aa0e8 TlsGetValue
0x4aa0ec TlsSetValue
0x4aa0f0 TlsFree
0x4aa0f4 FreeLibrary
0x4aa0f8 GetProcAddress
0x4aa0fc LoadLibraryExW
0x4aa100 EncodePointer
0x4aa104 RaiseException
0x4aa108 CreateFileW
0x4aa10c GetFileType
0x4aa110 CloseHandle
0x4aa114 ExitProcess
0x4aa118 GetModuleHandleExW
0x4aa11c GetModuleFileNameW
0x4aa120 WriteFile
0x4aa124 GetConsoleCP
0x4aa128 GetConsoleMode
0x4aa12c HeapFree
0x4aa130 HeapAlloc
0x4aa134 MultiByteToWideChar
0x4aa138 GetCurrentThread
0x4aa13c GetDateFormatW
0x4aa140 GetTimeFormatW
0x4aa144 CompareStringW
0x4aa148 LCMapStringW
0x4aa14c GetLocaleInfoW
0x4aa150 IsValidLocale
0x4aa154 GetUserDefaultLCID
0x4aa158 EnumSystemLocalesW
0x4aa15c SetStdHandle
0x4aa160 SetEndOfFile
0x4aa164 ReadFile
0x4aa168 ReadConsoleW
0x4aa16c SetFilePointerEx
0x4aa170 GetStdHandle
0x4aa174 GetFileAttributesExW
0x4aa178 SetFileAttributesW
0x4aa17c FindClose
0x4aa180 DecodePointer
USER32.dll
0x4aa188 InsertMenuItemA
0x4aa18c SetDlgItemInt
0x4aa190 GetSysColorBrush
0x4aa194 GetClientRect
0x4aa198 CreateDialogIndirectParamA
0x4aa19c ShowScrollBar
0x4aa1a0 DispatchMessageA
0x4aa1a4 GetWindowRect
0x4aa1a8 CreatePopupMenu
0x4aa1ac DialogBoxIndirectParamA
0x4aa1b0 GetForegroundWindow
0x4aa1b4 SetCursor
0x4aa1b8 GetDlgItemInt
GDI32.dll
0x4aa000 GetTextExtentPoint32A
0x4aa004 SetPixel
0x4aa008 PatBlt
0x4aa00c StretchBlt
0x4aa010 SelectObject
ole32.dll
0x4aa1c0 CoInitialize
0x4aa1c4 CoTaskMemAlloc
0x4aa1c8 CoRegisterClassObject
0x4aa1cc CoUninitialize
0x4aa1d0 CoTaskMemFree
EAT(Export Address Table) Library
0x435cd0 Bluestart
0x435e70 First
0x435d60 Surpriseten
KERNEL32.dll
0x4aa018 SetFileAttributesA
0x4aa01c CreateProcessA
0x4aa020 OutputDebugStringW
0x4aa024 WriteConsoleW
0x4aa028 GetFileSizeEx
0x4aa02c FlushFileBuffers
0x4aa030 HeapReAlloc
0x4aa034 HeapSize
0x4aa038 GetWindowsDirectoryA
0x4aa03c SetConsoleCtrlHandler
0x4aa040 GetProcessHeap
0x4aa044 SetEnvironmentVariableW
0x4aa048 FreeEnvironmentStringsW
0x4aa04c GetEnvironmentStringsW
0x4aa050 WideCharToMultiByte
0x4aa054 GetCommandLineW
0x4aa058 GetCommandLineA
0x4aa05c GetSystemDirectoryA
0x4aa060 OpenMutexA
0x4aa064 GetTempPathA
0x4aa068 VirtualProtect
0x4aa06c GetStringTypeW
0x4aa070 GetModuleFileNameA
0x4aa074 GetCPInfo
0x4aa078 GetOEMCP
0x4aa07c GetACP
0x4aa080 IsValidCodePage
0x4aa084 FindNextFileW
0x4aa088 FindFirstFileExW
0x4aa08c UnhandledExceptionFilter
0x4aa090 SetUnhandledExceptionFilter
0x4aa094 GetCurrentProcess
0x4aa098 TerminateProcess
0x4aa09c IsProcessorFeaturePresent
0x4aa0a0 QueryPerformanceCounter
0x4aa0a4 GetCurrentProcessId
0x4aa0a8 GetCurrentThreadId
0x4aa0ac GetSystemTimeAsFileTime
0x4aa0b0 InitializeSListHead
0x4aa0b4 IsDebuggerPresent
0x4aa0b8 GetStartupInfoW
0x4aa0bc GetModuleHandleW
0x4aa0c0 InterlockedPushEntrySList
0x4aa0c4 InterlockedFlushSList
0x4aa0c8 RtlUnwind
0x4aa0cc GetLastError
0x4aa0d0 SetLastError
0x4aa0d4 EnterCriticalSection
0x4aa0d8 LeaveCriticalSection
0x4aa0dc DeleteCriticalSection
0x4aa0e0 InitializeCriticalSectionAndSpinCount
0x4aa0e4 TlsAlloc
0x4aa0e8 TlsGetValue
0x4aa0ec TlsSetValue
0x4aa0f0 TlsFree
0x4aa0f4 FreeLibrary
0x4aa0f8 GetProcAddress
0x4aa0fc LoadLibraryExW
0x4aa100 EncodePointer
0x4aa104 RaiseException
0x4aa108 CreateFileW
0x4aa10c GetFileType
0x4aa110 CloseHandle
0x4aa114 ExitProcess
0x4aa118 GetModuleHandleExW
0x4aa11c GetModuleFileNameW
0x4aa120 WriteFile
0x4aa124 GetConsoleCP
0x4aa128 GetConsoleMode
0x4aa12c HeapFree
0x4aa130 HeapAlloc
0x4aa134 MultiByteToWideChar
0x4aa138 GetCurrentThread
0x4aa13c GetDateFormatW
0x4aa140 GetTimeFormatW
0x4aa144 CompareStringW
0x4aa148 LCMapStringW
0x4aa14c GetLocaleInfoW
0x4aa150 IsValidLocale
0x4aa154 GetUserDefaultLCID
0x4aa158 EnumSystemLocalesW
0x4aa15c SetStdHandle
0x4aa160 SetEndOfFile
0x4aa164 ReadFile
0x4aa168 ReadConsoleW
0x4aa16c SetFilePointerEx
0x4aa170 GetStdHandle
0x4aa174 GetFileAttributesExW
0x4aa178 SetFileAttributesW
0x4aa17c FindClose
0x4aa180 DecodePointer
USER32.dll
0x4aa188 InsertMenuItemA
0x4aa18c SetDlgItemInt
0x4aa190 GetSysColorBrush
0x4aa194 GetClientRect
0x4aa198 CreateDialogIndirectParamA
0x4aa19c ShowScrollBar
0x4aa1a0 DispatchMessageA
0x4aa1a4 GetWindowRect
0x4aa1a8 CreatePopupMenu
0x4aa1ac DialogBoxIndirectParamA
0x4aa1b0 GetForegroundWindow
0x4aa1b4 SetCursor
0x4aa1b8 GetDlgItemInt
GDI32.dll
0x4aa000 GetTextExtentPoint32A
0x4aa004 SetPixel
0x4aa008 PatBlt
0x4aa00c StretchBlt
0x4aa010 SelectObject
ole32.dll
0x4aa1c0 CoInitialize
0x4aa1c4 CoTaskMemAlloc
0x4aa1c8 CoRegisterClassObject
0x4aa1cc CoUninitialize
0x4aa1d0 CoTaskMemFree
EAT(Export Address Table) Library
0x435cd0 Bluestart
0x435e70 First
0x435d60 Surpriseten