Report - instd.exe

Tags: task schedule, Malicious Packer, Malicious Library, Code injection, AntiDebug, AntiVM, PE File, PE32
Created 2021.11.01 17:59 Machine s1_win7_x6402
Filename instd.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 7
Behavior Score 7.6
ZERO API file: clean
VT API (file) 46 detected (AIDetect, malware1, Malicious, high confidence, score, Unsafe, Save, Attribute, HighConfidence, a variant of Generik, HOTRTHM, Zenpak, UnclassifiedMalware@0, Upatre, kcloud, Sabsik, Artemis, ai score=100, BScope, Mufila, MachineLearning, Anomalous, R002H07JU21, Generic@ML, RDMK, 5Mo5Q4NVKDVk0zFMidBEzQ, ns9gDCep0oM, Static AI, Malicious PE, PossibleThreat, confidence)
md5 eea1c3d1ab9dd50b3dae826b35c8b138
sha256 7e148999439b83e74d823e98f7a82e4bd75d5e259e4c6351aabbb446eb9dfcc8
ssdeep 6144:lRqUj7H4qyEcBDcUGi9ghYW2bGj9Gz+NpYg5iYI5Lw6/30iEtE/6uz6HgNQHJxWU:lRq47H/tcBDcUG6ghSW9GiNpYJYI5U6M
imphash ca4c54abb883e5c1afbe2edfacafd15e
impfuzzy 12:/B+5QGu4Gv+GXR1y5hF89qAxDZ1mBZGqe:/B+5T0v+GGVFmDZ1gk

Signature (17cnts)

Level Description
danger File has been identified by 46 AntiVirus engines on VirusTotal as malicious
watch Installs itself for autorun at Windows startup
watch One or more of the buffers contains an embedded PE file
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Expresses interest in specific running processes
notice One or more potentially interesting buffers were extracted
notice Searches running processes potentially to identify processes for sandbox evasion
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Command line console output was observed
info Queries for the computername
info The executable uses a known packer

Rules (15cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch schtasks_Zero task schedule memory
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
info anti_dbg Checks if being debugged memory
info Check_Dlls (no description) memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (0cnts)

Suricata ids

PE API

IAT (Import Address Table), by library

MSVCRT.dll
 0x42f030 _controlfp
 0x42f034 _except_handler3
 0x42f038 __set_app_type
 0x42f03c __p__fmode
 0x42f040 __p__commode
 0x42f044 _adjust_fdiv
 0x42f048 __setusermatherr
 0x42f04c _initterm
 0x42f050 __wgetmainargs
 0x42f054 _wcmdln
 0x42f058 exit
 0x42f05c _XcptFilter
 0x42f060 _exit
 0x42f064 srand
 0x42f068 rand
 0x42f06c memset
KERNEL32.dll
 0x42f000 GetStartupInfoW
 0x42f004 GetModuleHandleW
 0x42f008 lstrcmpiW
 0x42f00c LoadLibraryA
 0x42f010 VirtualAlloc
 0x42f014 GetProcAddress
 0x42f018 VirtualAllocExNuma
 0x42f01c VirtualFree
 0x42f020 GetCurrentProcess
 0x42f024 ExitProcess
 0x42f028 GetSystemTimeAsFileTime

EAT (Export Address Table): none
