ScreenShot
Field | Value |
---|---|
Created | 2021.11.04 15:15 |
Machine | s1_win7_x6403 |
Filename | search_hyperfs_204.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 48 detected (Blocker, tqAl, malicious, high confidence, GenericKD, Cryprar, Unsafe, confidence, 100%, FileRepMalware, R + Troj, DwnLd, R06BC0WJH21, Static AI, Suspicious PE, lpqsu, ai score=86, kcloud, Sabsik, score, Artemis, Probably Heur, RARAutorun, AbnormalScript, CLASSIC, 1H0ZtLfSHyU, RARAgent, susgen) |
md5 | 04571dd226f182ab814881b6eaaf8b00 |
sha256 | 3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c |
ssdeep | 49152:NtUl/WNQ393CBC4w8MlQdl29Mz6HAIk+AGhaylhPV:3FNQ3Bwwyo51AGhast |
imphash | c127345c03c7eb109783c6cc61e16834 |
impfuzzy | 24:dlJgvUZOB2QaeD7cSjRTT+VzjMn+cOvu9T/2DQMUt7dtDX+sDc+plmowWVLOoviK:A2OcLKcUR41YgeBtDX+Kc+pnCHFa |
Network IP location
Signature (18cnts)
Level | Description |
---|---|
danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries |
notice | Terminates another process |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | This executable has a PDB path |
Rules (40cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x425000 GetLastError
0x425004 SetLastError
0x425008 GetFileType
0x42500c GetStdHandle
0x425010 WriteFile
0x425014 ReadFile
0x425018 FlushFileBuffers
0x42501c SetEndOfFile
0x425020 SetFilePointer
0x425024 SetFileTime
0x425028 CloseHandle
0x42502c CreateFileW
0x425030 CreateDirectoryW
0x425034 SetFileAttributesW
0x425038 GetFileAttributesW
0x42503c DeleteFileW
0x425040 MoveFileW
0x425044 FindClose
0x425048 FindFirstFileW
0x42504c FindNextFileW
0x425050 GetVersionExW
0x425054 GetCurrentDirectoryW
0x425058 GetFullPathNameW
0x42505c FoldStringW
0x425060 GetModuleFileNameW
0x425064 GetModuleHandleW
0x425068 FindResourceW
0x42506c FreeLibrary
0x425070 GetProcAddress
0x425074 GetCurrentProcessId
0x425078 ExitProcess
0x42507c Sleep
0x425080 LoadLibraryW
0x425084 GetSystemDirectoryW
0x425088 CompareStringW
0x42508c AllocConsole
0x425090 FreeConsole
0x425094 AttachConsole
0x425098 WriteConsoleW
0x42509c TzSpecificLocalTimeToSystemTime
0x4250a0 SystemTimeToFileTime
0x4250a4 FileTimeToLocalFileTime
0x4250a8 LocalFileTimeToFileTime
0x4250ac FileTimeToSystemTime
0x4250b0 GetCPInfo
0x4250b4 IsDBCSLeadByte
0x4250b8 MultiByteToWideChar
0x4250bc WideCharToMultiByte
0x4250c0 GlobalAlloc
0x4250c4 GetTickCount
0x4250c8 LockResource
0x4250cc GlobalLock
0x4250d0 GlobalUnlock
0x4250d4 GlobalFree
0x4250d8 LoadResource
0x4250dc SizeofResource
0x4250e0 SetCurrentDirectoryW
0x4250e4 GetExitCodeProcess
0x4250e8 WaitForSingleObject
0x4250ec GetLocalTime
0x4250f0 MapViewOfFile
0x4250f4 UnmapViewOfFile
0x4250f8 CreateFileMappingW
0x4250fc OpenFileMappingW
0x425100 GetCommandLineW
0x425104 SetEnvironmentVariableW
0x425108 ExpandEnvironmentStringsW
0x42510c GetTempPathW
0x425110 MoveFileExW
0x425114 GetLocaleInfoW
0x425118 GetTimeFormatW
0x42511c GetDateFormatW
0x425120 GetNumberFormatW
0x425124 SetFilePointerEx
0x425128 GetConsoleMode
0x42512c GetConsoleCP
0x425130 HeapSize
0x425134 SetStdHandle
0x425138 GetProcessHeap
0x42513c RaiseException
0x425140 GetSystemInfo
0x425144 VirtualProtect
0x425148 VirtualQuery
0x42514c LoadLibraryExA
0x425150 IsProcessorFeaturePresent
0x425154 IsDebuggerPresent
0x425158 UnhandledExceptionFilter
0x42515c SetUnhandledExceptionFilter
0x425160 GetStartupInfoW
0x425164 QueryPerformanceCounter
0x425168 GetCurrentThreadId
0x42516c GetSystemTimeAsFileTime
0x425170 InitializeSListHead
0x425174 GetCurrentProcess
0x425178 TerminateProcess
0x42517c RtlUnwind
0x425180 EncodePointer
0x425184 EnterCriticalSection
0x425188 LeaveCriticalSection
0x42518c DeleteCriticalSection
0x425190 InitializeCriticalSectionAndSpinCount
0x425194 TlsAlloc
0x425198 TlsGetValue
0x42519c TlsSetValue
0x4251a0 TlsFree
0x4251a4 LoadLibraryExW
0x4251a8 QueryPerformanceFrequency
0x4251ac GetModuleHandleExW
0x4251b0 GetModuleFileNameA
0x4251b4 GetACP
0x4251b8 HeapFree
0x4251bc HeapAlloc
0x4251c0 HeapReAlloc
0x4251c4 GetStringTypeW
0x4251c8 LCMapStringW
0x4251cc FindFirstFileExA
0x4251d0 FindNextFileA
0x4251d4 IsValidCodePage
0x4251d8 GetOEMCP
0x4251dc GetCommandLineA
0x4251e0 GetEnvironmentStringsW
0x4251e4 FreeEnvironmentStringsW
0x4251e8 DecodePointer
gdiplus.dll
0x4251f0 GdiplusShutdown
0x4251f4 GdiplusStartup
0x4251f8 GdipCreateHBITMAPFromBitmap
0x4251fc GdipCreateBitmapFromStreamICM
0x425200 GdipCreateBitmapFromStream
0x425204 GdipDisposeImage
0x425208 GdipCloneImage
0x42520c GdipFree
0x425210 GdipAlloc
EAT(Export Address Table) Library