Field | Value |
---|---|
Created | 2021.11.14 18:47 |
Machine | s1_win7_x6403 |
Filename | file.exe |
Type | MS-DOS executable, MZ for MS-DOS |
AI Score | (not captured) |
Behavior Score | (not captured) |
ZERO API | file : clean |
VT API (file) | 15 detected (malicious, high confidence, Unsafe, Save, GenKryptik, FNKE, SelfDel, Static AI, Malicious PE, InvalidSig, Sabsik, score, MachineLearning, Anomalous, susgen) |
md5 | 8b9bce00bcd650b996c0d67d57675de7 |
sha256 | bf45b415add34c4a9cfd28e2f0060a5771b452a290d4807cc66e5e0355b014c0 |
ssdeep | 12288:KX35aOpOy0Pby7F5gjpsIpfWFsiWtYR03l/3pD2Q3RN9CjWglBe4dUKELgmLF:KhIDpWKtYSP5r9CqglBeYK |
imphash | df4d137aff165851ceb794e4a2cb36f2 |
impfuzzy | 24:DbLwFw1+UQ9J7g/XdfecDIeZm4ejeR4vnhM5+FpOovTjfXiAIij3wbasR:zD+UQDOSeZn7qhM5z4yAIy3m |
Signature (13cnts)
Level | Description |
---|---|
watch | Attempts to identify installed AV products by installation directory |
watch | Checks the CPU name from registry |
watch | Creates an executable file in a user folder |
watch | Deletes a large number of files from the system indicative of ransomware |
watch | File has been identified by 15 AntiVirus engines on VirusTotal as malicious |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a suspicious process |
notice | Drops an executable to the user AppData folder |
notice | Uses Windows utilities for basic Windows functionality |
info | Command line console output was observed |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (upload) |
danger | Win_Trojan_Formbook_Zero | Used Formbook | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Network (0cnts)
No network requests were recorded for this run.
Suricata ids
(none listed)
PE API
IAT (Import Address Table), by library
advapi32.dll
0x60dfad AllocateAndInitializeSid
0x60dfb1 RegOpenKeyExA
0x60dfb5 CheckTokenMembership
0x60dfb9 RegSaveKeyA
0x60dfbd RegCloseKey
0x60dfc1 FreeSid
0x60dfc5 RegQueryValueExA
cscdll.dll
0x60dfcd CSCFindNextFileW
kernel32.dll
0x60dfd5 RtlUnwind
0x60dfd9 GetCurrentProcessId
0x60dfdd DeleteCriticalSection
0x60dfe1 SetLastError
0x60dfe5 GetACP
0x60dfe9 QueryPerformanceCounter
0x60dfed GetOEMCP
0x60dff1 MultiByteToWideChar
0x60dff5 TlsAlloc
0x60dff9 WideCharToMultiByte
0x60dffd GetEnvironmentStringsW
0x60e001 GlobalAlloc
0x60e005 GetStringTypeW
0x60e009 FreeEnvironmentStringsW
0x60e00d HeapSize
0x60e011 HeapFree
0x60e015 SetUnhandledExceptionFilter
0x60e019 HeapAlloc
0x60e01d HeapReAlloc
0x60e021 InterlockedIncrement
0x60e025 VirtualFree
0x60e029 GetProcAddress
0x60e02d InitializeCriticalSection
0x60e031 CloseHandle
0x60e035 WriteFile
0x60e039 UnhandledExceptionFilter
0x60e03d GetLocaleInfoA
0x60e041 FreeLibrary
0x60e045 GetVersionExA
0x60e049 HeapDestroy
0x60e04d SetHandleCount
0x60e051 VirtualProtect
0x60e055 ExitProcess
0x60e059 WaitForSingleObject
0x60e05d IsDebuggerPresent
0x60e061 LCMapStringW
0x60e065 GetTickCount
0x60e069 Sleep
0x60e06d GetModuleHandleW
0x60e071 CreateProcessA
0x60e075 GetModuleHandleA
0x60e079 LeaveCriticalSection
0x60e07d GetFileType
0x60e081 InterlockedDecrement
0x60e085 GetStartupInfoA
0x60e089 TlsFree
0x60e08d GetStdHandle
0x60e091 GetProcessHeap
0x60e095 LCMapStringA
0x60e099 TlsGetValue
0x60e09d RaiseException
0x60e0a1 GetCurrentThreadId
0x60e0a5 TerminateProcess
0x60e0a9 GetCurrentProcess
0x60e0ad FreeEnvironmentStringsA
0x60e0b1 GetEnvironmentStrings
0x60e0b5 GetCommandLineA
0x60e0b9 HeapCreate
0x60e0bd VirtualAlloc
0x60e0c1 GetLastError
0x60e0c5 LoadLibraryA
0x60e0c9 EnterCriticalSection
0x60e0cd GetCPInfo
0x60e0d1 GetModuleFileNameA
0x60e0d5 TlsSetValue
0x60e0d9 WinExec
0x60e0dd GetStringTypeA
user32.dll
0x60e0e5 KillTimer
0x60e0e9 SetTimer
0x60e0ed GetMessageA
0x60e0f1 MessageBoxExA
version.dll
0x60e0f9 VerFindFileW
ws2_32.dll
0x60e101 socket
0x60e105 setsockopt
EAT (Export Address Table): none
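Added here as a worked check, not part of the original report or of the sandbox's own tooling: the script below transcribes the IAT above in the order listed, recomputes the pefile-style imphash so it can be compared with the report's imphash field (a different value means the listing is not in import-directory order or is incomplete), and maps each behaviour signature in the report to the statically imported APIs that could produce it. The signature-to-API table is this example's own assumption. The useful result is that several observed behaviours (mass file deletion, AV directory probing, the hidden window, the dropped executable) have no backing import at all while LoadLibraryA and GetProcAddress are present, which is what a packed stub (UPX_Zero, unknown section names) that resolves its payload's APIs at runtime looks like; the static IAT describes the unpacker, not the payload.

```python
"""Static triage of the IAT listed in this report.

Added example; not the report's or the sandbox's own code. IAT is a
transcription of the listing above, in the order shown. SIGNATURE_EVIDENCE is
this example's own assumption about which imports could produce each
behaviour signature in the report.
"""
import hashlib

# Imports exactly as listed in the report, per DLL, in listing order.
IAT = {
    "advapi32.dll": ("AllocateAndInitializeSid RegOpenKeyExA CheckTokenMembership "
                     "RegSaveKeyA RegCloseKey FreeSid RegQueryValueExA").split(),
    "cscdll.dll": ["CSCFindNextFileW"],
    "kernel32.dll": (
        "RtlUnwind GetCurrentProcessId DeleteCriticalSection SetLastError GetACP "
        "QueryPerformanceCounter GetOEMCP MultiByteToWideChar TlsAlloc "
        "WideCharToMultiByte GetEnvironmentStringsW GlobalAlloc GetStringTypeW "
        "FreeEnvironmentStringsW HeapSize HeapFree SetUnhandledExceptionFilter "
        "HeapAlloc HeapReAlloc InterlockedIncrement VirtualFree GetProcAddress "
        "InitializeCriticalSection CloseHandle WriteFile UnhandledExceptionFilter "
        "GetLocaleInfoA FreeLibrary GetVersionExA HeapDestroy SetHandleCount "
        "VirtualProtect ExitProcess WaitForSingleObject IsDebuggerPresent "
        "LCMapStringW GetTickCount Sleep GetModuleHandleW CreateProcessA "
        "GetModuleHandleA LeaveCriticalSection GetFileType InterlockedDecrement "
        "GetStartupInfoA TlsFree GetStdHandle GetProcessHeap LCMapStringA "
        "TlsGetValue RaiseException GetCurrentThreadId TerminateProcess "
        "GetCurrentProcess FreeEnvironmentStringsA GetEnvironmentStrings "
        "GetCommandLineA HeapCreate VirtualAlloc GetLastError LoadLibraryA "
        "EnterCriticalSection GetCPInfo GetModuleFileNameA TlsSetValue WinExec "
        "GetStringTypeA").split(),
    "user32.dll": "KillTimer SetTimer GetMessageA MessageBoxExA".split(),
    "version.dll": ["VerFindFileW"],
    "ws2_32.dll": "socket setsockopt".split(),
}

# Report signature -> imports that would account for it statically (assumed).
SIGNATURE_EVIDENCE = {
    "Checks the CPU name from registry": {"RegOpenKeyExA", "RegQueryValueExA"},
    "Allocates read-write-execute memory": {"VirtualAlloc", "VirtualProtect"},
    "Creates a suspicious process": {"CreateProcessA", "WinExec"},
    "Drops an executable to the user AppData folder":
        {"CreateFileA", "CreateFileW", "CopyFileA", "CopyFileW"},
    "Deletes a large number of files": {"DeleteFileA", "DeleteFileW"},
    "Identifies AV products by installation directory":
        {"FindFirstFileA", "FindFirstFileW", "GetFileAttributesA", "GetFileAttributesW"},
    "A process created a hidden window": {"CreateWindowExA", "CreateWindowExW", "ShowWindow"},
}


def imphash(iat):
    """pefile-style imphash: md5 over 'dll.func' pairs, lowercased, with the
    DLL extension stripped, comma-joined in import-directory order. All imports
    here are by name, so no ordinal-to-name lookup is needed."""
    parts = []
    for dll, funcs in iat.items():
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            lib = base
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def all_imports(iat):
    """Flat set of imported function names across every DLL."""
    return {func for funcs in iat.values() for func in funcs}


def signature_backing(iat, evidence=SIGNATURE_EVIDENCE):
    """For each report signature, the statically imported APIs that could
    produce it. An empty list means nothing in the IAT accounts for that
    behaviour, so the payload must obtain the API some other way."""
    present = all_imports(iat)
    return {sig: sorted(apis & present) for sig, apis in evidence.items()}


def runtime_resolved(iat, evidence=SIGNATURE_EVIDENCE):
    """Signatures with no backing import at all."""
    return sorted(sig for sig, hits in signature_backing(iat, evidence).items() if not hits)


def can_resolve_dynamically(iat):
    """True when the stub imports what it needs to resolve APIs at runtime."""
    present = all_imports(iat)
    return bool({"LoadLibraryA", "LoadLibraryW"} & present) and "GetProcAddress" in present


if __name__ == "__main__":
    print("recomputed imphash:", imphash(IAT), "(compare with the report's imphash field)")
    for sig, hits in signature_backing(IAT).items():
        print(f"{sig}: {', '.join(hits) or 'NO STATIC IMPORT'}")
    print("LoadLibrary + GetProcAddress available:", can_resolve_dynamically(IAT))
```

If the recomputed value does not equal the report's imphash, do not assume the transcription is wrong first: check the binary with pefile (`pefile.PE(path).get_imphash()`) and compare the import-directory order against the listing. Any signature that prints NO STATIC IMPORT is worth confirming in the unpacked payload rather than in this stub.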