ScreenShot
| Created | 2022.06.30 10:07 | Machine | s1_win7_x6401 |
| Filename | up.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 27 detected (malicious, high confidence, Graftor, ASPROTECT V2, X REGISTERED, > ALEXEY SOLODOVNIKOV, Asprotect, ZexaF, @RZaaaYM30lb, Attribute, HighConfidence, score, FileRepMalware, Misc, Generic ML PUA, Static AI, Suspicious PE, AGEN, Wacapew, TScope, GenAsa, XHPWPUxbPWE, ai score=76, confidence, 100%) | ||
| md5 | 20a89280ef6d5930572f1da62c770b3f | ||
| sha256 | d15c52b2289c24066bb3cea9f822f080b028636b223590606a2d1c479b59b96c | ||
| ssdeep | 98304:sZBFgb+AqHU+DTwl9zOHz7t1Q5RRlWY9HJ3CChZfYQmG/dhY97s5npS+:sFgb+A4U4TIqY5BZdwnGlhmA5nI+ | ||
| imphash | c9a3edae9204609d90d0770c3583acd8 | ||
| impfuzzy | 12:mDzjA9A+pZ1nd6wuRTf1E3xaZCdG4HWrMLYo01ZC3PwUK3EUe:mDnWA+pZ1swu7Eho4bHyXI3PwzE3 | ||
Network IP location
Signature (23cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 27 AntiVirus engines on VirusTotal as malicious |
| watch | Checks the presence of IDE drives in the registry |
| watch | Creates a windows hook that monitors keyboard input (keylogger) |
| watch | Detects Virtual Machines through their custom firmware |
| watch | Disables proxy possibly for traffic interception |
| watch | Expresses interest in specific running processes |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates executable files on the filesystem |
| notice | Foreign language identified in PE resource |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | NPKI_Zero | File included NPKI | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | Lnk_Format_Zero | LNK Format | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x322b9bf4 GetProcAddress
0x322b9bf8 GetModuleHandleA
0x322b9bfc LoadLibraryA
user32.dll
0x322b9f4a GetKeyboardType
advapi32.dll
0x322b9f52 RegQueryValueExA
oleaut32.dll
0x322b9f5a SysFreeString
advapi32.dll
0x322b9f62 RegSetValueExA
version.dll
0x322b9f6a VerQueryValueA
gdi32.dll
0x322b9f72 UnrealizeObject
user32.dll
0x322b9f7a CreateWindowExA
ole32.dll
0x322b9f82 IsEqualGUID
oleaut32.dll
0x322b9f8a SafeArrayPtrOfIndex
ole32.dll
0x322b9f92 CreateStreamOnHGlobal
oleaut32.dll
0x322b9f9a CreateErrorInfo
comctl32.dll
0x322b9fa2 ImageList_SetIconSize
shell32.dll
0x322b9faa Shell_NotifyIconA
wininet.dll
0x322b9fb2 InternetSetOptionA
urlmon.dll
0x322b9fba CoInternetCreateZoneManager
shell32.dll
0x322b9fc2 SHGetSpecialFolderLocation
wsock32.dll
0x322b9fca WSACleanup
winmm.dll
0x322b9fd2 timeGetTime
ntdll.dll
0x322b9fda NtReadVirtualMemory
ole32.dll
0x322b9fe2 PropVariantClear
advapi32.dll
0x322b9fea AddAccessAllowedAce
oleaut32.dll
0x322b9ff2 VariantChangeTypeEx
kernel32.dll
0x322b9ffa RaiseException
EAT(Export Address Table) is none
kernel32.dll
0x322b9bf4 GetProcAddress
0x322b9bf8 GetModuleHandleA
0x322b9bfc LoadLibraryA
user32.dll
0x322b9f4a GetKeyboardType
advapi32.dll
0x322b9f52 RegQueryValueExA
oleaut32.dll
0x322b9f5a SysFreeString
advapi32.dll
0x322b9f62 RegSetValueExA
version.dll
0x322b9f6a VerQueryValueA
gdi32.dll
0x322b9f72 UnrealizeObject
user32.dll
0x322b9f7a CreateWindowExA
ole32.dll
0x322b9f82 IsEqualGUID
oleaut32.dll
0x322b9f8a SafeArrayPtrOfIndex
ole32.dll
0x322b9f92 CreateStreamOnHGlobal
oleaut32.dll
0x322b9f9a CreateErrorInfo
comctl32.dll
0x322b9fa2 ImageList_SetIconSize
shell32.dll
0x322b9faa Shell_NotifyIconA
wininet.dll
0x322b9fb2 InternetSetOptionA
urlmon.dll
0x322b9fba CoInternetCreateZoneManager
shell32.dll
0x322b9fc2 SHGetSpecialFolderLocation
wsock32.dll
0x322b9fca WSACleanup
winmm.dll
0x322b9fd2 timeGetTime
ntdll.dll
0x322b9fda NtReadVirtualMemory
ole32.dll
0x322b9fe2 PropVariantClear
advapi32.dll
0x322b9fea AddAccessAllowedAce
oleaut32.dll
0x322b9ff2 VariantChangeTypeEx
kernel32.dll
0x322b9ffa RaiseException
EAT(Export Address Table) is none