ScreenShot
| Created | 2022.09.28 17:10 | Machine | s1_win7_x6401 |
| Filename | dingding.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 40 detected (Malicious, score, Artemis, Rozena, Vy04, DeepScan, ABTrojan, IHFW, R002H0DIK22, Cobalt, uMmeEKArToU, Meterpreter, PatchedWinSwrort, lpmee, ASMalwS, Wacatac, Detected, ai score=100, Unsafe, TrojanX, Aplw, hV8nkBVTSYY, susgen, Chgt) | ||
| md5 | 62a4aa621e034dbdaaf2bef8f5a4aef0 | ||
| sha256 | b239b5d05aba2f98cbc955c1b88884495db53f5b3a3381b94db1aa76e3ed67a1 | ||
| ssdeep | 12288:nOYO68aew0lMKTKK4KKDyK5FZ1EEEEmEEE1EEEEEEEEEEElKK1KKK1KKK7:NOb2KTKK4KKDyK5FZ1EEEEmEEE1EEEEE | ||
| imphash | 974b46aac09fd69de98c5361efb17a61 | ||
| impfuzzy | 48:Yi2S1YtSEc+pp/Y6qnBS5E/KA/6UyCKSv09+SYJGzFsjr:OS1YtSEc+pp/Yb9MS | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 40 AntiVirus engines on VirusTotal as malicious |
| watch | DEP was bypassed by marking part of the stack executable by the process dingding.exe |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | This executable has a PDB path |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140013000 VirtualProtectEx
0x140013008 GetTempPathW
0x140013010 GetTempFileNameW
0x140013018 CreateFileW
0x140013020 GetLastError
0x140013028 GetFileAttributesExW
0x140013030 CloseHandle
0x140013038 Sleep
0x140013040 CreateThread
0x140013048 WriteConsoleW
0x140013050 SetFilePointerEx
0x140013058 GetConsoleMode
0x140013060 GetConsoleCP
0x140013068 FlushFileBuffers
0x140013070 HeapReAlloc
0x140013078 HeapSize
0x140013080 GetProcessHeap
0x140013088 GetStringTypeW
0x140013090 GetFileType
0x140013098 SetStdHandle
0x1400130a0 FreeEnvironmentStringsW
0x1400130a8 GetEnvironmentStringsW
0x1400130b0 WideCharToMultiByte
0x1400130b8 MultiByteToWideChar
0x1400130c0 GetCommandLineW
0x1400130c8 QueryPerformanceCounter
0x1400130d0 GetCurrentProcessId
0x1400130d8 GetCurrentThreadId
0x1400130e0 GetSystemTimeAsFileTime
0x1400130e8 InitializeSListHead
0x1400130f0 RtlCaptureContext
0x1400130f8 RtlLookupFunctionEntry
0x140013100 RtlVirtualUnwind
0x140013108 IsDebuggerPresent
0x140013110 UnhandledExceptionFilter
0x140013118 SetUnhandledExceptionFilter
0x140013120 GetStartupInfoW
0x140013128 IsProcessorFeaturePresent
0x140013130 GetModuleHandleW
0x140013138 RtlUnwindEx
0x140013140 SetLastError
0x140013148 EnterCriticalSection
0x140013150 LeaveCriticalSection
0x140013158 DeleteCriticalSection
0x140013160 InitializeCriticalSectionAndSpinCount
0x140013168 TlsAlloc
0x140013170 TlsGetValue
0x140013178 TlsSetValue
0x140013180 TlsFree
0x140013188 FreeLibrary
0x140013190 GetProcAddress
0x140013198 LoadLibraryExW
0x1400131a0 RaiseException
0x1400131a8 GetStdHandle
0x1400131b0 WriteFile
0x1400131b8 GetModuleFileNameW
0x1400131c0 GetCurrentProcess
0x1400131c8 ExitProcess
0x1400131d0 TerminateProcess
0x1400131d8 GetModuleHandleExW
0x1400131e0 LCMapStringW
0x1400131e8 HeapAlloc
0x1400131f0 HeapFree
0x1400131f8 FindClose
0x140013200 FindFirstFileExW
0x140013208 FindNextFileW
0x140013210 IsValidCodePage
0x140013218 GetACP
0x140013220 GetOEMCP
0x140013228 GetCPInfo
0x140013230 GetCommandLineA
USER32.dll
0x140013240 PostQuitMessage
0x140013248 EndPaint
0x140013250 BeginPaint
0x140013258 DefWindowProcW
0x140013260 DestroyWindow
0x140013268 DialogBoxParamW
0x140013270 UpdateWindow
0x140013278 ShowWindow
0x140013280 EndDialog
0x140013288 RegisterClassExW
0x140013290 LoadCursorW
0x140013298 LoadIconW
0x1400132a0 DispatchMessageW
0x1400132a8 TranslateMessage
0x1400132b0 TranslateAcceleratorW
0x1400132b8 GetMessageW
0x1400132c0 LoadAcceleratorsW
0x1400132c8 LoadStringW
0x1400132d0 CreateWindowExW
EAT(Export Address Table) is none
KERNEL32.dll
0x140013000 VirtualProtectEx
0x140013008 GetTempPathW
0x140013010 GetTempFileNameW
0x140013018 CreateFileW
0x140013020 GetLastError
0x140013028 GetFileAttributesExW
0x140013030 CloseHandle
0x140013038 Sleep
0x140013040 CreateThread
0x140013048 WriteConsoleW
0x140013050 SetFilePointerEx
0x140013058 GetConsoleMode
0x140013060 GetConsoleCP
0x140013068 FlushFileBuffers
0x140013070 HeapReAlloc
0x140013078 HeapSize
0x140013080 GetProcessHeap
0x140013088 GetStringTypeW
0x140013090 GetFileType
0x140013098 SetStdHandle
0x1400130a0 FreeEnvironmentStringsW
0x1400130a8 GetEnvironmentStringsW
0x1400130b0 WideCharToMultiByte
0x1400130b8 MultiByteToWideChar
0x1400130c0 GetCommandLineW
0x1400130c8 QueryPerformanceCounter
0x1400130d0 GetCurrentProcessId
0x1400130d8 GetCurrentThreadId
0x1400130e0 GetSystemTimeAsFileTime
0x1400130e8 InitializeSListHead
0x1400130f0 RtlCaptureContext
0x1400130f8 RtlLookupFunctionEntry
0x140013100 RtlVirtualUnwind
0x140013108 IsDebuggerPresent
0x140013110 UnhandledExceptionFilter
0x140013118 SetUnhandledExceptionFilter
0x140013120 GetStartupInfoW
0x140013128 IsProcessorFeaturePresent
0x140013130 GetModuleHandleW
0x140013138 RtlUnwindEx
0x140013140 SetLastError
0x140013148 EnterCriticalSection
0x140013150 LeaveCriticalSection
0x140013158 DeleteCriticalSection
0x140013160 InitializeCriticalSectionAndSpinCount
0x140013168 TlsAlloc
0x140013170 TlsGetValue
0x140013178 TlsSetValue
0x140013180 TlsFree
0x140013188 FreeLibrary
0x140013190 GetProcAddress
0x140013198 LoadLibraryExW
0x1400131a0 RaiseException
0x1400131a8 GetStdHandle
0x1400131b0 WriteFile
0x1400131b8 GetModuleFileNameW
0x1400131c0 GetCurrentProcess
0x1400131c8 ExitProcess
0x1400131d0 TerminateProcess
0x1400131d8 GetModuleHandleExW
0x1400131e0 LCMapStringW
0x1400131e8 HeapAlloc
0x1400131f0 HeapFree
0x1400131f8 FindClose
0x140013200 FindFirstFileExW
0x140013208 FindNextFileW
0x140013210 IsValidCodePage
0x140013218 GetACP
0x140013220 GetOEMCP
0x140013228 GetCPInfo
0x140013230 GetCommandLineA
USER32.dll
0x140013240 PostQuitMessage
0x140013248 EndPaint
0x140013250 BeginPaint
0x140013258 DefWindowProcW
0x140013260 DestroyWindow
0x140013268 DialogBoxParamW
0x140013270 UpdateWindow
0x140013278 ShowWindow
0x140013280 EndDialog
0x140013288 RegisterClassExW
0x140013290 LoadCursorW
0x140013298 LoadIconW
0x1400132a0 DispatchMessageW
0x1400132a8 TranslateMessage
0x1400132b0 TranslateAcceleratorW
0x1400132b8 GetMessageW
0x1400132c0 LoadAcceleratorsW
0x1400132c8 LoadStringW
0x1400132d0 CreateWindowExW
EAT(Export Address Table) is none