Field | Value |
---|---|
Created | 2022.12.02 10:07 |
Machine | s1_win7_x6401 |
Filename | nppshell.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file : malware |
md5 | 82e1ab0738fc212612894ecca54bfa29 |
sha256 | 32965cb1693c1e80c5033487e93a459b199e480e4615351e21debf178ae4270f |
ssdeep | 49152:j7wnRC4ib98B8ou6kHWL97MqWuJzHImpkKQFkyOqv:4RC4ibSpuKnFomlQFkA |
imphash | 8cba43c1bf0bf3e468808ba9c060bbfd |
impfuzzy | 48:Y6YkrmpgdJO/93FXJG4YWcqeeuMHt530tHt:YrkrrdJsFFXJGbWcTedHt4 |
Signature (17cnts)
Level | Description |
---|---|
watch | Communicates with host for which no DNS query was performed |
watch | One or more of the buffers contains an embedded PE file |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates executable files on the filesystem |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid) |
info | One or more processes crashed |
info | Queries for the computername |
info | This executable has a PDB path |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
Network (5cnts)
Suricata ids
ET INFO Dotted Quad Host ZIP Request
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x401000 ExitProcess
0x401004 GetCommandLineW
0x401008 lstrcmpA
0x40100c TlsGetValue
0x401010 HeapAlloc
0x401014 GetCurrentProcess
0x401018 GetTickCount
0x40101c GetCurrentThread
0x401020 GetProcessHeap
0x401024 IsBadReadPtr
0x401028 GetUserDefaultLangID
0x40102c GetCommandLineA
0x401030 GetConsoleCP
0x401034 LoadLibraryW
0x401038 Sleep
0x40103c GetProcessHandleCount
0x401040 HeapCreate
0x401044 GetAtomNameW
0x401048 GetBinaryTypeW
0x40104c VerifyVersionInfoW
0x401050 GetLastError
0x401054 SetLastError
0x401058 GetProcessHeaps
0x40105c IsValidCodePage
0x401060 GetCommMask
0x401064 GetModuleHandleA
0x401068 GetThreadId
0x40106c GetStringTypeW
0x401070 GetConsoleTitleW
0x401074 GetCurrentThreadId
0x401078 DeleteFileW
0x40107c GetCurrentProcessId
0x401080 GetThreadUILanguage
0x401084 CreateFileW
0x401088 WriteConsoleW
0x40108c FlushFileBuffers
0x401090 LCMapStringEx
0x401094 SetThreadStackGuarantee
0x401098 GetSystemInfo
0x40109c VirtualAlloc
0x4010a0 VirtualProtect
0x4010a4 VirtualQuery
0x4010a8 EncodePointer
0x4010ac DecodePointer
0x4010b0 ReadFile
0x4010b4 GetSystemTimeAsFileTime
0x4010b8 RaiseException
0x4010bc RtlUnwind
0x4010c0 IsDebuggerPresent
0x4010c4 IsProcessorFeaturePresent
0x4010c8 InterlockedDecrement
0x4010cc GetModuleHandleExW
0x4010d0 GetProcAddress
0x4010d4 AreFileApisANSI
0x4010d8 MultiByteToWideChar
0x4010dc GetStdHandle
0x4010e0 WriteFile
0x4010e4 GetModuleFileNameW
0x4010e8 EnterCriticalSection
0x4010ec LeaveCriticalSection
0x4010f0 GetFileType
0x4010f4 InitializeCriticalSectionAndSpinCount
0x4010f8 DeleteCriticalSection
0x4010fc InitOnceExecuteOnce
0x401100 GetStartupInfoW
0x401104 HeapSize
0x401108 GetConsoleMode
0x40110c ReadConsoleW
0x401110 InterlockedIncrement
0x401114 HeapFree
0x401118 SetFilePointer
0x40111c SetFilePointerEx
0x401120 CloseHandle
0x401124 QueryPerformanceCounter
0x401128 GetTickCount64
0x40112c GetEnvironmentStringsW
0x401130 FreeEnvironmentStringsW
0x401134 UnhandledExceptionFilter
0x401138 SetUnhandledExceptionFilter
0x40113c FlsAlloc
0x401140 FlsGetValue
0x401144 FlsSetValue
0x401148 FlsFree
0x40114c TerminateProcess
0x401150 GetModuleHandleW
0x401154 LoadLibraryExW
0x401158 GetACP
0x40115c GetOEMCP
0x401160 GetCPInfo
0x401164 OutputDebugStringW
0x401168 WideCharToMultiByte
0x40116c HeapReAlloc
0x401170 SetStdHandle
0x401174 SetEndOfFile
USER32.dll
0x40117c wsprintfW
0x401180 GetForegroundWindow
0x401184 GetSysColor
0x401188 MessageBoxW
ole32.dll
0x401190 CoGetCurrentProcess
EAT (Export Address Table): none