ScreenShot
| Created | 2022.12.19 10:03 | Machine | s1_win7_x6401 |
| Filename | WW20.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 32 detected (AIDetect, malware2, Mint, PrivateLoader, Artemis, Unsafe, Attribute, HighConfidence, malicious, high confidence, ADGH, score, PWSX, BadFile, Nekark, mexad, ai score=84, Sabsik, ZexaF, tw0@aW6jdQaQ, BScope, TrojanPSW, Arkei, WDDisabler, CLASSIC, Static AI, Suspicious PE, susgen) | ||
| md5 | 5debae710acc279440b0fb96ad7ba5ef | ||
| sha256 | b60004cf3b319182c85d8feeae4d3fc9d9f7cec8dd7740b1f7731f1d21cb11a8 | ||
| ssdeep | 49152:ojOcnDWdf0c37oGtkJ/5Hb4bd/nG78GDeYDCThetBdDdMJoTdtqhpP:mOcDaf0mkddod/nbGEadM | ||
| imphash | 02951e73b23a430852958a5fac567566 | ||
| impfuzzy | 96:/mX3QbcGtpxWtv746AJ1wtLCW/DGg5KzF0:oGYtv7QJEd | ||
Network IP location
Signature (34cnts)
| Level | Description |
|---|---|
| danger | Disables Windows Security features |
| danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) |
| watch | Installs itself for autorun at Windows startup |
| watch | One or more non-whitelisted processes were created |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Uses Sysinternals tools in order to add additional command line functionality |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An application raised an exception which may be indicative of an exploit crash |
| notice | An executable file was downloaded by the process ww20.exe |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Creates hidden or system file |
| notice | Drops a binary and executes it |
| notice | Expresses interest in specific running processes |
| notice | Foreign language identified in PE resource |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Looks up the external IP address |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | Terminates another process |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (50cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | infoStealer_browser_Zero | browser info stealer | memory |
| watch | Chrome_User_Data_Check_Zero | Google Chrome User Data Check | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Network_Downloader | File Downloader | memory |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | BitCoin | Perform crypto currency mining | memory |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Create_Service | Create a windows service | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | local_credential_Steal | Steal credential | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_FTP | Communications over FTP | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Network_P2P_Win | Communications over P2P network | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | Persistence | Install itself for autorun at Windows startup | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Sniff_Audio | Record Audio | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PNG_Format_Zero | PNG Format | binaries (download) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | Virtual_currency_Zero | Virtual currency | memory |
| info | vmdetect | Possibly employs anti-virtualization techniques | memory |
| info | win_hook | Affect hook table | memory |
| info | Win_Trojan_agentTesla_Zero | Win.Trojan.agentTesla | memory |
Network (20cnts) ?
Suricata ids
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
ET INFO Executable Download from dotted-quad Host
ET DROP Spamhaus DROP Listed Traffic Inbound group 9
ET INFO URL Shortening Service Domain in DNS Lookup (vk .com)
ET INFO TLS Handshake Failure
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
ET INFO Executable Download from dotted-quad Host
ET DROP Spamhaus DROP Listed Traffic Inbound group 9
ET INFO URL Shortening Service Domain in DNS Lookup (vk .com)
ET INFO TLS Handshake Failure
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x605020 InitializeCriticalSectionEx
0x605024 lstrlenA
0x605028 lstrcatA
0x60502c GetModuleHandleA
0x605030 SetCurrentDirectoryA
0x605034 Sleep
0x605038 GetModuleHandleExA
0x60503c GetFileAttributesA
0x605040 GetBinaryTypeA
0x605044 QueryFullProcessImageNameA
0x605048 GetSystemDirectoryA
0x60504c GlobalAlloc
0x605050 lstrcpyA
0x605054 SetFileAttributesA
0x605058 VerSetConditionMask
0x60505c WideCharToMultiByte
0x605060 VerifyVersionInfoW
0x605064 GetSystemTimeAsFileTime
0x605068 HeapFree
0x60506c HeapAlloc
0x605070 GetProcAddress
0x605074 lstrcpynA
0x605078 GetProcessHeap
0x60507c AreFileApisANSI
0x605080 TryEnterCriticalSection
0x605084 HeapCreate
0x605088 EnterCriticalSection
0x60508c GetFullPathNameW
0x605090 GetDiskFreeSpaceW
0x605094 OutputDebugStringA
0x605098 LockFile
0x60509c LeaveCriticalSection
0x6050a0 InitializeCriticalSection
0x6050a4 GetFullPathNameA
0x6050a8 SetEndOfFile
0x6050ac FindClose
0x6050b0 GetTempPathW
0x6050b4 CreateMutexW
0x6050b8 WaitForSingleObject
0x6050bc GetFileAttributesW
0x6050c0 GetCurrentThreadId
0x6050c4 UnmapViewOfFile
0x6050c8 HeapValidate
0x6050cc HeapSize
0x6050d0 MultiByteToWideChar
0x6050d4 GetTempPathA
0x6050d8 FormatMessageW
0x6050dc GetDiskFreeSpaceA
0x6050e0 GetFileAttributesExW
0x6050e4 OutputDebugStringW
0x6050e8 FlushViewOfFile
0x6050ec LoadLibraryA
0x6050f0 WaitForSingleObjectEx
0x6050f4 DeleteFileA
0x6050f8 DeleteFileW
0x6050fc HeapReAlloc
0x605100 GetSystemInfo
0x605104 LoadLibraryW
0x605108 HeapCompact
0x60510c HeapDestroy
0x605110 UnlockFile
0x605114 LocalFree
0x605118 LockFileEx
0x60511c GetFileSize
0x605120 DeleteCriticalSection
0x605124 GetCurrentProcessId
0x605128 SystemTimeToFileTime
0x60512c FreeLibrary
0x605130 GetSystemTime
0x605134 FormatMessageA
0x605138 CreateFileMappingW
0x60513c MapViewOfFile
0x605140 QueryPerformanceCounter
0x605144 GetTickCount
0x605148 FlushFileBuffers
0x60514c WriteConsoleW
0x605150 CloseHandle
0x605154 CreateFileA
0x605158 GetLastError
0x60515c CreateFileW
0x605160 SetFilePointer
0x605164 WriteFile
0x605168 UnlockFileEx
0x60516c ReadFile
0x605170 SetEnvironmentVariableW
0x605174 FreeEnvironmentStringsW
0x605178 GetEnvironmentStringsW
0x60517c GetCommandLineW
0x605180 GetCommandLineA
0x605184 GetOEMCP
0x605188 GetACP
0x60518c UnhandledExceptionFilter
0x605190 SetUnhandledExceptionFilter
0x605194 GetCurrentProcess
0x605198 TerminateProcess
0x60519c IsProcessorFeaturePresent
0x6051a0 InitializeSListHead
0x6051a4 InitializeCriticalSectionAndSpinCount
0x6051a8 SetEvent
0x6051ac ResetEvent
0x6051b0 CreateEventW
0x6051b4 GetModuleHandleW
0x6051b8 IsDebuggerPresent
0x6051bc GetStartupInfoW
0x6051c0 CreateDirectoryW
0x6051c4 FindFirstFileExW
0x6051c8 FindNextFileW
0x6051cc SetFilePointerEx
0x6051d0 GetFileInformationByHandleEx
0x6051d4 QueryPerformanceFrequency
0x6051d8 LCMapStringEx
0x6051dc EncodePointer
0x6051e0 DecodePointer
0x6051e4 GetCPInfo
0x6051e8 GetStringTypeW
0x6051ec SetLastError
0x6051f0 GetThreadTimes
0x6051f4 GetCurrentThread
0x6051f8 InterlockedPushEntrySList
0x6051fc RaiseException
0x605200 RtlUnwind
0x605204 TlsAlloc
0x605208 TlsGetValue
0x60520c TlsSetValue
0x605210 TlsFree
0x605214 LoadLibraryExW
0x605218 GetFileType
0x60521c ExitProcess
0x605220 GetModuleHandleExW
0x605224 CreateThread
0x605228 ExitThread
0x60522c FreeLibraryAndExitThread
0x605230 GetModuleFileNameW
0x605234 GetStdHandle
0x605238 GetConsoleMode
0x60523c ReadConsoleW
0x605240 GetConsoleOutputCP
0x605244 SetStdHandle
0x605248 CompareStringW
0x60524c LCMapStringW
0x605250 GetLocaleInfoW
0x605254 IsValidLocale
0x605258 GetUserDefaultLCID
0x60525c EnumSystemLocalesW
0x605260 GetFileSizeEx
0x605264 GetTimeZoneInformation
0x605268 IsValidCodePage
0x60526c VirtualQuery
USER32.dll
0x60527c CharNextA
ADVAPI32.dll
0x605000 RegCloseKey
0x605004 RegCreateKeyExA
0x605008 RegSetValueExA
0x60500c OpenProcessToken
0x605010 RegOpenKeyExA
0x605014 GetTokenInformation
0x605018 CryptReleaseContext
SHELL32.dll
0x605274 ShellExecuteA
ole32.dll
0x605284 CoCreateInstance
0x605288 CoInitializeEx
0x60528c CoUninitialize
EAT(Export Address Table) is none
KERNEL32.dll
0x605020 InitializeCriticalSectionEx
0x605024 lstrlenA
0x605028 lstrcatA
0x60502c GetModuleHandleA
0x605030 SetCurrentDirectoryA
0x605034 Sleep
0x605038 GetModuleHandleExA
0x60503c GetFileAttributesA
0x605040 GetBinaryTypeA
0x605044 QueryFullProcessImageNameA
0x605048 GetSystemDirectoryA
0x60504c GlobalAlloc
0x605050 lstrcpyA
0x605054 SetFileAttributesA
0x605058 VerSetConditionMask
0x60505c WideCharToMultiByte
0x605060 VerifyVersionInfoW
0x605064 GetSystemTimeAsFileTime
0x605068 HeapFree
0x60506c HeapAlloc
0x605070 GetProcAddress
0x605074 lstrcpynA
0x605078 GetProcessHeap
0x60507c AreFileApisANSI
0x605080 TryEnterCriticalSection
0x605084 HeapCreate
0x605088 EnterCriticalSection
0x60508c GetFullPathNameW
0x605090 GetDiskFreeSpaceW
0x605094 OutputDebugStringA
0x605098 LockFile
0x60509c LeaveCriticalSection
0x6050a0 InitializeCriticalSection
0x6050a4 GetFullPathNameA
0x6050a8 SetEndOfFile
0x6050ac FindClose
0x6050b0 GetTempPathW
0x6050b4 CreateMutexW
0x6050b8 WaitForSingleObject
0x6050bc GetFileAttributesW
0x6050c0 GetCurrentThreadId
0x6050c4 UnmapViewOfFile
0x6050c8 HeapValidate
0x6050cc HeapSize
0x6050d0 MultiByteToWideChar
0x6050d4 GetTempPathA
0x6050d8 FormatMessageW
0x6050dc GetDiskFreeSpaceA
0x6050e0 GetFileAttributesExW
0x6050e4 OutputDebugStringW
0x6050e8 FlushViewOfFile
0x6050ec LoadLibraryA
0x6050f0 WaitForSingleObjectEx
0x6050f4 DeleteFileA
0x6050f8 DeleteFileW
0x6050fc HeapReAlloc
0x605100 GetSystemInfo
0x605104 LoadLibraryW
0x605108 HeapCompact
0x60510c HeapDestroy
0x605110 UnlockFile
0x605114 LocalFree
0x605118 LockFileEx
0x60511c GetFileSize
0x605120 DeleteCriticalSection
0x605124 GetCurrentProcessId
0x605128 SystemTimeToFileTime
0x60512c FreeLibrary
0x605130 GetSystemTime
0x605134 FormatMessageA
0x605138 CreateFileMappingW
0x60513c MapViewOfFile
0x605140 QueryPerformanceCounter
0x605144 GetTickCount
0x605148 FlushFileBuffers
0x60514c WriteConsoleW
0x605150 CloseHandle
0x605154 CreateFileA
0x605158 GetLastError
0x60515c CreateFileW
0x605160 SetFilePointer
0x605164 WriteFile
0x605168 UnlockFileEx
0x60516c ReadFile
0x605170 SetEnvironmentVariableW
0x605174 FreeEnvironmentStringsW
0x605178 GetEnvironmentStringsW
0x60517c GetCommandLineW
0x605180 GetCommandLineA
0x605184 GetOEMCP
0x605188 GetACP
0x60518c UnhandledExceptionFilter
0x605190 SetUnhandledExceptionFilter
0x605194 GetCurrentProcess
0x605198 TerminateProcess
0x60519c IsProcessorFeaturePresent
0x6051a0 InitializeSListHead
0x6051a4 InitializeCriticalSectionAndSpinCount
0x6051a8 SetEvent
0x6051ac ResetEvent
0x6051b0 CreateEventW
0x6051b4 GetModuleHandleW
0x6051b8 IsDebuggerPresent
0x6051bc GetStartupInfoW
0x6051c0 CreateDirectoryW
0x6051c4 FindFirstFileExW
0x6051c8 FindNextFileW
0x6051cc SetFilePointerEx
0x6051d0 GetFileInformationByHandleEx
0x6051d4 QueryPerformanceFrequency
0x6051d8 LCMapStringEx
0x6051dc EncodePointer
0x6051e0 DecodePointer
0x6051e4 GetCPInfo
0x6051e8 GetStringTypeW
0x6051ec SetLastError
0x6051f0 GetThreadTimes
0x6051f4 GetCurrentThread
0x6051f8 InterlockedPushEntrySList
0x6051fc RaiseException
0x605200 RtlUnwind
0x605204 TlsAlloc
0x605208 TlsGetValue
0x60520c TlsSetValue
0x605210 TlsFree
0x605214 LoadLibraryExW
0x605218 GetFileType
0x60521c ExitProcess
0x605220 GetModuleHandleExW
0x605224 CreateThread
0x605228 ExitThread
0x60522c FreeLibraryAndExitThread
0x605230 GetModuleFileNameW
0x605234 GetStdHandle
0x605238 GetConsoleMode
0x60523c ReadConsoleW
0x605240 GetConsoleOutputCP
0x605244 SetStdHandle
0x605248 CompareStringW
0x60524c LCMapStringW
0x605250 GetLocaleInfoW
0x605254 IsValidLocale
0x605258 GetUserDefaultLCID
0x60525c EnumSystemLocalesW
0x605260 GetFileSizeEx
0x605264 GetTimeZoneInformation
0x605268 IsValidCodePage
0x60526c VirtualQuery
USER32.dll
0x60527c CharNextA
ADVAPI32.dll
0x605000 RegCloseKey
0x605004 RegCreateKeyExA
0x605008 RegSetValueExA
0x60500c OpenProcessToken
0x605010 RegOpenKeyExA
0x605014 GetTokenInformation
0x605018 CryptReleaseContext
SHELL32.dll
0x605274 ShellExecuteA
ole32.dll
0x605284 CoCreateInstance
0x605288 CoInitializeEx
0x60528c CoUninitialize
EAT(Export Address Table) is none