| Field | Value |
|---|---|
| Created | 2023.03.05 04:11 |
| Machine | s1_win7_x6401 |
| Filename | vcruntime140.dll |
| Type | PE32 executable (DLL) (console) Intel 80386, for MS Windows |
| AI Score | Not found |
| Behavior Score | |
| ZERO API | file : clean |
| VT API (file) | |
| md5 | 1b171f9a428c44acf85f89989007c328 |
| sha256 | 9d02e952396bdff3abfe5654e07b7a713c84268a225e11ed9a3bf338ed1e424c |
| ssdeep | 1536:l9j/j2886xv555et/MCsjw0BuRK3jteopUecbAdz86B+JfBL+eNv:l9j/j28V55At/zqw+IqLUecbAdz8lJrv |
| imphash | 6a84b7445ccacd5d29ac27de2745f356 |
| impfuzzy | 12:8MhaMa5vdFynRK3YPXJ1XJJYZ8vhUwAoDpuXnJqdhXRZqRZJlJoARlwV:8MhtsnyRpLE8vbjDpuXJkBczlJBl8 |
Network IP location
Signature (11 counts)
Level | Description |
---|---|
watch | Communicates with host for which no DNS query was performed |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An application raised an exception which may be indicative of an exploit crash |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | One or more processes crashed |
Rules (41 counts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | Hijack_Network | Hijack network configuration | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | Persistence | Install itself for autorun at Windows startup | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
Suricata IDs
ET POLICY PE EXE or DLL Windows file download HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA HTTP unable to match response to request
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA HTTP unable to match response to request
PE API
IAT (Import Address Table) Library
api-ms-win-crt-runtime-l1-1-0.dll
0x10010094 abort
0x10010098 terminate
api-ms-win-crt-heap-l1-1-0.dll
0x10010084 calloc
0x10010088 malloc
0x1001008c free
api-ms-win-crt-string-l1-1-0.dll
0x100100a8 strcpy_s
0x100100ac wcsncmp
api-ms-win-crt-stdio-l1-1-0.dll
0x100100a0 __stdio_common_vsprintf_s
api-ms-win-crt-convert-l1-1-0.dll
0x1001007c atol
KERNEL32.dll
0x10010000 DeleteCriticalSection
0x10010004 TerminateProcess
0x10010008 GetCurrentProcess
0x1001000c SetUnhandledExceptionFilter
0x10010010 UnhandledExceptionFilter
0x10010014 GetSystemTimeAsFileTime
0x10010018 GetCurrentThreadId
0x1001001c GetCurrentProcessId
0x10010020 QueryPerformanceCounter
0x10010024 IsProcessorFeaturePresent
0x10010028 GetModuleHandleW
0x1001002c GetModuleFileNameW
0x10010030 LoadLibraryExW
0x10010034 GetProcAddress
0x10010038 FreeLibrary
0x1001003c RtlUnwind
0x10010040 VirtualQuery
0x10010044 EncodePointer
0x10010048 InterlockedPushEntrySList
0x1001004c InterlockedFlushSList
0x10010050 RaiseException
0x10010054 EnterCriticalSection
0x10010058 LeaveCriticalSection
0x1001005c TlsSetValue
0x10010060 GetLastError
0x10010064 SetLastError
0x10010068 InitializeCriticalSectionAndSpinCount
0x1001006c TlsAlloc
0x10010070 TlsGetValue
0x10010074 TlsFree
EAT (Export Address Table) Library
0x1000d7a0 _CreateFrameInfo
0x10007680 _CxxThrowException
0x1000df30 _EH_prolog
0x1000d7d0 _FindAndUnlinkFrame
0x10005af0 _IsExceptionObjectToBeDestroyed
0x10003f63 _NLG_Dispatch2
0x10002707 _NLG_Return
0x10003f6d _NLG_Return2
0x10005b20 _SetWinRTOutOfMemoryExceptionCallback
0x10005b30 __AdjustPointer
0x10006a60 __BuildCatchObject
0x10006a70 __BuildCatchObjectHelper
0x10006a90 __CxxDetectRethrow
0x10006ae0 __CxxExceptionFilter
0x1000d8b0 __CxxFrameHandler
0x1000d8b0 __CxxFrameHandler2
0x1000d8b0 __CxxFrameHandler3
0x1000d8f0 __CxxLongjmpUnwind
0x10006c20 __CxxQueryExceptionSize
0x10006c30 __CxxRegisterExceptionObject
0x10006ce0 __CxxUnregisterExceptionObject
0x10005a40 __DestructExceptionObject
0x10005b60 __FrameUnwindFilter
0x10005bb0 __GetPlatformExceptionInfo
0x10007250 __RTCastToVoid
0x100072d0 __RTDynamicCast
0x100073d0 __RTtypeid
0x10006a80 __TypeMatch
0x10005c00 __current_exception
0x10005c10 __current_exception_context
0x10003d60 __intrinsic_setjmp
0x10005c20 __processing_throw
0x1000df80 __report_gsfailure
0x10007460 __std_exception_copy
0x100074d0 __std_exception_destroy
0x10005c30 __std_terminate
0x10007510 __std_type_info_compare
0x10007550 __std_type_info_destroy_list
0x10007580 __std_type_info_hash
0x100075b0 __std_type_info_name
0x10003f70 __telemetry_main_invoke_trigger
0x10003f70 __telemetry_main_return_trigger
0x1000d3e0 __unDName
0x1000d410 __unDNameEx
0x100076f0 __uncaught_exception
0x10007710 __uncaught_exceptions
0x10007d10 __vcrt_GetModuleFileNameW
0x10007d30 __vcrt_GetModuleHandleW
0x10007c60 __vcrt_InitializeCriticalSectionEx
0x10007d40 __vcrt_LoadLibraryExW
0x100045e0 _chkesp
0x10003928 _except_handler2
0x100039f8 _except_handler3
0x10004480 _except_handler4_common
0x10007d60 _get_purecall_handler
0x10007720 _get_unexpected
0x10003e30 _global_unwind2
0x10005c40 _is_exception_typeof
0x10003e96 _local_unwind2
0x10003b30 _local_unwind4
0x10003e20 _longjmpex
0x10007d80 _purecall
0x10003b04 _seh_longjmp_unwind
0x10003c08 _seh_longjmp_unwind4
0x10007da0 _set_purecall_handler
0x10007780 _set_se_translator
0x10003da0 _setjmp3
0x10003fd0 longjmp
0x10002730 memchr
0x10004a90 memcmp
0x100027e0 memcpy
0x10002d60 memmove
0x100032e0 memset
0x10007740 set_unexpected
0x10003440 strchr
0x10003570 strrchr
0x100036b0 strstr
0x10007760 unexpected
0x10003ff0 wcschr
0x100040c0 wcsrchr
0x10004170 wcsstr