Field | Value |
---|---|
Created | 2023.03.15 08:50 |
Machine | s1_win7_x6401 |
Filename | sample2.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 60 detected (AIDetectNet, Windows, Ransomware, Lockbit, Malicious, score, LckbitRnsm, S21641235, Vbng, confidence, 100%, ZexaF, 7mW@aqwWnog, Eldorado, Filecoder, Lockbit2, jtuemz, CLASSIC, XPACK, SMYEBGW, high, dltk, ai score=89, GenKryptik, Detected, R487041, unsafe, gX+WzxBXukw, Static AI, Malicious PE, susgen, Genetic) |
md5 | 41687e58130c8bdca248e1403e565afb |
sha256 | fef1f9664fde9b23754c691b15a05fdc35a51a0ceb8a18fb9a5a0166e6377c69 |
ssdeep | 24576:TLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdAF:Pjrc2So1Ff+B3k796W |
imphash | 216df81b1ef7bc2aa8ec52bbeef137c9 |
impfuzzy | 3:PS8VMKXBsMnKXBvLsaoJJSbooPLs3CJUgDWORKOHMWHuN3JAQ4wKWbsKy2KNLJ:q8VMKXWMnKXZom9iGNW1Z4wNbsKyTLJ |
Signature (13cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 60 AntiVirus engines on VirusTotal as malicious |
watch | Installs itself for autorun at Windows startup |
watch | Writes a potential ransom message to disk |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Searches running processes potentially to identify processes for sandbox evasion |
info | Checks amount of memory in system |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) by library
SHLWAPI.dll
0x4fa02c PathAppendW
ACTIVEDS.dll
0x4fa000 None
0x4fa004 None
KERNEL32.dll
0x4fa018 CreateProcessW
0x4fa01c GetSystemTime
0x4fa020 lstrlenW
0x4fa024 LocalFree
ADVAPI32.dll
0x4fa00c CheckTokenMembership
0x4fa010 CreateWellKnownSid
ole32.dll
0x4fa034 CoCreateInstance
0x4fa038 CoSetProxyBlanket
EAT (Export Address Table): none