ScreenShot
| Created | 2023.03.24 17:51 | Machine | s1_win7_x6403 |
| Filename | ndt5tk.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 32 detected (AIDetectNet, malicious, high confidence, Artemis, Save, confidence, 100%, ZexaF, rzW@aG, HaBfi, Attribute, HighConfidence, Kryptik, HSQQ, score, PWSX, Generic ML PUA, high, AGEN, Sabsik, Casdet, YJ1Q9Z, Detected, unsafe, JdoWNMZvexC, Static AI, Suspicious PE, HSIR) | ||
| md5 | 9ce5895cf7087cd578519a76e9eadb7c | ||
| sha256 | d07f46238c95ae64bb95021846ae77c20bf7c8e4a6e4f02357f6d18382965989 | ||
| ssdeep | 12288:UmZH9f1IgJFbALOi5QGiPqcY4A8nMRUg27h606C:z9NXDGmYT8Pt6T | ||
| imphash | 41ad56f07b124d80f945c6cb685f87da | ||
| impfuzzy | 24:UcpVWZMS1jt7GhlJBl3eDoLoEOovbO3kFZMvtGMA+EZHu95:UcpVeMS1jt7GnpXc30FZGz | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x424000 GetModuleHandleA
0x424004 MultiByteToWideChar
0x424008 GetStringTypeW
0x42400c WideCharToMultiByte
0x424010 EnterCriticalSection
0x424014 LeaveCriticalSection
0x424018 InitializeCriticalSectionEx
0x42401c DeleteCriticalSection
0x424020 EncodePointer
0x424024 DecodePointer
0x424028 LCMapStringEx
0x42402c GetCPInfo
0x424030 QueryPerformanceCounter
0x424034 GetCurrentProcessId
0x424038 GetCurrentThreadId
0x42403c GetSystemTimeAsFileTime
0x424040 InitializeSListHead
0x424044 IsDebuggerPresent
0x424048 UnhandledExceptionFilter
0x42404c SetUnhandledExceptionFilter
0x424050 GetStartupInfoW
0x424054 IsProcessorFeaturePresent
0x424058 GetModuleHandleW
0x42405c GetCurrentProcess
0x424060 TerminateProcess
0x424064 CreateFileW
0x424068 RaiseException
0x42406c RtlUnwind
0x424070 GetLastError
0x424074 SetLastError
0x424078 InitializeCriticalSectionAndSpinCount
0x42407c TlsAlloc
0x424080 TlsGetValue
0x424084 TlsSetValue
0x424088 TlsFree
0x42408c FreeLibrary
0x424090 GetProcAddress
0x424094 LoadLibraryExW
0x424098 GetStdHandle
0x42409c WriteFile
0x4240a0 GetModuleFileNameW
0x4240a4 ExitProcess
0x4240a8 GetModuleHandleExW
0x4240ac GetCommandLineA
0x4240b0 GetCommandLineW
0x4240b4 HeapAlloc
0x4240b8 HeapFree
0x4240bc CompareStringW
0x4240c0 LCMapStringW
0x4240c4 GetLocaleInfoW
0x4240c8 IsValidLocale
0x4240cc GetUserDefaultLCID
0x4240d0 EnumSystemLocalesW
0x4240d4 GetFileType
0x4240d8 GetFileSizeEx
0x4240dc SetFilePointerEx
0x4240e0 CloseHandle
0x4240e4 FlushFileBuffers
0x4240e8 GetConsoleOutputCP
0x4240ec GetConsoleMode
0x4240f0 ReadFile
0x4240f4 HeapReAlloc
0x4240f8 FindClose
0x4240fc FindFirstFileExW
0x424100 FindNextFileW
0x424104 IsValidCodePage
0x424108 GetACP
0x42410c GetOEMCP
0x424110 GetEnvironmentStringsW
0x424114 FreeEnvironmentStringsW
0x424118 SetEnvironmentVariableW
0x42411c SetStdHandle
0x424120 GetProcessHeap
0x424124 ReadConsoleW
0x424128 HeapSize
0x42412c WriteConsoleW
EAT(Export Address Table) is none
KERNEL32.dll
0x424000 GetModuleHandleA
0x424004 MultiByteToWideChar
0x424008 GetStringTypeW
0x42400c WideCharToMultiByte
0x424010 EnterCriticalSection
0x424014 LeaveCriticalSection
0x424018 InitializeCriticalSectionEx
0x42401c DeleteCriticalSection
0x424020 EncodePointer
0x424024 DecodePointer
0x424028 LCMapStringEx
0x42402c GetCPInfo
0x424030 QueryPerformanceCounter
0x424034 GetCurrentProcessId
0x424038 GetCurrentThreadId
0x42403c GetSystemTimeAsFileTime
0x424040 InitializeSListHead
0x424044 IsDebuggerPresent
0x424048 UnhandledExceptionFilter
0x42404c SetUnhandledExceptionFilter
0x424050 GetStartupInfoW
0x424054 IsProcessorFeaturePresent
0x424058 GetModuleHandleW
0x42405c GetCurrentProcess
0x424060 TerminateProcess
0x424064 CreateFileW
0x424068 RaiseException
0x42406c RtlUnwind
0x424070 GetLastError
0x424074 SetLastError
0x424078 InitializeCriticalSectionAndSpinCount
0x42407c TlsAlloc
0x424080 TlsGetValue
0x424084 TlsSetValue
0x424088 TlsFree
0x42408c FreeLibrary
0x424090 GetProcAddress
0x424094 LoadLibraryExW
0x424098 GetStdHandle
0x42409c WriteFile
0x4240a0 GetModuleFileNameW
0x4240a4 ExitProcess
0x4240a8 GetModuleHandleExW
0x4240ac GetCommandLineA
0x4240b0 GetCommandLineW
0x4240b4 HeapAlloc
0x4240b8 HeapFree
0x4240bc CompareStringW
0x4240c0 LCMapStringW
0x4240c4 GetLocaleInfoW
0x4240c8 IsValidLocale
0x4240cc GetUserDefaultLCID
0x4240d0 EnumSystemLocalesW
0x4240d4 GetFileType
0x4240d8 GetFileSizeEx
0x4240dc SetFilePointerEx
0x4240e0 CloseHandle
0x4240e4 FlushFileBuffers
0x4240e8 GetConsoleOutputCP
0x4240ec GetConsoleMode
0x4240f0 ReadFile
0x4240f4 HeapReAlloc
0x4240f8 FindClose
0x4240fc FindFirstFileExW
0x424100 FindNextFileW
0x424104 IsValidCodePage
0x424108 GetACP
0x42410c GetOEMCP
0x424110 GetEnvironmentStringsW
0x424114 FreeEnvironmentStringsW
0x424118 SetEnvironmentVariableW
0x42411c SetStdHandle
0x424120 GetProcessHeap
0x424124 ReadConsoleW
0x424128 HeapSize
0x42412c WriteConsoleW
EAT(Export Address Table) is none