ScreenShot
| Created | 2023.04.13 09:14 | Machine | s1_win7_x6401 |
| Filename | dsync.exe | ||
| Type | PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 16 detected (unsafe, Save, malicious, confidence, ZexaF, @NW@a4GZB5hG, Attribute, HighConfidence, score, high, Sabsik, 16LR1WK, Static AI, Suspicious PE) | ||
| md5 | cbffe8bea10e64e86ede27ab60f61038 | ||
| sha256 | 37ea3eb3f0479bf9a5ba2dbc1a8b3acaa0352410e38da1885f6a04ddfe3febc2 | ||
| ssdeep | 98304:U/tnlBUrVP0xvFjtL8YQ5ohhPPzYZw+G6tcQLfeQIqfM0O2c:6l2rVP0xvFjqToh1cy+G6tcQfeqHc | ||
| imphash | 76e44e43d1c5b3a5b77477dda19cfbb4 | ||
| impfuzzy | 48:ZfCCaGGVdLkBmXlNFJlPvm/GcaqN1fyGN6qL:ZfCCZG3QBYltlH2aqN1fyV4 | ||
Network IP location
Signature (20cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Appends a known multi-family ransomware file extension to files that have been encrypted |
| watch | Creates an Alternate Data Stream (ADS) |
| watch | Creates known Hkit Backdoor files |
| watch | Detects the presence of Wine emulator |
| watch | File has been identified by 16 AntiVirus engines on VirusTotal as malicious |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| watch | Uses Sysinternals tools in order to add additional command line functionality |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | One or more potentially interesting buffers were extracted |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Command line console output was observed |
| info | One or more processes crashed |
Rules (22cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | NPKI_Zero | File included NPKI | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | ASPack_Zero | ASPack packed file | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| notice | Create_Service | Create a windows service | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x4ee280 CloseHandle
0x4ee284 CreateDirectoryA
0x4ee288 CreateMutexA
0x4ee28c CreateSemaphoreW
0x4ee290 DeleteCriticalSection
0x4ee294 EnterCriticalSection
0x4ee298 ExitProcess
0x4ee29c FindClose
0x4ee2a0 FindFirstFileA
0x4ee2a4 FindNextFileA
0x4ee2a8 FreeLibrary
0x4ee2ac GetCommandLineA
0x4ee2b0 GetCurrentProcess
0x4ee2b4 GetCurrentThreadId
0x4ee2b8 GetFileSize
0x4ee2bc GetLastError
0x4ee2c0 GetModuleFileNameA
0x4ee2c4 GetModuleHandleA
0x4ee2c8 GetProcAddress
0x4ee2cc GetSystemDirectoryA
0x4ee2d0 InitializeCriticalSection
0x4ee2d4 InterlockedDecrement
0x4ee2d8 InterlockedExchange
0x4ee2dc InterlockedIncrement
0x4ee2e0 IsDBCSLeadByteEx
0x4ee2e4 LeaveCriticalSection
0x4ee2e8 LoadLibraryA
0x4ee2ec LoadResource
0x4ee2f0 LocalAlloc
0x4ee2f4 LockResource
0x4ee2f8 MultiByteToWideChar
0x4ee2fc Process32First
0x4ee300 Process32Next
0x4ee304 ReleaseSemaphore
0x4ee308 SetFileAttributesA
0x4ee30c SetLastError
0x4ee310 SetUnhandledExceptionFilter
0x4ee314 SizeofResource
0x4ee318 Sleep
0x4ee31c TlsAlloc
0x4ee320 TlsFree
0x4ee324 TlsGetValue
0x4ee328 TlsSetValue
0x4ee32c VirtualProtect
0x4ee330 VirtualQuery
0x4ee334 WaitForSingleObject
0x4ee338 WideCharToMultiByte
0x4ee33c lstrcatA
0x4ee340 lstrcmpA
0x4ee344 lstrcpyA
0x4ee348 lstrlenA
msvcrt.dll
0x4ee350 _fdopen
0x4ee354 _fstat
0x4ee358 _lseek
0x4ee35c _read
0x4ee360 _strdup
0x4ee364 _stricoll
0x4ee368 _write
msvcrt.dll
0x4ee370 __getmainargs
0x4ee374 __mb_cur_max
0x4ee378 __p__environ
0x4ee37c __p__fmode
0x4ee380 __set_app_type
0x4ee384 _cexit
0x4ee388 _errno
0x4ee38c _filbuf
0x4ee390 _flsbuf
0x4ee394 _fpreset
0x4ee398 _fullpath
0x4ee39c _iob
0x4ee3a0 _isctype
0x4ee3a4 _onexit
0x4ee3a8 _pctype
0x4ee3ac _setmode
0x4ee3b0 abort
0x4ee3b4 atexit
0x4ee3b8 atoi
0x4ee3bc calloc
0x4ee3c0 exit
0x4ee3c4 fclose
0x4ee3c8 fflush
0x4ee3cc fopen
0x4ee3d0 fputc
0x4ee3d4 fputs
0x4ee3d8 fread
0x4ee3dc free
0x4ee3e0 fseek
0x4ee3e4 ftell
0x4ee3e8 fwrite
0x4ee3ec getenv
0x4ee3f0 getwc
0x4ee3f4 iswctype
0x4ee3f8 localeconv
0x4ee3fc malloc
0x4ee400 mbstowcs
0x4ee404 memchr
0x4ee408 memcmp
0x4ee40c memcpy
0x4ee410 memmove
0x4ee414 memset
0x4ee418 printf
0x4ee41c putwc
0x4ee420 realloc
0x4ee424 setlocale
0x4ee428 setvbuf
0x4ee42c signal
0x4ee430 sprintf
0x4ee434 strchr
0x4ee438 strcmp
0x4ee43c strcoll
0x4ee440 strerror
0x4ee444 strftime
0x4ee448 strlen
0x4ee44c strstr
0x4ee450 strtod
0x4ee454 strtoul
0x4ee458 strxfrm
0x4ee45c tolower
0x4ee460 towlower
0x4ee464 towupper
0x4ee468 ungetc
0x4ee46c ungetwc
0x4ee470 vfprintf
0x4ee474 wcscoll
0x4ee478 wcsftime
0x4ee47c wcslen
0x4ee480 wcstombs
0x4ee484 wcsxfrm
OLE32.dll
0x4ee48c CoCreateInstance
0x4ee490 CoInitialize
0x4ee494 CoUninitialize
EAT(Export Address Table) is none
KERNEL32.dll
0x4ee280 CloseHandle
0x4ee284 CreateDirectoryA
0x4ee288 CreateMutexA
0x4ee28c CreateSemaphoreW
0x4ee290 DeleteCriticalSection
0x4ee294 EnterCriticalSection
0x4ee298 ExitProcess
0x4ee29c FindClose
0x4ee2a0 FindFirstFileA
0x4ee2a4 FindNextFileA
0x4ee2a8 FreeLibrary
0x4ee2ac GetCommandLineA
0x4ee2b0 GetCurrentProcess
0x4ee2b4 GetCurrentThreadId
0x4ee2b8 GetFileSize
0x4ee2bc GetLastError
0x4ee2c0 GetModuleFileNameA
0x4ee2c4 GetModuleHandleA
0x4ee2c8 GetProcAddress
0x4ee2cc GetSystemDirectoryA
0x4ee2d0 InitializeCriticalSection
0x4ee2d4 InterlockedDecrement
0x4ee2d8 InterlockedExchange
0x4ee2dc InterlockedIncrement
0x4ee2e0 IsDBCSLeadByteEx
0x4ee2e4 LeaveCriticalSection
0x4ee2e8 LoadLibraryA
0x4ee2ec LoadResource
0x4ee2f0 LocalAlloc
0x4ee2f4 LockResource
0x4ee2f8 MultiByteToWideChar
0x4ee2fc Process32First
0x4ee300 Process32Next
0x4ee304 ReleaseSemaphore
0x4ee308 SetFileAttributesA
0x4ee30c SetLastError
0x4ee310 SetUnhandledExceptionFilter
0x4ee314 SizeofResource
0x4ee318 Sleep
0x4ee31c TlsAlloc
0x4ee320 TlsFree
0x4ee324 TlsGetValue
0x4ee328 TlsSetValue
0x4ee32c VirtualProtect
0x4ee330 VirtualQuery
0x4ee334 WaitForSingleObject
0x4ee338 WideCharToMultiByte
0x4ee33c lstrcatA
0x4ee340 lstrcmpA
0x4ee344 lstrcpyA
0x4ee348 lstrlenA
msvcrt.dll
0x4ee350 _fdopen
0x4ee354 _fstat
0x4ee358 _lseek
0x4ee35c _read
0x4ee360 _strdup
0x4ee364 _stricoll
0x4ee368 _write
msvcrt.dll
0x4ee370 __getmainargs
0x4ee374 __mb_cur_max
0x4ee378 __p__environ
0x4ee37c __p__fmode
0x4ee380 __set_app_type
0x4ee384 _cexit
0x4ee388 _errno
0x4ee38c _filbuf
0x4ee390 _flsbuf
0x4ee394 _fpreset
0x4ee398 _fullpath
0x4ee39c _iob
0x4ee3a0 _isctype
0x4ee3a4 _onexit
0x4ee3a8 _pctype
0x4ee3ac _setmode
0x4ee3b0 abort
0x4ee3b4 atexit
0x4ee3b8 atoi
0x4ee3bc calloc
0x4ee3c0 exit
0x4ee3c4 fclose
0x4ee3c8 fflush
0x4ee3cc fopen
0x4ee3d0 fputc
0x4ee3d4 fputs
0x4ee3d8 fread
0x4ee3dc free
0x4ee3e0 fseek
0x4ee3e4 ftell
0x4ee3e8 fwrite
0x4ee3ec getenv
0x4ee3f0 getwc
0x4ee3f4 iswctype
0x4ee3f8 localeconv
0x4ee3fc malloc
0x4ee400 mbstowcs
0x4ee404 memchr
0x4ee408 memcmp
0x4ee40c memcpy
0x4ee410 memmove
0x4ee414 memset
0x4ee418 printf
0x4ee41c putwc
0x4ee420 realloc
0x4ee424 setlocale
0x4ee428 setvbuf
0x4ee42c signal
0x4ee430 sprintf
0x4ee434 strchr
0x4ee438 strcmp
0x4ee43c strcoll
0x4ee440 strerror
0x4ee444 strftime
0x4ee448 strlen
0x4ee44c strstr
0x4ee450 strtod
0x4ee454 strtoul
0x4ee458 strxfrm
0x4ee45c tolower
0x4ee460 towlower
0x4ee464 towupper
0x4ee468 ungetc
0x4ee46c ungetwc
0x4ee470 vfprintf
0x4ee474 wcscoll
0x4ee478 wcsftime
0x4ee47c wcslen
0x4ee480 wcstombs
0x4ee484 wcsxfrm
OLE32.dll
0x4ee48c CoCreateInstance
0x4ee490 CoInitialize
0x4ee494 CoUninitialize
EAT(Export Address Table) is none