Report - 4556qXbHiTtYxMXnMwXziAARUlvy.exe

Generic Malware UPX WinRAR Antivirus Malicious Library OS Processor Check PE32 PE File
ScreenShot
Created 2023.04.20 09:48 Machine s1_win7_x6403
Filename 4556qXbHiTtYxMXnMwXziAARUlvy.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
3
Behavior Score
5.8
ZERO API file : malware
VT API (file) 7 detected (AIDetect, malware2, PowerShell, Obfuscated, Z suspicious, Malicious, score, PSRunner, CLASSIC)
md5 a3b8de651df55988ae8f38dbbc734b0c
sha256 c9d2a196a3a7209755613e769531990104393b8e96971aa1d757e3ab84696f8b
ssdeep 6144:PgZiAEAO0sByNsAal3gVAWgS7/OhwjmWX+t4bfy:PgZXEAO/BUdG3gVdt7K7WX+t4bfy
imphash aac51396886833dc961fcd7aab7711e4
impfuzzy 48:J9jOXRgLy1XFjsX1Pfc++6W31YpZBtDXtuniLFH:JdcgLy1XFgX1Pfc++VG7BtDXtuniLFH
  Network IP location

Signature (17cnts)

Level Description
watch Creates a suspicious Powershell process
watch One or more non-whitelisted processes were created
watch The process powershell.exe wrote an executable file to disk
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice File has been identified by 7 AntiVirus engines on VirusTotal as malicious
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path
info Uses Windows APIs to generate a cryptographic key

Rules (9cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Antivirus Contains references to security software binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
watch Win32_WinRAR_SFX_Zero Win32 WinRAR SFX binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x434000 GetLastError
 0x434004 SetLastError
 0x434008 FormatMessageW
 0x43400c GetCurrentProcess
 0x434010 DeviceIoControl
 0x434014 SetFileTime
 0x434018 CloseHandle
 0x43401c CreateDirectoryW
 0x434020 RemoveDirectoryW
 0x434024 CreateFileW
 0x434028 DeleteFileW
 0x43402c CreateHardLinkW
 0x434030 GetShortPathNameW
 0x434034 GetLongPathNameW
 0x434038 MoveFileW
 0x43403c GetFileType
 0x434040 GetStdHandle
 0x434044 WriteFile
 0x434048 ReadFile
 0x43404c FlushFileBuffers
 0x434050 SetEndOfFile
 0x434054 SetFilePointer
 0x434058 GetCurrentProcessId
 0x43405c SetFileAttributesW
 0x434060 GetFileAttributesW
 0x434064 FindClose
 0x434068 FindFirstFileW
 0x43406c FindNextFileW
 0x434070 InterlockedDecrement
 0x434074 GetVersionExW
 0x434078 GetCurrentDirectoryW
 0x43407c GetFullPathNameW
 0x434080 FoldStringW
 0x434084 GetModuleFileNameW
 0x434088 GetModuleHandleW
 0x43408c FindResourceW
 0x434090 FreeLibrary
 0x434094 GetProcAddress
 0x434098 ExitProcess
 0x43409c SetThreadExecutionState
 0x4340a0 Sleep
 0x4340a4 LoadLibraryW
 0x4340a8 GetSystemDirectoryW
 0x4340ac CompareStringW
 0x4340b0 AllocConsole
 0x4340b4 FreeConsole
 0x4340b8 AttachConsole
 0x4340bc WriteConsoleW
 0x4340c0 GetProcessAffinityMask
 0x4340c4 CreateThread
 0x4340c8 SetThreadPriority
 0x4340cc InitializeCriticalSection
 0x4340d0 EnterCriticalSection
 0x4340d4 LeaveCriticalSection
 0x4340d8 DeleteCriticalSection
 0x4340dc SetEvent
 0x4340e0 ResetEvent
 0x4340e4 ReleaseSemaphore
 0x4340e8 WaitForSingleObject
 0x4340ec CreateEventW
 0x4340f0 CreateSemaphoreW
 0x4340f4 GetSystemTime
 0x4340f8 SystemTimeToTzSpecificLocalTime
 0x4340fc TzSpecificLocalTimeToSystemTime
 0x434100 SystemTimeToFileTime
 0x434104 FileTimeToLocalFileTime
 0x434108 LocalFileTimeToFileTime
 0x43410c FileTimeToSystemTime
 0x434110 GetCPInfo
 0x434114 IsDBCSLeadByte
 0x434118 MultiByteToWideChar
 0x43411c WideCharToMultiByte
 0x434120 GlobalAlloc
 0x434124 LockResource
 0x434128 GlobalLock
 0x43412c GlobalUnlock
 0x434130 GlobalFree
 0x434134 LoadResource
 0x434138 SizeofResource
 0x43413c SetCurrentDirectoryW
 0x434140 GetTimeFormatW
 0x434144 GetDateFormatW
 0x434148 GetExitCodeProcess
 0x43414c GetLocalTime
 0x434150 GetTickCount
 0x434154 MapViewOfFile
 0x434158 UnmapViewOfFile
 0x43415c CreateFileMappingW
 0x434160 OpenFileMappingW
 0x434164 GetCommandLineW
 0x434168 SetEnvironmentVariableW
 0x43416c ExpandEnvironmentStringsW
 0x434170 GetTempPathW
 0x434174 MoveFileExW
 0x434178 GetLocaleInfoW
 0x43417c GetNumberFormatW
 0x434180 DecodePointer
 0x434184 SetFilePointerEx
 0x434188 GetConsoleMode
 0x43418c GetConsoleCP
 0x434190 HeapSize
 0x434194 SetStdHandle
 0x434198 GetProcessHeap
 0x43419c FreeEnvironmentStringsW
 0x4341a0 GetEnvironmentStringsW
 0x4341a4 GetCommandLineA
 0x4341a8 GetOEMCP
 0x4341ac RaiseException
 0x4341b0 GetSystemInfo
 0x4341b4 VirtualProtect
 0x4341b8 VirtualQuery
 0x4341bc LoadLibraryExA
 0x4341c0 IsProcessorFeaturePresent
 0x4341c4 IsDebuggerPresent
 0x4341c8 UnhandledExceptionFilter
 0x4341cc SetUnhandledExceptionFilter
 0x4341d0 GetStartupInfoW
 0x4341d4 QueryPerformanceCounter
 0x4341d8 GetCurrentThreadId
 0x4341dc GetSystemTimeAsFileTime
 0x4341e0 InitializeSListHead
 0x4341e4 TerminateProcess
 0x4341e8 LocalFree
 0x4341ec RtlUnwind
 0x4341f0 EncodePointer
 0x4341f4 InitializeCriticalSectionAndSpinCount
 0x4341f8 TlsAlloc
 0x4341fc TlsGetValue
 0x434200 TlsSetValue
 0x434204 TlsFree
 0x434208 LoadLibraryExW
 0x43420c QueryPerformanceFrequency
 0x434210 GetModuleHandleExW
 0x434214 GetModuleFileNameA
 0x434218 GetACP
 0x43421c HeapFree
 0x434220 HeapReAlloc
 0x434224 HeapAlloc
 0x434228 GetStringTypeW
 0x43422c LCMapStringW
 0x434230 FindFirstFileExA
 0x434234 FindNextFileA
 0x434238 IsValidCodePage
OLEAUT32.dll
 0x434240 SysAllocString
 0x434244 SysFreeString
 0x434248 VariantClear
gdiplus.dll
 0x434250 GdipAlloc
 0x434254 GdipDisposeImage
 0x434258 GdipCloneImage
 0x43425c GdipCreateBitmapFromStream
 0x434260 GdipCreateBitmapFromStreamICM
 0x434264 GdipCreateHBITMAPFromBitmap
 0x434268 GdiplusStartup
 0x43426c GdiplusShutdown
 0x434270 GdipFree

EAT(Export Address Table) Library



Similarity measure (PE file only) - Checking for service failure