Field | Value |
---|---|
Created | 2023.04.22 08:58 |
Machine | s1_win7_x6403 |
Filename | 15.ocx |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 40 detected (AIDetect, malware1, 1FW@ayWS7Rl, malicious, confidence, Eldorado, Attribute, HighConfidence, high confidence, VMProtect, score, Black, Gen2, VirRansom, high, VMProtBad, Sabsik, Detected, ai score=86, unsafe, Probably Heur, ExeHeaderL, Generic@AI, RDML, y5yP5RBmy308VyocT0yznQ, Static AI, Malicious PE, susgen) |
md5 | f43ab10a6a9570e4bdc2fd04aa3aa7c3 |
sha256 | b970c327c2e8914749e73713d4dd743ae3907f0a66bd5c34806c6e5f23cf9aa3 |
ssdeep | 98304:iYPGZ6Gqx5CyuqoEsgy6SDVpqyEAYOV+pyIXlmgCE660v2Pu0n:iKGqx5Cxq+gNSDzqFacpPM7Jk |
imphash | 9bf5e17e8dfb1f9f2b1de532bded4f36 |
impfuzzy | 6:AwAcvbMzLWEAcPh/MKGErBJAEf/JLGCZB:DQfP9TjAgZGCZB |
Signature (8cnts)
Level | Description |
---|---|
danger | File has been identified by 40 AntiVirus engines on VirusTotal as malicious |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is likely packed with VMProtect |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0xd39000 GetVersionExA
0xd39004 GetVersion
0xd39008 FindResourceExW
USER32.dll
0xd39010 GetUserObjectInformationW
KERNEL32.dll
0xd39018 GetModuleFileNameW
KERNEL32.dll
0xd39020 GetModuleHandleA
0xd39024 LoadLibraryA
0xd39028 LocalAlloc
0xd3902c LocalFree
0xd39030 GetModuleFileNameA
0xd39034 ExitProcess
EAT(Export Address Table) is none