ScreenShot
Created | 2023.06.04 17:45 | Machine | s1_win7_x6401 |
Filename | 7e8e3c8b54a3dd86e1b6afb3300169b0f41449d860921fef25d1038c26215f3f6f88efa1616203fc5b51 | ||
Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : malware | ||
VT API (file) | 38 detected (AIDetectMalware, Mycop, malicious, high confidence, Lisk, Formbook, unsafe, Save, score, Autoit, jtxofu, FileRepMalware, Misc, Generic@AI, RDML, Do8YW8DjaaybOEABqA098w, Playtech, ai score=85, GrayWare, Wacapew, Wacatac, Sabsik, Detected, Artemis, PIFD, confidence) | ||
md5 | c4b9d83a65b7a0b05d7d24d4abcb29ae | ||
sha256 | 6333176aeff8e8bcf4afa893729e2264bd29ed4db5d0b8211eb92a4844b4002e | ||
ssdeep | 24576:UTbBv5rUe0cjGq9uFHK6c71E0GHSjLXFso0heHhv1ekNr2r0hspaAcKEYMI9IulL:mBJLSfo6i1IHSjrFs+vRngaAcwMItf | ||
imphash | 12e12319f1029ec4f8fcbed7e82df162 | ||
impfuzzy | 48:J9jOX5LKc1XFjsX1Pfc++6WQYgpZBtDXtunULFH:JdALKc1XFgX1Pfc++VVuBtDXtunULFH |
Network IP location
Signature (38cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | The process wscript.exe wrote an executable file to disk which it then attempted to execute |
danger | Executed a process and injected code into it |
danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Collects information on the system (ipconfig |
watch | Installs itself for autorun at Windows startup |
watch | One or more non-whitelisted processes were created |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Connects to a Dynamic DNS Domain |
notice | Creates (office) documents on the filesystem |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | One or more potentially interesting buffers were extracted |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | This executable has a PDB path |
info | Uses Windows APIs to generate a cryptographic key |
Rules (20cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Suspicious_Obfuscation_Script_2 | Suspicious obfuscation script (e.g. executable files) | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x433000 GetLastError
0x433004 SetLastError
0x433008 FormatMessageW
0x43300c GetCurrentProcess
0x433010 DeviceIoControl
0x433014 SetFileTime
0x433018 CloseHandle
0x43301c CreateDirectoryW
0x433020 RemoveDirectoryW
0x433024 CreateFileW
0x433028 DeleteFileW
0x43302c CreateHardLinkW
0x433030 GetShortPathNameW
0x433034 GetLongPathNameW
0x433038 MoveFileW
0x43303c GetFileType
0x433040 GetStdHandle
0x433044 WriteFile
0x433048 ReadFile
0x43304c FlushFileBuffers
0x433050 SetEndOfFile
0x433054 SetFilePointer
0x433058 SetFileAttributesW
0x43305c GetFileAttributesW
0x433060 FindClose
0x433064 FindFirstFileW
0x433068 FindNextFileW
0x43306c InterlockedDecrement
0x433070 GetVersionExW
0x433074 GetCurrentDirectoryW
0x433078 GetFullPathNameW
0x43307c FoldStringW
0x433080 GetModuleFileNameW
0x433084 GetModuleHandleW
0x433088 FindResourceW
0x43308c FreeLibrary
0x433090 GetProcAddress
0x433094 GetCurrentProcessId
0x433098 ExitProcess
0x43309c SetThreadExecutionState
0x4330a0 Sleep
0x4330a4 LoadLibraryW
0x4330a8 GetSystemDirectoryW
0x4330ac CompareStringW
0x4330b0 AllocConsole
0x4330b4 FreeConsole
0x4330b8 AttachConsole
0x4330bc WriteConsoleW
0x4330c0 GetProcessAffinityMask
0x4330c4 CreateThread
0x4330c8 SetThreadPriority
0x4330cc InitializeCriticalSection
0x4330d0 EnterCriticalSection
0x4330d4 LeaveCriticalSection
0x4330d8 DeleteCriticalSection
0x4330dc SetEvent
0x4330e0 ResetEvent
0x4330e4 ReleaseSemaphore
0x4330e8 WaitForSingleObject
0x4330ec CreateEventW
0x4330f0 CreateSemaphoreW
0x4330f4 GetSystemTime
0x4330f8 SystemTimeToTzSpecificLocalTime
0x4330fc TzSpecificLocalTimeToSystemTime
0x433100 SystemTimeToFileTime
0x433104 FileTimeToLocalFileTime
0x433108 LocalFileTimeToFileTime
0x43310c FileTimeToSystemTime
0x433110 GetCPInfo
0x433114 IsDBCSLeadByte
0x433118 MultiByteToWideChar
0x43311c WideCharToMultiByte
0x433120 GlobalAlloc
0x433124 LockResource
0x433128 GlobalLock
0x43312c GlobalUnlock
0x433130 GlobalFree
0x433134 LoadResource
0x433138 SizeofResource
0x43313c SetCurrentDirectoryW
0x433140 GetExitCodeProcess
0x433144 GetLocalTime
0x433148 GetTickCount
0x43314c MapViewOfFile
0x433150 UnmapViewOfFile
0x433154 CreateFileMappingW
0x433158 OpenFileMappingW
0x43315c GetCommandLineW
0x433160 SetEnvironmentVariableW
0x433164 ExpandEnvironmentStringsW
0x433168 GetTempPathW
0x43316c MoveFileExW
0x433170 GetLocaleInfoW
0x433174 GetTimeFormatW
0x433178 GetDateFormatW
0x43317c GetNumberFormatW
0x433180 DecodePointer
0x433184 SetFilePointerEx
0x433188 GetConsoleMode
0x43318c GetConsoleCP
0x433190 HeapSize
0x433194 SetStdHandle
0x433198 GetProcessHeap
0x43319c FreeEnvironmentStringsW
0x4331a0 GetEnvironmentStringsW
0x4331a4 GetCommandLineA
0x4331a8 GetOEMCP
0x4331ac RaiseException
0x4331b0 GetSystemInfo
0x4331b4 VirtualProtect
0x4331b8 VirtualQuery
0x4331bc LoadLibraryExA
0x4331c0 IsProcessorFeaturePresent
0x4331c4 IsDebuggerPresent
0x4331c8 UnhandledExceptionFilter
0x4331cc SetUnhandledExceptionFilter
0x4331d0 GetStartupInfoW
0x4331d4 QueryPerformanceCounter
0x4331d8 GetCurrentThreadId
0x4331dc GetSystemTimeAsFileTime
0x4331e0 InitializeSListHead
0x4331e4 TerminateProcess
0x4331e8 LocalFree
0x4331ec RtlUnwind
0x4331f0 EncodePointer
0x4331f4 InitializeCriticalSectionAndSpinCount
0x4331f8 TlsAlloc
0x4331fc TlsGetValue
0x433200 TlsSetValue
0x433204 TlsFree
0x433208 LoadLibraryExW
0x43320c QueryPerformanceFrequency
0x433210 GetModuleHandleExW
0x433214 GetModuleFileNameA
0x433218 GetACP
0x43321c HeapFree
0x433220 HeapAlloc
0x433224 HeapReAlloc
0x433228 GetStringTypeW
0x43322c LCMapStringW
0x433230 FindFirstFileExA
0x433234 FindNextFileA
0x433238 IsValidCodePage
OLEAUT32.dll
0x433240 SysAllocString
0x433244 SysFreeString
0x433248 VariantClear
gdiplus.dll
0x433250 GdipAlloc
0x433254 GdipDisposeImage
0x433258 GdipCloneImage
0x43325c GdipCreateBitmapFromStream
0x433260 GdipCreateBitmapFromStreamICM
0x433264 GdipCreateHBITMAPFromBitmap
0x433268 GdiplusStartup
0x43326c GdiplusShutdown
0x433270 GdipFree
EAT(Export Address Table) Library
KERNEL32.dll
0x433000 GetLastError
0x433004 SetLastError
0x433008 FormatMessageW
0x43300c GetCurrentProcess
0x433010 DeviceIoControl
0x433014 SetFileTime
0x433018 CloseHandle
0x43301c CreateDirectoryW
0x433020 RemoveDirectoryW
0x433024 CreateFileW
0x433028 DeleteFileW
0x43302c CreateHardLinkW
0x433030 GetShortPathNameW
0x433034 GetLongPathNameW
0x433038 MoveFileW
0x43303c GetFileType
0x433040 GetStdHandle
0x433044 WriteFile
0x433048 ReadFile
0x43304c FlushFileBuffers
0x433050 SetEndOfFile
0x433054 SetFilePointer
0x433058 SetFileAttributesW
0x43305c GetFileAttributesW
0x433060 FindClose
0x433064 FindFirstFileW
0x433068 FindNextFileW
0x43306c InterlockedDecrement
0x433070 GetVersionExW
0x433074 GetCurrentDirectoryW
0x433078 GetFullPathNameW
0x43307c FoldStringW
0x433080 GetModuleFileNameW
0x433084 GetModuleHandleW
0x433088 FindResourceW
0x43308c FreeLibrary
0x433090 GetProcAddress
0x433094 GetCurrentProcessId
0x433098 ExitProcess
0x43309c SetThreadExecutionState
0x4330a0 Sleep
0x4330a4 LoadLibraryW
0x4330a8 GetSystemDirectoryW
0x4330ac CompareStringW
0x4330b0 AllocConsole
0x4330b4 FreeConsole
0x4330b8 AttachConsole
0x4330bc WriteConsoleW
0x4330c0 GetProcessAffinityMask
0x4330c4 CreateThread
0x4330c8 SetThreadPriority
0x4330cc InitializeCriticalSection
0x4330d0 EnterCriticalSection
0x4330d4 LeaveCriticalSection
0x4330d8 DeleteCriticalSection
0x4330dc SetEvent
0x4330e0 ResetEvent
0x4330e4 ReleaseSemaphore
0x4330e8 WaitForSingleObject
0x4330ec CreateEventW
0x4330f0 CreateSemaphoreW
0x4330f4 GetSystemTime
0x4330f8 SystemTimeToTzSpecificLocalTime
0x4330fc TzSpecificLocalTimeToSystemTime
0x433100 SystemTimeToFileTime
0x433104 FileTimeToLocalFileTime
0x433108 LocalFileTimeToFileTime
0x43310c FileTimeToSystemTime
0x433110 GetCPInfo
0x433114 IsDBCSLeadByte
0x433118 MultiByteToWideChar
0x43311c WideCharToMultiByte
0x433120 GlobalAlloc
0x433124 LockResource
0x433128 GlobalLock
0x43312c GlobalUnlock
0x433130 GlobalFree
0x433134 LoadResource
0x433138 SizeofResource
0x43313c SetCurrentDirectoryW
0x433140 GetExitCodeProcess
0x433144 GetLocalTime
0x433148 GetTickCount
0x43314c MapViewOfFile
0x433150 UnmapViewOfFile
0x433154 CreateFileMappingW
0x433158 OpenFileMappingW
0x43315c GetCommandLineW
0x433160 SetEnvironmentVariableW
0x433164 ExpandEnvironmentStringsW
0x433168 GetTempPathW
0x43316c MoveFileExW
0x433170 GetLocaleInfoW
0x433174 GetTimeFormatW
0x433178 GetDateFormatW
0x43317c GetNumberFormatW
0x433180 DecodePointer
0x433184 SetFilePointerEx
0x433188 GetConsoleMode
0x43318c GetConsoleCP
0x433190 HeapSize
0x433194 SetStdHandle
0x433198 GetProcessHeap
0x43319c FreeEnvironmentStringsW
0x4331a0 GetEnvironmentStringsW
0x4331a4 GetCommandLineA
0x4331a8 GetOEMCP
0x4331ac RaiseException
0x4331b0 GetSystemInfo
0x4331b4 VirtualProtect
0x4331b8 VirtualQuery
0x4331bc LoadLibraryExA
0x4331c0 IsProcessorFeaturePresent
0x4331c4 IsDebuggerPresent
0x4331c8 UnhandledExceptionFilter
0x4331cc SetUnhandledExceptionFilter
0x4331d0 GetStartupInfoW
0x4331d4 QueryPerformanceCounter
0x4331d8 GetCurrentThreadId
0x4331dc GetSystemTimeAsFileTime
0x4331e0 InitializeSListHead
0x4331e4 TerminateProcess
0x4331e8 LocalFree
0x4331ec RtlUnwind
0x4331f0 EncodePointer
0x4331f4 InitializeCriticalSectionAndSpinCount
0x4331f8 TlsAlloc
0x4331fc TlsGetValue
0x433200 TlsSetValue
0x433204 TlsFree
0x433208 LoadLibraryExW
0x43320c QueryPerformanceFrequency
0x433210 GetModuleHandleExW
0x433214 GetModuleFileNameA
0x433218 GetACP
0x43321c HeapFree
0x433220 HeapAlloc
0x433224 HeapReAlloc
0x433228 GetStringTypeW
0x43322c LCMapStringW
0x433230 FindFirstFileExA
0x433234 FindNextFileA
0x433238 IsValidCodePage
OLEAUT32.dll
0x433240 SysAllocString
0x433244 SysFreeString
0x433248 VariantClear
gdiplus.dll
0x433250 GdipAlloc
0x433254 GdipDisposeImage
0x433258 GdipCloneImage
0x43325c GdipCreateBitmapFromStream
0x433260 GdipCreateBitmapFromStreamICM
0x433264 GdipCreateHBITMAPFromBitmap
0x433268 GdiplusStartup
0x43326c GdiplusShutdown
0x433270 GdipFree
EAT(Export Address Table) Library