Field | Value |
---|---|
Created | 2023.06.11 22:54 |
Machine | s1_win7_x6403 |
Filename | uMM.exe |
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 43 detected (Cobalt, GenericKD, Vzqi, ABRisk, NLGO, Attribute, HighConfidence, malicious, high confidence, ShellcodeRunner, score, Dkjl, PatchedWinSwrort, mewpb, Meterpreter, SWRORT, YXDFKZ, GenKD, ai score=88, CobaltStrike, Rozena, 4IE1HW, Detected, unsafe, Chgt, R002C0DF923, lRx2QUpcOxN, PossibleThreat, confidence, 100%) |
md5 | 27c4f6ca1b49e3723ba158c9c268a526 |
sha256 | 93896b303630422dc604fa9ce9dcf1ccd93f823cd90d46c2b55029ea004f1a41 |
ssdeep | 384:v+pv2zG72HYdtLUF4ZENy+Tq25hcttCW:G2ALUJ9DW |
imphash | b76b81f4a49e6d89fb9b3188ab53b9e6 |
impfuzzy | 24:8fS1JmacJ8a0men0MG95XGDZoJlXoDqR9NuZn:8fS1bcJLe0RJGVoJlXoqTk |
Network IP location
Signature (5cnts)
Level | Description |
---|---|
danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
warning | Generates some ICMP traffic |
watch | Communicates with host for which no DNS query was performed |
notice | Allocates read-write-execute memory (usually to unpack itself) |
Rules (2cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x409204 DeleteCriticalSection
0x40920c EnterCriticalSection
0x409214 EnumSystemLocalesW
0x40921c GetCurrentProcess
0x409224 GetCurrentProcessId
0x40922c GetCurrentThreadId
0x409234 GetLastError
0x40923c GetStartupInfoA
0x409244 GetSystemTimeAsFileTime
0x40924c GetTickCount
0x409254 HeapAlloc
0x40925c HeapCreate
0x409264 InitializeCriticalSection
0x40926c LeaveCriticalSection
0x409274 QueryPerformanceCounter
0x40927c RtlAddFunctionTable
0x409284 RtlCaptureContext
0x40928c RtlLookupFunctionEntry
0x409294 RtlVirtualUnwind
0x40929c SetUnhandledExceptionFilter
0x4092a4 Sleep
0x4092ac TerminateProcess
0x4092b4 TlsGetValue
0x4092bc UnhandledExceptionFilter
0x4092c4 VirtualProtect
0x4092cc VirtualQuery
msvcrt.dll
0x4092dc __C_specific_handler
0x4092e4 __getmainargs
0x4092ec __initenv
0x4092f4 __iob_func
0x4092fc __lconv_init
0x409304 __set_app_type
0x40930c __setusermatherr
0x409314 _acmdln
0x40931c _amsg_exit
0x409324 _cexit
0x40932c _fmode
0x409334 _initterm
0x40933c _onexit
0x409344 abort
0x40934c atoi
0x409354 calloc
0x40935c clock
0x409364 exit
0x40936c fprintf
0x409374 free
0x40937c fwrite
0x409384 malloc
0x40938c memcpy
0x409394 memmove
0x40939c signal
0x4093a4 sscanf
0x4093ac strlen
0x4093b4 strncmp
0x4093bc vfprintf
EAT (Export Address Table): none