Field | Value |
---|---|
Created | 2023.06.22 11:13 |
Machine | s1_win7_x6403 |
Filename | n0cjd0kc.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 51 detected (AIDetectMalware, Convagent, malicious, high confidence, FvY@IT@h, Strab, Artemis, RedLineStealer, Save, ABTrojan, MERI, Attribute, HighConfidence, Kryptik, HTVS, score, PWSX, Gencirc, Nekark, tefgk, Krypt, Wacatac, Detected, ai score=82, unsafe, Chgt, R002H09FH23, kCmbYub4GbM, GenKryptik, gOx3LMDzd8, Static AI, Suspicious PE, susgen, GKWD, confidence) |
md5 | f09c7cd38fbc8b59264301db9c2d3991 |
sha256 | 5ca29739c57c6cef856d92b3a51a2c8206ea41b2376f57590c4b3de678bae446 |
ssdeep | 24576:pXf4S4R4PlsrxAjzfJ26GPFo6r/LZEKqX70xXkz4q9jTRJ69F8GtZr9+bqMwpKUi:k4PlsrxMzfJ26Gdo6r/LnqX7djWzNvI7 |
imphash | 8ab6774378f2864e08787ded42b610d5 |
impfuzzy | 24:/GLPZtuu9QHmUcpVWZsCrYtMS1DGhlJBlAeDoLoEOovbOIFuFZQvtGMAOW5:/GLPZacpVeZrYtMS1DGn2Xc3iuFZyFQ |
Signature (28cnts)
Level | Description |
---|---|
danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Communicates with host for which no DNS query was performed |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | One or more non-whitelisted processes were created |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Uses Windows APIs to generate a cryptographic key |
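The injection-related signatures above (danger and watch rows) are what a sandbox derives from a sequence of API calls: create a process, allocate executable memory in it, write a buffer that starts with an MZ header, set the thread context, resume the thread. The Python below is an added example, not the sandbox's own signature engine: it replays a constructed API-call trace (one JSON object per line; the event format and the `target_pid` field, which stands for the pid a real hook would resolve from the process handle, are assumptions of this example) and emits the same signature texts the report uses, so you can see which call fires which row and why "non-child process" does not fire when the target is the sample's own child.

```python
"""Re-derive the report's process-injection signatures from an API-call trace.

Added example; the trace format is hypothetical and the trace is constructed.
"""
import json

# Windows constants used by the heuristics.
CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

# Signature texts copied from the report.
SIG_INJECTED_CHILD = "Executed a process and injected code into it"
SIG_REMOTE_EXEC = "Allocates execute permission to another process indicative of possible code injection"
SIG_NON_CHILD = "Manipulates memory of a non-child process indicative of process injection"
SIG_PE_BUFFER = "One or more of the buffers contains an embedded PE file"
SIG_REMOTE_WRITE = "Potential code injection by writing to the memory of another process"
SIG_RESUME = "Resumed a suspended thread in a remote process potentially indicative of process injection"
SIG_SET_CONTEXT = "Used NtSetContextThread to modify a thread in a remote process indicative of process injection"
SIG_RWX_SELF = "Allocates read-write-execute memory (usually to unpack itself)"
LEVEL_ORDER = {"danger": 0, "watch": 1, "notice": 2}

# Constructed trace (not from the report): pid 1000 is the sample, pid 2000 the
# suspended child it hollows. "buffer_head" carries the first bytes written, hex-encoded.
SAMPLE_TRACE = r"""
{"pid": 1000, "api": "VirtualAlloc", "args": {"dwSize": 180224, "flProtect": 64}, "ret": 4456448}
{"pid": 1000, "api": "CreateProcessW", "args": {"lpApplicationName": "C:\\sandbox\\host.exe", "dwCreationFlags": 4}, "ret": 1, "child_pid": 2000}
{"pid": 1000, "api": "VirtualAllocEx", "args": {"target_pid": 2000, "lpAddress": 4194304, "dwSize": 180224, "flProtect": 64}, "ret": 4194304}
{"pid": 1000, "api": "WriteProcessMemory", "args": {"target_pid": 2000, "lpBaseAddress": 4194304, "nSize": 1024, "buffer_head": "4d5a90000300000004000000ffff0000"}, "ret": 1}
{"pid": 1000, "api": "NtSetContextThread", "args": {"target_pid": 2000, "tid": 2001}, "ret": 0}
{"pid": 1000, "api": "ResumeThread", "args": {"target_pid": 2000, "tid": 2001}, "ret": 1}
"""


def parse_trace(text):
    """One JSON object per non-empty line, in call order."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events, sample_pid=None):
    """Replay the trace and return the (level, description) signatures it fires,
    ordered danger > watch > notice, then alphabetically."""
    if sample_pid is None:
        sample_pid = events[0]["pid"]          # assume the first call belongs to the sample
    children, written, hits = set(), set(), set()
    for ev in events:
        pid, api, args = ev["pid"], ev["api"], ev.get("args", {})
        if pid != sample_pid:
            continue
        target = args.get("target_pid")        # pid behind the handle argument
        remote = target is not None and target != pid
        if api in ("CreateProcessA", "CreateProcessW") and ev.get("ret"):
            children.add(ev["child_pid"])      # CREATE_SUSPENDED is in dwCreationFlags (0x4)
        elif api == "VirtualAlloc" and args.get("flProtect") == PAGE_EXECUTE_READWRITE:
            hits.add(("notice", SIG_RWX_SELF))
        elif api in ("VirtualAllocEx", "VirtualProtectEx") and remote \
                and args.get("flProtect") in EXECUTE_PROTECTIONS:
            hits.add(("watch", SIG_REMOTE_EXEC))
        elif api in ("WriteProcessMemory", "NtWriteVirtualMemory") and remote:
            written.add(target)
            hits.add(("watch", SIG_REMOTE_WRITE))
            if target not in children:         # only fires for processes the sample did not spawn
                hits.add(("watch", SIG_NON_CHILD))
            if bytes.fromhex(args.get("buffer_head", "")).startswith(b"MZ"):
                hits.add(("watch", SIG_PE_BUFFER))
        elif api == "NtSetContextThread" and remote:
            hits.add(("watch", SIG_SET_CONTEXT))
        elif api == "ResumeThread" and remote:
            hits.add(("watch", SIG_RESUME))
            if target in children and target in written:
                hits.add(("danger", SIG_INJECTED_CHILD))   # full hollowing chain observed
    return sorted(hits, key=lambda h: (LEVEL_ORDER[h[0]], h[1]))


if __name__ == "__main__":
    for level, text in analyze(parse_trace(SAMPLE_TRACE)):
        print("%-7s %s" % (level, text))
```

The "danger" row only appears once the chain closes (child created, memory written, thread resumed), which is why a sandbox can rate the whole report "danger" from the same primitives that individually rate "watch". The "non-child" signature in the real report suggests the sample also touched a process it did not create, or the sandbox attributes the child differently; the trace here deliberately keeps the target a child so the two heuristics can be told apart.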
Rules (22cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PowerShell | PowerShell script | scripts |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (8cnts)
Suricata IDS
ET POLICY External IP Lookup ip-api.com
ET POLICY Microsoft user-agent automated process response to automated request
ET POLICY Microsoft user-agent automated process response to automated request
PE API
IAT (Import Address Table) Library
USER32.dll
0x44314c SetCapture
0x443150 DragDetect
0x443154 GetWindowRect
0x443158 SetRect
0x44315c ShowWindow
ole32.dll
0x443164 OleSetClipboard
0x443168 OleUninitialize
KERNEL32.dll
0x443000 TlsSetValue
0x443004 CreateFileW
0x443008 HeapSize
0x44300c ReadConsoleW
0x443010 GetProcessHeap
0x443014 SetStdHandle
0x443018 SetEnvironmentVariableW
0x44301c FreeEnvironmentStringsW
0x443020 GetEnvironmentStringsW
0x443024 VirtualProtect
0x443028 GetConsoleWindow
0x44302c WideCharToMultiByte
0x443030 MultiByteToWideChar
0x443034 GetStringTypeW
0x443038 EnterCriticalSection
0x44303c LeaveCriticalSection
0x443040 InitializeCriticalSectionEx
0x443044 DeleteCriticalSection
0x443048 EncodePointer
0x44304c DecodePointer
0x443050 LCMapStringEx
0x443054 GetLocaleInfoEx
0x443058 CompareStringEx
0x44305c GetCPInfo
0x443060 UnhandledExceptionFilter
0x443064 SetUnhandledExceptionFilter
0x443068 GetCurrentProcess
0x44306c TerminateProcess
0x443070 IsProcessorFeaturePresent
0x443074 QueryPerformanceCounter
0x443078 GetCurrentProcessId
0x44307c GetCurrentThreadId
0x443080 GetSystemTimeAsFileTime
0x443084 InitializeSListHead
0x443088 IsDebuggerPresent
0x44308c GetStartupInfoW
0x443090 GetModuleHandleW
0x443094 GetOEMCP
0x443098 RaiseException
0x44309c RtlUnwind
0x4430a0 GetLastError
0x4430a4 SetLastError
0x4430a8 InitializeCriticalSectionAndSpinCount
0x4430ac TlsAlloc
0x4430b0 TlsGetValue
0x4430b4 WriteConsoleW
0x4430b8 TlsFree
0x4430bc FreeLibrary
0x4430c0 GetProcAddress
0x4430c4 LoadLibraryExW
0x4430c8 GetStdHandle
0x4430cc WriteFile
0x4430d0 GetModuleFileNameW
0x4430d4 ExitProcess
0x4430d8 GetModuleHandleExW
0x4430dc GetCommandLineA
0x4430e0 GetCommandLineW
0x4430e4 HeapFree
0x4430e8 HeapAlloc
0x4430ec GetDateFormatW
0x4430f0 GetTimeFormatW
0x4430f4 CompareStringW
0x4430f8 LCMapStringW
0x4430fc GetLocaleInfoW
0x443100 IsValidLocale
0x443104 GetUserDefaultLCID
0x443108 EnumSystemLocalesW
0x44310c HeapReAlloc
0x443110 GetFileType
0x443114 GetFileSizeEx
0x443118 SetFilePointerEx
0x44311c CloseHandle
0x443120 FlushFileBuffers
0x443124 GetConsoleOutputCP
0x443128 GetConsoleMode
0x44312c ReadFile
0x443130 GetTimeZoneInformation
0x443134 FindClose
0x443138 FindFirstFileExW
0x44313c FindNextFileW
0x443140 IsValidCodePage
0x443144 GetACP
EAT (Export Address Table): none
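The imphash in the header is an MD5 over exactly this import list, normalised the way pefile does it: each entry becomes lowercase `library.function` with the `.dll` extension dropped, the entries are joined with commas in import-directory order, and the result is hashed. The Python below is an added example, not the report's or pefile's own code: it parses the listing in the page's text format and computes the hash. Its embedded sample is a shortened, constructed copy of the IAT above (most KERNEL32 entries omitted), so it will not reproduce `8ab6774378f2864e08787ded42b610d5`; even with the full list, the report prints libraries in an order (USER32, ole32, KERNEL32) that may not be the binary's import-directory order, which imphash depends on, so `matches_report` is there to check rather than to assume. Ordinal-only imports (pefile renders them as `ordN` or resolves them from built-in tables) are not handled because the report shows none.

```python
"""imphash from a report-style IAT listing, computed the way pefile does it.

Added example, not part of the report.
"""
import hashlib
import re

REPORTED_IMPHASH = "8ab6774378f2864e08787ded42b610d5"   # value printed in the report header

# Extensions pefile strips from the library name before hashing.
_STRIP_EXT = (".dll", ".ocx", ".sys")

# Constructed sample in the report's listing format: a library line, then
# "0xADDR FunctionName" lines. Shortened copy of the page's IAT section;
# paste the full section in to hash the real table.
SAMPLE_IAT = """
USER32.dll
0x44314c SetCapture
0x443150 DragDetect
0x443154 GetWindowRect
0x443158 SetRect
0x44315c ShowWindow
ole32.dll
0x443164 OleSetClipboard
0x443168 OleUninitialize
KERNEL32.dll
0x443000 TlsSetValue
0x443004 CreateFileW
0x443024 VirtualProtect
0x443088 IsDebuggerPresent
0x4430c0 GetProcAddress
0x4430c4 LoadLibraryExW
"""

ENTRY_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)$")


def parse_iat(text):
    """Return [(library, [(iat_address, function), ...]), ...] in listing order."""
    libs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            libs.append((line, []))            # a library header line
        elif not libs:
            raise ValueError("function entry before any library line: %r" % line)
        else:
            libs[-1][1].append((int(m.group(1), 16), m.group(2)))
    return libs


def sort_by_address(libs):
    """Reorder libraries by their lowest IAT slot address.

    The report prints USER32 first, but its slots (0x44314c) sit above
    KERNEL32's (0x443000). Linkers usually lay out the IAT in import-directory
    order, so this is one hint when that order is not shown.
    """
    return sorted(libs, key=lambda lib: min(a for a, _ in lib[1]) if lib[1] else 0)


def normalize(libs):
    """Build the 'lib.func,lib.func,...' string that pefile hashes."""
    parts = []
    for lib, entries in libs:
        name = lib.lower()
        for ext in _STRIP_EXT:
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        parts.extend("%s.%s" % (name, func.lower()) for _, func in entries)
    return ",".join(parts)


def imphash(text, by_address=False):
    libs = parse_iat(text)
    if by_address:
        libs = sort_by_address(libs)
    return hashlib.md5(normalize(libs).encode("ascii")).hexdigest()


def matches_report(text, by_address=False):
    """True only if the listing hashes to the imphash printed in the report."""
    return imphash(text, by_address) == REPORTED_IMPHASH


if __name__ == "__main__":
    for by_addr in (False, True):
        print("order=%-11s imphash=%s matches_report=%s" % (
            "iat-address" if by_addr else "listing",
            imphash(SAMPLE_IAT, by_addr), matches_report(SAMPLE_IAT, by_addr)))
```

Because the hash covers names and order but not addresses, two builds of the same source with the same linker settings share an imphash even when every other hash on this page differs; that is what makes it useful for clustering, and also why a packer that rebuilds the import table (the UPX rule hits above) makes the value describe the stub rather than the payload.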