ScreenShot
| Created | 2023.06.26 10:10 | Machine | s1_win7_x6403 |
| Filename | staticlittlesource.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | ae9991a02aa20ebbc2cc3c0f40924442 | ||
| sha256 | 5c38a5dd3703b1c4b8c2466b18ce9f4c45ef4c9bf6c3096bee8b24d20ecd247a | ||
| ssdeep | 12288:PVon2T2h6bhdoDJdZuQU574H0HNfusW2wvpwSIDMUF3cTOq1Ni:PVT2oPaJfCAKfu1DBwjPcT51s | ||
| imphash | 1e5efd483892326cc4eeb97bc14a6266 | ||
| impfuzzy | 24:q4g+UcpVWZttlS1xGhlJBlCDoLoEOovbO3kFZMv5GMAkEZHu9n:FUcpVettlS1xGnVc30FZGp | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Detects Avast Antivirus through the presence of a library |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Executes one or more WMI queries |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
USER32.dll
0x428144 UnloadKeyboardLayout
GDI32.dll
0x428000 GetAspectRatioFilterEx
0x428004 Ellipse
KERNEL32.dll
0x42800c CreateFileW
0x428010 FreeLibrary
0x428014 GetModuleHandleA
0x428018 FreeConsole
0x42801c GetModuleHandleW
0x428020 MultiByteToWideChar
0x428024 GetStringTypeW
0x428028 WideCharToMultiByte
0x42802c EnterCriticalSection
0x428030 LeaveCriticalSection
0x428034 InitializeCriticalSectionEx
0x428038 DeleteCriticalSection
0x42803c EncodePointer
0x428040 DecodePointer
0x428044 LCMapStringEx
0x428048 GetCPInfo
0x42804c IsProcessorFeaturePresent
0x428050 UnhandledExceptionFilter
0x428054 SetUnhandledExceptionFilter
0x428058 GetCurrentProcess
0x42805c TerminateProcess
0x428060 QueryPerformanceCounter
0x428064 GetCurrentProcessId
0x428068 GetCurrentThreadId
0x42806c GetSystemTimeAsFileTime
0x428070 InitializeSListHead
0x428074 IsDebuggerPresent
0x428078 GetStartupInfoW
0x42807c HeapSize
0x428080 RaiseException
0x428084 RtlUnwind
0x428088 GetLastError
0x42808c SetLastError
0x428090 InitializeCriticalSectionAndSpinCount
0x428094 TlsAlloc
0x428098 TlsGetValue
0x42809c TlsSetValue
0x4280a0 TlsFree
0x4280a4 WriteConsoleW
0x4280a8 GetProcAddress
0x4280ac LoadLibraryExW
0x4280b0 GetStdHandle
0x4280b4 WriteFile
0x4280b8 GetModuleFileNameW
0x4280bc ExitProcess
0x4280c0 GetModuleHandleExW
0x4280c4 GetCommandLineA
0x4280c8 GetCommandLineW
0x4280cc HeapAlloc
0x4280d0 HeapFree
0x4280d4 CompareStringW
0x4280d8 LCMapStringW
0x4280dc GetLocaleInfoW
0x4280e0 IsValidLocale
0x4280e4 GetUserDefaultLCID
0x4280e8 EnumSystemLocalesW
0x4280ec GetFileType
0x4280f0 CloseHandle
0x4280f4 FlushFileBuffers
0x4280f8 GetConsoleOutputCP
0x4280fc GetConsoleMode
0x428100 ReadFile
0x428104 GetFileSizeEx
0x428108 SetFilePointerEx
0x42810c ReadConsoleW
0x428110 HeapReAlloc
0x428114 FindClose
0x428118 FindFirstFileExW
0x42811c FindNextFileW
0x428120 IsValidCodePage
0x428124 GetACP
0x428128 GetOEMCP
0x42812c GetEnvironmentStringsW
0x428130 FreeEnvironmentStringsW
0x428134 SetEnvironmentVariableW
0x428138 SetStdHandle
0x42813c GetProcessHeap
EAT(Export Address Table) is none
USER32.dll
0x428144 UnloadKeyboardLayout
GDI32.dll
0x428000 GetAspectRatioFilterEx
0x428004 Ellipse
KERNEL32.dll
0x42800c CreateFileW
0x428010 FreeLibrary
0x428014 GetModuleHandleA
0x428018 FreeConsole
0x42801c GetModuleHandleW
0x428020 MultiByteToWideChar
0x428024 GetStringTypeW
0x428028 WideCharToMultiByte
0x42802c EnterCriticalSection
0x428030 LeaveCriticalSection
0x428034 InitializeCriticalSectionEx
0x428038 DeleteCriticalSection
0x42803c EncodePointer
0x428040 DecodePointer
0x428044 LCMapStringEx
0x428048 GetCPInfo
0x42804c IsProcessorFeaturePresent
0x428050 UnhandledExceptionFilter
0x428054 SetUnhandledExceptionFilter
0x428058 GetCurrentProcess
0x42805c TerminateProcess
0x428060 QueryPerformanceCounter
0x428064 GetCurrentProcessId
0x428068 GetCurrentThreadId
0x42806c GetSystemTimeAsFileTime
0x428070 InitializeSListHead
0x428074 IsDebuggerPresent
0x428078 GetStartupInfoW
0x42807c HeapSize
0x428080 RaiseException
0x428084 RtlUnwind
0x428088 GetLastError
0x42808c SetLastError
0x428090 InitializeCriticalSectionAndSpinCount
0x428094 TlsAlloc
0x428098 TlsGetValue
0x42809c TlsSetValue
0x4280a0 TlsFree
0x4280a4 WriteConsoleW
0x4280a8 GetProcAddress
0x4280ac LoadLibraryExW
0x4280b0 GetStdHandle
0x4280b4 WriteFile
0x4280b8 GetModuleFileNameW
0x4280bc ExitProcess
0x4280c0 GetModuleHandleExW
0x4280c4 GetCommandLineA
0x4280c8 GetCommandLineW
0x4280cc HeapAlloc
0x4280d0 HeapFree
0x4280d4 CompareStringW
0x4280d8 LCMapStringW
0x4280dc GetLocaleInfoW
0x4280e0 IsValidLocale
0x4280e4 GetUserDefaultLCID
0x4280e8 EnumSystemLocalesW
0x4280ec GetFileType
0x4280f0 CloseHandle
0x4280f4 FlushFileBuffers
0x4280f8 GetConsoleOutputCP
0x4280fc GetConsoleMode
0x428100 ReadFile
0x428104 GetFileSizeEx
0x428108 SetFilePointerEx
0x42810c ReadConsoleW
0x428110 HeapReAlloc
0x428114 FindClose
0x428118 FindFirstFileExW
0x42811c FindNextFileW
0x428120 IsValidCodePage
0x428124 GetACP
0x428128 GetOEMCP
0x42812c GetEnvironmentStringsW
0x428130 FreeEnvironmentStringsW
0x428134 SetEnvironmentVariableW
0x428138 SetStdHandle
0x42813c GetProcessHeap
EAT(Export Address Table) is none