Field | Value |
---|---|
Created | 2023.07.04 07:29 |
Machine | s1_win7_x6401 |
Filename | mmfqdf2p9r107.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | |
md5 | 47d27bb5f4a208f3081471d00e87d1e4 |
sha256 | 618d5757cf057b15ac4608340b2c7f641bf56661da501b5084b0fa9212a1dcfd |
ssdeep | 24576:wtpH9qTz57hM4/btkcXoTYMl6cexqJJnDIT69NyvONbeKtppAFZg+v:qM57hr7+MxqJJnsT69dbeKtp4 |
imphash | 4170fdb8933a7ec27e3266f6fc460d37 |
impfuzzy | 48:BoWJcpH+PdD99rxQSXtXlcGtfz2a633uFZGt:BoWJcpH+P5DrxHXtXlcGtfqaBk |
Signature (35cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
watch | A process attempted to delay the analysis task. |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Installs itself for autorun at Windows startup |
watch | Looks for the Windows Idle Time to determine the uptime |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | The process powershell.exe wrote an executable file to disk |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates hidden or system file |
notice | Executes one or more WMI queries |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Terminates another process |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | This executable has a PDB path |
info | Uses Windows APIs to generate a cryptographic key |
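Reading 35 signature rows one by one is slow when many reports have to be triaged. The script below is an added example, not part of the sandbox's output: it parses the table above (copied inline as constructed input), counts rows per level, maps descriptions to ATT&CK technique IDs with a keyword heuristic of its own (that mapping is the example's assumption, not the sandbox's), and checks whether the watch-level injection signatures form the complete allocate-executable-memory, write, NtSetContextThread, ResumeThread sequence, which is thread-context hijacking of a process started suspended. A lone VirtualProtectEx import or a single RWX allocation should not produce that verdict; all four stages together should.

```python
import re
from collections import Counter

# Constructed copy of the report's Signature table ("level | description"), one row per line.
SIGNATURE_TABLE = """
danger | Executed a process and injected code into it
watch | A process attempted to delay the analysis task.
watch | Allocates execute permission to another process indicative of possible code injection
watch | Installs itself for autorun at Windows startup
watch | Looks for the Windows Idle Time to determine the uptime
watch | Manipulates memory of a non-child process indicative of process injection
watch | One or more of the buffers contains an embedded PE file
watch | Potential code injection by writing to the memory of another process
watch | Resumed a suspended thread in a remote process potentially indicative of process injection
watch | The process powershell.exe wrote an executable file to disk
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice | Allocates read-write-execute memory (usually to unpack itself)
notice | Checks adapter addresses which can be used to detect virtual network interfaces
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice | Creates a shortcut to an executable file
notice | Creates a suspicious process
notice | Creates hidden or system file
notice | Executes one or more WMI queries
notice | Executes one or more WMI queries which can be used to identify virtual machines
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice | One or more potentially interesting buffers were extracted
notice | Performs some HTTP requests
notice | Potentially malicious URLs were found in the process memory dump
notice | Terminates another process
notice | Uses Windows utilities for basic Windows functionality
notice | Yara rule detected in process memory
info | Checks amount of memory in system
info | Checks if process is being debugged by a debugger
info | Command line console output was observed
info | One or more processes crashed
info | Queries for the computername
info | The executable contains unknown PE section names indicative of a packer (could be a false positive)
info | The executable uses a known packer
info | This executable has a PDB path
info | Uses Windows APIs to generate a cryptographic key
"""

# Keyword-to-ATT&CK mapping: the example author's heuristic, not the sandbox's.
TECHNIQUE_RULES = [
    (r"inject", "T1055 Process Injection"),
    (r"autorun", "T1547.001 Registry Run Keys / Startup Folder"),
    (r"delay the analysis|Idle Time", "T1497.003 Time Based Evasion"),
    (r"virtual (machines|network)", "T1497.001 System Checks"),
    (r"debugged by a debugger", "T1622 Debugger Evasion"),
    (r"powershell\.exe", "T1059.001 PowerShell"),
    (r"WMI quer", "T1047 Windows Management Instrumentation"),
]

# The four stages of a thread-hijacking injection, as the watch-level signatures word them.
INJECTION_STAGES = {
    "allocate_rx": r"Allocates execute permission to another process",
    "write":       r"writing to the memory of another process",
    "set_context": r"NtSetContextThread",
    "resume":      r"Resumed a suspended thread",
}

def parse_signatures(table):
    """Return [(level, description), ...] from the pipe-separated table text."""
    rows = []
    for line in table.strip().splitlines():
        level, sep, desc = line.partition("|")
        if not sep:
            raise ValueError(f"row without a level column: {line!r}")
        rows.append((level.strip(), desc.strip()))
    return rows

def level_counts(rows):
    return dict(Counter(level for level, _ in rows))

def map_techniques(rows):
    """Map each description to technique IDs; one description can hit several rules."""
    hits = {}
    for _, desc in rows:
        for pattern, technique in TECHNIQUE_RULES:
            if re.search(pattern, desc, re.IGNORECASE):
                hits.setdefault(technique, []).append(desc)
    return hits

def injection_chain(rows):
    """Which stages the signature set covers; all four together is the full sequence."""
    blob = "\n".join(desc for _, desc in rows)
    return {stage: bool(re.search(pat, blob)) for stage, pat in INJECTION_STAGES.items()}

def triage(table):
    rows = parse_signatures(table)
    chain = injection_chain(rows)
    return {
        "levels": level_counts(rows),
        "techniques": sorted(map_techniques(rows)),
        "injection_chain_complete": all(chain.values()),
    }
```

The chain check is deliberately strict: remove the NtSetContextThread row and `injection_chain_complete` drops to false, which is the behaviour you want before escalating a report on the strength of "indicative of" signatures alone.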
Rules (17cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | schtasks_Zero | task schedule | memory |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | vmdetect_misc | Referenced from AlienVault's Yara rule repository; this rule contains additional process and driver names. | memory |
Network (8cnts)
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
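The SSLBL line means that the JA3 hash of a ClientHello observed during the run matched an abuse.ch SSL Blacklist entry labelled Tofsee. JA3 hashes the TLS version, cipher suites, extension types, supported groups and point formats of the ClientHello (GREASE values removed), so it fingerprints the TLS client stack, not the malware family; treat the label as a lead to confirm rather than a verdict. Note also that no networking DLL appears in the IAT listing below, which is consistent with the handshake being sent by the process that received the injected code, or through imports resolved at runtime via GetProcAddress. The block below is an added example, not the sandbox's or Suricata's code: it builds a constructed ClientHello, computes the JA3 string and hash, and checks the hash against a constructed blocklist (the real SSLBL entry behind this report is not reproduced here).

```python
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 drops them so that the
# randomised GREASE placement browsers use does not change the fingerprint.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}

def _u16(buf, off):
    return struct.unpack_from(">H", buf, off)[0]

def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = _u16(body, 0)
    off = 2 + 32                                   # client_version + random
    off += 1 + body[off]                           # session_id
    cs_len = _u16(body, off); off += 2
    ciphers = [_u16(body, off + i) for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                           # compression_methods
    exts, groups, formats = [], [], []
    if off < len(body):
        end = off + 2 + _u16(body, off); off += 2
        while off < end:
            etype, elen = _u16(body, off), _u16(body, off + 2)
            edata = body[off + 4: off + 4 + elen]
            exts.append(etype)
            if etype == 10:                        # supported_groups
                groups = [_u16(edata, 2 + i) for i in range(0, _u16(edata, 0), 2)]
            elif etype == 11:                      # ec_point_formats
                formats = list(edata[1:1 + edata[0]])
            off += 4 + elen

    def strip(vals):
        return [v for v in vals if v not in GREASE]

    ja3 = ",".join([
        str(version),
        "-".join(map(str, strip(ciphers))),
        "-".join(map(str, strip(exts))),
        "-".join(map(str, strip(groups))),
        "-".join(map(str, formats)),
    ])
    return ja3, hashlib.md5(ja3.encode("ascii")).hexdigest()

def check_sslbl(record, blocklist):
    """blocklist: {ja3_md5: label}. Returns the label on a hit, else None."""
    return blocklist.get(ja3_from_client_hello(record)[1])

def build_client_hello(ciphers, extensions):
    """Constructed test input: minimal ClientHello (zero random, no session id) in a TLS record."""
    body = b"\x03\x03" + bytes(32) + b"\x00"
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                            # one compression method: null
    ext_blob = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext_blob)) + ext_blob
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

# Constructed sample: a GREASE cipher and a GREASE extension must not appear in the JA3 string.
SAMPLE_HELLO = build_client_hello(
    ciphers=[0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f],
    extensions=[
        (0x1a1a, b""),                                           # GREASE extension
        (0, b"\x00\x0e\x00\x00\x0bexample.com"),                 # server_name
        (10, b"\x00\x06\x00\x1d\x00\x17\x00\x18"),               # x25519, secp256r1, secp384r1
        (11, b"\x01\x00"),                                       # uncompressed points
        (23, b""),                                               # extended_master_secret
    ],
)
```

For the constructed sample the JA3 string is `771,4865-4866-49195-49199,0-10-11-23,29-23-24,0`; moving the GREASE values to other positions leaves both the string and the MD5 unchanged, which is the property that makes JA3 stable across connections from the same client stack.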
PE API
IAT (Import Address Table) Library
GDI32.dll
0x4b3000 GetDCBrushColor
KERNEL32.dll
0x4b3030 VirtualProtectEx
0x4b3034 FreeConsole
0x4b3038 RaiseException
0x4b303c InitializeSRWLock
0x4b3040 ReleaseSRWLockExclusive
0x4b3044 AcquireSRWLockExclusive
0x4b3048 EnterCriticalSection
0x4b304c LeaveCriticalSection
0x4b3050 InitializeCriticalSectionEx
0x4b3054 TryEnterCriticalSection
0x4b3058 DeleteCriticalSection
0x4b305c GetCurrentThreadId
0x4b3060 InitializeConditionVariable
0x4b3064 WakeConditionVariable
0x4b3068 WakeAllConditionVariable
0x4b306c SleepConditionVariableCS
0x4b3070 SleepConditionVariableSRW
0x4b3074 FormatMessageA
0x4b3078 InitOnceBeginInitialize
0x4b307c InitOnceComplete
0x4b3080 GetLastError
0x4b3084 FreeLibraryWhenCallbackReturns
0x4b3088 CreateThreadpoolWork
0x4b308c SubmitThreadpoolWork
0x4b3090 CloseThreadpoolWork
0x4b3094 GetModuleHandleExW
0x4b3098 RtlCaptureStackBackTrace
0x4b309c IsProcessorFeaturePresent
0x4b30a0 QueryPerformanceCounter
0x4b30a4 QueryPerformanceFrequency
0x4b30a8 SetFileInformationByHandle
0x4b30ac FlsAlloc
0x4b30b0 FlsGetValue
0x4b30b4 FlsSetValue
0x4b30b8 FlsFree
0x4b30bc InitOnceExecuteOnce
0x4b30c0 CreateEventExW
0x4b30c4 CreateSemaphoreExW
0x4b30c8 FlushProcessWriteBuffers
0x4b30cc GetCurrentProcessorNumber
0x4b30d0 GetSystemTimeAsFileTime
0x4b30d4 GetTickCount64
0x4b30d8 CreateThreadpoolTimer
0x4b30dc SetThreadpoolTimer
0x4b30e0 WaitForThreadpoolTimerCallbacks
0x4b30e4 CloseThreadpoolTimer
0x4b30e8 CreateThreadpoolWait
0x4b30ec SetThreadpoolWait
0x4b30f0 CloseThreadpoolWait
0x4b30f4 GetModuleHandleW
0x4b30f8 GetProcAddress
0x4b30fc GetFileInformationByHandleEx
0x4b3100 CreateSymbolicLinkW
0x4b3104 CloseHandle
0x4b3108 WaitForSingleObjectEx
0x4b310c Sleep
0x4b3110 SwitchToThread
0x4b3114 GetExitCodeThread
0x4b3118 GetNativeSystemInfo
0x4b311c LocalFree
0x4b3120 InitializeCriticalSectionAndSpinCount
0x4b3124 SetEvent
0x4b3128 ResetEvent
0x4b312c CreateEventW
0x4b3130 GetCurrentProcessId
0x4b3134 InitializeSListHead
0x4b3138 IsDebuggerPresent
0x4b313c UnhandledExceptionFilter
0x4b3140 SetUnhandledExceptionFilter
0x4b3144 GetStartupInfoW
0x4b3148 GetCurrentProcess
0x4b314c TerminateProcess
0x4b3150 WriteConsoleW
0x4b3154 RtlUnwind
0x4b3158 InterlockedPushEntrySList
0x4b315c InterlockedFlushSList
0x4b3160 SetLastError
0x4b3164 EncodePointer
0x4b3168 TlsAlloc
0x4b316c TlsGetValue
0x4b3170 TlsSetValue
0x4b3174 TlsFree
0x4b3178 FreeLibrary
0x4b317c LoadLibraryExW
0x4b3180 CreateThread
0x4b3184 ExitThread
0x4b3188 ResumeThread
0x4b318c FreeLibraryAndExitThread
0x4b3190 GetStdHandle
0x4b3194 WriteFile
0x4b3198 GetModuleFileNameW
0x4b319c ExitProcess
0x4b31a0 GetCommandLineA
0x4b31a4 GetCommandLineW
0x4b31a8 GetCurrentThread
0x4b31ac SetConsoleCtrlHandler
0x4b31b0 HeapFree
0x4b31b4 HeapAlloc
0x4b31b8 GetDateFormatW
0x4b31bc GetTimeFormatW
0x4b31c0 CompareStringW
0x4b31c4 LCMapStringW
0x4b31c8 GetLocaleInfoW
0x4b31cc IsValidLocale
0x4b31d0 GetUserDefaultLCID
0x4b31d4 EnumSystemLocalesW
0x4b31d8 GetFileType
0x4b31dc GetFileSizeEx
0x4b31e0 SetFilePointerEx
0x4b31e4 OutputDebugStringW
0x4b31e8 FindClose
0x4b31ec FindFirstFileExW
0x4b31f0 FindNextFileW
0x4b31f4 IsValidCodePage
0x4b31f8 GetACP
0x4b31fc GetOEMCP
0x4b3200 GetCPInfo
0x4b3204 MultiByteToWideChar
0x4b3208 WideCharToMultiByte
0x4b320c GetEnvironmentStringsW
0x4b3210 FreeEnvironmentStringsW
0x4b3214 SetEnvironmentVariableW
0x4b3218 SetStdHandle
0x4b321c GetStringTypeW
0x4b3220 GetProcessHeap
0x4b3224 FlushFileBuffers
0x4b3228 GetConsoleOutputCP
0x4b322c GetConsoleMode
0x4b3230 HeapSize
0x4b3234 HeapReAlloc
0x4b3238 ReadFile
0x4b323c ReadConsoleW
0x4b3240 CreateFileW
0x4b3244 DecodePointer
EAT (Export Address Table): none
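The imphash in the summary table is the MD5 of the import table normalised to "dll.function" entries: lower-cased, library extension stripped, in import order. Two builds with the same import layout share it, and so does every sample wrapped by the same packer stub, which is why it is a clustering pivot rather than an identity. The block below is an added example, not the report's or pefile's own code: it parses an excerpt of the IAT listing above (copied inline as constructed input) and computes the hash the way pefile does, except that ordinal-only imports are emitted as ordN without pefile's name lookup for oleaut32, ws2_32 and wsock32 (a simplification). It will not reproduce the report's value 4170fdb8933a7ec27e3266f6fc460d37: the excerpt is a few rows, and the listing above jumps from 0x4b3000 to 0x4b3030, so it is not necessarily the complete table. One thing the listing does show is that the imports are the MSVC CRT's own (FlsAlloc, InitOnceExecuteOnce, the threadpool family) rather than the handful a UPX stub keeps, so the "known packer" signature is worth cross-checking against the section table before clustering on this hash.

```python
import hashlib
import re

# Constructed excerpt of the report's IAT listing: a DLL name on its own line,
# followed by "0xADDR FunctionName" rows in IAT order.
IAT_LISTING = """
GDI32.dll
0x4b3000 GetDCBrushColor
KERNEL32.dll
0x4b3030 VirtualProtectEx
0x4b3034 FreeConsole
0x4b3038 RaiseException
0x4b303c InitializeSRWLock
"""

ROW = re.compile(r"^0x([0-9a-fA-F]+)\s+(\S+)$")

def parse_iat(text):
    """Return [(dll, function), ...] preserving the order of the listing."""
    imports, dll = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = ROW.match(line)
        if m is None:
            dll = line                     # a bare line names the DLL for the rows that follow
            continue
        if dll is None:
            raise ValueError(f"import row before any DLL header: {line!r}")
        imports.append((dll, m.group(2)))
    return imports

def imphash(imports):
    """pefile-style import hash over (dll, function-or-ordinal) pairs in import order.
    Returns (normalised_string, md5). Ordinals become 'ordN' (assumption: no name lookup)."""
    entries = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        entries.append(f"{lib}.{name}")
    joined = ",".join(entries)
    return joined, hashlib.md5(joined.encode("ascii")).hexdigest()
```

Because the hash covers order as well as content, reversing the import list changes it; a re-linked build that merely reorders imports therefore falls into a different cluster, while a re-compiled build with identical imports does not.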