Field | Value |
---|---|
Created | 2023.07.05 17:34 |
Machine | s1_win7_x6401 |
Filename | setop.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | |
VT API (file) | 33 detected (AIDetectMalware, Lazy, GenericRXVX, As5t, Attribute, HighConfidence, Windows, Lobshot, ADYK, Malicious, score, DarkVNC, MalwareX, XPACK, Gen3, Siggen2, Wacapew, ai score=85, unsafe, lVmKEGZ4QoP, ZexaF, fu0@ai5jF9mi, confidence) |
md5 | 7104f635a41839bac7835703f06f744e |
sha256 | 88502f27ab03c34af7ceda2bb6fecda42ae227e74e8a5e52346db749e200d134 |
ssdeep | 1536:auj56ycNa0SNndwAhRvTlrYZUkGnP3+RBJWPnhdTW8tBniRgR:auj5+NJINhRvTHlnP3+RB4pYwBi |
imphash | 65624f92376796124f44332f088e6bfd |
impfuzzy | 96:JEPqCywcp+ZQLP1ahUFE2qxAwXqR6n5OR0PF8h:9ZDEhiqCwa6n5vK |
Network IP location
Signature (16cnts)
Level | Description |
---|---|
danger | File has been identified by 33 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Deletes executed files from disk |
watch | Installs itself for autorun at Windows startup |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Creates a suspicious process |
notice | Drops an executable to the user AppData folder |
notice | Expresses interest in specific running processes |
notice | Moves the original executable to a new location |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Steals private information from local Internet browsers |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
Rules (38cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Network_Downloader | File Downloader | memory |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate priviledges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | Persistence | Install itself for autorun at Windows startup | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x410074 GlobalUnlock
0x410078 lstrcmpiA
0x41007c CreateDirectoryW
0x410080 WritePrivateProfileStringW
0x410084 GetPrivateProfileIntW
0x410088 AssignProcessToJobObject
0x41008c CreateJobObjectW
0x410090 SetFilePointer
0x410094 GetPrivateProfileSectionNamesW
0x410098 ResumeThread
0x41009c GetPrivateProfileStringW
0x4100a0 Sleep
0x4100a4 lstrcpyA
0x4100a8 GetCurrentProcessId
0x4100ac CreateProcessA
0x4100b0 TerminateJobObject
0x4100b4 lstrcmpiW
0x4100b8 GetCommandLineW
0x4100bc GetCurrentProcess
0x4100c0 TerminateProcess
0x4100c4 lstrcmpA
0x4100c8 SetFileAttributesW
0x4100cc ExitProcess
0x4100d0 lstrcmpW
0x4100d4 SetErrorMode
0x4100d8 ExitThread
0x4100dc SetUnhandledExceptionFilter
0x4100e0 FindFirstFileW
0x4100e4 FindNextFileW
0x4100e8 MapViewOfFile
0x4100ec FindClose
0x4100f0 TerminateThread
0x4100f4 CreateFileMappingW
0x4100f8 MoveFileW
0x4100fc GetVersionExW
0x410100 WaitForMultipleObjects
0x410104 FreeLibrary
0x410108 LoadLibraryExW
0x41010c EnterCriticalSection
0x410110 LeaveCriticalSection
0x410114 InitializeCriticalSection
0x410118 DeleteCriticalSection
0x41011c GetModuleFileNameW
0x410120 GetEnvironmentVariableA
0x410124 OpenProcess
0x410128 CreateToolhelp32Snapshot
0x41012c Process32NextW
0x410130 Process32FirstW
0x410134 CreateFileMappingA
0x410138 SetEnvironmentVariableA
0x41013c GetEnvironmentVariableW
0x410140 GetCurrentThreadId
0x410144 ProcessIdToSessionId
0x410148 GetTickCount64
0x41014c WTSGetActiveConsoleSessionId
0x410150 GetTempFileNameW
0x410154 lstrcpyW
0x410158 CopyFileW
0x41015c CreateProcessW
0x410160 GetFileSize
0x410164 MoveFileExW
0x410168 LocalFree
0x41016c GlobalLock
0x410170 GetProcAddress
0x410174 CreateThread
0x410178 CloseHandle
0x41017c DeleteFileW
0x410180 GlobalAlloc
0x410184 lstrcatW
0x410188 LoadLibraryA
0x41018c FlushViewOfFile
0x410190 GetLastError
0x410194 FormatMessageW
0x410198 GetModuleHandleA
0x41019c lstrcatA
0x4101a0 UnmapViewOfFile
0x4101a4 GetFileAttributesW
0x4101a8 CreateFileW
0x4101ac LocalAlloc
0x4101b0 WaitForSingleObject
0x4101b4 lstrlenA
0x4101b8 VirtualAlloc
0x4101bc GetTickCount
0x4101c0 lstrcpynW
0x4101c4 WriteFile
0x4101c8 lstrlenW
0x4101cc VirtualFree
0x4101d0 ReadFile
0x4101d4 ExpandEnvironmentStringsW
0x4101d8 GetWindowsDirectoryW
USER32.dll
0x4101ec GetProcessWindowStation
0x4101f0 GetDesktopWindow
0x4101f4 GetUserObjectInformationW
0x4101f8 GetThreadDesktop
0x4101fc MonitorFromWindow
0x410200 ToAscii
0x410204 SetForegroundWindow
0x410208 PtInRect
0x41020c OpenDesktopW
0x410210 MenuItemFromPoint
0x410214 HiliteMenuItem
0x410218 ActivateKeyboardLayout
0x41021c PrintWindow
0x410220 BringWindowToTop
0x410224 GetTopWindow
0x410228 CreateDesktopW
0x41022c SetWindowLongA
0x410230 VkKeyScanExA
0x410234 GetKeyboardState
0x410238 GetMenuItemCount
0x41023c SetActiveWindow
0x410240 SetWindowPos
0x410244 GetDC
0x410248 GetMenu
0x41024c GetWindow
0x410250 GetKeyboardLayoutList
0x410254 CloseWindow
0x410258 PostMessageW
0x41025c GetWindowRect
0x410260 SendMessageTimeoutW
0x410264 SendMessageTimeoutA
0x410268 ScreenToClient
0x41026c WindowFromPoint
0x410270 GetWindowPlacement
0x410274 IsWindow
0x410278 CloseDesktop
0x41027c GetKeyboardLayout
0x410280 MoveWindow
0x410284 SetFocus
0x410288 LoadKeyboardLayoutA
0x41028c SystemParametersInfoA
0x410290 GetParent
0x410294 IsWindowVisible
0x410298 SetThreadDesktop
0x41029c GetWindowLongA
0x4102a0 GetWindowTextW
0x4102a4 OemToCharA
0x4102a8 GetClassNameW
0x4102ac CharLowerA
0x4102b0 GetWindowThreadProcessId
0x4102b4 FindWindowExW
0x4102b8 PostMessageA
0x4102bc wsprintfA
0x4102c0 FindWindowW
0x4102c4 EnumDesktopWindows
0x4102c8 OpenClipboard
0x4102cc wvsprintfW
0x4102d0 CloseClipboard
0x4102d4 wvsprintfA
0x4102d8 GetClipboardData
0x4102dc SetClipboardData
0x4102e0 IsClipboardFormatAvailable
0x4102e4 EmptyClipboard
GDI32.dll
0x410040 BitBlt
0x410044 CreateCompatibleBitmap
0x410048 SelectObject
0x41004c CreateCompatibleDC
0x410050 CreateDCA
0x410054 GetDIBits
0x410058 DeleteObject
0x41005c CreateSolidBrush
0x410060 GetDeviceCaps
0x410064 CreatePen
0x410068 Rectangle
0x41006c DeleteDC
ADVAPI32.dll
0x410000 RegQueryValueA
0x410004 GetSidSubAuthorityCount
0x410008 GetSidSubAuthority
0x41000c OpenProcessToken
0x410010 RegQueryValueExW
0x410014 RegDeleteValueA
0x410018 RegDeleteValueW
0x41001c RegOpenKeyExW
0x410020 RegOpenKeyExA
0x410024 RegSetValueExA
0x410028 RegQueryValueExA
0x41002c RegCloseKey
0x410030 RegSetValueA
0x410034 RegEnumKeyA
0x410038 GetTokenInformation
SHELL32.dll
0x4101e0 ShellExecuteW
0x4101e4 SHGetFolderPathW
EAT (Export Address Table): none
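The IAT above already explains most of the rows in the Signature and Rules tables. The following Python script is an added example by the editor, not part of this sandbox report and not the sandbox's rule set: it runs a capability triage over a constructed subset of the page's imports (trimmed to the entries that matter for triage) and reports which injection primitives are missing from the static import table. The capability map and its thresholds are the editor's own assumptions.

```python
"""Import-based capability triage over the IAT shown in this report.

Added example by the editor; it is not part of the sandbox report and the
capability map is not the sandbox's rule set.
"""

# Constructed subset of the page's IAT listing (only entries relevant to
# triage; the real binary imports more, see the full listing above).
IMPORTS = {
    "KERNEL32.dll": {
        "CreateProcessA", "CreateProcessW", "ResumeThread", "OpenProcess",
        "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
        "CreateJobObjectW", "AssignProcessToJobObject", "TerminateJobObject",
        "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CopyFileW",
        "MoveFileExW", "DeleteFileW", "GetTempFileNameW",
        "ProcessIdToSessionId", "WTSGetActiveConsoleSessionId",
    },
    "USER32.dll": {
        "CreateDesktopW", "OpenDesktopW", "SetThreadDesktop", "CloseDesktop",
        "EnumDesktopWindows", "PrintWindow", "GetKeyboardState", "ToAscii",
        "VkKeyScanExA", "GetKeyboardLayout", "OpenClipboard",
        "GetClipboardData", "SetClipboardData", "GetDC", "FindWindowW",
    },
    "GDI32.dll": {
        "BitBlt", "CreateCompatibleBitmap", "CreateCompatibleDC", "GetDIBits",
        "CreateDCA", "GetDeviceCaps",
    },
    "ADVAPI32.dll": {
        "RegOpenKeyExW", "RegSetValueExA", "RegSetValueA", "RegQueryValueExW",
        "OpenProcessToken", "GetTokenInformation",
    },
    "SHELL32.dll": {"ShellExecuteW", "SHGetFolderPathW"},
}

# Editor's capability map (assumption, not a published rule set): a capability
# is reported when at least `need` of its listed imports are present.
CAPABILITIES = {
    "screen_capture": ({"GDI32.dll!BitBlt", "GDI32.dll!CreateCompatibleBitmap",
                        "GDI32.dll!GetDIBits", "USER32.dll!GetDC"}, 3),
    "hidden_desktop": ({"USER32.dll!CreateDesktopW", "USER32.dll!SetThreadDesktop",
                        "USER32.dll!EnumDesktopWindows", "USER32.dll!PrintWindow"}, 2),
    "keystroke_capture": ({"USER32.dll!GetKeyboardState", "USER32.dll!ToAscii",
                           "USER32.dll!VkKeyScanExA", "USER32.dll!GetKeyboardLayout"}, 2),
    "clipboard_access": ({"USER32.dll!OpenClipboard", "USER32.dll!GetClipboardData",
                          "USER32.dll!SetClipboardData"}, 2),
    "process_discovery": ({"KERNEL32.dll!CreateToolhelp32Snapshot",
                           "KERNEL32.dll!Process32FirstW",
                           "KERNEL32.dll!Process32NextW"}, 3),
    "registry_persistence": ({"ADVAPI32.dll!RegSetValueExA", "ADVAPI32.dll!RegSetValueA",
                              "SHELL32.dll!SHGetFolderPathW", "KERNEL32.dll!CopyFileW"}, 3),
    "dynamic_api_resolution": ({"KERNEL32.dll!LoadLibraryA",
                                "KERNEL32.dll!GetProcAddress"}, 2),
    # Classic remote-thread injection primitives. Deliberately includes APIs
    # the page's IAT does not contain, so their absence can be reported.
    "remote_thread_injection": ({"KERNEL32.dll!OpenProcess",
                                 "KERNEL32.dll!VirtualAllocEx",
                                 "KERNEL32.dll!WriteProcessMemory",
                                 "KERNEL32.dll!CreateRemoteThread"}, 3),
}


def flatten(imports):
    """Turn {dll: {func, ...}} into a set of 'dll!func' strings."""
    return {f"{dll}!{fn}" for dll, fns in imports.items() for fn in fns}


def triage(imports):
    """Return {capability: sorted matched imports} for each capability whose
    threshold is met."""
    present = flatten(imports)
    found = {}
    for name, (apis, need) in CAPABILITIES.items():
        hits = sorted(apis & present)
        if len(hits) >= need:
            found[name] = hits
    return found


def absent_injection_apis(imports):
    """Injection primitives missing from the static import table. If a memory
    rule still fires on them (as Code_injection did in this report), they were
    most likely resolved at run time through LoadLibrary/GetProcAddress."""
    present = flatten(imports)
    apis, _ = CAPABILITIES["remote_thread_injection"]
    return sorted(api.split("!", 1)[1] for api in apis - present)


if __name__ == "__main__":
    for cap, hits in triage(IMPORTS).items():
        print(f"{cap:24s} {', '.join(h.split('!', 1)[1] for h in hits)}")
    print("injection APIs not in IAT:", ", ".join(absent_injection_apis(IMPORTS)))
```

Two points worth taking from the output. The CreateDesktopW/SetThreadDesktop/EnumDesktopWindows cluster next to BitBlt/GetDIBits/PrintWindow is the hidden-desktop remote-control pattern, consistent with the DarkVNC and Lobshot labels in the VirusTotal row and with the ScreenShot and KeyLogger rules firing in memory. And the IAT carries OpenProcess, CreateProcessA/W and ResumeThread but none of VirtualAllocEx, WriteProcessMemory or CreateRemoteThread, yet the Code_injection rule matched in process memory; together with LoadLibraryA/GetProcAddress this means those primitives are resolved at run time, so an import-only rule would miss them and detection has to come from memory scanning or API tracing, as it did here. This is triage, not detection: every one of these clusters also appears in legitimate remote-support tools, and it is the behavioural signatures (autorun, self-deletion, drop to AppData, undisclosed host contact) that discriminate.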