Field | Value |
---|---|
Created | 2023.07.13 18:57 |
Machine | s1_win7_x6403 |
Filename | cc.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 19 detected (AIDetectMalware, malicious, high confidence, GenericRXWF, PWSX, RedLineNET, Artemis, Sabsik, R590429, BScope, susgen, GenKryptik, GLSM, confidence) |
md5 | ebadf0b0222d1fbda47585fee0a067fd |
sha256 | a7587381129a99402b9c9a027fe8ccbe57d10323371728b12b7e72435ac668c5 |
ssdeep | 12288:DzrKXmGDS7wmLFawxmd4JLuifxmcSdFVhGb3Sn:DnFawx1BdSdPQa |
imphash | 9e1d1a57b9e339b99446a84dd4baabba |
impfuzzy | 48:SoWJcpH+PdD99rxQSXtXlbt8Ez2Qo3wuFZGo:SoWJcpH+P5DrxHXtXlbt8EqQQL |
Network IP location
Signature (25cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | File has been identified by 19 AntiVirus engines on VirusTotal as malicious |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (13cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT (Import Address Table), by library
GDI32.dll
0x4b8030 GetDCBrushColor
COMCTL32.dll
0x4b8000 None
KERNEL32.dll
0x4b8060 GetModuleHandleA
0x4b8064 RaiseException
0x4b8068 InitializeSRWLock
0x4b806c ReleaseSRWLockExclusive
0x4b8070 AcquireSRWLockExclusive
0x4b8074 EnterCriticalSection
0x4b8078 LeaveCriticalSection
0x4b807c InitializeCriticalSectionEx
0x4b8080 TryEnterCriticalSection
0x4b8084 DeleteCriticalSection
0x4b8088 GetCurrentThreadId
0x4b808c InitializeConditionVariable
0x4b8090 WakeConditionVariable
0x4b8094 WakeAllConditionVariable
0x4b8098 SleepConditionVariableCS
0x4b809c SleepConditionVariableSRW
0x4b80a0 FormatMessageA
0x4b80a4 InitOnceBeginInitialize
0x4b80a8 InitOnceComplete
0x4b80ac GetLastError
0x4b80b0 FreeLibraryWhenCallbackReturns
0x4b80b4 CreateThreadpoolWork
0x4b80b8 SubmitThreadpoolWork
0x4b80bc CloseThreadpoolWork
0x4b80c0 GetModuleHandleExW
0x4b80c4 RtlCaptureStackBackTrace
0x4b80c8 IsProcessorFeaturePresent
0x4b80cc QueryPerformanceCounter
0x4b80d0 QueryPerformanceFrequency
0x4b80d4 SetFileInformationByHandle
0x4b80d8 FlsAlloc
0x4b80dc FlsGetValue
0x4b80e0 FlsSetValue
0x4b80e4 FlsFree
0x4b80e8 InitOnceExecuteOnce
0x4b80ec CreateEventExW
0x4b80f0 CreateSemaphoreExW
0x4b80f4 FlushProcessWriteBuffers
0x4b80f8 GetCurrentProcessorNumber
0x4b80fc GetSystemTimeAsFileTime
0x4b8100 GetTickCount64
0x4b8104 CreateThreadpoolTimer
0x4b8108 SetThreadpoolTimer
0x4b810c WaitForThreadpoolTimerCallbacks
0x4b8110 CloseThreadpoolTimer
0x4b8114 CreateThreadpoolWait
0x4b8118 SetThreadpoolWait
0x4b811c CloseThreadpoolWait
0x4b8120 GetModuleHandleW
0x4b8124 GetProcAddress
0x4b8128 GetFileInformationByHandleEx
0x4b812c CreateSymbolicLinkW
0x4b8130 CloseHandle
0x4b8134 WaitForSingleObjectEx
0x4b8138 Sleep
0x4b813c SwitchToThread
0x4b8140 GetExitCodeThread
0x4b8144 GetNativeSystemInfo
0x4b8148 LocalFree
0x4b814c InitializeCriticalSectionAndSpinCount
0x4b8150 SetEvent
0x4b8154 ResetEvent
0x4b8158 CreateEventW
0x4b815c IsDebuggerPresent
0x4b8160 UnhandledExceptionFilter
0x4b8164 SetUnhandledExceptionFilter
0x4b8168 GetStartupInfoW
0x4b816c GetCurrentProcess
0x4b8170 TerminateProcess
0x4b8174 GetCurrentProcessId
0x4b8178 InitializeSListHead
0x4b817c WriteConsoleW
0x4b8180 RtlUnwind
0x4b8184 InterlockedPushEntrySList
0x4b8188 InterlockedFlushSList
0x4b818c SetLastError
0x4b8190 EncodePointer
0x4b8194 TlsAlloc
0x4b8198 TlsGetValue
0x4b819c TlsSetValue
0x4b81a0 TlsFree
0x4b81a4 FreeLibrary
0x4b81a8 LoadLibraryExW
0x4b81ac CreateThread
0x4b81b0 ExitThread
0x4b81b4 ResumeThread
0x4b81b8 FreeLibraryAndExitThread
0x4b81bc ExitProcess
0x4b81c0 GetModuleFileNameW
0x4b81c4 GetStdHandle
0x4b81c8 WriteFile
0x4b81cc GetCommandLineA
0x4b81d0 GetCommandLineW
0x4b81d4 GetCurrentThread
0x4b81d8 SetConsoleCtrlHandler
0x4b81dc WideCharToMultiByte
0x4b81e0 HeapAlloc
0x4b81e4 HeapFree
0x4b81e8 GetDateFormatW
0x4b81ec GetTimeFormatW
0x4b81f0 CompareStringW
0x4b81f4 LCMapStringW
0x4b81f8 GetLocaleInfoW
0x4b81fc IsValidLocale
0x4b8200 GetUserDefaultLCID
0x4b8204 EnumSystemLocalesW
0x4b8208 GetFileType
0x4b820c GetFileSizeEx
0x4b8210 SetFilePointerEx
0x4b8214 FindClose
0x4b8218 FindFirstFileExW
0x4b821c FindNextFileW
0x4b8220 IsValidCodePage
0x4b8224 GetACP
0x4b8228 GetOEMCP
0x4b822c GetCPInfo
0x4b8230 MultiByteToWideChar
0x4b8234 GetEnvironmentStringsW
0x4b8238 FreeEnvironmentStringsW
0x4b823c SetEnvironmentVariableW
0x4b8240 GetProcessHeap
0x4b8244 OutputDebugStringW
0x4b8248 SetStdHandle
0x4b824c GetStringTypeW
0x4b8250 FlushFileBuffers
0x4b8254 GetConsoleOutputCP
0x4b8258 GetConsoleMode
0x4b825c HeapSize
0x4b8260 HeapReAlloc
0x4b8264 ReadFile
0x4b8268 ReadConsoleW
0x4b826c CreateFileW
0x4b8270 DecodePointer
EAT (Export Address Table): none