Field | Value |
---|---|
Created | 2023.07.17 16:43 |
Machine | s1_win7_x6403 |
Filename | NvProfileUpdate.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 33 detected (AIDetectMalware, malicious, high confidence, RedLineNET, GenericKD, unsafe, Vtfo, confidence, 100%, ZexaE, QGW@aq1x7Jdi, ABRisk, KSGQ, Attribute, HighConfidence, GenKryptik, GLWK, score, PWSX, RedLineSteal, ugxqv, Infected, Sabsik, Cordimik, Y8DLSH, Detected, GenericRXVT, StupidPInvoker, Chgt, Generic@AI, RDML, fXCblHBMcP, JG2vAglw, Redline, susgen) |
md5 | 15eb8ad14a87788df162588c878c6789 |
sha256 | f264b8399bdea1bdcbf1f2e70a1c185a8df97638ba9c171e51a5bf1ee0e748da |
ssdeep | 12288:8n1st25/ZyKB9UyTLrY1XbYcF9u2qgqqytK/YTkALrPGGyf0a3yerTZ:6O25/7rYbFZqrKAJrGGyf09c |
imphash | 366b889fbf8b867e33436fbbbc4d0c58 |
impfuzzy | 48:gaDaxYWJcpH+zD9nsXtXOth1zSpU63TuFZ+b:gaDaxYWJcpH+X6XtXOth1GpUf6 |
Network IP location
Signature (28cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
danger | File has been identified by 33 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local FTP client software |
watch | Looks for the Windows Idle Time to determine the uptime |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (13cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
ole32.dll
0x4752bc CoCancelCall
ADVAPI32.dll
0x475000 DeregisterEventSource
KERNEL32.dll
0x475030 WriteConsoleW
0x475034 RaiseException
0x475038 Sleep
0x47503c LoadLibraryW
0x475040 CloseHandle
0x475044 WaitForSingleObjectEx
0x475048 SwitchToThread
0x47504c GetCurrentThreadId
0x475050 GetExitCodeThread
0x475054 GetNativeSystemInfo
0x475058 QueryPerformanceCounter
0x47505c QueryPerformanceFrequency
0x475060 InitializeSRWLock
0x475064 ReleaseSRWLockExclusive
0x475068 AcquireSRWLockExclusive
0x47506c EnterCriticalSection
0x475070 LeaveCriticalSection
0x475074 InitializeCriticalSectionEx
0x475078 TryEnterCriticalSection
0x47507c DeleteCriticalSection
0x475080 InitializeConditionVariable
0x475084 WakeConditionVariable
0x475088 WakeAllConditionVariable
0x47508c SleepConditionVariableCS
0x475090 SleepConditionVariableSRW
0x475094 FormatMessageA
0x475098 SetFileInformationByHandle
0x47509c FlsAlloc
0x4750a0 FlsGetValue
0x4750a4 FlsSetValue
0x4750a8 FlsFree
0x4750ac InitOnceExecuteOnce
0x4750b0 CreateEventExW
0x4750b4 CreateSemaphoreExW
0x4750b8 FlushProcessWriteBuffers
0x4750bc GetCurrentProcessorNumber
0x4750c0 GetSystemTimeAsFileTime
0x4750c4 GetTickCount64
0x4750c8 FreeLibraryWhenCallbackReturns
0x4750cc CreateThreadpoolWork
0x4750d0 SubmitThreadpoolWork
0x4750d4 CloseThreadpoolWork
0x4750d8 CreateThreadpoolTimer
0x4750dc SetThreadpoolTimer
0x4750e0 WaitForThreadpoolTimerCallbacks
0x4750e4 CloseThreadpoolTimer
0x4750e8 CreateThreadpoolWait
0x4750ec SetThreadpoolWait
0x4750f0 CloseThreadpoolWait
0x4750f4 GetModuleHandleW
0x4750f8 GetProcAddress
0x4750fc GetFileInformationByHandleEx
0x475100 CreateSymbolicLinkW
0x475104 LocalFree
0x475108 UnhandledExceptionFilter
0x47510c SetUnhandledExceptionFilter
0x475110 GetCurrentProcess
0x475114 TerminateProcess
0x475118 IsProcessorFeaturePresent
0x47511c GetCurrentProcessId
0x475120 InitializeSListHead
0x475124 IsDebuggerPresent
0x475128 GetStartupInfoW
0x47512c CreateFileW
0x475130 DecodePointer
0x475134 RtlUnwind
0x475138 InterlockedPushEntrySList
0x47513c InterlockedFlushSList
0x475140 GetLastError
0x475144 SetLastError
0x475148 EncodePointer
0x47514c InitializeCriticalSectionAndSpinCount
0x475150 TlsAlloc
0x475154 TlsGetValue
0x475158 TlsSetValue
0x47515c TlsFree
0x475160 FreeLibrary
0x475164 LoadLibraryExW
0x475168 CreateThread
0x47516c ExitThread
0x475170 ResumeThread
0x475174 FreeLibraryAndExitThread
0x475178 GetModuleHandleExW
0x47517c GetStdHandle
0x475180 WriteFile
0x475184 GetModuleFileNameW
0x475188 ExitProcess
0x47518c GetCommandLineA
0x475190 GetCommandLineW
0x475194 GetCurrentThread
0x475198 HeapAlloc
0x47519c HeapFree
0x4751a0 GetDateFormatW
0x4751a4 GetTimeFormatW
0x4751a8 CompareStringW
0x4751ac LCMapStringW
0x4751b0 GetLocaleInfoW
0x4751b4 IsValidLocale
0x4751b8 GetUserDefaultLCID
0x4751bc EnumSystemLocalesW
0x4751c0 SetConsoleCtrlHandler
0x4751c4 GetFileType
0x4751c8 GetFileSizeEx
0x4751cc SetFilePointerEx
0x4751d0 OutputDebugStringW
0x4751d4 FindClose
0x4751d8 FindFirstFileExW
0x4751dc FindNextFileW
0x4751e0 IsValidCodePage
0x4751e4 GetACP
0x4751e8 GetOEMCP
0x4751ec GetCPInfo
0x4751f0 MultiByteToWideChar
0x4751f4 WideCharToMultiByte
0x4751f8 GetEnvironmentStringsW
0x4751fc FreeEnvironmentStringsW
0x475200 SetEnvironmentVariableW
0x475204 SetStdHandle
0x475208 GetStringTypeW
0x47520c GetProcessHeap
0x475210 FlushFileBuffers
0x475214 GetConsoleOutputCP
0x475218 GetConsoleMode
0x47521c HeapSize
0x475220 HeapReAlloc
0x475224 ReadFile
0x475228 ReadConsoleW
EAT(Export Address Table) is none