ScreenShot
| Created | 2023.07.22 21:47 | Machine | s1_win7_x6401 |
| Filename | payload.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 63 detected (Common, Androm, Doina, MauvaiseRI, S5242859, Patcher, Save, None, malicious, Kasidet, Scar, Eldorado, high confidence, score, Gamarue, lctq, ccmw, Andromeda, BotX, Gencirc, Ambler, bdftd, Swizzor, high, Randrew, B@7a247q, Detected, R299528, ai score=81, BScope, Blocker, unsafe, Genetic, RINyg41Xs7G, Static AI, Malicious PE, susgen, GenKryptik, DVPS, confidence, 100%) | ||
| md5 | 1dc2580260eb3d20bf700457ce0f235c | ||
| sha256 | b9a1bcaaa0067b1e242d7e56024590b579143c170280d136a588f1b60e4fd02a | ||
| ssdeep | 3072:+Tnc3PcvClNcy5jUg8ov5ZsxTFEDk2b97:iogCV5ySkEDk2B7 | ||
| imphash | 934381a85d55af4033da1a769f2cce1d | ||
| impfuzzy | 6:5vRKvROGy0PEPT2U8VKv5ASb0D4sIWM5GGXHGXnU6nuVRGTEGXVRoGXH5vBGUH0:d4Q1db6I5LwCXGXHX4GQGX5vB6 | ||
Network IP location
Signature (31cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 63 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Attempts to modify Explorer settings to prevent hidden files from being displayed |
| watch | Attempts to remove evidence of file being downloaded from the Internet |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | Installs itself for autorun at Windows startup |
| watch | Operates on local firewall's policies and settings |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | A process attempted to delay the analysis task. |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | The executable uses a known packer |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (7cnts) ?
Suricata ids
ET INFO Observed DNS Query to .biz TLD
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x407000 GetCurrentDirectoryW
0x407004 SetCurrentDirectoryW
0x407008 GetShortPathNameW
0x40700c GetStartupInfoA
0x407010 GetModuleHandleA
0x407014 GetSystemDirectoryW
SHLWAPI.dll
0x407058 PathAppendW
MSVCRT.dll
0x40701c _exit
0x407020 _XcptFilter
0x407024 exit
0x407028 _acmdln
0x40702c __getmainargs
0x407030 _initterm
0x407034 __setusermatherr
0x407038 _adjust_fdiv
0x40703c __p__commode
0x407040 __p__fmode
0x407044 __set_app_type
0x407048 _except_handler3
0x40704c _controlfp
0x407050 memset
EAT(Export Address Table) is none
KERNEL32.dll
0x407000 GetCurrentDirectoryW
0x407004 SetCurrentDirectoryW
0x407008 GetShortPathNameW
0x40700c GetStartupInfoA
0x407010 GetModuleHandleA
0x407014 GetSystemDirectoryW
SHLWAPI.dll
0x407058 PathAppendW
MSVCRT.dll
0x40701c _exit
0x407020 _XcptFilter
0x407024 exit
0x407028 _acmdln
0x40702c __getmainargs
0x407030 _initterm
0x407034 __setusermatherr
0x407038 _adjust_fdiv
0x40703c __p__commode
0x407040 __p__fmode
0x407044 __set_app_type
0x407048 _except_handler3
0x40704c _controlfp
0x407050 memset
EAT(Export Address Table) is none