| Field | Value |
|---|---|
| Created | 2023.08.10 07:50 |
| Machine | s1_win7_x6403 |
| Filename | defense.exe |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| AI Score | |
| Behavior Score | |
| ZERO API | file : malware |
| VT API (file) | |
| md5 | eb11d76f4db6786d48ef7ae3f6c3ad9a |
| sha256 | 4ceab10c2d3cdb9ae245f25c67fe95e5349d3c632d3b9140112e7d77720b5252 |
| ssdeep | 12288:8NVVyrGvaRlb2nZS1dUpSp3fHdSF9e+dy0p1i3v7fjAu1X:IVNPnZSXUpShf2c+dF1BuR |
| imphash | c4d010441c17e8245adced7fdcad59f4 |
| impfuzzy | 24:UeDWjO/2pNcxBQFQHuOovbOZyvDh/J3IeRT4KgKHk9pxjMBLvApCwuQ+u9OAwR1E:UOYcxB73uDjhcKgKH6YLYpCHA+/M |
Network IP location
Signatures (11 counts)
Level | Description |
---|---|
watch | Attempts to remove evidence of file being downloaded from the Internet |
watch | Communicates with host for which no DNS query was performed |
watch | Expresses interest in specific running processes |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | One or more potentially interesting buffers were extracted |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | This executable has a PDB path |
Rules (5 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) libraries
KERNEL32.dll
0x415014 FreeLibrary
0x415018 GetProcAddress
0x41501c GetLastError
0x415020 LoadLibraryExW
0x415024 CreateFileA
0x415028 SetEndOfFile
0x41502c GetModuleFileNameW
0x415030 WideCharToMultiByte
0x415034 GetFileAttributesW
0x415038 ExpandEnvironmentStringsW
0x41503c MultiByteToWideChar
0x415040 HeapFree
0x415044 GetVersionExA
0x415048 HeapAlloc
0x41504c GetProcessHeap
0x415050 GetFullPathNameW
0x415054 EnterCriticalSection
0x415058 LeaveCriticalSection
0x41505c GetFullPathNameA
0x415060 GetCurrentProcess
0x415064 SetUnhandledExceptionFilter
0x415068 GetModuleHandleA
0x41506c ExitProcess
0x415070 WriteFile
0x415074 GetStdHandle
0x415078 GetModuleFileNameA
0x41507c FreeEnvironmentStringsA
0x415080 GetEnvironmentStrings
0x415084 FreeEnvironmentStringsW
0x415088 GetEnvironmentStringsW
0x41508c GetCommandLineA
0x415090 GetCommandLineW
0x415094 SetHandleCount
0x415098 GetFileType
0x41509c GetStartupInfoA
0x4150a0 DeleteCriticalSection
0x4150a4 TlsGetValue
0x4150a8 TlsAlloc
0x4150ac TlsSetValue
0x4150b0 TlsFree
0x4150b4 InterlockedIncrement
0x4150b8 SetLastError
0x4150bc GetCurrentThreadId
0x4150c0 InterlockedDecrement
0x4150c4 HeapDestroy
0x4150c8 HeapCreate
0x4150cc VirtualFree
0x4150d0 QueryPerformanceCounter
0x4150d4 GetTickCount
0x4150d8 GetCurrentProcessId
0x4150dc GetSystemTimeAsFileTime
0x4150e0 TerminateProcess
0x4150e4 UnhandledExceptionFilter
0x4150e8 IsDebuggerPresent
0x4150ec GetCPInfo
0x4150f0 GetACP
0x4150f4 GetOEMCP
0x4150f8 IsValidCodePage
0x4150fc Sleep
0x415100 VirtualAlloc
0x415104 HeapReAlloc
0x415108 RtlUnwind
0x41510c CloseHandle
0x415110 RaiseException
0x415114 GetDriveTypeA
0x415118 ReadFile
0x41511c SetFilePointer
0x415120 SetStdHandle
0x415124 LoadLibraryA
0x415128 InitializeCriticalSection
0x41512c GetConsoleCP
0x415130 GetConsoleMode
0x415134 LCMapStringA
0x415138 LCMapStringW
0x41513c GetStringTypeA
0x415140 GetStringTypeW
0x415144 GetLocaleInfoA
0x415148 GetCurrentDirectoryA
0x41514c FlushFileBuffers
0x415150 CompareStringA
0x415154 CompareStringW
0x415158 SetEnvironmentVariableA
0x41515c CreateFileW
0x415160 HeapSize
0x415164 WriteConsoleA
0x415168 GetConsoleOutputCP
0x41516c WriteConsoleW
0x415170 SetEnvironmentVariableW
USER32.dll
0x415178 MessageBoxW
ADVAPI32.dll
0x415000 RegQueryValueExW
0x415004 RegCloseKey
0x415008 RegEnumKeyExW
0x41500c RegOpenKeyExW
EAT (Export Address Table): none