ScreenShot
| Created | 2023.08.10 07:48 | Machine | s1_win7_x6401 |
| Filename | a3e34cp.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | 92031e02bc46932ace98fb8b54f261f4 | ||
| sha256 | 15767660942cc7c75ff800cfeb1b759f8194d3a1332a9fb024abdf4b86cfc9df | ||
| ssdeep | 98304:FgTOuxyekXIG+AM/M8MqPtPGp/6qWXCT5QYux3bWJvAi9nzDMeEuJW2wq73:l4KM/BMqPt8/lWSDucUPqr | ||
| imphash | 47d9e0a75345ea39609c757c684fd925 | ||
| impfuzzy | 6:AqFRgKLbGeuL16n9GjXA8VyH/JLGMZ/OiBJAEnERGDW:7RgRZg9Ww8sZGMZGqAJcDW | ||
Network IP location
Signature (20cnts)
| Level | Description |
|---|---|
| watch | Attempts to identify installed AV products by installation directory |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| watch | Uses suspicious command line tools or Windows utilities |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
| notice | Creates a suspicious process |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is likely packed with VMProtect |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (10cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| watch | VMProtect_Zero | VMProtect packed file | binaries (download) |
| watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x7a6000 GetVersionExW
ADVAPI32.dll
0x7a6008 RegCloseKey
SHELL32.dll
0x7a6010 SHGetFolderPathA
WININET.dll
0x7a6018 HttpOpenRequestA
KERNEL32.dll
0x7a6020 GetSystemTimeAsFileTime
USER32.dll
0x7a6028 CharUpperBuffW
KERNEL32.dll
0x7a6030 LocalAlloc
0x7a6034 LocalFree
0x7a6038 GetModuleFileNameW
0x7a603c ExitProcess
0x7a6040 LoadLibraryA
0x7a6044 GetModuleHandleA
0x7a6048 GetProcAddress
EAT(Export Address Table) is none
KERNEL32.dll
0x7a6000 GetVersionExW
ADVAPI32.dll
0x7a6008 RegCloseKey
SHELL32.dll
0x7a6010 SHGetFolderPathA
WININET.dll
0x7a6018 HttpOpenRequestA
KERNEL32.dll
0x7a6020 GetSystemTimeAsFileTime
USER32.dll
0x7a6028 CharUpperBuffW
KERNEL32.dll
0x7a6030 LocalAlloc
0x7a6034 LocalFree
0x7a6038 GetModuleFileNameW
0x7a603c ExitProcess
0x7a6040 LoadLibraryA
0x7a6044 GetModuleHandleA
0x7a6048 GetProcAddress
EAT(Export Address Table) is none