ScreenShot
| Created | 2023.08.11 08:54 | Machine | s1_win7_x6403 |
| Filename | 38h4tp20bm85.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | d525784068f44c8c06b97756f67bca48 | ||
| sha256 | f8125e4ec3ac9a91641133259d6096405cbb989fa716b533874bd248519be3b9 | ||
| ssdeep | 24576:ydBXwq3wYbKJxMZGmjBB/n0dSmsmIfKNzeAE/Nh/P0tqSQ:+XJbKJxM8MY0msmIfKtenn/PKqZ | ||
| imphash | c8cb7a778b504c2b41383b432dbd8883 | ||
| impfuzzy | 48:D1rIoWJcpH+PdD9vrxQSXtXqScGt/zba634uFZdLw:DNIoWJcpH+P51rxHXtXqScGt/PaiC | ||
Network IP location
Signature (29cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Attempts to create or modify system certificates |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Looks for the Windows Idle Time to determine the uptime |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
Rules (16cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_PWS_Loki_m_Zero | Win32 PWS Loki | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | WMI_VM_Detect | Detection of Virtual Appliances through the use of WMI for use of evasion. | memory |
Network (4cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
USER32.dll
0x51f318 SetWindowDisplayAffinity
GDI32.dll
0x51f030 RestoreDC
ADVAPI32.dll
0x51f000 EqualPrefixSid
KERNEL32.dll
0x51f060 CreateFileW
0x51f064 CompareStringEx
0x51f068 RaiseException
0x51f06c InitializeSRWLock
0x51f070 ReleaseSRWLockExclusive
0x51f074 AcquireSRWLockExclusive
0x51f078 EnterCriticalSection
0x51f07c LeaveCriticalSection
0x51f080 InitializeCriticalSectionEx
0x51f084 TryEnterCriticalSection
0x51f088 DeleteCriticalSection
0x51f08c GetCurrentThreadId
0x51f090 InitializeConditionVariable
0x51f094 WakeConditionVariable
0x51f098 WakeAllConditionVariable
0x51f09c SleepConditionVariableCS
0x51f0a0 SleepConditionVariableSRW
0x51f0a4 FormatMessageA
0x51f0a8 WideCharToMultiByte
0x51f0ac MultiByteToWideChar
0x51f0b0 GetStringTypeW
0x51f0b4 InitOnceBeginInitialize
0x51f0b8 InitOnceComplete
0x51f0bc GetLastError
0x51f0c0 FreeLibraryWhenCallbackReturns
0x51f0c4 CreateThreadpoolWork
0x51f0c8 SubmitThreadpoolWork
0x51f0cc CloseThreadpoolWork
0x51f0d0 GetModuleHandleExW
0x51f0d4 RtlCaptureStackBackTrace
0x51f0d8 IsProcessorFeaturePresent
0x51f0dc QueryPerformanceCounter
0x51f0e0 QueryPerformanceFrequency
0x51f0e4 SetFileInformationByHandle
0x51f0e8 FlsAlloc
0x51f0ec FlsGetValue
0x51f0f0 FlsSetValue
0x51f0f4 FlsFree
0x51f0f8 InitOnceExecuteOnce
0x51f0fc CreateEventExW
0x51f100 CreateSemaphoreExW
0x51f104 FlushProcessWriteBuffers
0x51f108 GetCurrentProcessorNumber
0x51f10c GetSystemTimeAsFileTime
0x51f110 GetTickCount64
0x51f114 CreateThreadpoolTimer
0x51f118 SetThreadpoolTimer
0x51f11c WaitForThreadpoolTimerCallbacks
0x51f120 CloseThreadpoolTimer
0x51f124 CreateThreadpoolWait
0x51f128 SetThreadpoolWait
0x51f12c CloseThreadpoolWait
0x51f130 GetModuleHandleW
0x51f134 GetProcAddress
0x51f138 GetFileInformationByHandleEx
0x51f13c CreateSymbolicLinkW
0x51f140 CloseHandle
0x51f144 WaitForSingleObjectEx
0x51f148 Sleep
0x51f14c SwitchToThread
0x51f150 GetExitCodeThread
0x51f154 GetNativeSystemInfo
0x51f158 LocalFree
0x51f15c EncodePointer
0x51f160 DecodePointer
0x51f164 LCMapStringEx
0x51f168 GetLocaleInfoEx
0x51f16c WriteConsoleW
0x51f170 GetCPInfo
0x51f174 InitializeCriticalSectionAndSpinCount
0x51f178 SetEvent
0x51f17c ResetEvent
0x51f180 CreateEventW
0x51f184 GetCurrentProcessId
0x51f188 InitializeSListHead
0x51f18c IsDebuggerPresent
0x51f190 UnhandledExceptionFilter
0x51f194 SetUnhandledExceptionFilter
0x51f198 GetStartupInfoW
0x51f19c GetCurrentProcess
0x51f1a0 TerminateProcess
0x51f1a4 HeapSize
0x51f1a8 RtlUnwind
0x51f1ac InterlockedPushEntrySList
0x51f1b0 InterlockedFlushSList
0x51f1b4 SetLastError
0x51f1b8 TlsAlloc
0x51f1bc TlsGetValue
0x51f1c0 TlsSetValue
0x51f1c4 TlsFree
0x51f1c8 FreeLibrary
0x51f1cc LoadLibraryExW
0x51f1d0 CreateThread
0x51f1d4 ExitThread
0x51f1d8 ResumeThread
0x51f1dc FreeLibraryAndExitThread
0x51f1e0 GetStdHandle
0x51f1e4 WriteFile
0x51f1e8 GetModuleFileNameW
0x51f1ec ExitProcess
0x51f1f0 GetCommandLineA
0x51f1f4 GetCommandLineW
0x51f1f8 GetCurrentThread
0x51f1fc HeapFree
0x51f200 SetConsoleCtrlHandler
0x51f204 GetDateFormatW
0x51f208 GetTimeFormatW
0x51f20c CompareStringW
0x51f210 LCMapStringW
0x51f214 GetLocaleInfoW
0x51f218 IsValidLocale
0x51f21c GetUserDefaultLCID
0x51f220 EnumSystemLocalesW
0x51f224 HeapAlloc
0x51f228 GetFileType
0x51f22c GetFileSizeEx
0x51f230 SetFilePointerEx
0x51f234 FlushFileBuffers
0x51f238 GetConsoleOutputCP
0x51f23c GetConsoleMode
0x51f240 ReadFile
0x51f244 ReadConsoleW
0x51f248 HeapReAlloc
0x51f24c GetTimeZoneInformation
0x51f250 OutputDebugStringW
0x51f254 FindClose
0x51f258 FindFirstFileExW
0x51f25c FindNextFileW
0x51f260 IsValidCodePage
0x51f264 GetACP
0x51f268 GetOEMCP
0x51f26c GetEnvironmentStringsW
0x51f270 FreeEnvironmentStringsW
0x51f274 SetEnvironmentVariableW
0x51f278 SetStdHandle
0x51f27c GetProcessHeap
EAT(Export Address Table) is none
USER32.dll
0x51f318 SetWindowDisplayAffinity
GDI32.dll
0x51f030 RestoreDC
ADVAPI32.dll
0x51f000 EqualPrefixSid
KERNEL32.dll
0x51f060 CreateFileW
0x51f064 CompareStringEx
0x51f068 RaiseException
0x51f06c InitializeSRWLock
0x51f070 ReleaseSRWLockExclusive
0x51f074 AcquireSRWLockExclusive
0x51f078 EnterCriticalSection
0x51f07c LeaveCriticalSection
0x51f080 InitializeCriticalSectionEx
0x51f084 TryEnterCriticalSection
0x51f088 DeleteCriticalSection
0x51f08c GetCurrentThreadId
0x51f090 InitializeConditionVariable
0x51f094 WakeConditionVariable
0x51f098 WakeAllConditionVariable
0x51f09c SleepConditionVariableCS
0x51f0a0 SleepConditionVariableSRW
0x51f0a4 FormatMessageA
0x51f0a8 WideCharToMultiByte
0x51f0ac MultiByteToWideChar
0x51f0b0 GetStringTypeW
0x51f0b4 InitOnceBeginInitialize
0x51f0b8 InitOnceComplete
0x51f0bc GetLastError
0x51f0c0 FreeLibraryWhenCallbackReturns
0x51f0c4 CreateThreadpoolWork
0x51f0c8 SubmitThreadpoolWork
0x51f0cc CloseThreadpoolWork
0x51f0d0 GetModuleHandleExW
0x51f0d4 RtlCaptureStackBackTrace
0x51f0d8 IsProcessorFeaturePresent
0x51f0dc QueryPerformanceCounter
0x51f0e0 QueryPerformanceFrequency
0x51f0e4 SetFileInformationByHandle
0x51f0e8 FlsAlloc
0x51f0ec FlsGetValue
0x51f0f0 FlsSetValue
0x51f0f4 FlsFree
0x51f0f8 InitOnceExecuteOnce
0x51f0fc CreateEventExW
0x51f100 CreateSemaphoreExW
0x51f104 FlushProcessWriteBuffers
0x51f108 GetCurrentProcessorNumber
0x51f10c GetSystemTimeAsFileTime
0x51f110 GetTickCount64
0x51f114 CreateThreadpoolTimer
0x51f118 SetThreadpoolTimer
0x51f11c WaitForThreadpoolTimerCallbacks
0x51f120 CloseThreadpoolTimer
0x51f124 CreateThreadpoolWait
0x51f128 SetThreadpoolWait
0x51f12c CloseThreadpoolWait
0x51f130 GetModuleHandleW
0x51f134 GetProcAddress
0x51f138 GetFileInformationByHandleEx
0x51f13c CreateSymbolicLinkW
0x51f140 CloseHandle
0x51f144 WaitForSingleObjectEx
0x51f148 Sleep
0x51f14c SwitchToThread
0x51f150 GetExitCodeThread
0x51f154 GetNativeSystemInfo
0x51f158 LocalFree
0x51f15c EncodePointer
0x51f160 DecodePointer
0x51f164 LCMapStringEx
0x51f168 GetLocaleInfoEx
0x51f16c WriteConsoleW
0x51f170 GetCPInfo
0x51f174 InitializeCriticalSectionAndSpinCount
0x51f178 SetEvent
0x51f17c ResetEvent
0x51f180 CreateEventW
0x51f184 GetCurrentProcessId
0x51f188 InitializeSListHead
0x51f18c IsDebuggerPresent
0x51f190 UnhandledExceptionFilter
0x51f194 SetUnhandledExceptionFilter
0x51f198 GetStartupInfoW
0x51f19c GetCurrentProcess
0x51f1a0 TerminateProcess
0x51f1a4 HeapSize
0x51f1a8 RtlUnwind
0x51f1ac InterlockedPushEntrySList
0x51f1b0 InterlockedFlushSList
0x51f1b4 SetLastError
0x51f1b8 TlsAlloc
0x51f1bc TlsGetValue
0x51f1c0 TlsSetValue
0x51f1c4 TlsFree
0x51f1c8 FreeLibrary
0x51f1cc LoadLibraryExW
0x51f1d0 CreateThread
0x51f1d4 ExitThread
0x51f1d8 ResumeThread
0x51f1dc FreeLibraryAndExitThread
0x51f1e0 GetStdHandle
0x51f1e4 WriteFile
0x51f1e8 GetModuleFileNameW
0x51f1ec ExitProcess
0x51f1f0 GetCommandLineA
0x51f1f4 GetCommandLineW
0x51f1f8 GetCurrentThread
0x51f1fc HeapFree
0x51f200 SetConsoleCtrlHandler
0x51f204 GetDateFormatW
0x51f208 GetTimeFormatW
0x51f20c CompareStringW
0x51f210 LCMapStringW
0x51f214 GetLocaleInfoW
0x51f218 IsValidLocale
0x51f21c GetUserDefaultLCID
0x51f220 EnumSystemLocalesW
0x51f224 HeapAlloc
0x51f228 GetFileType
0x51f22c GetFileSizeEx
0x51f230 SetFilePointerEx
0x51f234 FlushFileBuffers
0x51f238 GetConsoleOutputCP
0x51f23c GetConsoleMode
0x51f240 ReadFile
0x51f244 ReadConsoleW
0x51f248 HeapReAlloc
0x51f24c GetTimeZoneInformation
0x51f250 OutputDebugStringW
0x51f254 FindClose
0x51f258 FindFirstFileExW
0x51f25c FindNextFileW
0x51f260 IsValidCodePage
0x51f264 GetACP
0x51f268 GetOEMCP
0x51f26c GetEnvironmentStringsW
0x51f270 FreeEnvironmentStringsW
0x51f274 SetEnvironmentVariableW
0x51f278 SetStdHandle
0x51f27c GetProcessHeap
EAT(Export Address Table) is none