ScreenShot
| Created | 2023.09.08 09:12 | Machine | s1_win7_x6403 |
| Filename | zur.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | 014d9107275c5fcf6ac8ac397e53bb67 | ||
| sha256 | 50bd9fc914876e4e683b41a8dd61d60d3ac3934bf03b7d051e912fa9dcbc4f45 | ||
| ssdeep | 3072:F6c5x6PWbHdQsbI6/d1kCPMlzhk2Ww+19Zu3cgA81jID078nGhAbHDZc:FZ6PWb9nd1kCh2Eonp/AbjZ | ||
| imphash | 431b9eee3827e493b6144e5f38c219a4 | ||
| impfuzzy | 24:1tMS1+GhlJeDc+pl3eDoLoEOovbO3kPvRRZHu9oGMf:1tMS1+GOc+ppXc30n7 | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Detects Avast Antivirus through the presence of a library |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x417000 UnhandledExceptionFilter
0x417004 SetUnhandledExceptionFilter
0x417008 GetCurrentProcess
0x41700c TerminateProcess
0x417010 IsProcessorFeaturePresent
0x417014 QueryPerformanceCounter
0x417018 GetCurrentProcessId
0x41701c GetCurrentThreadId
0x417020 GetSystemTimeAsFileTime
0x417024 InitializeSListHead
0x417028 IsDebuggerPresent
0x41702c GetStartupInfoW
0x417030 GetModuleHandleW
0x417034 WriteConsoleW
0x417038 RaiseException
0x41703c RtlUnwind
0x417040 GetLastError
0x417044 SetLastError
0x417048 EncodePointer
0x41704c EnterCriticalSection
0x417050 LeaveCriticalSection
0x417054 DeleteCriticalSection
0x417058 InitializeCriticalSectionAndSpinCount
0x41705c TlsAlloc
0x417060 TlsGetValue
0x417064 TlsSetValue
0x417068 TlsFree
0x41706c FreeLibrary
0x417070 GetProcAddress
0x417074 LoadLibraryExW
0x417078 GetStdHandle
0x41707c WriteFile
0x417080 GetModuleFileNameW
0x417084 ExitProcess
0x417088 GetModuleHandleExW
0x41708c GetCommandLineA
0x417090 GetCommandLineW
0x417094 HeapAlloc
0x417098 HeapFree
0x41709c CompareStringW
0x4170a0 LCMapStringW
0x4170a4 GetFileType
0x4170a8 FindClose
0x4170ac FindFirstFileExW
0x4170b0 FindNextFileW
0x4170b4 IsValidCodePage
0x4170b8 GetACP
0x4170bc GetOEMCP
0x4170c0 GetCPInfo
0x4170c4 MultiByteToWideChar
0x4170c8 WideCharToMultiByte
0x4170cc GetEnvironmentStringsW
0x4170d0 FreeEnvironmentStringsW
0x4170d4 SetEnvironmentVariableW
0x4170d8 SetStdHandle
0x4170dc GetStringTypeW
0x4170e0 GetProcessHeap
0x4170e4 FlushFileBuffers
0x4170e8 GetConsoleOutputCP
0x4170ec GetConsoleMode
0x4170f0 GetFileSizeEx
0x4170f4 SetFilePointerEx
0x4170f8 HeapSize
0x4170fc HeapReAlloc
0x417100 CloseHandle
0x417104 CreateFileW
0x417108 DecodePointer
EAT(Export Address Table) is none
KERNEL32.dll
0x417000 UnhandledExceptionFilter
0x417004 SetUnhandledExceptionFilter
0x417008 GetCurrentProcess
0x41700c TerminateProcess
0x417010 IsProcessorFeaturePresent
0x417014 QueryPerformanceCounter
0x417018 GetCurrentProcessId
0x41701c GetCurrentThreadId
0x417020 GetSystemTimeAsFileTime
0x417024 InitializeSListHead
0x417028 IsDebuggerPresent
0x41702c GetStartupInfoW
0x417030 GetModuleHandleW
0x417034 WriteConsoleW
0x417038 RaiseException
0x41703c RtlUnwind
0x417040 GetLastError
0x417044 SetLastError
0x417048 EncodePointer
0x41704c EnterCriticalSection
0x417050 LeaveCriticalSection
0x417054 DeleteCriticalSection
0x417058 InitializeCriticalSectionAndSpinCount
0x41705c TlsAlloc
0x417060 TlsGetValue
0x417064 TlsSetValue
0x417068 TlsFree
0x41706c FreeLibrary
0x417070 GetProcAddress
0x417074 LoadLibraryExW
0x417078 GetStdHandle
0x41707c WriteFile
0x417080 GetModuleFileNameW
0x417084 ExitProcess
0x417088 GetModuleHandleExW
0x41708c GetCommandLineA
0x417090 GetCommandLineW
0x417094 HeapAlloc
0x417098 HeapFree
0x41709c CompareStringW
0x4170a0 LCMapStringW
0x4170a4 GetFileType
0x4170a8 FindClose
0x4170ac FindFirstFileExW
0x4170b0 FindNextFileW
0x4170b4 IsValidCodePage
0x4170b8 GetACP
0x4170bc GetOEMCP
0x4170c0 GetCPInfo
0x4170c4 MultiByteToWideChar
0x4170c8 WideCharToMultiByte
0x4170cc GetEnvironmentStringsW
0x4170d0 FreeEnvironmentStringsW
0x4170d4 SetEnvironmentVariableW
0x4170d8 SetStdHandle
0x4170dc GetStringTypeW
0x4170e0 GetProcessHeap
0x4170e4 FlushFileBuffers
0x4170e8 GetConsoleOutputCP
0x4170ec GetConsoleMode
0x4170f0 GetFileSizeEx
0x4170f4 SetFilePointerEx
0x4170f8 HeapSize
0x4170fc HeapReAlloc
0x417100 CloseHandle
0x417104 CreateFileW
0x417108 DecodePointer
EAT(Export Address Table) is none