Report - promot_s.msi

Generic Malware Malicious Library CAB MSOffice File OS Processor Check

ScreenShot

Info
Location map


Created	2023.09.16 14:05	Machine	s1_win7_x6403
Filename	promot_s.msi
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 14:06:51 2020, Security: 0, Code page: 1252, Revision Number: {712FA1FF-5EDD-4B8A-A341-2
AI Score	Not founds	Behavior Score	4.2
ZERO API	file : mailcious
VT API (file)	4 detected (Generic@AI, RDML, 4BSI7VQWrlAjlQ6ssGNUhA, Artemis, Detected, WjexjofuRAT)
md5	96d99e6c2e7c358b9d663595d3af5f27
sha256	301432e6053a0f092e8f5137a97ef3543934e0f8e200bd0c7844886e4c72e7e9
ssdeep	393216:bQcblwAxiRsytVOtSOuySa3/B5Qw0a4/AlwZnb87:lbys0MSOuySuLQPa7gA
imphash
impfuzzy

Network IP location

Signature (11cnts)

Level	Description
watch	Attempts to create or modify system certificates
watch	One or more of the buffers contains an embedded PE file
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	File has been identified by 4 AntiVirus engines on VirusTotal as malicious
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	Queries for the computername

Rules (5cnts)

Level	Name	Description	Collection
warning	Generic_Malware_Zero	Generic Malware	binaries (upload)
watch	Malicious_Library_Zero	Malicious_Library	binaries (upload)
info	CAB_file_format	CAB archive file	binaries (upload)
info	Microsoft_Office_File_Zero	Microsoft Office File	binaries (upload)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (upload)

Network (9cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
http://apps.identrust.com/roots/dstrootcax3.p7c whois		Akamai International B.V.	23.67.53.17		clean
https://www.google-analytics.com/collect?v=1&tid=UA-380480-23&cid=%7B8088027B-4BB6-456E-A8C8-37F4AC853C35%7D&t=event&ec=Session&ea=Start&an=ImBatch&av=7.6.0&ul=en-GB&sr=1024x768&sc=start&z=42773 whois		GOOGLE	172.217.24.238		clean
www.highmotionsoftware.com whois		PRIVATESYSTEMS	104.193.111.101		clean
www.google-analytics.com whois		GOOGLE	216.239.38.178		clean
www.bolidesoft.com whois		PRIVATESYSTEMS	104.193.111.117		clean
104.193.111.101 whois		PRIVATESYSTEMS	104.193.111.101		clean
121.254.136.9 whois		LG DACOM Corporation	121.254.136.9		clean
172.217.24.238 whois		GOOGLE	172.217.24.238		clean
104.193.111.117 whois		PRIVATESYSTEMS	104.193.111.117		clean

Suricata ids

Similarity measure (PE file only) - Checking for service failure