Field | Value |
---|---|
Created | 2023.09.24 11:19 |
Machine | s1_win7_x6401 |
Filename | kus.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | |
md5 | 04513f64dd4834354625e24e2b0b44c7 |
sha256 | 32e9982cdb36d4dec359589316d58ae57c886e9d72067352655b78415847877d |
ssdeep | 6144:gu46fuYXChoQTjlFgLuCY1dRuAOCm9LvukGtA+w8y0:g7YzXChdTbv1bumLA+w8y |
imphash | 383ebf01ac19979467e97d3debc83542 |
impfuzzy | 24:MNcpVWcjeDvGtXGhlJBl39RPLOovbO3kFZMv1GMAkEZHu9J:MNcpV5jWGtXGnp3630FZGb |
Signature (13cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Detects Avast Antivirus through the presence of a library |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | One or more potentially interesting buffers were extracted |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
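Read together, the watch-level entries above are the suspended-process injection (process hollowing) chain: spawn a process, allocate executable memory in it, write a PE image there, retarget a thread with NtSetContextThread, then resume it; the single danger-level entry is the sandbox's verdict once that chain completes on one target. The script below, an added example and not the sandbox's own signature engine, reproduces that scoring over a sandbox API trace. The trace layout (caller pid, API name, comma-separated key=value arguments), the field names and the API names are this example's assumptions, and SAMPLE_TRACE and BENIGN_TRACE are constructed inputs, not data taken from this report.

```python
"""Replay the injection behaviours this report flags over a sandbox API trace.

Added example for this page; it is not the sandbox's own signature engine.
The trace format (one event per line: caller pid, API name, comma-separated
key=value arguments), the field names and the API names are assumptions
chosen to mirror the Signature table above. SAMPLE_TRACE and BENIGN_TRACE are
constructed inputs, not data from the report.
"""
from collections import defaultdict
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004      # CreateProcess dwCreationFlags bit
EXEC_PROTECT_MASK = 0xF0           # PAGE_EXECUTE* protections: 0x10/0x20/0x40/0x80
LEVEL_ORDER = {"danger": 0, "watch": 1, "notice": 2, "info": 3}

# Constructed: a suspended child (5678) is allocated RWX, written with an MZ
# image, retargeted with NtSetContextThread and resumed; an unrelated process
# (4321) is written to and then killed.
SAMPLE_TRACE = """\
1234\tCreateProcessW\tpath=C:\\target.exe,flags=0x4,child_pid=5678
1234\tNtAllocateVirtualMemory\tpid=5678,protect=0x40,size=0x6000
1234\tNtWriteVirtualMemory\tpid=5678,size=0x6000,head=MZ
1234\tNtSetContextThread\tpid=5678,tid=9012
1234\tNtResumeThread\tpid=5678,tid=9012
1234\tNtWriteVirtualMemory\tpid=4321,size=0x100,head=00
1234\tNtTerminateProcess\tpid=4321
"""

# Constructed: RWX allocation in the caller's own process only, no injection.
BENIGN_TRACE = "1234\tNtAllocateVirtualMemory\tpid=1234,protect=0x40,size=0x1000\n"


@dataclass
class Target:
    child: bool = False
    created_suspended: bool = False
    remote_write: bool = False
    set_context: bool = False
    resumed: bool = False


def parse_trace(text):
    """Parse the assumed trace layout into (caller_pid, api, {arg: value}) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api, argstr = line.split("\t", 2)
        args = dict(kv.split("=", 1) for kv in argstr.split(",") if kv)
        events.append((int(pid), api, args))
    return events


def analyze(text):
    """Return sorted (level, description) signatures in the report's vocabulary."""
    targets = defaultdict(Target)
    hits = set()
    for caller, api, a in parse_trace(text):
        if api in ("CreateProcessW", "CreateProcessA"):
            t = targets[int(a["child_pid"])]
            t.child = True
            t.created_suspended = bool(int(a.get("flags", "0"), 0) & CREATE_SUSPENDED)
            continue
        target = int(a.get("pid", caller))
        if target == caller:
            continue  # operations on the caller's own process are not injection
        t = targets[target]
        if api == "NtAllocateVirtualMemory" and int(a.get("protect", "0"), 0) & EXEC_PROTECT_MASK:
            hits.add(("watch", "Allocates execute permission to another process indicative of possible code injection"))
        elif api in ("NtWriteVirtualMemory", "WriteProcessMemory"):
            t.remote_write = True
            hits.add(("watch", "Potential code injection by writing to the memory of another process"))
            if a.get("head") == "MZ":  # written buffer starts with a PE header
                hits.add(("watch", "Code injection by writing an executable or DLL to the memory of another process"))
            if not t.child:
                hits.add(("watch", "Manipulates memory of a non-child process indicative of process injection"))
        elif api in ("NtSetContextThread", "SetThreadContext"):
            t.set_context = True
            hits.add(("watch", "Used NtSetContextThread to modify a thread in a remote process indicative of process injection"))
        elif api in ("NtResumeThread", "ResumeThread"):
            t.resumed = True
            hits.add(("watch", "Resumed a suspended thread in a remote process potentially indicative of process injection"))
        elif api in ("NtTerminateProcess", "TerminateProcess"):
            hits.add(("notice", "Terminates another process"))
    # The danger verdict needs the whole chain on one target: spawned suspended,
    # written to, then redirected or resumed.
    for t in targets.values():
        if t.created_suspended and t.remote_write and (t.set_context or t.resumed):
            hits.add(("danger", "Executed a process and injected code into it"))
    return sorted(hits, key=lambda h: (LEVEL_ORDER[h[0]], h[1]))


if __name__ == "__main__":
    for level, desc in analyze(SAMPLE_TRACE):
        print(f"{level:7s} {desc}")
```

The same-process filter is what keeps a JIT or self-unpacking stub from triggering the injection entries; the danger verdict is deliberately gated on the full chain against a single target rather than on any one call, which is how a report like this one ends up with many watch entries but only one danger entry.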
Rules (13cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
Request | Country (CC) | ASN owner | IPv4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata IDS
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x425000 WideCharToMultiByte
0x425004 CloseHandle
0x425008 GetCurrentThreadId
0x42500c EnterCriticalSection
0x425010 LeaveCriticalSection
0x425014 InitializeCriticalSectionEx
0x425018 DeleteCriticalSection
0x42501c EncodePointer
0x425020 DecodePointer
0x425024 MultiByteToWideChar
0x425028 LCMapStringEx
0x42502c QueryPerformanceCounter
0x425030 GetSystemTimeAsFileTime
0x425034 GetModuleHandleW
0x425038 GetProcAddress
0x42503c GetStringTypeW
0x425040 GetCPInfo
0x425044 IsProcessorFeaturePresent
0x425048 GetCurrentProcessId
0x42504c InitializeSListHead
0x425050 IsDebuggerPresent
0x425054 UnhandledExceptionFilter
0x425058 SetUnhandledExceptionFilter
0x42505c GetStartupInfoW
0x425060 GetCurrentProcess
0x425064 TerminateProcess
0x425068 CreateFileW
0x42506c RaiseException
0x425070 RtlUnwind
0x425074 GetLastError
0x425078 SetLastError
0x42507c InitializeCriticalSectionAndSpinCount
0x425080 TlsAlloc
0x425084 TlsGetValue
0x425088 TlsSetValue
0x42508c TlsFree
0x425090 FreeLibrary
0x425094 LoadLibraryExW
0x425098 GetModuleHandleExW
0x42509c GetStdHandle
0x4250a0 WriteFile
0x4250a4 GetModuleFileNameW
0x4250a8 ExitProcess
0x4250ac GetCommandLineA
0x4250b0 GetCommandLineW
0x4250b4 HeapAlloc
0x4250b8 HeapFree
0x4250bc CompareStringW
0x4250c0 LCMapStringW
0x4250c4 GetLocaleInfoW
0x4250c8 IsValidLocale
0x4250cc GetUserDefaultLCID
0x4250d0 EnumSystemLocalesW
0x4250d4 GetFileType
0x4250d8 FlushFileBuffers
0x4250dc GetConsoleOutputCP
0x4250e0 GetConsoleMode
0x4250e4 ReadFile
0x4250e8 GetFileSizeEx
0x4250ec SetFilePointerEx
0x4250f0 ReadConsoleW
0x4250f4 HeapReAlloc
0x4250f8 FindClose
0x4250fc FindFirstFileExW
0x425100 FindNextFileW
0x425104 IsValidCodePage
0x425108 GetACP
0x42510c GetOEMCP
0x425110 GetEnvironmentStringsW
0x425114 FreeEnvironmentStringsW
0x425118 SetEnvironmentVariableW
0x42511c SetStdHandle
0x425120 GetProcessHeap
0x425124 HeapSize
0x425128 WriteConsoleW
EAT (Export Address Table) Library
0x402490 _uSGyuTYAStyA@12
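None of the APIs the Signature table implies (CreateProcess, remote allocation and write, NtSetContextThread, ResumeThread) appear in the static IAT above, while GetProcAddress, GetModuleHandleW and LoadLibraryExW do, which is the usual shape of a binary that resolves its working set at run time behind a packer. The script below, an added example and not the sandbox's code, parses the listing format used on this page, computes an imphash over it, and reports that gap. IAT_TEXT is an excerpt (the first 22 thunks of the KERNEL32.dll listing); the imphash routine follows the common recipe (lowercased "module.function" pairs in IAT order, module extension stripped, MD5), but a hash over an excerpt will not equal the report's imphash, which covers the full import directory. INJECTION_APIS, RESOLVERS and ANTI_DEBUG_APIS are this example's own name lists.

```python
"""Triage the static import table listed in this report.

Added example for this page, not the sandbox's code. IAT_TEXT is an excerpt
copied from the KERNEL32.dll listing (the first 22 thunks); the imphash
routine follows the usual recipe (lowercased "module.function" names joined by
commas, module extension stripped, MD5), but a hash over an excerpt will not
equal the report's imphash, which covers the complete import directory.
INJECTION_APIS, RESOLVERS and ANTI_DEBUG_APIS are this example's own lists,
chosen from the behaviours and YARA rules reported above.
"""
import hashlib
import re

IAT_TEXT = """\
KERNEL32.dll
0x425000 WideCharToMultiByte
0x425004 CloseHandle
0x425008 GetCurrentThreadId
0x42500c EnterCriticalSection
0x425010 LeaveCriticalSection
0x425014 InitializeCriticalSectionEx
0x425018 DeleteCriticalSection
0x42501c EncodePointer
0x425020 DecodePointer
0x425024 MultiByteToWideChar
0x425028 LCMapStringEx
0x42502c QueryPerformanceCounter
0x425030 GetSystemTimeAsFileTime
0x425034 GetModuleHandleW
0x425038 GetProcAddress
0x42503c GetStringTypeW
0x425040 GetCPInfo
0x425044 IsProcessorFeaturePresent
0x425048 GetCurrentProcessId
0x42504c InitializeSListHead
0x425050 IsDebuggerPresent
0x425054 UnhandledExceptionFilter
"""

# APIs a process-hollowing chain needs (see the Signature table).
INJECTION_APIS = {
    "CreateProcessA", "CreateProcessW", "VirtualAllocEx", "NtAllocateVirtualMemory",
    "WriteProcessMemory", "NtWriteVirtualMemory", "SetThreadContext",
    "NtSetContextThread", "ResumeThread", "NtResumeThread",
}
# Imports that let a binary resolve the above at run time instead.
RESOLVERS = {"GetProcAddress", "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
             "LoadLibraryExW", "GetModuleHandleA", "GetModuleHandleW"}
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "NtQueryInformationProcess", "NtSetInformationThread"}

IMPORT_LINE = re.compile(r"^0x([0-9a-fA-F]+)\s+(\S+)$")
THUNK_SIZE = 4  # PE32: one 32-bit IAT slot per import


def parse_iat(text):
    """Parse the report's 'MODULE.dll' / '0xADDR Name' layout into (dll, addr, name)."""
    entries, dll = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IMPORT_LINE.match(line)
        if m is None:
            dll = line  # a bare line starts a new module block
        elif dll is None:
            raise ValueError(f"import before any module header: {line}")
        else:
            entries.append((dll, int(m.group(1), 16), m.group(2)))
    return entries


def imphash(entries):
    """MD5 over 'module.function' pairs in IAT order (ordinal imports not handled here)."""
    parts = []
    for dll, _, func in entries:
        mod = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if mod.endswith(ext):
                mod = mod[: -len(ext)]
                break
        parts.append(f"{mod}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def triage(entries):
    """Summarise what the static IAT does and does not explain about the flagged behaviour."""
    names = {func for _, _, func in entries}
    addrs = [addr for _, addr, _ in entries]
    return {
        "imphash": imphash(entries),
        "injection_apis_imported": sorted(names & INJECTION_APIS),
        "injection_apis_missing": sorted(INJECTION_APIS - names),
        # GetProcAddress plus a LoadLibrary/GetModuleHandle variant is enough to
        # resolve everything in INJECTION_APIS at run time.
        "can_resolve_at_runtime": "GetProcAddress" in names and bool(names & (RESOLVERS - {"GetProcAddress"})),
        "anti_debug_imports": sorted(names & ANTI_DEBUG_APIS),
        # Consecutive 4-byte slots within one module mean no thunk was dropped.
        "listing_contiguous": all(b - a == THUNK_SIZE for a, b in zip(addrs, addrs[1:])),
    }


if __name__ == "__main__":
    for key, value in triage(parse_iat(IAT_TEXT)).items():
        print(f"{key}: {value}")
```

Two caveats when reading the result against this report. The IAT as listed is essentially the Visual C++ runtime's standard import set, and IsDebuggerPresent belongs to that set, so the anti_dbg rule matching on it alone is weak evidence; the memory-collection rules (DebuggerCheck__QueryInfo, DebuggerHiding__Thread, ThreadControl__Context) are the more telling hits precisely because the names they look for are absent from the static imports. And an imphash computed from a dump or an excerpt will not pivot against the file-level imphash in the summary table; compare like with like.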