Field | Value |
---|---|
Created | 2023.10.04 14:19 |
Machine | s1_win7_x6401 |
Filename | 4H.xll |
Type | PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | |
md5 | 31a57c5f8a6b8bd49f1ec6583c9ade36 |
sha256 | 0b479e2c669f50aa7f3c93f8e32512696012f46d2c03c48627da9ad0016cdfd1 |
ssdeep | 1536:f7pxSJsy6Nh5wFHssKjrtN/5jqzyCNwGXGhriUc45cmN:lYwNh5wFHssKXnxjNCNHGirmN |
imphash | f599f6d6eed879ac9612841c28ee3418 |
impfuzzy | 12:jYRJRJJoAR+hqR2qBrKHlJYasTqa91KddFQJqcsaGXZn:j8fjB+kTYliHx91SDcqcFGXZn |
Network IP location
Signature (9cnts)
Level | Description |
---|---|
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates a suspicious process |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | One or more processes crashed |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsDLL | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x2b13711a4 CopyFileW
0x2b13711ac DeleteCriticalSection
0x2b13711b4 EnterCriticalSection
0x2b13711bc GetLastError
0x2b13711c4 InitializeCriticalSection
0x2b13711cc IsDBCSLeadByteEx
0x2b13711d4 LeaveCriticalSection
0x2b13711dc MultiByteToWideChar
0x2b13711e4 Sleep
0x2b13711ec TlsGetValue
0x2b13711f4 VirtualProtect
0x2b13711fc VirtualQuery
0x2b1371204 WinExec
msvcrt.dll
0x2b1371214 ___lc_codepage_func
0x2b137121c ___mb_cur_max_func
0x2b1371224 __iob_func
0x2b137122c _amsg_exit
0x2b1371234 _errno
0x2b137123c _initterm
0x2b1371244 _lock
0x2b137124c _unlock
0x2b1371254 abort
0x2b137125c calloc
0x2b1371264 free
0x2b137126c fwrite
0x2b1371274 getc
0x2b137127c islower
0x2b1371284 isspace
0x2b137128c isupper
0x2b1371294 isxdigit
0x2b137129c localeconv
0x2b13712a4 malloc
0x2b13712ac memcpy
0x2b13712b4 memset
0x2b13712bc realloc
0x2b13712c4 strcat
0x2b13712cc strlen
0x2b13712d4 strncmp
0x2b13712dc strtol
0x2b13712e4 strtoul
0x2b13712ec tolower
0x2b13712f4 ungetc
0x2b13712fc vfprintf
EAT (Export Address Table) Library
0x2b136b000 hash
0x2b1361470 xlAutoOpen
0x2b13613d0 xor_decrypt