Field | Value |
---|---|
Created | 2023.10.28 12:46 |
Machine | s1_win7_x6401 |
Filename | setup.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | Not founds |
Behavior Score | |
ZERO API | file : mailcious |
VT API (file) | 5 detected (Artemis, malicious, confidence) |
md5 | 9d3ff29bb3a7834ecab9d30a29f38bf4 |
sha256 | c4355c12cdb30a5ab2fe97828b1b189abcef20d9b651be38fb61283f94aa9918 |
ssdeep | 3072:dYQbijezGcxjdUC3zgLLWIpZegtfsE7PHAZ7EfY0m09w5F9e8YHpHOfYZGDQbHAi:doQRUCMLPpFtfsEDAZwfBmmMZIbZKUgi |
imphash | fd5d9d1cbcf99ec36a28bc74087df1e8 |
impfuzzy | 48:4yitCGmnBmWBFvGg8YtCSuE+Gv4J09wE1WX/KAHA/gXKs5ztC0x8TPq:4yitCGOBmovG9YtCSXNGwUK70x8TPq |
Network IP location
Signature (17cnts)
Level | Description |
---|---|
watch | Creates a suspicious Powershell process |
watch | The process powershell.exe wrote an executable file to disk |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | File has been identified by 5 AntiVirus engines on VirusTotal as malicious |
notice | Uses Windows utilities for basic Windows functionality |
notice | WaitFor has been invoked (possibly to delay malicious activity) |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | Uses Windows APIs to generate a cryptographic key |
Rules (9cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PowerShell | PowerShell script | scripts |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x14002d050 SetFilePointer
0x14002d058 InitializeCriticalSectionEx
0x14002d060 GetCurrentThreadId
0x14002d068 HeapSize
0x14002d070 MultiByteToWideChar
0x14002d078 Sleep
0x14002d080 GetLastError
0x14002d088 LockResource
0x14002d090 HeapReAlloc
0x14002d098 CloseHandle
0x14002d0a0 RaiseException
0x14002d0a8 CreateThread
0x14002d0b0 FindResourceExW
0x14002d0b8 LoadResource
0x14002d0c0 FindResourceW
0x14002d0c8 HeapAlloc
0x14002d0d0 DecodePointer
0x14002d0d8 HeapDestroy
0x14002d0e0 GetProcAddress
0x14002d0e8 DeleteCriticalSection
0x14002d0f0 ExitProcess
0x14002d0f8 GetProcessHeap
0x14002d100 GetModuleHandleW
0x14002d108 LeaveCriticalSection
0x14002d110 WideCharToMultiByte
0x14002d118 SetConsoleOutputCP
0x14002d120 GetFileType
0x14002d128 lstrcmpiW
0x14002d130 LoadLibraryExW
0x14002d138 FlushFileBuffers
0x14002d140 CreateFileW
0x14002d148 GetConsoleMode
0x14002d150 SetFilePointerEx
0x14002d158 GetStringTypeW
0x14002d160 SetStdHandle
0x14002d168 LCMapStringW
0x14002d170 FlsFree
0x14002d178 GetModuleFileNameW
0x14002d180 ExpandEnvironmentStringsW
0x14002d188 WriteFile
0x14002d190 GetConsoleOutputCP
0x14002d198 EnterCriticalSection
0x14002d1a0 SetLastError
0x14002d1a8 HeapFree
0x14002d1b0 SizeofResource
0x14002d1b8 FreeLibrary
0x14002d1c0 ReadFile
0x14002d1c8 FlsSetValue
0x14002d1d0 FlsGetValue
0x14002d1d8 FlsAlloc
0x14002d1e0 FreeEnvironmentStringsW
0x14002d1e8 GetEnvironmentStringsW
0x14002d1f0 GetCPInfo
0x14002d1f8 GetOEMCP
0x14002d200 GetACP
0x14002d208 IsValidCodePage
0x14002d210 FindNextFileW
0x14002d218 FindFirstFileExW
0x14002d220 FindClose
0x14002d228 GetStdHandle
0x14002d230 WriteConsoleW
0x14002d238 GetModuleHandleExW
0x14002d240 GetCommandLineW
0x14002d248 GetCommandLineA
0x14002d250 RtlUnwind
0x14002d258 TlsFree
0x14002d260 TlsSetValue
0x14002d268 TlsGetValue
0x14002d270 TlsAlloc
0x14002d278 RtlPcToFileHeader
0x14002d280 RtlUnwindEx
0x14002d288 EncodePointer
0x14002d290 InitializeSListHead
0x14002d298 InterlockedPopEntrySList
0x14002d2a0 InterlockedPushEntrySList
0x14002d2a8 GetCurrentProcess
0x14002d2b0 FlushInstructionCache
0x14002d2b8 VirtualAlloc
0x14002d2c0 VirtualFree
0x14002d2c8 LoadLibraryExA
0x14002d2d0 IsDebuggerPresent
0x14002d2d8 OutputDebugStringW
0x14002d2e0 InitializeCriticalSectionAndSpinCount
0x14002d2e8 SetEvent
0x14002d2f0 ResetEvent
0x14002d2f8 WaitForSingleObjectEx
0x14002d300 CreateEventW
0x14002d308 RtlCaptureContext
0x14002d310 RtlLookupFunctionEntry
0x14002d318 RtlVirtualUnwind
0x14002d320 UnhandledExceptionFilter
0x14002d328 SetUnhandledExceptionFilter
0x14002d330 TerminateProcess
0x14002d338 IsProcessorFeaturePresent
0x14002d340 GetStartupInfoW
0x14002d348 QueryPerformanceCounter
0x14002d350 GetCurrentProcessId
0x14002d358 GetSystemTimeAsFileTime
USER32.dll
0x14002d3e0 SetWindowLongPtrW
0x14002d3e8 LoadCursorW
0x14002d3f0 TranslateMessage
0x14002d3f8 CharNextW
0x14002d400 PeekMessageW
0x14002d408 DispatchMessageW
0x14002d410 RegisterClassExW
0x14002d418 GetWindowLongPtrW
0x14002d420 MsgWaitForMultipleObjects
0x14002d428 UnregisterClassW
0x14002d430 CreateWindowExW
0x14002d438 DefWindowProcW
0x14002d440 CallWindowProcW
0x14002d448 MessageBoxW
0x14002d450 GetClassInfoExW
ADVAPI32.dll
0x14002d000 RegCloseKey
0x14002d008 RegQueryInfoKeyW
0x14002d010 RegDeleteKeyW
0x14002d018 RegCreateKeyExW
0x14002d020 RegEnumKeyExW
0x14002d028 RegSetValueExW
0x14002d030 RegOpenKeyExW
0x14002d038 RegDeleteValueW
0x14002d040 RegQueryValueExW
ole32.dll
0x14002d460 CoInitialize
0x14002d468 CoTaskMemAlloc
0x14002d470 StringFromGUID2
0x14002d478 CoGetObject
0x14002d480 CoCreateInstance
0x14002d488 CLSIDFromProgID
0x14002d490 CoTaskMemFree
0x14002d498 CoTaskMemRealloc
0x14002d4a0 CLSIDFromString
0x14002d4a8 CoGetInstanceFromFile
0x14002d4b0 CoUninitialize
OLEAUT32.dll
0x14002d368 LoadRegTypeLib
0x14002d370 VariantInit
0x14002d378 LoadTypeLib
0x14002d380 SysFreeString
0x14002d388 SysAllocString
0x14002d390 VariantCopy
0x14002d398 SysStringLen
0x14002d3a0 SafeArrayUnaccessData
0x14002d3a8 SysAllocStringLen
0x14002d3b0 LoadTypeLibEx
0x14002d3b8 VariantChangeType
0x14002d3c0 VariantClear
0x14002d3c8 VarUI4FromStr
0x14002d3d0 SafeArrayAccessData
EAT (Export Address Table): none