Field | Value |
---|---|
Created | 2023.11.02 17:02 |
Machine | s1_win7_x6401 |
Filename | Xiu2Xiu.exe |
Type | PE32+ executable (console) x86-64, for MS Windows |
AI Score | Not found |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | |
md5 | 07f36f03342b3b07ecfb8498d0e078a2 |
sha256 | 97c2859888b248ad9fc8fafa81e2fc1582015fc0594f8adbd1cf20133e5ae8d9 |
ssdeep | 196608:jMtvnp25MeTKHydYBBTAI7KzCnF8zDiiaFZjwAIXSzSoCmGnDh3pWSDAo:A1sWMdYBBTAIezu0GF+1CzS2Gn9gEA |
imphash | 5de1290e779857f433670565a30c31e4 |
impfuzzy | 24:QsXErTLOcjFhCgDru+J9v02tyXbUJncSl39/CuYoEOovw9RPvRzZHu9oGMc:QsXES2J97tyXbEcSpQuYctnu |
Network IP location
Signature (7cnts)
Level | Description |
---|---|
watch | Deletes a large number of files from the system indicative of ransomware |
watch | Drops a binary and executes it |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (19cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
watch | ASPack_Zero | ASPack packed file | binaries (download) |
watch | ASPack_Zero | ASPack packed file | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (download) |
info | ftp_command | ftp command | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | wget_command | wget command | binaries (download) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
SHELL32.dll
0x1400212c0 SHFileOperationW
0x1400212c8 SHGetFolderPathW
KERNEL32.dll
0x140021000 DeleteCriticalSection
0x140021008 HeapReAlloc
0x140021010 CreateDirectoryW
0x140021018 SetConsoleCtrlHandler
0x140021020 GetCommandLineW
0x140021028 WriteFile
0x140021030 TerminateProcess
0x140021038 GetModuleFileNameW
0x140021040 GetTempPathW
0x140021048 FindResourceA
0x140021050 WaitForSingleObject
0x140021058 CreateFileW
0x140021060 GetFileAttributesW
0x140021068 Sleep
0x140021070 GetLastError
0x140021078 LockResource
0x140021080 CloseHandle
0x140021088 LoadResource
0x140021090 GetProcAddress
0x140021098 SetEnvironmentVariableA
0x1400210a0 GetCurrentProcessId
0x1400210a8 CreateProcessW
0x1400210b0 WideCharToMultiByte
0x1400210b8 GetSystemTimeAsFileTime
0x1400210c0 FormatMessageA
0x1400210c8 GetExitCodeProcess
0x1400210d0 RtlCaptureContext
0x1400210d8 RtlLookupFunctionEntry
0x1400210e0 RtlVirtualUnwind
0x1400210e8 UnhandledExceptionFilter
0x1400210f0 SetUnhandledExceptionFilter
0x1400210f8 GetCurrentProcess
0x140021100 IsProcessorFeaturePresent
0x140021108 QueryPerformanceCounter
0x140021110 GetCurrentThreadId
0x140021118 InitializeSListHead
0x140021120 IsDebuggerPresent
0x140021128 GetStartupInfoW
0x140021130 GetModuleHandleW
0x140021138 HeapSize
0x140021140 RtlUnwindEx
0x140021148 SetLastError
0x140021150 EnterCriticalSection
0x140021158 LeaveCriticalSection
0x140021160 WriteConsoleW
0x140021168 InitializeCriticalSectionAndSpinCount
0x140021170 TlsAlloc
0x140021178 TlsGetValue
0x140021180 TlsSetValue
0x140021188 TlsFree
0x140021190 FreeLibrary
0x140021198 LoadLibraryExW
0x1400211a0 EncodePointer
0x1400211a8 RaiseException
0x1400211b0 RtlPcToFileHeader
0x1400211b8 ExitProcess
0x1400211c0 GetModuleHandleExW
0x1400211c8 GetCommandLineA
0x1400211d0 GetStdHandle
0x1400211d8 HeapAlloc
0x1400211e0 MultiByteToWideChar
0x1400211e8 HeapFree
0x1400211f0 FlsAlloc
0x1400211f8 FlsGetValue
0x140021200 FlsSetValue
0x140021208 FlsFree
0x140021210 CompareStringW
0x140021218 LCMapStringW
0x140021220 GetFileType
0x140021228 FindClose
0x140021230 FindFirstFileExW
0x140021238 FindNextFileW
0x140021240 IsValidCodePage
0x140021248 GetACP
0x140021250 GetOEMCP
0x140021258 GetCPInfo
0x140021260 GetEnvironmentStringsW
0x140021268 FreeEnvironmentStringsW
0x140021270 SetEnvironmentVariableW
0x140021278 SetStdHandle
0x140021280 GetStringTypeW
0x140021288 GetProcessHeap
0x140021290 FlushFileBuffers
0x140021298 GetConsoleOutputCP
0x1400212a0 GetConsoleMode
0x1400212a8 GetFileSizeEx
0x1400212b0 SetFilePointerEx
EAT (Export Address Table): none