Field | Value |
---|---|
Created | 2023.11.06 09:51 |
Machine | s1_win7_x6401 |
Filename | d-7 |
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
ZERO API | file: clean |
VT API (file) | 37 detected (AIDetectMalware, BadUpdate, malicious, high confidence, Zusy, NetLoader, Lotok, Vv4c, confidence, Attribute, HighConfidence, score, CLASSIC, Redcap, qzrdx, ai score=89, SwimSnake, Wacatac, Generic Dropper, unsafe, R002H07K223, PossibleThreat, RATX) |
md5 | 802cf804f8e94474c805d2fba97c2f41 |
sha256 | f112fdb86d608028f0018a03725b9b865e90bbb3f27d3427178935545cbc9d0e |
ssdeep | 1536:awsdCFnE4Nz1/SXPtpoprAeDYxUfGKhK5O:awsAik1a4pGKhK5O |
imphash | f61b3498a024e1606e5633ff05e57b42 |
impfuzzy | 24:414ywa/2/2Jej0DC8lrMU7Kt0G7POovgk3cfS7yv5FQHOT4CrnQnAdATIij3wkgZ:22+8t0G7mccfSINcCrnBGTIy3/grdL |
Signature (19cnts)
Level | Description |
---|---|
danger | File has been identified by 37 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to modify UAC prompt behavior |
watch | Communicates with host for which no DNS query was performed |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process rundll32.exe |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Queries for the computername |
Rules (20cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Network_Downloader | File Downloader | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | zip_file_format | ZIP file format | binaries (download) |
Network (6cnts)
Suricata ids
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE JS/WSF Downloader Dec 08 2016 M7
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x1000e008 WriteFile
0x1000e00c CreateFileA
0x1000e010 LocalReAlloc
0x1000e014 LocalAlloc
0x1000e018 Sleep
0x1000e01c Process32Next
0x1000e020 Process32First
0x1000e024 CreateToolhelp32Snapshot
0x1000e028 GetLastError
0x1000e02c CreateDirectoryA
0x1000e030 GetFileAttributesA
0x1000e034 ExpandEnvironmentStringsA
0x1000e038 CreateMutexA
0x1000e03c OpenMutexA
0x1000e040 SetLastError
0x1000e044 VirtualAlloc
0x1000e048 VirtualFree
0x1000e04c LoadLibraryA
0x1000e050 GetProcAddress
0x1000e054 LocalFree
0x1000e058 HeapAlloc
0x1000e05c FlushFileBuffers
0x1000e060 WriteConsoleW
0x1000e064 GetConsoleOutputCP
0x1000e068 WriteConsoleA
0x1000e06c SetStdHandle
0x1000e070 InitializeCriticalSectionAndSpinCount
0x1000e074 GetConsoleMode
0x1000e078 GetConsoleCP
0x1000e07c SetFilePointer
0x1000e080 HeapSize
0x1000e084 HeapFree
0x1000e088 CloseHandle
0x1000e08c GetSystemTimeAsFileTime
0x1000e090 TerminateProcess
0x1000e094 GetCurrentProcess
0x1000e098 UnhandledExceptionFilter
0x1000e09c SetUnhandledExceptionFilter
0x1000e0a0 IsDebuggerPresent
0x1000e0a4 RaiseException
0x1000e0a8 RtlUnwind
0x1000e0ac HeapReAlloc
0x1000e0b0 MultiByteToWideChar
0x1000e0b4 WideCharToMultiByte
0x1000e0b8 GetCurrentThreadId
0x1000e0bc GetCommandLineA
0x1000e0c0 GetModuleHandleW
0x1000e0c4 TlsGetValue
0x1000e0c8 TlsAlloc
0x1000e0cc TlsSetValue
0x1000e0d0 TlsFree
0x1000e0d4 InterlockedIncrement
0x1000e0d8 InterlockedDecrement
0x1000e0dc GetCPInfo
0x1000e0e0 GetACP
0x1000e0e4 GetOEMCP
0x1000e0e8 IsValidCodePage
0x1000e0ec DeleteCriticalSection
0x1000e0f0 LeaveCriticalSection
0x1000e0f4 EnterCriticalSection
0x1000e0f8 HeapCreate
0x1000e0fc HeapDestroy
0x1000e100 ExitProcess
0x1000e104 GetStdHandle
0x1000e108 GetModuleFileNameA
0x1000e10c SetHandleCount
0x1000e110 GetFileType
0x1000e114 GetStartupInfoA
0x1000e118 FreeEnvironmentStringsA
0x1000e11c GetEnvironmentStrings
0x1000e120 FreeEnvironmentStringsW
0x1000e124 GetEnvironmentStringsW
0x1000e128 QueryPerformanceCounter
0x1000e12c GetTickCount
0x1000e130 GetCurrentProcessId
0x1000e134 LCMapStringA
0x1000e138 LCMapStringW
0x1000e13c GetStringTypeA
0x1000e140 GetStringTypeW
0x1000e144 GetLocaleInfoA
USER32.dll
0x1000e154 PostQuitMessage
0x1000e158 TranslateMessage
0x1000e15c DispatchMessageA
0x1000e160 KillTimer
0x1000e164 SetTimer
0x1000e168 GetMessageA
0x1000e16c MessageBoxW
0x1000e170 GetDesktopWindow
SHELL32.dll
0x1000e14c ShellExecuteExA
WININET.dll
0x1000e178 InternetReadFile
0x1000e17c InternetOpenA
0x1000e180 InternetOpenUrlA
0x1000e184 InternetCloseHandle
CRYPT32.dll
0x1000e000 CryptStringToBinaryA
EAT (Export Address Table) Library
0x100029b0 Edge