Field | Value |
---|---|
Created | 2023.11.07 07:46 |
Machine | s1_win7_x6401 |
Filename | Services.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | |
md5 | d9ce98a0b0029d26876ac86409bac27e |
sha256 | c6185a23c51b8ac77e6c1bdf2cd4a8d39b02af8b8027d4162cf9766d19cf87c8 |
ssdeep | 98304:T/kRk50qK5N7jdM2gOpqufwX9h+3dcWUWZJziS1hZUZyeYOth3fOCQb9GK1/49s:bokO9jdMxOUUwWdiWmS+JuZGKJ49 |
imphash | 5de3d424cd6789b476f93abd644dde5a |
impfuzzy | 6:/oPBT8ba1bK1eFML1KFjtlJoZ/OiBJAEnERGDW:gPBTBTOZGqAJcDW |
Network IP location
Signature (15cnts)
Level | Description |
---|---|
watch | Communicates with host for which no DNS query was performed |
watch | Network communications indicative of possible code injection originated from the process services.exe |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is likely packed with VMProtect |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | UPX_Zero | UPX packed file | binaries (upload) |
watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (33cnts)
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO TLS Handshake Failure
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO TLS Handshake Failure
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x6e1000 CreateProcessA
ADVAPI32.dll
0x6e1008 CreateServiceA
SHELL32.dll
0x6e1010 SHGetSpecialFolderPathA
SETUPAPI.dll
0x6e1018 SetupDiGetClassDevsA
KERNEL32.dll
0x6e1020 GetSystemTimeAsFileTime
KERNEL32.dll
0x6e1028 HeapAlloc
0x6e102c HeapFree
0x6e1030 ExitProcess
0x6e1034 LoadLibraryA
0x6e1038 GetModuleHandleA
0x6e103c GetProcAddress
EAT(Export Address Table) is none