ScreenShot
| Created | 2023.11.11 16:30 | Machine | s1_win7_x6403 |
| Filename | 1111.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | |||
| md5 | 29b30699b114caf0dfb7854b2e9bb6bb | ||
| sha256 | 7855d1e9cd453e5b6fb7b129a111428fa34476999fe50193e334dc65405aa542 | ||
| ssdeep | 6144:qz/sh+qoOgjUFccbbsdZLKTQF7D2292sjUOpA5NzVhhj3mznBfSNHBdkpOjB1lf:9h+7ssdZLCs/IFw4NHkpCB1J | ||
| imphash | aaa97dcc7945614afae5716f8187b49b | ||
| impfuzzy | 24:WjKNDoAqlvMjOovS2cfzZ/J3IBtyFQ8RyvuT4blXnpG9KXGLG0vT4Hd95c/:SMCQcfzbutNucbZnpGMXGL9vsHC/ | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x412000 WaitForSingleObject
0x412004 Sleep
0x412008 CreateThread
0x41200c lstrlenW
0x412010 VirtualProtect
0x412014 GetProcAddress
0x412018 LoadLibraryA
0x41201c VirtualAlloc
0x412020 GetModuleHandleA
0x412024 GetConsoleCP
0x412028 GetACP
0x41202c FreeConsole
0x412030 GetLastError
0x412034 HeapFree
0x412038 HeapAlloc
0x41203c RtlUnwind
0x412040 RaiseException
0x412044 GetCommandLineA
0x412048 HeapCreate
0x41204c VirtualFree
0x412050 DeleteCriticalSection
0x412054 LeaveCriticalSection
0x412058 EnterCriticalSection
0x41205c HeapReAlloc
0x412060 GetModuleHandleW
0x412064 ExitProcess
0x412068 WriteFile
0x41206c GetStdHandle
0x412070 GetModuleFileNameA
0x412074 TlsGetValue
0x412078 TlsAlloc
0x41207c TlsSetValue
0x412080 TlsFree
0x412084 InterlockedIncrement
0x412088 SetLastError
0x41208c GetCurrentThreadId
0x412090 InterlockedDecrement
0x412094 TerminateProcess
0x412098 GetCurrentProcess
0x41209c UnhandledExceptionFilter
0x4120a0 SetUnhandledExceptionFilter
0x4120a4 IsDebuggerPresent
0x4120a8 FreeEnvironmentStringsA
0x4120ac GetEnvironmentStrings
0x4120b0 FreeEnvironmentStringsW
0x4120b4 WideCharToMultiByte
0x4120b8 GetEnvironmentStringsW
0x4120bc SetHandleCount
0x4120c0 GetFileType
0x4120c4 GetStartupInfoA
0x4120c8 QueryPerformanceCounter
0x4120cc GetTickCount
0x4120d0 GetCurrentProcessId
0x4120d4 GetSystemTimeAsFileTime
0x4120d8 GetCPInfo
0x4120dc GetOEMCP
0x4120e0 IsValidCodePage
0x4120e4 InitializeCriticalSectionAndSpinCount
0x4120e8 HeapSize
0x4120ec LCMapStringA
0x4120f0 MultiByteToWideChar
0x4120f4 LCMapStringW
0x4120f8 GetStringTypeA
0x4120fc GetStringTypeW
0x412100 GetLocaleInfoA
GDI32.DLL
0x46e664 ImproveFramework
0x46e668 ReconfigureElement
0x46e66c ModifyEndpoint
0x46e670 UpdateFramework
0x46e674 AdjustProtocol
USER32.DLL
0x46e67c DeactivateElement
0x46e680 ModifyOperation
0x46e684 InnovateConfiguration
0x46e688 StreamlineInstrument
0x46e68c ImproveElement
ADVAPI32.DLL
0x46e694 ReconstructCapability
0x46e698 BuildConfiguration
0x46e69c AdjustProtocol
0x46e6a0 ReconfigureResource
0x46e6a4 EnhanceProtocol
0x46e6a8 ModifyFramework
0x46e6ac ModifyOperation
EAT(Export Address Table) is none
KERNEL32.dll
0x412000 WaitForSingleObject
0x412004 Sleep
0x412008 CreateThread
0x41200c lstrlenW
0x412010 VirtualProtect
0x412014 GetProcAddress
0x412018 LoadLibraryA
0x41201c VirtualAlloc
0x412020 GetModuleHandleA
0x412024 GetConsoleCP
0x412028 GetACP
0x41202c FreeConsole
0x412030 GetLastError
0x412034 HeapFree
0x412038 HeapAlloc
0x41203c RtlUnwind
0x412040 RaiseException
0x412044 GetCommandLineA
0x412048 HeapCreate
0x41204c VirtualFree
0x412050 DeleteCriticalSection
0x412054 LeaveCriticalSection
0x412058 EnterCriticalSection
0x41205c HeapReAlloc
0x412060 GetModuleHandleW
0x412064 ExitProcess
0x412068 WriteFile
0x41206c GetStdHandle
0x412070 GetModuleFileNameA
0x412074 TlsGetValue
0x412078 TlsAlloc
0x41207c TlsSetValue
0x412080 TlsFree
0x412084 InterlockedIncrement
0x412088 SetLastError
0x41208c GetCurrentThreadId
0x412090 InterlockedDecrement
0x412094 TerminateProcess
0x412098 GetCurrentProcess
0x41209c UnhandledExceptionFilter
0x4120a0 SetUnhandledExceptionFilter
0x4120a4 IsDebuggerPresent
0x4120a8 FreeEnvironmentStringsA
0x4120ac GetEnvironmentStrings
0x4120b0 FreeEnvironmentStringsW
0x4120b4 WideCharToMultiByte
0x4120b8 GetEnvironmentStringsW
0x4120bc SetHandleCount
0x4120c0 GetFileType
0x4120c4 GetStartupInfoA
0x4120c8 QueryPerformanceCounter
0x4120cc GetTickCount
0x4120d0 GetCurrentProcessId
0x4120d4 GetSystemTimeAsFileTime
0x4120d8 GetCPInfo
0x4120dc GetOEMCP
0x4120e0 IsValidCodePage
0x4120e4 InitializeCriticalSectionAndSpinCount
0x4120e8 HeapSize
0x4120ec LCMapStringA
0x4120f0 MultiByteToWideChar
0x4120f4 LCMapStringW
0x4120f8 GetStringTypeA
0x4120fc GetStringTypeW
0x412100 GetLocaleInfoA
GDI32.DLL
0x46e664 ImproveFramework
0x46e668 ReconfigureElement
0x46e66c ModifyEndpoint
0x46e670 UpdateFramework
0x46e674 AdjustProtocol
USER32.DLL
0x46e67c DeactivateElement
0x46e680 ModifyOperation
0x46e684 InnovateConfiguration
0x46e688 StreamlineInstrument
0x46e68c ImproveElement
ADVAPI32.DLL
0x46e694 ReconstructCapability
0x46e698 BuildConfiguration
0x46e69c AdjustProtocol
0x46e6a0 ReconfigureResource
0x46e6a4 EnhanceProtocol
0x46e6a8 ModifyFramework
0x46e6ac ModifyOperation
EAT(Export Address Table) is none