Field | Value |
---|---|
Created | 2023.11.21 07:57 |
Machine | s1_win7_x6403 |
Filename | hvupdater12.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 53 detected (AIDetectMalware, Crysan, GenericKD, Artemis, Save, Kryptik, malicious, Attribute, HighConfidence, high confidence, HUAJ, kdvnyc, PWSX, Gencirc, PackedNET, high, score, Static AI, Malicious PE, ai score=87, Znyonm, Detected, ABRisk, LZMT, hsyn, HeurC, KVMH008, AAET, ZgRAT, HPCXEK, R622793, ZexaF, FyY@a8IxLto, unsafe, Chgt, jrfVwNkjbiN, Zenpak, confidence, 100%) |
md5 | 68392cd3b6d0900a123e3c474737a068 |
sha256 | ebb20ee3f9c28aa7e7a1fe1cdc8371c56a17f2f17bf8d98139fea30915e2be0f |
ssdeep | 12288:sqDRPOurL2/zntKd8TeaqZiKi4ZZTbnTCWSuEfDSjEITXEbbkVKB:PDRP5P2/zMaqZiKdTIuy4obbkVKB |
imphash | 2fd03c0e50677cbfe09966e474b427b5 |
impfuzzy | 48:NFQcfzdHeMc+jsJel2hlPb2+tPVClzSs6ctihkAvDl:8cfzd+Mc+jsJel2hlPb2mIlf0l |
Network IP location
Signature (16 counts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 53 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Uses Windows APIs to generate a cryptographic key |
Rules (6 counts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
Note on the listing below: the KERNEL32.dll block is the usual MSVC C-runtime startup set plus the calls a self-unpacking stub needs (VirtualAlloc, VirtualProtect, LoadLibraryA, GetProcAddress) and IsDebuggerPresent, which is consistent with the packer and anti-debug signatures above. The NTDLL.DLL and USER32.DLL blocks, resolved from a separate address range (0x4786fc onward), list names such as PersonalizeEndpoint and ReconfigureComponent that neither library exports; read that descriptor as a fabricated or obfuscated import table, not as evidence of what the sample calls at runtime. The real API set is expected to be resolved dynamically after unpacking.
KERNEL32.dll
0x40b000 TzSpecificLocalTimeToSystemTime
0x40b004 WaitForSingleObject
0x40b008 Sleep
0x40b00c CreateThread
0x40b010 lstrlenW
0x40b014 VirtualProtect
0x40b018 GetProcAddress
0x40b01c LoadLibraryA
0x40b020 VirtualAlloc
0x40b024 GetModuleHandleA
0x40b028 FreeConsole
0x40b02c GetLastError
0x40b030 HeapFree
0x40b034 HeapAlloc
0x40b038 GetCommandLineA
0x40b03c HeapCreate
0x40b040 VirtualFree
0x40b044 DeleteCriticalSection
0x40b048 LeaveCriticalSection
0x40b04c EnterCriticalSection
0x40b050 HeapReAlloc
0x40b054 GetModuleHandleW
0x40b058 ExitProcess
0x40b05c WriteFile
0x40b060 GetStdHandle
0x40b064 GetModuleFileNameA
0x40b068 SetUnhandledExceptionFilter
0x40b06c FreeEnvironmentStringsA
0x40b070 GetEnvironmentStrings
0x40b074 FreeEnvironmentStringsW
0x40b078 WideCharToMultiByte
0x40b07c GetEnvironmentStringsW
0x40b080 SetHandleCount
0x40b084 GetFileType
0x40b088 GetStartupInfoA
0x40b08c TlsGetValue
0x40b090 TlsAlloc
0x40b094 TlsSetValue
0x40b098 TlsFree
0x40b09c InterlockedIncrement
0x40b0a0 SetLastError
0x40b0a4 GetCurrentThreadId
0x40b0a8 InterlockedDecrement
0x40b0ac QueryPerformanceCounter
0x40b0b0 GetTickCount
0x40b0b4 GetCurrentProcessId
0x40b0b8 GetSystemTimeAsFileTime
0x40b0bc TerminateProcess
0x40b0c0 GetCurrentProcess
0x40b0c4 UnhandledExceptionFilter
0x40b0c8 IsDebuggerPresent
0x40b0cc InitializeCriticalSectionAndSpinCount
0x40b0d0 RtlUnwind
0x40b0d4 GetCPInfo
0x40b0d8 GetACP
0x40b0dc GetOEMCP
0x40b0e0 IsValidCodePage
0x40b0e4 HeapSize
0x40b0e8 GetLocaleInfoA
0x40b0ec LCMapStringA
0x40b0f0 MultiByteToWideChar
0x40b0f4 LCMapStringW
0x40b0f8 GetStringTypeA
0x40b0fc GetStringTypeW
NTDLL.DLL
0x4786fc PersonalizeEndpoint
0x478700 StreamlineCapability
0x478704 ModifyArtifact
0x478708 RefineComponent
0x47870c AdjustObject
0x478710 DeactivateComponent
0x478714 PersonalizeInstrument
0x478718 PersonalizeEndpoint
0x47871c EnhanceFramework
0x478720 ModernizeCapability
0x478724 AdjustInstrument
0x478728 OverhaulObject
0x47872c BuildInstrument
0x478730 AdjustEndpoint
0x478734 UpdateConfiguration
USER32.DLL
0x47873c ReconfigureComponent
0x478740 ModifyConfiguration
0x478744 EnhanceEndpoint
0x478748 EnhancePart
0x47874c StreamlineInstrument
0x478750 ModernizeOperation
0x478754 AdjustLayer
0x478758 RefineFramework
0x47875c ModifyProtocol
0x478760 RefinePart
0x478764 BuildCapability
0x478768 RefineObject
EAT (Export Address Table): none
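The md5, sha256 and imphash values in the header are the indicators a practitioner would check a suspect file against, and the imphash is derived directly from an import listing like the one above. The following Python is an added example, not part of the sandbox report or of any tool the report was produced with: it hashes a file, normalises (dll, function) pairs the way pefile's get_imphash() does, and reports which of the report's indicators match. The indicator values are copied from the report; the sample import list and the demo file contents are constructed for illustration. Recomputing the report's actual imphash requires parsing the full import table of the binary (for example with pefile), which this block does not do.

```python
"""Check a file against the indicators listed in the report and show how an
imphash is built from an import listing. Added example, not report code."""
import hashlib
import tempfile
from typing import Iterable, Tuple

# Indicator values copied from the report header.
REPORT_IOCS = {
    "md5": "68392cd3b6d0900a123e3c474737a068",
    "sha256": "ebb20ee3f9c28aa7e7a1fe1cdc8371c56a17f2f17bf8d98139fea30915e2be0f",
    "imphash": "2fd03c0e50677cbfe09966e474b427b5",
}


def hash_bytes(data: bytes) -> dict:
    """md5 and sha256 of an in-memory buffer."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_hashes(path: str) -> dict:
    """Stream the file in 1 MiB chunks so large samples need not fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def imphash_string(imports: Iterable[Tuple[str, str]]) -> str:
    """Normalise (dll, function) pairs as pefile's get_imphash() does:
    lower-case both, strip a .dll/.ocx/.sys extension, join as 'lib.func'
    and keep import-table order. Assumption: every import is by name;
    ordinal-only imports would need pefile's ordinal lookup tables."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports: Iterable[Tuple[str, str]]) -> str:
    """MD5 over the comma-joined normalised import string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def match_iocs(observed: dict) -> dict:
    """For each report indicator, True if the observed value equals it."""
    return {k: observed.get(k) == v for k, v in REPORT_IOCS.items()}


# Constructed sample input: the first few KERNEL32.dll entries from the IAT
# listing above plus one of the non-existent NTDLL names, to show that the
# hash is taken over whatever the import table claims, real or not.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "TzSpecificLocalTimeToSystemTime"),
    ("KERNEL32.dll", "WaitForSingleObject"),
    ("KERNEL32.dll", "VirtualProtect"),
    ("NTDLL.DLL", "PersonalizeEndpoint"),
]

if __name__ == "__main__":
    # Constructed demo file (not the sample) written to a temp path.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(b"MZ constructed demo content, not the analysed sample")
        demo_path = tmp.name
    observed = file_hashes(demo_path)
    observed["imphash"] = imphash(SAMPLE_IMPORTS)
    print("normalised imports:", imphash_string(SAMPLE_IMPORTS))
    print("observed:", observed)
    print("matches report:", match_iocs(observed))
```

Run it against a real file by replacing the temporary demo path; a True for sha256 is a definitive match, while an imphash match alone only says the import table is identical and is the weaker, build-level signal.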