ScreenShot
| Created | 2023.12.11 19:18 | Machine | s1_win7_x6401 |
| Filename | notepad.exe | ||
| Type | PE32+ executable (console) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 9 detected (AIDetectMalware, Malicious, Znyonm, CLOUD, ShellCodeF, confidence) | ||
| md5 | 1b89434edfa3a2a42b84a396ce4cb4b1 | ||
| sha256 | b244335bd56cc95ec18f0fdb1d353950161bec53b41daf3f07ee64dad9bdc890 | ||
| ssdeep | 98304:4gpcSgORBchpR75WpawLnn/zzSJZw2LwCXh4u:9cSBeCKJZu4 | ||
| imphash | 0cc2bb40da3ec52de191bea02a52b2f5 | ||
| impfuzzy | 96:NCW5W6ttEX7CAqnmkzc+blxQa6KXHCwJGJRqtWbxr:wW5W6tteuAO4JctWp | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| watch | The process powershell.exe wrote an executable file to disk |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | File has been identified by 9 AntiVirus engines on VirusTotal as malicious |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (10cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x4fc698 OpenProcessToken
0x4fc6a0 SystemFunction036
crypt.dll
0x4fc6b0 BCryptGenRandom
KERNEL32.dll
0x4fc6c0 AcquireSRWLockExclusive
0x4fc6c8 AcquireSRWLockShared
0x4fc6d0 AddVectoredExceptionHandler
0x4fc6d8 CancelIo
0x4fc6e0 CloseHandle
0x4fc6e8 CompareStringOrdinal
0x4fc6f0 CopyFileExW
0x4fc6f8 CreateDirectoryW
0x4fc700 CreateEventW
0x4fc708 CreateFileMappingA
0x4fc710 CreateFileW
0x4fc718 CreateHardLinkW
0x4fc720 CreateMutexA
0x4fc728 CreateNamedPipeW
0x4fc730 CreateProcessW
0x4fc738 CreateSymbolicLinkW
0x4fc740 CreateThread
0x4fc748 CreateToolhelp32Snapshot
0x4fc750 DeleteCriticalSection
0x4fc758 DeleteFileW
0x4fc760 DeviceIoControl
0x4fc768 DuplicateHandle
0x4fc770 EnterCriticalSection
0x4fc778 ExitProcess
0x4fc780 FindClose
0x4fc788 FindFirstFileW
0x4fc790 FindNextFileW
0x4fc798 FlushFileBuffers
0x4fc7a0 FormatMessageW
0x4fc7a8 FreeEnvironmentStringsW
0x4fc7b0 GetCommandLineW
0x4fc7b8 GetConsoleMode
0x4fc7c0 GetCurrentDirectoryW
0x4fc7c8 GetCurrentProcess
0x4fc7d0 GetCurrentProcessId
0x4fc7d8 GetCurrentThread
0x4fc7e0 GetCurrentThreadId
0x4fc7e8 GetEnvironmentStringsW
0x4fc7f0 GetEnvironmentVariableW
0x4fc7f8 GetExitCodeProcess
0x4fc800 GetFileAttributesW
0x4fc808 GetFileInformationByHandle
0x4fc810 GetFileInformationByHandleEx
0x4fc818 GetFileType
0x4fc820 GetFinalPathNameByHandleW
0x4fc828 GetFullPathNameW
0x4fc830 GetLastError
0x4fc838 GetModuleFileNameW
0x4fc840 GetModuleHandleA
0x4fc848 GetModuleHandleW
0x4fc850 GetOverlappedResult
0x4fc858 GetProcAddress
0x4fc860 GetProcessHeap
0x4fc868 GetProcessId
0x4fc870 GetStartupInfoA
0x4fc878 GetStdHandle
0x4fc880 GetSystemDirectoryW
0x4fc888 GetSystemInfo
0x4fc890 GetSystemTimeAsFileTime
0x4fc898 GetTempPathW
0x4fc8a0 GetTickCount
0x4fc8a8 GetWindowsDirectoryW
0x4fc8b0 HeapAlloc
0x4fc8b8 HeapFree
0x4fc8c0 HeapReAlloc
0x4fc8c8 InitOnceBeginInitialize
0x4fc8d0 InitOnceComplete
0x4fc8d8 InitializeCriticalSection
0x4fc8e0 LeaveCriticalSection
0x4fc8e8 LoadLibraryA
0x4fc8f0 MapViewOfFile
0x4fc8f8 Module32FirstW
0x4fc900 Module32NextW
0x4fc908 MoveFileExW
0x4fc910 MultiByteToWideChar
0x4fc918 QueryPerformanceCounter
0x4fc920 QueryPerformanceFrequency
0x4fc928 RaiseException
0x4fc930 ReadConsoleW
0x4fc938 ReadFile
0x4fc940 ReadFileEx
0x4fc948 ReleaseMutex
0x4fc950 ReleaseSRWLockExclusive
0x4fc958 ReleaseSRWLockShared
0x4fc960 RemoveDirectoryW
0x4fc968 RtlAddFunctionTable
0x4fc970 RtlCaptureContext
0x4fc978 RtlLookupFunctionEntry
0x4fc980 RtlUnwindEx
0x4fc988 RtlVirtualUnwind
0x4fc990 SetCurrentDirectoryW
0x4fc998 SetEnvironmentVariableW
0x4fc9a0 SetFileAttributesW
0x4fc9a8 SetFileInformationByHandle
0x4fc9b0 SetFilePointerEx
0x4fc9b8 SetFileTime
0x4fc9c0 SetHandleInformation
0x4fc9c8 SetLastError
0x4fc9d0 SetThreadStackGuarantee
0x4fc9d8 SetUnhandledExceptionFilter
0x4fc9e0 Sleep
0x4fc9e8 SleepConditionVariableSRW
0x4fc9f0 SleepEx
0x4fc9f8 SwitchToThread
0x4fca00 TerminateProcess
0x4fca08 TlsAlloc
0x4fca10 TlsFree
0x4fca18 TlsGetValue
0x4fca20 TlsSetValue
0x4fca28 TryAcquireSRWLockExclusive
0x4fca30 UnhandledExceptionFilter
0x4fca38 UnmapViewOfFile
0x4fca40 VirtualProtect
0x4fca48 VirtualQuery
0x4fca50 WaitForMultipleObjects
0x4fca58 WaitForSingleObject
0x4fca60 WaitForSingleObjectEx
0x4fca68 WakeAllConditionVariable
0x4fca70 WakeConditionVariable
0x4fca78 WideCharToMultiByte
0x4fca80 WriteConsoleW
0x4fca88 WriteFileEx
0x4fca90 __C_specific_handler
msvcrt.dll
0x4fcaa0 __getmainargs
0x4fcaa8 __initenv
0x4fcab0 __iob_func
0x4fcab8 __lconv_init
0x4fcac0 __set_app_type
0x4fcac8 __setusermatherr
0x4fcad0 _acmdln
0x4fcad8 _amsg_exit
0x4fcae0 _cexit
0x4fcae8 _fmode
0x4fcaf0 _fpreset
0x4fcaf8 _initterm
0x4fcb00 _onexit
0x4fcb08 abort
0x4fcb10 calloc
0x4fcb18 exit
0x4fcb20 fprintf
0x4fcb28 free
0x4fcb30 fwrite
0x4fcb38 malloc
0x4fcb40 memcmp
0x4fcb48 memcpy
0x4fcb50 memmove
0x4fcb58 memset
0x4fcb60 signal
0x4fcb68 strlen
0x4fcb70 strncmp
0x4fcb78 vfprintf
ntdll.dll
0x4fcb88 NtCreateFile
0x4fcb90 NtReadFile
0x4fcb98 NtWriteFile
0x4fcba0 RtlNtStatusToDosError
USERENV.dll
0x4fcbb0 GetUserProfileDirectoryW
WS2_32.dll
0x4fcbc0 WSACleanup
0x4fcbc8 WSADuplicateSocketW
0x4fcbd0 WSAGetLastError
0x4fcbd8 WSARecv
0x4fcbe0 WSASend
0x4fcbe8 WSASocketW
0x4fcbf0 WSAStartup
0x4fcbf8 accept
0x4fcc00 ind
0x4fcc08 closesocket
0x4fcc10 connect
0x4fcc18 freeaddrinfo
0x4fcc20 getaddrinfo
0x4fcc28 getpeername
0x4fcc30 getsockname
0x4fcc38 getsockopt
0x4fcc40 ioctlsocket
0x4fcc48 listen
0x4fcc50 recv
0x4fcc58 recvfrom
0x4fcc60 select
0x4fcc68 send
0x4fcc70 sendto
0x4fcc78 setsockopt
0x4fcc80 shutdown
EAT(Export Address Table) is none
ADVAPI32.dll
0x4fc698 OpenProcessToken
0x4fc6a0 SystemFunction036
crypt.dll
0x4fc6b0 BCryptGenRandom
KERNEL32.dll
0x4fc6c0 AcquireSRWLockExclusive
0x4fc6c8 AcquireSRWLockShared
0x4fc6d0 AddVectoredExceptionHandler
0x4fc6d8 CancelIo
0x4fc6e0 CloseHandle
0x4fc6e8 CompareStringOrdinal
0x4fc6f0 CopyFileExW
0x4fc6f8 CreateDirectoryW
0x4fc700 CreateEventW
0x4fc708 CreateFileMappingA
0x4fc710 CreateFileW
0x4fc718 CreateHardLinkW
0x4fc720 CreateMutexA
0x4fc728 CreateNamedPipeW
0x4fc730 CreateProcessW
0x4fc738 CreateSymbolicLinkW
0x4fc740 CreateThread
0x4fc748 CreateToolhelp32Snapshot
0x4fc750 DeleteCriticalSection
0x4fc758 DeleteFileW
0x4fc760 DeviceIoControl
0x4fc768 DuplicateHandle
0x4fc770 EnterCriticalSection
0x4fc778 ExitProcess
0x4fc780 FindClose
0x4fc788 FindFirstFileW
0x4fc790 FindNextFileW
0x4fc798 FlushFileBuffers
0x4fc7a0 FormatMessageW
0x4fc7a8 FreeEnvironmentStringsW
0x4fc7b0 GetCommandLineW
0x4fc7b8 GetConsoleMode
0x4fc7c0 GetCurrentDirectoryW
0x4fc7c8 GetCurrentProcess
0x4fc7d0 GetCurrentProcessId
0x4fc7d8 GetCurrentThread
0x4fc7e0 GetCurrentThreadId
0x4fc7e8 GetEnvironmentStringsW
0x4fc7f0 GetEnvironmentVariableW
0x4fc7f8 GetExitCodeProcess
0x4fc800 GetFileAttributesW
0x4fc808 GetFileInformationByHandle
0x4fc810 GetFileInformationByHandleEx
0x4fc818 GetFileType
0x4fc820 GetFinalPathNameByHandleW
0x4fc828 GetFullPathNameW
0x4fc830 GetLastError
0x4fc838 GetModuleFileNameW
0x4fc840 GetModuleHandleA
0x4fc848 GetModuleHandleW
0x4fc850 GetOverlappedResult
0x4fc858 GetProcAddress
0x4fc860 GetProcessHeap
0x4fc868 GetProcessId
0x4fc870 GetStartupInfoA
0x4fc878 GetStdHandle
0x4fc880 GetSystemDirectoryW
0x4fc888 GetSystemInfo
0x4fc890 GetSystemTimeAsFileTime
0x4fc898 GetTempPathW
0x4fc8a0 GetTickCount
0x4fc8a8 GetWindowsDirectoryW
0x4fc8b0 HeapAlloc
0x4fc8b8 HeapFree
0x4fc8c0 HeapReAlloc
0x4fc8c8 InitOnceBeginInitialize
0x4fc8d0 InitOnceComplete
0x4fc8d8 InitializeCriticalSection
0x4fc8e0 LeaveCriticalSection
0x4fc8e8 LoadLibraryA
0x4fc8f0 MapViewOfFile
0x4fc8f8 Module32FirstW
0x4fc900 Module32NextW
0x4fc908 MoveFileExW
0x4fc910 MultiByteToWideChar
0x4fc918 QueryPerformanceCounter
0x4fc920 QueryPerformanceFrequency
0x4fc928 RaiseException
0x4fc930 ReadConsoleW
0x4fc938 ReadFile
0x4fc940 ReadFileEx
0x4fc948 ReleaseMutex
0x4fc950 ReleaseSRWLockExclusive
0x4fc958 ReleaseSRWLockShared
0x4fc960 RemoveDirectoryW
0x4fc968 RtlAddFunctionTable
0x4fc970 RtlCaptureContext
0x4fc978 RtlLookupFunctionEntry
0x4fc980 RtlUnwindEx
0x4fc988 RtlVirtualUnwind
0x4fc990 SetCurrentDirectoryW
0x4fc998 SetEnvironmentVariableW
0x4fc9a0 SetFileAttributesW
0x4fc9a8 SetFileInformationByHandle
0x4fc9b0 SetFilePointerEx
0x4fc9b8 SetFileTime
0x4fc9c0 SetHandleInformation
0x4fc9c8 SetLastError
0x4fc9d0 SetThreadStackGuarantee
0x4fc9d8 SetUnhandledExceptionFilter
0x4fc9e0 Sleep
0x4fc9e8 SleepConditionVariableSRW
0x4fc9f0 SleepEx
0x4fc9f8 SwitchToThread
0x4fca00 TerminateProcess
0x4fca08 TlsAlloc
0x4fca10 TlsFree
0x4fca18 TlsGetValue
0x4fca20 TlsSetValue
0x4fca28 TryAcquireSRWLockExclusive
0x4fca30 UnhandledExceptionFilter
0x4fca38 UnmapViewOfFile
0x4fca40 VirtualProtect
0x4fca48 VirtualQuery
0x4fca50 WaitForMultipleObjects
0x4fca58 WaitForSingleObject
0x4fca60 WaitForSingleObjectEx
0x4fca68 WakeAllConditionVariable
0x4fca70 WakeConditionVariable
0x4fca78 WideCharToMultiByte
0x4fca80 WriteConsoleW
0x4fca88 WriteFileEx
0x4fca90 __C_specific_handler
msvcrt.dll
0x4fcaa0 __getmainargs
0x4fcaa8 __initenv
0x4fcab0 __iob_func
0x4fcab8 __lconv_init
0x4fcac0 __set_app_type
0x4fcac8 __setusermatherr
0x4fcad0 _acmdln
0x4fcad8 _amsg_exit
0x4fcae0 _cexit
0x4fcae8 _fmode
0x4fcaf0 _fpreset
0x4fcaf8 _initterm
0x4fcb00 _onexit
0x4fcb08 abort
0x4fcb10 calloc
0x4fcb18 exit
0x4fcb20 fprintf
0x4fcb28 free
0x4fcb30 fwrite
0x4fcb38 malloc
0x4fcb40 memcmp
0x4fcb48 memcpy
0x4fcb50 memmove
0x4fcb58 memset
0x4fcb60 signal
0x4fcb68 strlen
0x4fcb70 strncmp
0x4fcb78 vfprintf
ntdll.dll
0x4fcb88 NtCreateFile
0x4fcb90 NtReadFile
0x4fcb98 NtWriteFile
0x4fcba0 RtlNtStatusToDosError
USERENV.dll
0x4fcbb0 GetUserProfileDirectoryW
WS2_32.dll
0x4fcbc0 WSACleanup
0x4fcbc8 WSADuplicateSocketW
0x4fcbd0 WSAGetLastError
0x4fcbd8 WSARecv
0x4fcbe0 WSASend
0x4fcbe8 WSASocketW
0x4fcbf0 WSAStartup
0x4fcbf8 accept
0x4fcc00 ind
0x4fcc08 closesocket
0x4fcc10 connect
0x4fcc18 freeaddrinfo
0x4fcc20 getaddrinfo
0x4fcc28 getpeername
0x4fcc30 getsockname
0x4fcc38 getsockopt
0x4fcc40 ioctlsocket
0x4fcc48 listen
0x4fcc50 recv
0x4fcc58 recvfrom
0x4fcc60 select
0x4fcc68 send
0x4fcc70 sendto
0x4fcc78 setsockopt
0x4fcc80 shutdown
EAT(Export Address Table) is none