Field | Value |
---|---|
Created | 2023.12.11 19:53 |
Machine | s1_win7_x6403 |
Filename | autorun.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : mailcious |
VT API (file) | |
md5 | 5d5ec23ea161feec9ef9e619dfe2d2d4 |
sha256 | 91ebed23de3f93608b5ef767856ae4632c91b964f6e66a01eaa0bd5beb237452 |
ssdeep | 6144:jdXkQuUQb8pzeCTPZAk81FNvOcpLTpBeRY8OsHRGs:jd0QHL/ |
imphash | 1d4643eb641c675f46fd7eeac4073dc0 |
impfuzzy | 24:WjKNDogMjOovg/J3JKnktsQFQ8RyvDkRT4QfalWM:PMCHhts3DgcQfaIM |
Network IP location
Signature (7cnts)
Level | Description |
---|---|
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Communicates with host for which no DNS query was performed |
notice | Allocates read-write-execute memory (usually to unpack itself) |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Uses Windows APIs to generate a cryptographic key |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x415000 WaitForSingleObject
0x415004 Sleep
0x415008 CreateThread
0x41500c lstrlenW
0x415010 VirtualProtect
0x415014 GetProcAddress
0x415018 LoadLibraryA
0x41501c VirtualAlloc
0x415020 GetModuleHandleA
0x415024 FreeConsole
0x415028 RtlUnwind
0x41502c RaiseException
0x415030 GetCommandLineA
0x415034 GetModuleHandleW
0x415038 TlsGetValue
0x41503c TlsAlloc
0x415040 TlsSetValue
0x415044 TlsFree
0x415048 InterlockedIncrement
0x41504c SetLastError
0x415050 GetCurrentThreadId
0x415054 GetLastError
0x415058 InterlockedDecrement
0x41505c HeapFree
0x415060 HeapAlloc
0x415064 TerminateProcess
0x415068 GetCurrentProcess
0x41506c UnhandledExceptionFilter
0x415070 SetUnhandledExceptionFilter
0x415074 IsDebuggerPresent
0x415078 ExitProcess
0x41507c WriteFile
0x415080 GetStdHandle
0x415084 GetModuleFileNameA
0x415088 FreeEnvironmentStringsA
0x41508c GetEnvironmentStrings
0x415090 FreeEnvironmentStringsW
0x415094 WideCharToMultiByte
0x415098 GetEnvironmentStringsW
0x41509c SetHandleCount
0x4150a0 GetFileType
0x4150a4 GetStartupInfoA
0x4150a8 DeleteCriticalSection
0x4150ac HeapCreate
0x4150b0 VirtualFree
0x4150b4 QueryPerformanceCounter
0x4150b8 GetTickCount
0x4150bc GetCurrentProcessId
0x4150c0 GetSystemTimeAsFileTime
0x4150c4 GetCPInfo
0x4150c8 GetACP
0x4150cc GetOEMCP
0x4150d0 IsValidCodePage
0x4150d4 LeaveCriticalSection
0x4150d8 EnterCriticalSection
0x4150dc HeapReAlloc
0x4150e0 HeapSize
0x4150e4 InitializeCriticalSectionAndSpinCount
0x4150e8 LCMapStringA
0x4150ec MultiByteToWideChar
0x4150f0 LCMapStringW
0x4150f4 GetStringTypeA
0x4150f8 GetStringTypeW
0x4150fc GetLocaleInfoA
EAT (Export Address Table): none