Field | Value |
---|---|
Created | 2023.12.12 07:52 |
Machine | s1_win7_x6403 |
Filename | cp.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | |
md5 | 7603117e8e1611e887b8c6fccbdb9d4e |
sha256 | 04d6d3ec056f03179782070ab38d407197ff2e2fc5c943da11de18d0085b7f3b |
ssdeep | 98304:wCUQbcTwemgpj6KqG6F6MNl4or9cOFOoKc3lZsuavzeh/QYU+LR87CiFj4:HtbCLpjfqx/j9dF3livQ/Y4R87dq |
imphash | 379f1f8b44b71caf79408adefbc888c6 |
impfuzzy | 12:jJzLqTBIZuyHoQ5kBZGoQtXJxZGb9AJcDfA5kLfP9m:dzQwuIoQ58QtXJHc9NDI5Q8 |
Signature (16cnts)
Level | Description |
---|---|
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is likely packed with VMProtect |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (42cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
watch | VMProtect_Zero | VMProtect packed file | binaries (download) |
watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | Persistence | Install itself for autorun at Windows startup | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0xc84000 GetLastError
USER32.dll
0xc84008 SetClipboardData
ADVAPI32.dll
0xc84010 RegSetValueExA
SHELL32.dll
0xc84018 ShellExecuteExW
ole32.dll
0xc84020 CoTaskMemFree
WTSAPI32.dll
0xc84028 WTSSendMessageW
KERNEL32.dll
0xc84030 VirtualQuery
USER32.dll
0xc84038 GetProcessWindowStation
KERNEL32.dll
0xc84040 LocalAlloc
0xc84044 LocalFree
0xc84048 GetModuleFileNameW
0xc8404c GetProcessAffinityMask
0xc84050 SetProcessAffinityMask
0xc84054 SetThreadAffinityMask
0xc84058 Sleep
0xc8405c ExitProcess
0xc84060 FreeLibrary
0xc84064 LoadLibraryA
0xc84068 GetModuleHandleA
0xc8406c GetProcAddress
USER32.dll
0xc84074 GetProcessWindowStation
0xc84078 GetUserObjectInformationW
EAT(Export Address Table) is none