ScreenShot
| Created | 2024.01.13 19:09 | Machine | s1_win7_x6403 |
| Filename | mimi.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 7 detected (AIDetectMalware, Malicious, Generic@AI, RDML, ZlEyDMG7KKT34oKkEdD94A, gtuig, Casdet, grayware, confidence) | ||
| md5 | ef6177c0e5d8029c6de12f79aa21f7bc | ||
| sha256 | 5d10bfafc1a4af520431a31fa71ada83906661973fa5836a0a855ac5f800db21 | ||
| ssdeep | 384:EPUntRqbKOHPZDu6rdcFmrgkUKbEDSX1jIVL6kM7NsHl6j/fr7o:mIrqVSmwKbED3V2kM7NmlKXI | ||
| imphash | 9a54687f9a5b39af8944d1cdf0863f3a | ||
| impfuzzy | 96:nMS1g6dMbsciKGqjPzU318fFEfOopTgDlZ7NH2nW8ZPK6idEvOWMNgwcj9Pj3lQQ:PkSnp3eGPj3lQQ | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| watch | Expresses interest in specific running processes |
| watch | One or more non-whitelisted processes were created |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | File has been identified by 7 AntiVirus engines on VirusTotal as malicious |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | This executable has a PDB path |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PowerShell | PowerShell script | scripts |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x404000 CreateFileW
0x404004 CreateToolhelp32Snapshot
0x404008 Process32NextW
0x40400c Process32FirstW
0x404010 SetUnhandledExceptionFilter
0x404014 GetCurrentProcess
0x404018 TerminateProcess
0x40401c IsProcessorFeaturePresent
0x404020 QueryPerformanceCounter
0x404024 GetCurrentProcessId
0x404028 GetCurrentThreadId
0x40402c GetSystemTimeAsFileTime
0x404030 InitializeSListHead
0x404034 IsDebuggerPresent
0x404038 GetModuleHandleW
0x40403c UnhandledExceptionFilter
MSVCP140.dll
0x404044 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
0x404048 ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z
0x40404c ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ
0x404050 ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
0x404054 ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
0x404058 ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEXXZ
0x40405c ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ
0x404060 ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ
0x404064 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
0x404068 ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
0x40406c ?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@_W@Z
0x404070 ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
0x404074 ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
0x404078 ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
0x40407c ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
0x404080 ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ
0x404084 ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
0x404088 ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z
0x40408c ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z
0x404090 ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z
0x404094 ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
0x404098 ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z
0x40409c ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
0x4040a0 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
0x4040a4 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z
0x4040a8 ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
0x4040ac ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z
0x4040b0 ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ
0x4040b4 ?getloc@ios_base@std@@QBE?AVlocale@2@XZ
0x4040b8 ?_Getcat@?$ctype@_W@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
0x4040bc ?widen@?$ctype@_W@std@@QBE_WD@Z
0x4040c0 ??Bid@locale@std@@QAEIXZ
0x4040c4 ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z
0x4040c8 ?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QBE_WD@Z
0x4040cc ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z
0x4040d0 ?_Xlength_error@std@@YAXPBD@Z
0x4040d4 ?id@?$ctype@_W@std@@2V0locale@2@A
0x4040d8 ?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
0x4040dc ?uncaught_exception@std@@YA_NXZ
0x4040e0 ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
0x4040e4 ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
0x4040e8 ??0_Lockit@std@@QAE@H@Z
0x4040ec ??1_Lockit@std@@QAE@XZ
0x4040f0 ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z
0x4040f4 ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z
VCRUNTIME140.dll
0x4040fc __current_exception
0x404100 __current_exception_context
0x404104 memset
0x404108 _except_handler4_common
0x40410c __std_terminate
0x404110 __std_exception_copy
0x404114 __std_exception_destroy
0x404118 __CxxFrameHandler3
0x40411c _CxxThrowException
0x404120 memmove
0x404124 memcpy
api-ms-win-crt-string-l1-1-0.dll
0x4041b4 _wcsicmp
api-ms-win-crt-runtime-l1-1-0.dll
0x404150 _initterm
0x404154 _initialize_onexit_table
0x404158 _register_onexit_function
0x40415c _crt_atexit
0x404160 _cexit
0x404164 _exit
0x404168 _controlfp_s
0x40416c terminate
0x404170 _get_initial_narrow_environment
0x404174 _initialize_narrow_environment
0x404178 _register_thread_local_exe_atexit_callback
0x40417c _initterm_e
0x404180 _configure_narrow_argv
0x404184 __p___argv
0x404188 _c_exit
0x40418c __p___argc
0x404190 _set_app_type
0x404194 _seh_filter_exe
0x404198 exit
0x40419c _invalid_parameter_noinfo_noreturn
0x4041a0 system
api-ms-win-crt-heap-l1-1-0.dll
0x40412c malloc
0x404130 free
0x404134 _callnewh
0x404138 _set_new_mode
api-ms-win-crt-math-l1-1-0.dll
0x404148 __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll
0x4041a8 __p__commode
0x4041ac _set_fmode
api-ms-win-crt-locale-l1-1-0.dll
0x404140 _configthreadlocale
EAT(Export Address Table) is none
KERNEL32.dll
0x404000 CreateFileW
0x404004 CreateToolhelp32Snapshot
0x404008 Process32NextW
0x40400c Process32FirstW
0x404010 SetUnhandledExceptionFilter
0x404014 GetCurrentProcess
0x404018 TerminateProcess
0x40401c IsProcessorFeaturePresent
0x404020 QueryPerformanceCounter
0x404024 GetCurrentProcessId
0x404028 GetCurrentThreadId
0x40402c GetSystemTimeAsFileTime
0x404030 InitializeSListHead
0x404034 IsDebuggerPresent
0x404038 GetModuleHandleW
0x40403c UnhandledExceptionFilter
MSVCP140.dll
0x404044 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
0x404048 ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z
0x40404c ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ
0x404050 ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
0x404054 ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
0x404058 ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEXXZ
0x40405c ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ
0x404060 ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ
0x404064 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
0x404068 ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
0x40406c ?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@_W@Z
0x404070 ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
0x404074 ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
0x404078 ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
0x40407c ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
0x404080 ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ
0x404084 ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
0x404088 ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z
0x40408c ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z
0x404090 ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z
0x404094 ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
0x404098 ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z
0x40409c ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
0x4040a0 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
0x4040a4 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z
0x4040a8 ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
0x4040ac ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z
0x4040b0 ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ
0x4040b4 ?getloc@ios_base@std@@QBE?AVlocale@2@XZ
0x4040b8 ?_Getcat@?$ctype@_W@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
0x4040bc ?widen@?$ctype@_W@std@@QBE_WD@Z
0x4040c0 ??Bid@locale@std@@QAEIXZ
0x4040c4 ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z
0x4040c8 ?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QBE_WD@Z
0x4040cc ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z
0x4040d0 ?_Xlength_error@std@@YAXPBD@Z
0x4040d4 ?id@?$ctype@_W@std@@2V0locale@2@A
0x4040d8 ?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
0x4040dc ?uncaught_exception@std@@YA_NXZ
0x4040e0 ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
0x4040e4 ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
0x4040e8 ??0_Lockit@std@@QAE@H@Z
0x4040ec ??1_Lockit@std@@QAE@XZ
0x4040f0 ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z
0x4040f4 ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z
VCRUNTIME140.dll
0x4040fc __current_exception
0x404100 __current_exception_context
0x404104 memset
0x404108 _except_handler4_common
0x40410c __std_terminate
0x404110 __std_exception_copy
0x404114 __std_exception_destroy
0x404118 __CxxFrameHandler3
0x40411c _CxxThrowException
0x404120 memmove
0x404124 memcpy
api-ms-win-crt-string-l1-1-0.dll
0x4041b4 _wcsicmp
api-ms-win-crt-runtime-l1-1-0.dll
0x404150 _initterm
0x404154 _initialize_onexit_table
0x404158 _register_onexit_function
0x40415c _crt_atexit
0x404160 _cexit
0x404164 _exit
0x404168 _controlfp_s
0x40416c terminate
0x404170 _get_initial_narrow_environment
0x404174 _initialize_narrow_environment
0x404178 _register_thread_local_exe_atexit_callback
0x40417c _initterm_e
0x404180 _configure_narrow_argv
0x404184 __p___argv
0x404188 _c_exit
0x40418c __p___argc
0x404190 _set_app_type
0x404194 _seh_filter_exe
0x404198 exit
0x40419c _invalid_parameter_noinfo_noreturn
0x4041a0 system
api-ms-win-crt-heap-l1-1-0.dll
0x40412c malloc
0x404130 free
0x404134 _callnewh
0x404138 _set_new_mode
api-ms-win-crt-math-l1-1-0.dll
0x404148 __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll
0x4041a8 __p__commode
0x4041ac _set_fmode
api-ms-win-crt-locale-l1-1-0.dll
0x404140 _configthreadlocale
EAT(Export Address Table) is none