ScreenShot
| Created | 2024.02.08 08:02 | Machine | s1_win7_x6401 |
| Filename | RUN.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | 1b8ceba270bcec714babe5a0862ef028 | ||
| sha256 | 3c38a9a5311b54cc70a2fa2c8ce11b9b0e539a4af490521eaaa174fb928a4095 | ||
| ssdeep | 384:45oKDQckRKDVbJapdKDGPGAPur1EYuKiaEx7hFKDGPGAIpEKDVbJrkiKDQ:Kz90PGtiYuKiaEDZPGv9 | ||
| imphash | 75f5fb4f557e495942156692dd4b4940 | ||
| impfuzzy | 24:n9w/wzjlwgOlVAukx3TTLnzEWFNmQ+1hwfG7gG+JTSwC:nq/wzZwgw+x3TTNFNml1hw+7gBJTSwC | ||
Network IP location
Signature (21cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| watch | Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Poweshell is sending data to a remote host |
| notice | URL downloaded by powershell script |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PowerShell | PowerShell script | scripts |
PE API
IAT(Import Address Table) Library
MSVBVM60.DLL
0x401000 _CIcos
0x401004 _adj_fptan
0x401008 __vbaVarMove
0x40100c __vbaFreeVar
0x401010 __vbaLenBstr
0x401014 __vbaFreeVarList
0x401018 _adj_fdiv_m64
0x40101c None
0x401020 _adj_fprem1
0x401024 __vbaStrCat
0x401028 _adj_fdiv_m32
0x40102c _adj_fdiv_m16i
0x401030 _adj_fdivr_m16i
0x401034 _CIsin
0x401038 None
0x40103c __vbaChkstk
0x401040 EVENT_SINK_AddRef
0x401044 __vbaObjVar
0x401048 _adj_fpatan
0x40104c EVENT_SINK_Release
0x401050 _CIsqrt
0x401054 EVENT_SINK_QueryInterface
0x401058 __vbaExceptHandler
0x40105c None
0x401060 _adj_fprem
0x401064 _adj_fdivr_m64
0x401068 None
0x40106c __vbaFPException
0x401070 __vbaStrVarVal
0x401074 None
0x401078 _CIlog
0x40107c __vbaErrorOverflow
0x401080 _adj_fdiv_m32i
0x401084 _adj_fdivr_m32i
0x401088 __vbaStrCopy
0x40108c __vbaFreeStrList
0x401090 _adj_fdivr_m32
0x401094 _adj_fdiv_r
0x401098 None
0x40109c __vbaVarSetVar
0x4010a0 __vbaLateMemCall
0x4010a4 __vbaVarAdd
0x4010a8 _CIatan
0x4010ac __vbaStrMove
0x4010b0 _allmul
0x4010b4 _CItan
0x4010b8 _CIexp
0x4010bc __vbaFreeStr
EAT(Export Address Table) is none
MSVBVM60.DLL
0x401000 _CIcos
0x401004 _adj_fptan
0x401008 __vbaVarMove
0x40100c __vbaFreeVar
0x401010 __vbaLenBstr
0x401014 __vbaFreeVarList
0x401018 _adj_fdiv_m64
0x40101c None
0x401020 _adj_fprem1
0x401024 __vbaStrCat
0x401028 _adj_fdiv_m32
0x40102c _adj_fdiv_m16i
0x401030 _adj_fdivr_m16i
0x401034 _CIsin
0x401038 None
0x40103c __vbaChkstk
0x401040 EVENT_SINK_AddRef
0x401044 __vbaObjVar
0x401048 _adj_fpatan
0x40104c EVENT_SINK_Release
0x401050 _CIsqrt
0x401054 EVENT_SINK_QueryInterface
0x401058 __vbaExceptHandler
0x40105c None
0x401060 _adj_fprem
0x401064 _adj_fdivr_m64
0x401068 None
0x40106c __vbaFPException
0x401070 __vbaStrVarVal
0x401074 None
0x401078 _CIlog
0x40107c __vbaErrorOverflow
0x401080 _adj_fdiv_m32i
0x401084 _adj_fdivr_m32i
0x401088 __vbaStrCopy
0x40108c __vbaFreeStrList
0x401090 _adj_fdivr_m32
0x401094 _adj_fdiv_r
0x401098 None
0x40109c __vbaVarSetVar
0x4010a0 __vbaLateMemCall
0x4010a4 __vbaVarAdd
0x4010a8 _CIatan
0x4010ac __vbaStrMove
0x4010b0 _allmul
0x4010b4 _CItan
0x4010b8 _CIexp
0x4010bc __vbaFreeStr
EAT(Export Address Table) is none