ScreenShot
Field | Value |
---|---|
Created | 2024.04.01 07:37 |
Machine | s1_win7_x6401 |
Filename | awpH6iP7gCYM.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
ZERO API | file : malware |
md5 | 91aaa299c33ba5714ae1d0fe91caad64 |
sha256 | 81866ba9249d43503a4905a8df592e577b341c74515eba7e16981d0e959234a7 |
ssdeep | 12288:3efvxlWpC0EvHB7PAJ3lQ1kQCCEa04nOoHHKH2G++SxWvN6ie:OXjWM0cYfQ1LCBaOon22G++SxWV6ie |
imphash | 167afe77d4c7c7c2076ad00416cf39fc |
impfuzzy | 24:/IJbFrXjDjpD5KVMlj0jE6GNu9AL9mZbvnWgjTu5XWk/Kb52XGtvxCBc+pl39zJK:/8rX0S96/WV9WMXGtv4Bc+ppZJS39E0 |
Signature (18cnts)
Level | Description |
---|---|
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | The process powershell.exe wrote an executable file to disk |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Uses Windows APIs to generate a cryptographic key |
Rules (41cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
Network (0cnts)
PE API
IAT (Import Address Table) Library
crypt.dll
0x140038358 BCryptGenRandom
ADVAPI32.dll
0x140038000 SystemFunction036
KERNEL32.dll
0x140038010 InitializeSListHead
0x140038018 CloseHandle
0x140038020 Sleep
0x140038028 SetLastError
0x140038030 GetLastError
0x140038038 AddVectoredExceptionHandler
0x140038040 SetThreadStackGuarantee
0x140038048 GetProcessHeap
0x140038050 HeapAlloc
0x140038058 HeapFree
0x140038060 HeapReAlloc
0x140038068 GetModuleHandleA
0x140038070 GetProcAddress
0x140038078 GetCurrentThread
0x140038080 TryAcquireSRWLockExclusive
0x140038088 ReleaseSRWLockExclusive
0x140038090 GetStdHandle
0x140038098 GetConsoleMode
0x1400380a0 WaitForSingleObject
0x1400380a8 MultiByteToWideChar
0x1400380b0 WriteConsoleW
0x1400380b8 WaitForSingleObjectEx
0x1400380c0 LoadLibraryA
0x1400380c8 GetCurrentProcessId
0x1400380d0 CreateMutexA
0x1400380d8 GetCurrentProcess
0x1400380e0 ReleaseMutex
0x1400380e8 GetEnvironmentVariableW
0x1400380f0 RtlLookupFunctionEntry
0x1400380f8 GetModuleHandleW
0x140038100 FormatMessageW
0x140038108 GetTempPathW
0x140038110 CreateFileW
0x140038118 GetFullPathNameW
0x140038120 GetEnvironmentStringsW
0x140038128 FreeEnvironmentStringsW
0x140038130 CompareStringOrdinal
0x140038138 GetModuleFileNameW
0x140038140 GetSystemDirectoryW
0x140038148 GetWindowsDirectoryW
0x140038150 AcquireSRWLockExclusive
0x140038158 CreateProcessW
0x140038160 GetFileAttributesW
0x140038168 DuplicateHandle
0x140038170 CreateThread
0x140038178 CreateNamedPipeW
0x140038180 ReadFileEx
0x140038188 SleepEx
0x140038190 WriteFileEx
0x140038198 GetCurrentDirectoryW
0x1400381a0 RtlCaptureContext
0x1400381a8 AcquireSRWLockShared
0x1400381b0 ReleaseSRWLockShared
0x1400381b8 SetFilePointerEx
0x1400381c0 GetConsoleOutputCP
0x1400381c8 QueryPerformanceCounter
0x1400381d0 GetCurrentThreadId
0x1400381d8 GetSystemTimeAsFileTime
0x1400381e0 RtlVirtualUnwind
0x1400381e8 IsDebuggerPresent
0x1400381f0 UnhandledExceptionFilter
0x1400381f8 SetUnhandledExceptionFilter
0x140038200 GetStartupInfoW
0x140038208 IsProcessorFeaturePresent
0x140038210 RtlUnwindEx
0x140038218 EncodePointer
0x140038220 RaiseException
0x140038228 EnterCriticalSection
0x140038230 LeaveCriticalSection
0x140038238 DeleteCriticalSection
0x140038240 InitializeCriticalSectionAndSpinCount
0x140038248 TlsAlloc
0x140038250 TlsGetValue
0x140038258 TlsSetValue
0x140038260 TlsFree
0x140038268 FreeLibrary
0x140038270 LoadLibraryExW
0x140038278 RtlPcToFileHeader
0x140038280 WriteFile
0x140038288 ExitProcess
0x140038290 TerminateProcess
0x140038298 GetModuleHandleExW
0x1400382a0 GetCommandLineA
0x1400382a8 GetCommandLineW
0x1400382b0 FindClose
0x1400382b8 FindFirstFileExW
0x1400382c0 FindNextFileW
0x1400382c8 IsValidCodePage
0x1400382d0 GetACP
0x1400382d8 GetOEMCP
0x1400382e0 GetCPInfo
0x1400382e8 WideCharToMultiByte
0x1400382f0 SetEnvironmentVariableW
0x1400382f8 SetStdHandle
0x140038300 GetFileType
0x140038308 GetStringTypeW
0x140038310 FlsAlloc
0x140038318 FlsGetValue
0x140038320 FlsSetValue
0x140038328 FlsFree
0x140038330 CompareStringW
0x140038338 LCMapStringW
0x140038340 HeapSize
0x140038348 FlushFileBuffers
ntdll.dll
0x140038368 NtWriteFile
0x140038370 RtlNtStatusToDosError
EAT (Export Address Table): none