Field | Value |
---|---|
Created | 2024.04.03 07:27 |
Machine | s1_win7_x6403 |
Filename | sys.exe |
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 20 detected (AIDetectMalware, RisePro, malicious, high confidence, score, unsafe, Vdn4, Attribute, HighConfidence, Artemis, PSWTroj, Znyonm, ZexaF, cLW@a0NJdgj, Static AI, Malicious PE, confidence) |
md5 | a4702dad93dc851947aa6bd7b9652c46 |
sha256 | 2cd378dd3e9c3ddb6196c7c8a9dc1c88ecf74b2371f1394bd01ff37857a8c7d5 |
ssdeep | 24576:SyvFWZZO/TzAEuDtTVAxn+NZh0ocqB8J+zFX/DZCtkY:Tn+NZGolS+5/caY |
imphash | 9f16b23518724d32f6bdada66281f695 |
impfuzzy | 48:nlUMJJm6eFo+284I9QXiX1PnvZTXJGeJxNJlk1vm/GFqg5bIU9:n2MJJmJoH84I9QXiX1PvBJGeJxblmjqg |
Signature (34cnts)
Level | Description |
---|---|
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
warning | File has been identified by 20 AntiVirus engines on VirusTotal as malicious |
watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Attempts to create or modify system certificates |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client software |
watch | Installs itself for autorun at Windows startup |
watch | Uses Sysinternals tools in order to add additional command line functionality |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process sys.exe |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Looks up the external IP address |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PNG_Format_Zero | PNG Format | binaries (download) |
info | zip_file_format | ZIP file format | binaries (download) |
Network (7cnts)
Suricata IDs
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE RisePro CnC Activity (Outbound)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x506224 AddVectoredExceptionHandler
0x506228 CloseHandle
0x50622c CreateEventA
0x506230 CreateSemaphoreA
0x506234 DeleteCriticalSection
0x506238 DuplicateHandle
0x50623c EnterCriticalSection
0x506240 FreeConsole
0x506244 FreeLibrary
0x506248 GetConsoleWindow
0x50624c GetCurrentProcess
0x506250 GetCurrentProcessId
0x506254 GetCurrentThread
0x506258 GetCurrentThreadId
0x50625c GetHandleInformation
0x506260 GetLastError
0x506264 GetModuleHandleA
0x506268 GetModuleHandleW
0x50626c GetProcAddress
0x506270 GetProcessAffinityMask
0x506274 GetProcessHeap
0x506278 GetSystemTimeAsFileTime
0x50627c GetThreadContext
0x506280 GetThreadPriority
0x506284 GetTickCount64
0x506288 HeapAlloc
0x50628c HeapFree
0x506290 InitializeCriticalSection
0x506294 IsDBCSLeadByteEx
0x506298 IsDebuggerPresent
0x50629c LeaveCriticalSection
0x5062a0 LoadLibraryA
0x5062a4 LoadLibraryW
0x5062a8 MultiByteToWideChar
0x5062ac OpenProcess
0x5062b0 OutputDebugStringA
0x5062b4 RaiseException
0x5062b8 ReleaseSemaphore
0x5062bc RemoveVectoredExceptionHandler
0x5062c0 ResetEvent
0x5062c4 ResumeThread
0x5062c8 SetEvent
0x5062cc SetLastError
0x5062d0 SetProcessAffinityMask
0x5062d4 SetThreadContext
0x5062d8 SetThreadPriority
0x5062dc SetUnhandledExceptionFilter
0x5062e0 Sleep
0x5062e4 SuspendThread
0x5062e8 TlsAlloc
0x5062ec TlsGetValue
0x5062f0 TlsSetValue
0x5062f4 TryEnterCriticalSection
0x5062f8 VirtualFreeEx
0x5062fc VirtualProtect
0x506300 VirtualQuery
0x506304 WaitForMultipleObjects
0x506308 WaitForSingleObject
0x50630c WideCharToMultiByte
msvcrt.dll
0x506314 __getmainargs
0x506318 __initenv
0x50631c __mb_cur_max
0x506320 __p__commode
0x506324 __p__fmode
0x506328 __set_app_type
0x50632c __setusermatherr
0x506330 _amsg_exit
0x506334 _beginthreadex
0x506338 _cexit
0x50633c _endthreadex
0x506340 _errno
0x506344 _initterm
0x506348 _iob
0x50634c _lock
0x506350 _onexit
0x506354 _setjmp3
0x506358 _ultoa
0x50635c _unlock
0x506360 abort
0x506364 atoi
0x506368 calloc
0x50636c exit
0x506370 fprintf
0x506374 fputc
0x506378 fputs
0x50637c free
0x506380 fwrite
0x506384 getenv
0x506388 localeconv
0x50638c longjmp
0x506390 malloc
0x506394 memchr
0x506398 memcmp
0x50639c memcpy
0x5063a0 memmove
0x5063a4 memset
0x5063a8 printf
0x5063ac rand
0x5063b0 realloc
0x5063b4 setlocale
0x5063b8 signal
0x5063bc strchr
0x5063c0 strcmp
0x5063c4 strerror
0x5063c8 strlen
0x5063cc strncmp
0x5063d0 strstr
0x5063d4 strtoul
0x5063d8 vfprintf
0x5063dc wcslen
0x5063e0 _strdup
0x5063e4 _read
USER32.dll
0x5063ec CharUpperA
0x5063f0 SetWindowPos
EAT (Export Address Table): none