Field | Value |
---|---|
Created | 2024.05.21 07:26 |
Machine | s1_win7_x6401 |
Filename | oiii.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | Not found |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 16 detected (malicious, high confidence, Artemis, CLASSIC, PSWTroj, Wacatac, Oader, Ogil) |
md5 | a59664f37c25edaa69c39a65490ed3a9 |
sha256 | 3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d |
ssdeep | 6144:Rj8KWXflIwycVYUcBrcisb765kohreOCSYA/U:+Kkfl3x0BrcdEkoWCc |
imphash | b5464cd11a888f8c2431f32a12ac9b22 |
impfuzzy | 24:dPf3jo/JFlcc+9JBldDBu02tMS1dgG59XoQjM+WvkZxCpOovbOPZw1:tf2ic+JEtMS1dgG5ZgkZn3e1 |
Signature (18cnts)
Level | Description |
---|---|
watch | Deletes a large number of files from the system indicative of ransomware |
watch | File has been identified by 16 AntiVirus engines on VirusTotal as malicious |
watch | Uses suspicious command line tools or Windows utilities |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process oiii.exe |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | This executable has a PDB path |
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | HermeticWiper_Zero | HermeticWiper | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | icon_file_format | icon file format | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PNG_Format_Zero | PNG Format | binaries (download) |
Network (5cnts)
Suricata ids
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY PE EXE or DLL Windows file download HTTP
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x14002c000 SetInformationJobObject
0x14002c008 QueryInformationJobObject
0x14002c010 ReleaseSemaphore
0x14002c018 AssignProcessToJobObject
0x14002c020 GetModuleFileNameW
0x14002c028 CreateJobObjectW
0x14002c030 CreateMutexA
0x14002c038 WaitForSingleObject
0x14002c040 ReleaseMutex
0x14002c048 OpenSemaphoreA
0x14002c050 GetTempPathA
0x14002c058 GetLastError
0x14002c060 CloseHandle
0x14002c068 GetLocalTime
0x14002c070 CreateProcessW
0x14002c078 GetModuleHandleW
0x14002c080 CreateDirectoryA
0x14002c088 GetExitCodeProcess
0x14002c090 SetEndOfFile
0x14002c098 MultiByteToWideChar
0x14002c0a0 WideCharToMultiByte
0x14002c0a8 GetStringTypeW
0x14002c0b0 EnterCriticalSection
0x14002c0b8 LeaveCriticalSection
0x14002c0c0 DeleteCriticalSection
0x14002c0c8 SetLastError
0x14002c0d0 InitializeCriticalSectionAndSpinCount
0x14002c0d8 SwitchToThread
0x14002c0e0 TlsAlloc
0x14002c0e8 TlsGetValue
0x14002c0f0 TlsSetValue
0x14002c0f8 TlsFree
0x14002c100 GetSystemTimeAsFileTime
0x14002c108 GetProcAddress
0x14002c110 EncodePointer
0x14002c118 DecodePointer
0x14002c120 LCMapStringW
0x14002c128 GetLocaleInfoW
0x14002c130 GetCPInfo
0x14002c138 RtlCaptureContext
0x14002c140 RtlLookupFunctionEntry
0x14002c148 RtlVirtualUnwind
0x14002c150 UnhandledExceptionFilter
0x14002c158 SetUnhandledExceptionFilter
0x14002c160 GetCurrentProcess
0x14002c168 TerminateProcess
0x14002c170 IsProcessorFeaturePresent
0x14002c178 QueryPerformanceCounter
0x14002c180 GetCurrentProcessId
0x14002c188 GetCurrentThreadId
0x14002c190 InitializeSListHead
0x14002c198 IsDebuggerPresent
0x14002c1a0 GetStartupInfoW
0x14002c1a8 RtlPcToFileHeader
0x14002c1b0 RaiseException
0x14002c1b8 RtlUnwindEx
0x14002c1c0 FreeLibrary
0x14002c1c8 LoadLibraryExW
0x14002c1d0 GetStdHandle
0x14002c1d8 WriteFile
0x14002c1e0 ExitProcess
0x14002c1e8 GetModuleHandleExW
0x14002c1f0 HeapAlloc
0x14002c1f8 FlushFileBuffers
0x14002c200 GetConsoleCP
0x14002c208 GetConsoleMode
0x14002c210 HeapFree
0x14002c218 GetFileSizeEx
0x14002c220 SetFilePointerEx
0x14002c228 GetFileType
0x14002c230 IsValidLocale
0x14002c238 GetUserDefaultLCID
0x14002c240 EnumSystemLocalesW
0x14002c248 ReadFile
0x14002c250 ReadConsoleW
0x14002c258 HeapReAlloc
0x14002c260 FindClose
0x14002c268 FindFirstFileExW
0x14002c270 FindNextFileW
0x14002c278 IsValidCodePage
0x14002c280 GetACP
0x14002c288 GetOEMCP
0x14002c290 GetCommandLineA
0x14002c298 GetCommandLineW
0x14002c2a0 GetEnvironmentStringsW
0x14002c2a8 FreeEnvironmentStringsW
0x14002c2b0 SetStdHandle
0x14002c2b8 GetProcessHeap
0x14002c2c0 CreateFileW
0x14002c2c8 HeapSize
0x14002c2d0 WriteConsoleW
0x14002c2d8 RtlUnwind
EAT (Export Address Table): none