ScreenShot
| Created | 2024.06.01 08:31 | Machine | s1_win7_x6401 |
| Filename | setup.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 36 detected (AIDetectMalware, malicious, high confidence, score, Neoreklami, Graftor, Save, TrojanX, Tasker, CLASSIC, R002C0PEV24, moderate, Generic ML PUA, Outbreak, Detected, gtsph, ai score=86, Neoreblamy, Eldorado, ZexaF, @tW@aauFwcf, Static AI, Malicious SFX, susgen, grayware, confidence) | ||
| md5 | 89052e2c020f8f6f5287e10d134f0bd1 | ||
| sha256 | 164f70b0cec79bf164f0f98d48881ea213bc102ece7e6cf4fc60f50a775a32a3 | ||
| ssdeep | 196608:91O6+t8QqYo3W+/5rfhXte7sTa/E7sA7WZUS1yZoZ7I:3O638oGalLtTqZb1D5I | ||
| imphash | 3786a4cf8bfee8b4821db03449141df4 | ||
| impfuzzy | 48:oAUXy6Uy6U0wt8tAkSej5SU/Svn6GK/gRIA+MeQAcj2AqLJf+cYq989ZOwOo0lMr:oAwmdMexcj2rlf+nqSH7b0lMMQj | ||
Network IP location
Signature (27cnts)
| Level | Description |
|---|---|
| danger | Disables Windows Security features |
| danger | File has been identified by 36 AntiVirus engines on VirusTotal as malicious |
| watch | Checks the version of Bios |
| watch | Creates a suspicious Powershell process |
| watch | Detects VirtualBox using WNetGetProviderName trick |
| watch | One or more non-whitelisted processes were created |
| watch | Powershell script adds registry entries |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Executes one or more WMI queries |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | WaitFor has been invoked (possibly to delay malicious activity) |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PowerShell | PowerShell script | scripts |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
OLEAUT32.dll
0x41b190 VariantClear
0x41b194 SysAllocString
USER32.dll
0x41b1a4 SendMessageA
0x41b1a8 SetTimer
0x41b1ac DialogBoxParamW
0x41b1b0 DialogBoxParamA
0x41b1b4 SetWindowLongA
0x41b1b8 GetWindowLongA
0x41b1bc SetWindowTextW
0x41b1c0 LoadIconA
0x41b1c4 LoadStringW
0x41b1c8 LoadStringA
0x41b1cc CharUpperW
0x41b1d0 CharUpperA
0x41b1d4 DestroyWindow
0x41b1d8 EndDialog
0x41b1dc PostMessageA
0x41b1e0 ShowWindow
0x41b1e4 MessageBoxW
0x41b1e8 GetDlgItem
0x41b1ec KillTimer
0x41b1f0 SetWindowTextA
SHELL32.dll
0x41b19c ShellExecuteExA
KERNEL32.dll
0x41b000 GetStringTypeW
0x41b004 GetStringTypeA
0x41b008 LCMapStringW
0x41b00c LCMapStringA
0x41b010 InterlockedIncrement
0x41b014 InterlockedDecrement
0x41b018 GetProcAddress
0x41b01c GetOEMCP
0x41b020 GetACP
0x41b024 GetCPInfo
0x41b028 IsBadCodePtr
0x41b02c IsBadReadPtr
0x41b030 GetFileType
0x41b034 SetHandleCount
0x41b038 GetEnvironmentStringsW
0x41b03c GetEnvironmentStrings
0x41b040 FreeEnvironmentStringsW
0x41b044 FreeEnvironmentStringsA
0x41b048 UnhandledExceptionFilter
0x41b04c HeapSize
0x41b050 GetCurrentProcess
0x41b054 TerminateProcess
0x41b058 IsBadWritePtr
0x41b05c HeapCreate
0x41b060 HeapDestroy
0x41b064 GetEnvironmentVariableA
0x41b068 SetUnhandledExceptionFilter
0x41b06c TlsAlloc
0x41b070 ExitProcess
0x41b074 GetVersion
0x41b078 GetCommandLineA
0x41b07c GetStartupInfoA
0x41b080 GetModuleHandleA
0x41b084 WaitForSingleObject
0x41b088 CloseHandle
0x41b08c CreateProcessA
0x41b090 SetCurrentDirectoryA
0x41b094 GetCommandLineW
0x41b098 GetVersionExA
0x41b09c LeaveCriticalSection
0x41b0a0 EnterCriticalSection
0x41b0a4 DeleteCriticalSection
0x41b0a8 MultiByteToWideChar
0x41b0ac WideCharToMultiByte
0x41b0b0 GetLastError
0x41b0b4 LoadLibraryA
0x41b0b8 AreFileApisANSI
0x41b0bc GetModuleFileNameA
0x41b0c0 GetModuleFileNameW
0x41b0c4 LocalFree
0x41b0c8 FormatMessageA
0x41b0cc FormatMessageW
0x41b0d0 GetWindowsDirectoryA
0x41b0d4 SetFileTime
0x41b0d8 CreateFileW
0x41b0dc SetLastError
0x41b0e0 SetFileAttributesA
0x41b0e4 RemoveDirectoryA
0x41b0e8 SetFileAttributesW
0x41b0ec RemoveDirectoryW
0x41b0f0 CreateDirectoryA
0x41b0f4 CreateDirectoryW
0x41b0f8 DeleteFileA
0x41b0fc DeleteFileW
0x41b100 lstrlenA
0x41b104 GetFullPathNameA
0x41b108 GetFullPathNameW
0x41b10c GetCurrentDirectoryA
0x41b110 GetTempPathA
0x41b114 GetTempFileNameA
0x41b118 FindClose
0x41b11c FindFirstFileA
0x41b120 FindFirstFileW
0x41b124 FindNextFileA
0x41b128 CreateFileA
0x41b12c GetFileSize
0x41b130 SetFilePointer
0x41b134 ReadFile
0x41b138 WriteFile
0x41b13c SetEndOfFile
0x41b140 GetStdHandle
0x41b144 WaitForMultipleObjects
0x41b148 Sleep
0x41b14c VirtualAlloc
0x41b150 VirtualFree
0x41b154 CreateEventA
0x41b158 SetEvent
0x41b15c ResetEvent
0x41b160 InitializeCriticalSection
0x41b164 RtlUnwind
0x41b168 RaiseException
0x41b16c HeapAlloc
0x41b170 HeapFree
0x41b174 HeapReAlloc
0x41b178 CreateThread
0x41b17c GetCurrentThreadId
0x41b180 TlsSetValue
0x41b184 TlsGetValue
0x41b188 ExitThread
EAT(Export Address Table) is none
OLEAUT32.dll
0x41b190 VariantClear
0x41b194 SysAllocString
USER32.dll
0x41b1a4 SendMessageA
0x41b1a8 SetTimer
0x41b1ac DialogBoxParamW
0x41b1b0 DialogBoxParamA
0x41b1b4 SetWindowLongA
0x41b1b8 GetWindowLongA
0x41b1bc SetWindowTextW
0x41b1c0 LoadIconA
0x41b1c4 LoadStringW
0x41b1c8 LoadStringA
0x41b1cc CharUpperW
0x41b1d0 CharUpperA
0x41b1d4 DestroyWindow
0x41b1d8 EndDialog
0x41b1dc PostMessageA
0x41b1e0 ShowWindow
0x41b1e4 MessageBoxW
0x41b1e8 GetDlgItem
0x41b1ec KillTimer
0x41b1f0 SetWindowTextA
SHELL32.dll
0x41b19c ShellExecuteExA
KERNEL32.dll
0x41b000 GetStringTypeW
0x41b004 GetStringTypeA
0x41b008 LCMapStringW
0x41b00c LCMapStringA
0x41b010 InterlockedIncrement
0x41b014 InterlockedDecrement
0x41b018 GetProcAddress
0x41b01c GetOEMCP
0x41b020 GetACP
0x41b024 GetCPInfo
0x41b028 IsBadCodePtr
0x41b02c IsBadReadPtr
0x41b030 GetFileType
0x41b034 SetHandleCount
0x41b038 GetEnvironmentStringsW
0x41b03c GetEnvironmentStrings
0x41b040 FreeEnvironmentStringsW
0x41b044 FreeEnvironmentStringsA
0x41b048 UnhandledExceptionFilter
0x41b04c HeapSize
0x41b050 GetCurrentProcess
0x41b054 TerminateProcess
0x41b058 IsBadWritePtr
0x41b05c HeapCreate
0x41b060 HeapDestroy
0x41b064 GetEnvironmentVariableA
0x41b068 SetUnhandledExceptionFilter
0x41b06c TlsAlloc
0x41b070 ExitProcess
0x41b074 GetVersion
0x41b078 GetCommandLineA
0x41b07c GetStartupInfoA
0x41b080 GetModuleHandleA
0x41b084 WaitForSingleObject
0x41b088 CloseHandle
0x41b08c CreateProcessA
0x41b090 SetCurrentDirectoryA
0x41b094 GetCommandLineW
0x41b098 GetVersionExA
0x41b09c LeaveCriticalSection
0x41b0a0 EnterCriticalSection
0x41b0a4 DeleteCriticalSection
0x41b0a8 MultiByteToWideChar
0x41b0ac WideCharToMultiByte
0x41b0b0 GetLastError
0x41b0b4 LoadLibraryA
0x41b0b8 AreFileApisANSI
0x41b0bc GetModuleFileNameA
0x41b0c0 GetModuleFileNameW
0x41b0c4 LocalFree
0x41b0c8 FormatMessageA
0x41b0cc FormatMessageW
0x41b0d0 GetWindowsDirectoryA
0x41b0d4 SetFileTime
0x41b0d8 CreateFileW
0x41b0dc SetLastError
0x41b0e0 SetFileAttributesA
0x41b0e4 RemoveDirectoryA
0x41b0e8 SetFileAttributesW
0x41b0ec RemoveDirectoryW
0x41b0f0 CreateDirectoryA
0x41b0f4 CreateDirectoryW
0x41b0f8 DeleteFileA
0x41b0fc DeleteFileW
0x41b100 lstrlenA
0x41b104 GetFullPathNameA
0x41b108 GetFullPathNameW
0x41b10c GetCurrentDirectoryA
0x41b110 GetTempPathA
0x41b114 GetTempFileNameA
0x41b118 FindClose
0x41b11c FindFirstFileA
0x41b120 FindFirstFileW
0x41b124 FindNextFileA
0x41b128 CreateFileA
0x41b12c GetFileSize
0x41b130 SetFilePointer
0x41b134 ReadFile
0x41b138 WriteFile
0x41b13c SetEndOfFile
0x41b140 GetStdHandle
0x41b144 WaitForMultipleObjects
0x41b148 Sleep
0x41b14c VirtualAlloc
0x41b150 VirtualFree
0x41b154 CreateEventA
0x41b158 SetEvent
0x41b15c ResetEvent
0x41b160 InitializeCriticalSection
0x41b164 RtlUnwind
0x41b168 RaiseException
0x41b16c HeapAlloc
0x41b170 HeapFree
0x41b174 HeapReAlloc
0x41b178 CreateThread
0x41b17c GetCurrentThreadId
0x41b180 TlsSetValue
0x41b184 TlsGetValue
0x41b188 ExitThread
EAT(Export Address Table) is none