Field | Value |
---|---|
Created | 2024.06.01 08:53 |
Machine | s1_win7_x6401 |
Filename | WxWorkMultiOpen.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 23 detected (AIDetectMalware, malicious, moderate confidence, score, BadFile, Unsafe, Save, Attribute, HighConfidence, Artemis, Generic@AI, RDML, RovDt5c8miygP7OCA115CQ, Generic ML PUA, Znyonm, Casdet, ZexaF, iuW@a0fNK4di, confidence) |
md5 | 2ddfe23a170af97ebbfe8ccc260ef462 |
sha256 | 56149c2caa7e4b648802d12d51fcd0d6523640925b44524d5261f193e7e217d6 |
ssdeep | 3072:WVgniPw13ewPXAFFOCpOiAiZNYF4sn3zckV/N+Ag0FujTXfh9v2Vht:WVgnwotoFF1pWaNYKsnFEAOBJ2Vht |
imphash | 198cae56a522dac5925be33cafddc4a6 |
impfuzzy | 24:mDlOJvlq08zzBMUlcpVWZteS17M3JBl39XoEOovbO3kPvbEZHu9paBMI1/FzN:dAzncpVcteS17MPpZc30nQ/9N |
Network IP location
Signature (4cnts)
Level | Description |
---|---|
warning | File has been identified by 23 AntiVirus engines on VirusTotal as malicious |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Searches running processes potentially to identify processes for sandbox evasion |
info | This executable has a PDB path |
Rules (7cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x41601c GetProcAddress
0x416020 VirtualAllocEx
0x416024 CreateRemoteThread
0x416028 VirtualFree
0x41602c VirtualAlloc
0x416030 DuplicateHandle
0x416034 MultiByteToWideChar
0x416038 CreateProcessW
0x41603c GetModuleFileNameW
0x416040 GetCurrentDirectoryA
0x416044 CloseHandle
0x416048 WideCharToMultiByte
0x41604c lstrcmpA
0x416050 Sleep
0x416054 CreateFileW
0x416058 Process32FirstW
0x41605c Process32NextW
0x416060 GetLastError
0x416064 CreateToolhelp32Snapshot
0x416068 OpenProcess
0x41606c GetModuleHandleA
0x416070 GetCurrentProcess
0x416074 HeapSize
0x416078 SetFilePointerEx
0x41607c WriteProcessMemory
0x416080 GetFileSizeEx
0x416084 GetConsoleMode
0x416088 GetConsoleOutputCP
0x41608c FlushFileBuffers
0x416090 EnterCriticalSection
0x416094 LeaveCriticalSection
0x416098 InitializeCriticalSectionEx
0x41609c DeleteCriticalSection
0x4160a0 EncodePointer
0x4160a4 DecodePointer
0x4160a8 GetStringTypeW
0x4160ac GetCPInfo
0x4160b0 UnhandledExceptionFilter
0x4160b4 SetUnhandledExceptionFilter
0x4160b8 TerminateProcess
0x4160bc IsProcessorFeaturePresent
0x4160c0 QueryPerformanceCounter
0x4160c4 GetCurrentProcessId
0x4160c8 GetCurrentThreadId
0x4160cc GetSystemTimeAsFileTime
0x4160d0 InitializeSListHead
0x4160d4 IsDebuggerPresent
0x4160d8 GetStartupInfoW
0x4160dc GetModuleHandleW
0x4160e0 RtlUnwind
0x4160e4 RaiseException
0x4160e8 SetLastError
0x4160ec InitializeCriticalSectionAndSpinCount
0x4160f0 TlsAlloc
0x4160f4 TlsGetValue
0x4160f8 TlsSetValue
0x4160fc TlsFree
0x416100 FreeLibrary
0x416104 LoadLibraryExW
0x416108 GetStdHandle
0x41610c WriteFile
0x416110 ExitProcess
0x416114 GetModuleHandleExW
0x416118 GetCommandLineA
0x41611c GetCommandLineW
0x416120 HeapAlloc
0x416124 HeapFree
0x416128 CompareStringW
0x41612c LCMapStringW
0x416130 GetFileType
0x416134 HeapReAlloc
0x416138 FindClose
0x41613c FindFirstFileExW
0x416140 FindNextFileW
0x416144 IsValidCodePage
0x416148 GetACP
0x41614c GetOEMCP
0x416150 GetEnvironmentStringsW
0x416154 FreeEnvironmentStringsW
0x416158 SetEnvironmentVariableW
0x41615c SetStdHandle
0x416160 GetProcessHeap
0x416164 WriteConsoleW
ADVAPI32.dll
0x416000 AdjustTokenPrivileges
0x416004 RegCloseKey
0x416008 RegOpenKeyExW
0x41600c RegQueryValueExW
0x416010 LookupPrivilegeValueW
0x416014 OpenProcessToken
EAT (Export Address Table): none