Field | Value |
---|---|
Created | 2024.06.01 09:01 |
Machine | s1_win7_x6401 |
Filename | ld.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 61 detected (Common, Mallox, malicious, high confidence, score, S33100643, NetLoader, Filecoder, Unsafe, Lazy, Behaviour, swkaa, Attribute, HighConfidence, Artemis, RansomX, Ransomware, knhmof, OutSider, CLASSIC, AGEN, hsdeh, Detected, CCCM, ABRisk, EOOZ, R648404, GdSda, IHsMoIPeGjo, Static AI, Suspicious PE, susgen, confidence, 100%) |
md5 | 71efe7a21da183c407682261612afc0f |
sha256 | 45a236e7aa80515aafb6c656c758faad6e77fb435b35bfa407aef3918212078d |
ssdeep | 6144:W0wmbI4/Z4SHvrxw6zaIST1w9wEPDasWxxsBhS37b8o6XCFyPwCMa6qnXxq/y:7zv66zaISTW9asWxxAh4IlXC4PUqBq/ |
imphash | cbe53f46121d600d26965890ee97a94a |
impfuzzy | 96:uCYVEMTjiImcsrEqFs1RtwW5lZBgPjY5jNc2K0PGLi:LeDvAVWsWD2YgB+ |
Signature (27cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 61 AntiVirus engines on VirusTotal as malicious |
watch | A process performed obfuscation on information about the computer or sent it to a remote location, indicative of CnC traffic/preparations. |
watch | Communicates with host for which no DNS query was performed |
watch | Creates known Hupigon files |
watch | Enumerates services |
watch | Modifies boot configuration settings |
watch | Runs bcdedit commands specific to ransomware |
watch | Uses suspicious command line tools or Windows utilities |
watch | Writes a potential ransom message to disk |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
Rules (8cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts)
Suricata ids
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET DROP Spamhaus DROP Listed Traffic Inbound group 14
ET POLICY External IP Lookup api.ipify.org
ET MALWARE Win32/Filecoder.OJC CnC Checkin
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1400530f8 TerminateThread
0x140053100 LoadLibraryA
0x140053108 CloseHandle
0x140053110 GetNativeSystemInfo
0x140053118 CreateThread
0x140053120 SetVolumeMountPointW
0x140053128 GetProcAddress
0x140053130 LocalFree
0x140053138 DeleteCriticalSection
0x140053140 ExitProcess
0x140053148 GetCurrentProcessId
0x140053150 GetModuleHandleW
0x140053158 CopyFileW
0x140053160 GetVolumePathNamesForVolumeNameW
0x140053168 lstrcpyW
0x140053170 SleepEx
0x140053178 GetDiskFreeSpaceExA
0x140053180 CreateEventA
0x140053188 FindNextVolumeW
0x140053190 lstrcmpiW
0x140053198 CreateIoCompletionPort
0x1400531a0 GetTickCount
0x1400531a8 lstrcmpW
0x1400531b0 GetDriveTypeW
0x1400531b8 GetComputerNameA
0x1400531c0 TerminateProcess
0x1400531c8 OpenProcess
0x1400531d0 CreateToolhelp32Snapshot
0x1400531d8 Process32NextW
0x1400531e0 QueryDosDeviceW
0x1400531e8 GetFinalPathNameByHandleW
0x1400531f0 K32GetModuleFileNameExW
0x1400531f8 DuplicateHandle
0x140053200 CreateEventW
0x140053208 GetWindowsDirectoryW
0x140053210 FindVolumeClose
0x140053218 GetFileType
0x140053220 GetTickCount64
0x140053228 GetCurrentThread
0x140053230 GetSystemTimeAsFileTime
0x140053238 ReadFile
0x140053240 GetFileSizeEx
0x140053248 SetEndOfFile
0x140053250 SetFileAttributesW
0x140053258 SetFilePointerEx
0x140053260 SleepConditionVariableCS
0x140053268 WakeConditionVariable
0x140053270 InitializeConditionVariable
0x140053278 GetSystemInfo
0x140053280 GlobalMemoryStatusEx
0x140053288 WriteConsoleW
0x140053290 ReadConsoleW
0x140053298 HeapSize
0x1400532a0 GetConsoleMode
0x1400532a8 GetConsoleOutputCP
0x1400532b0 FlushFileBuffers
0x1400532b8 GetDiskFreeSpaceExW
0x1400532c0 SetEvent
0x1400532c8 GetLastError
0x1400532d0 Sleep
0x1400532d8 MultiByteToWideChar
0x1400532e0 PostQueuedCompletionStatus
0x1400532e8 GetLocaleInfoA
0x1400532f0 GetModuleHandleA
0x1400532f8 GetCurrentThreadId
0x140053300 GetFileAttributesW
0x140053308 CreateFileW
0x140053310 WaitForSingleObject
0x140053318 FindClose
0x140053320 lstrlenA
0x140053328 GetQueuedCompletionStatus
0x140053330 SetErrorMode
0x140053338 InitializeCriticalSection
0x140053340 LeaveCriticalSection
0x140053348 WaitForMultipleObjects
0x140053350 GetModuleFileNameW
0x140053358 GetUserDefaultLangID
0x140053360 WriteFile
0x140053368 lstrlenW
0x140053370 GetCurrentProcess
0x140053378 FindNextFileW
0x140053380 GetCommandLineW
0x140053388 EnterCriticalSection
0x140053390 FindFirstVolumeW
0x140053398 FindFirstFileExW
0x1400533a0 GetLogicalDrives
0x1400533a8 MoveFileW
0x1400533b0 OutputDebugStringW
0x1400533b8 SetStdHandle
0x1400533c0 GetProcessHeap
0x1400533c8 FreeEnvironmentStringsW
0x1400533d0 GetEnvironmentStringsW
0x1400533d8 GetCommandLineA
0x1400533e0 GetOEMCP
0x1400533e8 GetACP
0x1400533f0 IsValidCodePage
0x1400533f8 EnumSystemLocalesW
0x140053400 GetUserDefaultLCID
0x140053408 IsValidLocale
0x140053410 GetLocaleInfoW
0x140053418 LCMapStringW
0x140053420 FlsFree
0x140053428 QueryPerformanceCounter
0x140053430 lstrcatW
0x140053438 FlsSetValue
0x140053440 FlsGetValue
0x140053448 FlsAlloc
0x140053450 HeapAlloc
0x140053458 HeapFree
0x140053460 HeapReAlloc
0x140053468 GetStdHandle
0x140053470 GetModuleHandleExW
0x140053478 LoadLibraryExW
0x140053480 FreeLibrary
0x140053488 TlsFree
0x140053490 TlsSetValue
0x140053498 RtlCaptureContext
0x1400534a0 RtlLookupFunctionEntry
0x1400534a8 RtlVirtualUnwind
0x1400534b0 UnhandledExceptionFilter
0x1400534b8 SetUnhandledExceptionFilter
0x1400534c0 IsProcessorFeaturePresent
0x1400534c8 ReleaseSRWLockExclusive
0x1400534d0 AcquireSRWLockExclusive
0x1400534d8 WakeAllConditionVariable
0x1400534e0 SleepConditionVariableSRW
0x1400534e8 IsDebuggerPresent
0x1400534f0 GetStartupInfoW
0x1400534f8 InitializeSListHead
0x140053500 GetStringTypeW
0x140053508 WideCharToMultiByte
0x140053510 InitializeCriticalSectionEx
0x140053518 EncodePointer
0x140053520 DecodePointer
0x140053528 LCMapStringEx
0x140053530 GetCPInfo
0x140053538 RtlUnwindEx
0x140053540 RtlPcToFileHeader
0x140053548 RaiseException
0x140053550 SetLastError
0x140053558 InitializeCriticalSectionAndSpinCount
0x140053560 TlsAlloc
0x140053568 TlsGetValue
USER32.dll
0x1400535f8 DefWindowProcW
0x140053600 GetCursorPos
0x140053608 CreateWindowExW
0x140053610 RegisterClassW
0x140053618 MessageBoxW
ADVAPI32.dll
0x140053000 OpenServiceW
0x140053008 CryptReleaseContext
0x140053010 OpenThreadToken
0x140053018 AllocateAndInitializeSid
0x140053020 SetEntriesInAclW
0x140053028 SetNamedSecurityInfoW
0x140053030 FreeSid
0x140053038 ControlService
0x140053040 EnumDependentServicesW
0x140053048 QueryServiceConfigW
0x140053050 ChangeServiceConfigW
0x140053058 EnumServicesStatusW
0x140053060 QueryServiceStatusEx
0x140053068 LookupPrivilegeValueW
0x140053070 AdjustTokenPrivileges
0x140053078 CreateServiceW
0x140053080 RegCloseKey
0x140053088 CryptAcquireContextW
0x140053090 CloseServiceHandle
0x140053098 RegQueryValueExA
0x1400530a0 CryptGenRandom
0x1400530a8 OpenSCManagerW
0x1400530b0 RegSetValueExW
0x1400530b8 OpenProcessToken
0x1400530c0 StartServiceW
0x1400530c8 RegOpenKeyExA
0x1400530d0 RegOpenKeyExW
0x1400530d8 GetTokenInformation
SHELL32.dll
0x140053590 CommandLineToArgvW
0x140053598 ShellExecuteW
crypt.dll
0x140053690 BCryptGenRandom
NETAPI32.dll
0x140053578 NetShareEnum
0x140053580 NetApiBufferFree
SHLWAPI.dll
0x1400535a8 wnsprintfA
0x1400535b0 StrCmpNIW
0x1400535b8 StrCmpNW
0x1400535c0 StrStrIW
0x1400535c8 PathFileExistsW
0x1400535d0 SHDeleteKeyW
0x1400535d8 UrlUnescapeA
0x1400535e0 UrlEscapeA
0x1400535e8 wnsprintfW
IPHLPAPI.DLL
0x1400530e8 GetIpNetTable
WS2_32.dll
0x140053680 inet_ntoa
WININET.dll
0x140053628 InternetQueryOptionW
0x140053630 HttpOpenRequestW
0x140053638 InternetOpenW
0x140053640 InternetCloseHandle
0x140053648 InternetConnectW
0x140053650 InternetSetOptionW
0x140053658 HttpSendRequestW
0x140053660 InternetCrackUrlW
0x140053668 InternetReadFile
0x140053670 InternetQueryDataAvailable
EAT(Export Address Table) is none