ScreenShot
| Created | 2024.06.13 11:40 | Machine | s1_win7_x6401 |
| Filename | %E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956018.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 6 detected (malicious, high confidence, Detected, Sabsik) | ||
| md5 | 7d12d31bcf973c8e543610bce47f6bde | ||
| sha256 | 6b748bf5d80c1cb49f10bb72d07d310f0ec3a974d647848d762ce405acdcb07d | ||
| ssdeep | 3072:M/zTIW8A0wWU2X1FqDuRZPgI2w8hsva30JSK2ruOa5vJLXr1G48seWI:uTL8XwWWaIjX2kMJvOa5vJd8p | ||
| imphash | 66a76438aae4895269af9cbab80f4b40 | ||
| impfuzzy | 24:VmDaOOle0u//+1HRnlyv96J3XJT4NfjQzSgwd:+cu//+HK9aZcNfj+W | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Communicates with host for which no DNS query was performed |
| watch | Connects to an IRC server |
| watch | Creates a thread using CreateRemoteThread in a non-child process indicative of process injection |
| watch | Expresses interest in specific running processes |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | Network communications indicative of possible code injection originated from the process explorer.exe |
| watch | Potential code injection by writing to the memory of another process |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process %e7%9b%ae%e5%bd%95%e8%a1%a8%e6%a0%bc%e5%90%8d%e5%8d%956018.exe |
| notice | File has been identified by 6 AntiVirus engines on VirusTotal as malicious |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| info | One or more processes crashed |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
SURICATA Applayer Protocol detection skipped
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140007000 LoadLibraryW
0x140007008 GetProcAddress
0x140007010 GetCommandLineW
0x140007018 GetStartupInfoW
0x140007020 GetLastError
0x140007028 HeapFree
0x140007030 EncodePointer
0x140007038 DecodePointer
0x140007040 HeapAlloc
0x140007048 RaiseException
0x140007050 RtlPcToFileHeader
0x140007058 SetUnhandledExceptionFilter
0x140007060 GetModuleHandleW
0x140007068 ExitProcess
0x140007070 WriteFile
0x140007078 GetStdHandle
0x140007080 GetModuleFileNameW
0x140007088 RtlUnwindEx
0x140007090 FreeEnvironmentStringsW
0x140007098 GetEnvironmentStringsW
0x1400070a0 SetHandleCount
0x1400070a8 InitializeCriticalSectionAndSpinCount
0x1400070b0 GetFileType
0x1400070b8 DeleteCriticalSection
0x1400070c0 FlsGetValue
0x1400070c8 FlsSetValue
0x1400070d0 FlsFree
0x1400070d8 SetLastError
0x1400070e0 GetCurrentThreadId
0x1400070e8 FlsAlloc
0x1400070f0 HeapSetInformation
0x1400070f8 GetVersion
0x140007100 HeapCreate
0x140007108 QueryPerformanceCounter
0x140007110 GetTickCount
0x140007118 GetCurrentProcessId
0x140007120 GetSystemTimeAsFileTime
0x140007128 Sleep
0x140007130 HeapSize
0x140007138 LeaveCriticalSection
0x140007140 EnterCriticalSection
0x140007148 UnhandledExceptionFilter
0x140007150 IsDebuggerPresent
0x140007158 RtlVirtualUnwind
0x140007160 RtlLookupFunctionEntry
0x140007168 RtlCaptureContext
0x140007170 TerminateProcess
0x140007178 GetCurrentProcess
0x140007180 GetCPInfo
0x140007188 GetACP
0x140007190 GetOEMCP
0x140007198 IsValidCodePage
0x1400071a0 HeapReAlloc
0x1400071a8 WideCharToMultiByte
0x1400071b0 LCMapStringW
0x1400071b8 MultiByteToWideChar
0x1400071c0 GetStringTypeW
USER32.dll
0x1400071d0 MessageBoxW
EAT(Export Address Table) is none
KERNEL32.dll
0x140007000 LoadLibraryW
0x140007008 GetProcAddress
0x140007010 GetCommandLineW
0x140007018 GetStartupInfoW
0x140007020 GetLastError
0x140007028 HeapFree
0x140007030 EncodePointer
0x140007038 DecodePointer
0x140007040 HeapAlloc
0x140007048 RaiseException
0x140007050 RtlPcToFileHeader
0x140007058 SetUnhandledExceptionFilter
0x140007060 GetModuleHandleW
0x140007068 ExitProcess
0x140007070 WriteFile
0x140007078 GetStdHandle
0x140007080 GetModuleFileNameW
0x140007088 RtlUnwindEx
0x140007090 FreeEnvironmentStringsW
0x140007098 GetEnvironmentStringsW
0x1400070a0 SetHandleCount
0x1400070a8 InitializeCriticalSectionAndSpinCount
0x1400070b0 GetFileType
0x1400070b8 DeleteCriticalSection
0x1400070c0 FlsGetValue
0x1400070c8 FlsSetValue
0x1400070d0 FlsFree
0x1400070d8 SetLastError
0x1400070e0 GetCurrentThreadId
0x1400070e8 FlsAlloc
0x1400070f0 HeapSetInformation
0x1400070f8 GetVersion
0x140007100 HeapCreate
0x140007108 QueryPerformanceCounter
0x140007110 GetTickCount
0x140007118 GetCurrentProcessId
0x140007120 GetSystemTimeAsFileTime
0x140007128 Sleep
0x140007130 HeapSize
0x140007138 LeaveCriticalSection
0x140007140 EnterCriticalSection
0x140007148 UnhandledExceptionFilter
0x140007150 IsDebuggerPresent
0x140007158 RtlVirtualUnwind
0x140007160 RtlLookupFunctionEntry
0x140007168 RtlCaptureContext
0x140007170 TerminateProcess
0x140007178 GetCurrentProcess
0x140007180 GetCPInfo
0x140007188 GetACP
0x140007190 GetOEMCP
0x140007198 IsValidCodePage
0x1400071a0 HeapReAlloc
0x1400071a8 WideCharToMultiByte
0x1400071b0 LCMapStringW
0x1400071b8 MultiByteToWideChar
0x1400071c0 GetStringTypeW
USER32.dll
0x1400071d0 MessageBoxW
EAT(Export Address Table) is none