ScreenShot
| Created | 2024.06.21 09:50 | Machine | s1_win7_x6403 |
| Filename | WezoAutoUP.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 51 detected (AIDetectMalware, lrP4, malicious, moderate confidence, score, AutoitDropper, Unsafe, V6xa, multiple detections, YahLover, AutoIt, Siggen5, R002C0PET24, high, Detected, CoinMiner, Hider, REXR@5364l6, Casdet, R2WKDE, IJBN, IMWorm, Sohanad, Chgt, Gajl, GenAsa, i9rai7w7, susgen, confidence, 100%) | ||
| md5 | 46748aff6fcab034d0affddc99c6d876 | ||
| sha256 | 82a9537d99a9ccc5c534dd87f642a7e77b594f7554c2ed7a32a1a9518634a42c | ||
| ssdeep | 6144:m68oipnnK9jqXEX52Ums+Tbxzbx9SmIqQyPodMUf8Dkzel6R8zHe1IH:WfnnK9zABs+TbFx9SXOPCf8DkqAR8zHB | ||
| imphash | 6058ac660564f64af764bdf1e4fe5d2b | ||
| impfuzzy | 12:VA/DzqYOZkKDD75maKxLAkcOcTQQnd3mxCHXT:V0DBaPD7VKxLAkcOs2k3T | ||
Network IP location
Signature (22cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
| watch | Creates an executable file in a user folder |
| watch | Deletes executed files from disk |
| watch | Installs itself for autorun at Windows startup |
| watch | Uses Sysinternals tools in order to add additional command line functionality |
| notice | An executable file was downloaded by the process wezoautoup.exe |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Expresses interest in specific running processes |
| notice | Performs some HTTP requests |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | The executable uses a known packer |
Rules (21cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | CoinMiner_IN | CoinMiner | binaries (download) |
| danger | CoinMiner_IN | CoinMiner | binaries (upload) |
| danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
| warning | AutoIt | autoit | binaries (download) |
| warning | AutoIt | autoit | binaries (upload) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| warning | Suspicious_Obfuscation_Script_2 | Suspicious obfuscation script (e.g. executable files) | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | MPRESS_Zero | MPRESS packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (17cnts) ?
Suricata ids
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
ET INFO AutoIt User Agent Executable Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO AutoIt User-Agent Downloading ZIP
ET INFO AutoIt User Agent Executable Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO AutoIt User-Agent Downloading ZIP
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x4cf18c LoadLibraryA
0x4cf190 GetProcAddress
0x4cf194 VirtualProtect
0x4cf198 VirtualAlloc
0x4cf19c VirtualFree
0x4cf1a0 ExitProcess
ADVAPI32.dll
0x4cf1a8 GetAce
COMCTL32.dll
0x4cf1b0 ImageList_Remove
COMDLG32.dll
0x4cf1b8 GetSaveFileNameW
GDI32.dll
0x4cf1c0 LineTo
MPR.dll
0x4cf1c8 WNetUseConnectionW
ole32.dll
0x4cf1d0 CoInitialize
OLEAUT32.dll
0x4cf1d8 SysFreeString
PSAPI.DLL
0x4cf1e0 EnumProcesses
SHELL32.dll
0x4cf1e8 DragFinish
USER32.dll
0x4cf1f0 GetDC
USERENV.dll
0x4cf1f8 LoadUserProfileW
VERSION.dll
0x4cf200 VerQueryValueW
WININET.dll
0x4cf208 FtpOpenFileW
WINMM.dll
0x4cf210 timeGetTime
WSOCK32.dll
0x4cf218 recv
EAT(Export Address Table) is none
KERNEL32.DLL
0x4cf18c LoadLibraryA
0x4cf190 GetProcAddress
0x4cf194 VirtualProtect
0x4cf198 VirtualAlloc
0x4cf19c VirtualFree
0x4cf1a0 ExitProcess
ADVAPI32.dll
0x4cf1a8 GetAce
COMCTL32.dll
0x4cf1b0 ImageList_Remove
COMDLG32.dll
0x4cf1b8 GetSaveFileNameW
GDI32.dll
0x4cf1c0 LineTo
MPR.dll
0x4cf1c8 WNetUseConnectionW
ole32.dll
0x4cf1d0 CoInitialize
OLEAUT32.dll
0x4cf1d8 SysFreeString
PSAPI.DLL
0x4cf1e0 EnumProcesses
SHELL32.dll
0x4cf1e8 DragFinish
USER32.dll
0x4cf1f0 GetDC
USERENV.dll
0x4cf1f8 LoadUserProfileW
VERSION.dll
0x4cf200 VerQueryValueW
WININET.dll
0x4cf208 FtpOpenFileW
WINMM.dll
0x4cf210 timeGetTime
WSOCK32.dll
0x4cf218 recv
EAT(Export Address Table) is none