ScreenShot
| Created | 2024.07.02 07:55 | Machine | s1_win7_x6403 |
| Filename | asec.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 45 detected (AIDetectMalware, WUDisable, auW@aqVSIZmi, V5ge, malicious, Disabler, Artemis, Nekark, kpcnio, CLOUD, sbdqz, Siggen28, R002C0XFU24, Zbot, Detected, ai score=86, MereTam, Znyonm, ABTrojan, LCGK, PossibleThreat, awL@qcKCX8VJ) | ||
| md5 | 8962b367891c933d896bc4ed9c2cffba | ||
| sha256 | 344764bb4750a81679062ca1db069004c61b64ec10a48cba4f91c306f9984aaf | ||
| ssdeep | 192:B16CytS3WGBZC3S+4TV+G99EalsDfxOCpJx3ptpJ+fl:B16CytS3WGBg3cTE05lsDc65Q | ||
| imphash | 22c0c61660a8e80d6f4e2f4b1206b0d6 | ||
| impfuzzy | 12:mD1ixKJNKF6GZ4GnXf3D1FWqj7UAa5XJwdqzTZBzhPPXJYsTd9wd9szudRgFRq2L:eixKktNnv5FQ71Bz9vUdKzudMk2L | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 45 AntiVirus engines on VirusTotal as malicious |
| danger | Disables Windows Security features |
| danger | Stops Windows services |
| watch | Attempts to disable Windows Auto Updates |
| watch | Attempts to stop active services |
| watch | Creates a suspicious Powershell process |
| watch | Modifies security center warnings |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PowerShell | PowerShell script | scripts |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
MSVCR90.dll
0x402054 _onexit
0x402058 _decode_pointer
0x40205c _except_handler4_common
0x402060 _lock
0x402064 _controlfp_s
0x402068 _crt_debugger_hook
0x40206c __dllonexit
0x402070 _unlock
0x402074 ?terminate@@YAXXZ
0x402078 __set_app_type
0x40207c _encode_pointer
0x402080 __p__fmode
0x402084 __p__commode
0x402088 _adjust_fdiv
0x40208c __setusermatherr
0x402090 _configthreadlocale
0x402094 _initterm_e
0x402098 _initterm
0x40209c _acmdln
0x4020a0 _ismbblead
0x4020a4 exit
0x4020a8 _XcptFilter
0x4020ac _exit
0x4020b0 _cexit
0x4020b4 __getmainargs
0x4020b8 _invoke_watson
0x4020bc _amsg_exit
KERNEL32.dll
0x402018 UnhandledExceptionFilter
0x40201c GetCurrentProcess
0x402020 TerminateProcess
0x402024 GetSystemTimeAsFileTime
0x402028 GetCurrentProcessId
0x40202c GetCurrentThreadId
0x402030 GetTickCount
0x402034 QueryPerformanceCounter
0x402038 SetUnhandledExceptionFilter
0x40203c GetStartupInfoA
0x402040 InterlockedCompareExchange
0x402044 InterlockedExchange
0x402048 Sleep
0x40204c IsDebuggerPresent
ADVAPI32.dll
0x402000 RegSetValueExA
0x402004 RegCloseKey
0x402008 RegCreateKeyExW
0x40200c RegOpenKeyExA
0x402010 RegOpenKeyExW
SHELL32.dll
0x4020c4 ShellExecuteW
EAT(Export Address Table) is none
MSVCR90.dll
0x402054 _onexit
0x402058 _decode_pointer
0x40205c _except_handler4_common
0x402060 _lock
0x402064 _controlfp_s
0x402068 _crt_debugger_hook
0x40206c __dllonexit
0x402070 _unlock
0x402074 ?terminate@@YAXXZ
0x402078 __set_app_type
0x40207c _encode_pointer
0x402080 __p__fmode
0x402084 __p__commode
0x402088 _adjust_fdiv
0x40208c __setusermatherr
0x402090 _configthreadlocale
0x402094 _initterm_e
0x402098 _initterm
0x40209c _acmdln
0x4020a0 _ismbblead
0x4020a4 exit
0x4020a8 _XcptFilter
0x4020ac _exit
0x4020b0 _cexit
0x4020b4 __getmainargs
0x4020b8 _invoke_watson
0x4020bc _amsg_exit
KERNEL32.dll
0x402018 UnhandledExceptionFilter
0x40201c GetCurrentProcess
0x402020 TerminateProcess
0x402024 GetSystemTimeAsFileTime
0x402028 GetCurrentProcessId
0x40202c GetCurrentThreadId
0x402030 GetTickCount
0x402034 QueryPerformanceCounter
0x402038 SetUnhandledExceptionFilter
0x40203c GetStartupInfoA
0x402040 InterlockedCompareExchange
0x402044 InterlockedExchange
0x402048 Sleep
0x40204c IsDebuggerPresent
ADVAPI32.dll
0x402000 RegSetValueExA
0x402004 RegCloseKey
0x402008 RegCreateKeyExW
0x40200c RegOpenKeyExA
0x402010 RegOpenKeyExW
SHELL32.dll
0x4020c4 ShellExecuteW
EAT(Export Address Table) is none