Report - winiti.exe

Generic Malware Malicious Library UPX Antivirus PE File PE32 DLL
ScreenShot
Created 2024.07.20 20:23 Machine s1_win7_x6401
Filename winiti.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
AI Score
5
Behavior Score
7.4
ZERO API file : malware
VT API (file) 53 detected (AIDetectMalware, Makoob, malicious, high confidence, score, Nemesis, Unsafe, GenericKD, V617, Attribute, HighConfidence, multiple detections, Artemis, TOPIS, veGkLztBtrN, AGEN, GULOADER, YXEGSZ, NSIS, Detected, ai score=81, Malware@#2m8rl4zevg3cd, KFDL, Eldorado, Chgt, Zimw, P582, confidence, 100%)
md5 6298475c0e4860db7568c5b231e3cca9
sha256 d9012cd07349eec687cb347232b55fa1cd308f89c433474bcfb63132cca908c9
ssdeep 12288:sCn4AyHnrx5KuwBPjaUQtbwDGno9FeCyp0seDwE:/nEnrxKBP2p+DGnykTpheD
imphash 671f2a1f8aee14d336bab98fea93d734
impfuzzy 48:rjxZvflKoE7pFEX/allLGOe4ztl8tA+tr8L5Sv0QxlV6U095/1xyACnBoKKQ504z:HxZn4WyOzd1N3RDZJMw
  Network IP location

Signature (19cnts)

Level Description
danger File has been identified by 53 AntiVirus engines on VirusTotal as malicious
watch Creates a suspicious Powershell process
watch The process powershell.exe wrote an executable file to disk
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries
notice Terminates another process
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Uses Windows APIs to generate a cryptographic key

Rules (10cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
 0x408000 RegEnumValueA
 0x408004 RegEnumKeyA
 0x408008 RegQueryValueExA
 0x40800c RegSetValueExA
 0x408010 RegCloseKey
 0x408014 RegDeleteValueA
 0x408018 RegDeleteKeyA
 0x40801c AdjustTokenPrivileges
 0x408020 LookupPrivilegeValueA
 0x408024 OpenProcessToken
 0x408028 RegOpenKeyExA
 0x40802c RegCreateKeyExA
SHELL32.dll
 0x408168 SHGetPathFromIDListA
 0x40816c SHBrowseForFolderA
 0x408170 SHGetFileInfoA
 0x408174 SHFileOperationA
 0x408178 ShellExecuteExA
ole32.dll
 0x40827c OleUninitialize
 0x408280 OleInitialize
 0x408284 IIDFromString
 0x408288 CoCreateInstance
 0x40828c CoTaskMemFree
COMCTL32.dll
 0x408034 ImageList_Destroy
 0x408038 None
 0x40803c ImageList_AddMasked
 0x408040 ImageList_Create
USER32.dll
 0x408180 SetDlgItemTextA
 0x408184 GetSystemMetrics
 0x408188 CreatePopupMenu
 0x40818c AppendMenuA
 0x408190 OpenClipboard
 0x408194 EmptyClipboard
 0x408198 SetClipboardData
 0x40819c CloseClipboard
 0x4081a0 IsWindowVisible
 0x4081a4 CallWindowProcA
 0x4081a8 GetMessagePos
 0x4081ac CheckDlgButton
 0x4081b0 LoadCursorA
 0x4081b4 SetCursor
 0x4081b8 GetSysColor
 0x4081bc SetWindowPos
 0x4081c0 GetWindowLongA
 0x4081c4 IsWindowEnabled
 0x4081c8 SetClassLongA
 0x4081cc GetSystemMenu
 0x4081d0 EnableMenuItem
 0x4081d4 GetWindowRect
 0x4081d8 ScreenToClient
 0x4081dc EndDialog
 0x4081e0 RegisterClassA
 0x4081e4 SystemParametersInfoA
 0x4081e8 CreateWindowExA
 0x4081ec GetDlgItemTextA
 0x4081f0 DialogBoxParamA
 0x4081f4 CharNextA
 0x4081f8 ExitWindowsEx
 0x4081fc DestroyWindow
 0x408200 CreateDialogParamA
 0x408204 SetTimer
 0x408208 SetWindowTextA
 0x40820c PostQuitMessage
 0x408210 SetForegroundWindow
 0x408214 ShowWindow
 0x408218 wsprintfA
 0x40821c SendMessageTimeoutA
 0x408220 FindWindowExA
 0x408224 IsWindow
 0x408228 GetDlgItem
 0x40822c SetWindowLongA
 0x408230 LoadImageA
 0x408234 GetDC
 0x408238 ReleaseDC
 0x40823c EnableWindow
 0x408240 InvalidateRect
 0x408244 SendMessageA
 0x408248 DefWindowProcA
 0x40824c BeginPaint
 0x408250 GetClientRect
 0x408254 FillRect
 0x408258 DrawTextA
 0x40825c EndPaint
 0x408260 MessageBoxIndirectA
 0x408264 CharPrevA
 0x408268 PeekMessageA
 0x40826c GetClassInfoA
 0x408270 DispatchMessageA
 0x408274 TrackPopupMenu
GDI32.dll
 0x408048 GetDeviceCaps
 0x40804c SetBkColor
 0x408050 SelectObject
 0x408054 DeleteObject
 0x408058 CreateBrushIndirect
 0x40805c CreateFontIndirectA
 0x408060 SetBkMode
 0x408064 SetTextColor
KERNEL32.dll
 0x40806c CreateFileA
 0x408070 GetTempFileNameA
 0x408074 ReadFile
 0x408078 RemoveDirectoryA
 0x40807c CreateProcessA
 0x408080 CreateDirectoryA
 0x408084 GetLastError
 0x408088 CreateThread
 0x40808c GlobalLock
 0x408090 GlobalUnlock
 0x408094 GetDiskFreeSpaceA
 0x408098 lstrcpynA
 0x40809c SetErrorMode
 0x4080a0 GetVersionExA
 0x4080a4 lstrlenA
 0x4080a8 GetCommandLineA
 0x4080ac GetTempPathA
 0x4080b0 GetWindowsDirectoryA
 0x4080b4 WriteFile
 0x4080b8 ExitProcess
 0x4080bc CopyFileA
 0x4080c0 GetCurrentProcess
 0x4080c4 GetModuleFileNameA
 0x4080c8 GetFileSize
 0x4080cc GetTickCount
 0x4080d0 Sleep
 0x4080d4 SetFileAttributesA
 0x4080d8 GetFileAttributesA
 0x4080dc SetCurrentDirectoryA
 0x4080e0 MoveFileA
 0x4080e4 GetFullPathNameA
 0x4080e8 GetShortPathNameA
 0x4080ec SearchPathA
 0x4080f0 CompareFileTime
 0x4080f4 SetFileTime
 0x4080f8 CloseHandle
 0x4080fc lstrcmpiA
 0x408100 lstrcmpA
 0x408104 ExpandEnvironmentStringsA
 0x408108 GlobalFree
 0x40810c GlobalAlloc
 0x408110 GetModuleHandleA
 0x408114 LoadLibraryExA
 0x408118 FreeLibrary
 0x40811c MultiByteToWideChar
 0x408120 WritePrivateProfileStringA
 0x408124 GetPrivateProfileStringA
 0x408128 SetFilePointer
 0x40812c FindClose
 0x408130 FindNextFileA
 0x408134 FindFirstFileA
 0x408138 DeleteFileA
 0x40813c MulDiv
 0x408140 lstrcpyA
 0x408144 MoveFileExA
 0x408148 lstrcatA
 0x40814c WideCharToMultiByte
 0x408150 GetSystemDirectoryA
 0x408154 GetProcAddress
 0x408158 GetExitCodeProcess
 0x40815c WaitForSingleObject
 0x408160 SetEnvironmentVariableA

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure