Field | Value |
---|---|
Created | 2024.07.31 21:37 |
Machine | s1_win7_x6401 |
Filename | dssdj.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 1 detected (Unsafe, Score) |
md5 | b78013e1727d77333e2780e95d064b4b |
sha256 | 7ff9d82d8780e8ae1b5d4721cfd0556d4ae63be353466520ac0b3cd2c44ad2df |
ssdeep | 49152:oVhaXlU8Nw3fXrBvMUB72TwjqJJZ/Zc2pLOicZmsnL:oVhaXlU821578JJZ/O2YcCL |
imphash | e2c1f18f75da1944b68774c16f2adcef |
impfuzzy | 48:8cfp1rcEX0gebRZZJv9oO0Gwt+Eu5F5T/lGdh:8cfpdcGNebRjh+F |
Signature (9cnts)
Level | Description |
---|---|
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | File has been identified by one AntiVirus engine on VirusTotal as malicious |
notice | Queries for potentially installed applications |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
info | Checks amount of memory in system |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (12cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | mzp_file_format | MZP(Delphi) file format | binaries (download) |
info | mzp_file_format | MZP(Delphi) file format | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
(no network requests recorded) | | | | | |
Suricata ids
PE API
IAT (Import Address Table) by library
kernel32.dll
0x4110b4 DeleteCriticalSection
0x4110b8 LeaveCriticalSection
0x4110bc EnterCriticalSection
0x4110c0 InitializeCriticalSection
0x4110c4 VirtualFree
0x4110c8 VirtualAlloc
0x4110cc LocalFree
0x4110d0 LocalAlloc
0x4110d4 WideCharToMultiByte
0x4110d8 TlsSetValue
0x4110dc TlsGetValue
0x4110e0 MultiByteToWideChar
0x4110e4 GetModuleHandleA
0x4110e8 GetLastError
0x4110ec GetCommandLineA
0x4110f0 WriteFile
0x4110f4 SetFilePointer
0x4110f8 SetEndOfFile
0x4110fc RtlUnwind
0x411100 ReadFile
0x411104 RaiseException
0x411108 GetStdHandle
0x41110c GetFileSize
0x411110 GetFileType
0x411114 ExitProcess
0x411118 CreateFileA
0x41111c CloseHandle
user32.dll
0x411124 MessageBoxA
oleaut32.dll
0x41112c VariantChangeTypeEx
0x411130 VariantCopyInd
0x411134 VariantClear
0x411138 SysStringLen
0x41113c SysAllocStringLen
advapi32.dll
0x411144 OpenProcessToken
0x411148 LookupPrivilegeValueA
kernel32.dll
0x411150 Sleep
0x411154 SetLastError
0x411158 SetErrorMode
0x41115c GetWindowsDirectoryA
0x411160 GetVersionExA
0x411164 GetTempFileNameA
0x411168 GetSystemDefaultLCID
0x41116c GetModuleFileNameA
0x411170 GetLocaleInfoA
0x411174 GetLastError
0x411178 GetFullPathNameA
0x41117c GetFileAttributesA
0x411180 GetExitCodeProcess
0x411184 GetEnvironmentVariableA
0x411188 GetCurrentProcess
0x41118c GetCommandLineA
0x411190 GetCPInfo
0x411194 FormatMessageA
0x411198 DeleteFileA
0x41119c CreateProcessA
0x4111a0 CloseHandle
user32.dll
0x4111a8 TranslateMessage
0x4111ac SetWindowLongA
0x4111b0 PeekMessageA
0x4111b4 MsgWaitForMultipleObjects
0x4111b8 MessageBoxA
0x4111bc LoadStringA
0x4111c0 GetSystemMetrics
0x4111c4 ExitWindowsEx
0x4111c8 DispatchMessageA
0x4111cc DestroyWindow
0x4111d0 CreateWindowExA
0x4111d4 CallWindowProcA
0x4111d8 CharPrevA
0x4111dc CharNextA
comctl32.dll
0x4111e4 InitCommonControls
advapi32.dll
0x4111ec AdjustTokenPrivileges
EAT (Export Address Table): none