ScreenShot
| Created | 2024.08.02 09:35 | Machine | s1_win7_x6401 |
| Filename | IMG_8729.scr | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 15 detected (malicious, moderate confidence, Attribute, HighConfidence, FileRepMalware, Misc, Demp, bqcy, YzY0On3Q9DfmGSYK, Siggen29, Wacatac, Outbreak) | ||
| md5 | 7a9e91cd05bb23625354d0f46066904c | ||
| sha256 | bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40 | ||
| ssdeep | 49152:BYyqyQ4SjTErF0JwHoLjhbi4zmkKm0W85GNLZLgKT/MNMNngOdTMnWAqkeKbr3kg:PgR2HoLtb | ||
| imphash | 047d98f937ae32f3e871dba356d02464 | ||
| impfuzzy | 24:aYOKojb+DW1mDrc+WcJBlM0qteTS1VgGYro6SZMv1jMAkpOovbOPZS:aYODarc+HOteTS1VgG0mZGF3k | ||
Network IP location
Signature (28cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | A command shell or script process was created by an unexpected parent process |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection |
| watch | File has been identified by 15 AntiVirus engines on VirusTotal as malicious |
| watch | One or more non-whitelisted processes were created |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An application raised an exception which may be indicative of an exploit crash |
| notice | Creates a suspicious process |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
Rules (21cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (upload) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET DROP Spamhaus DROP Listed Traffic Inbound group 13
PE API
IAT(Import Address Table) Library
SHELL32.dll
0x1400e62c8 ShellExecuteExW
0x1400e62d0 SHGetSpecialFolderPathW
0x1400e62d8 SHGetFolderPathW
0x1400e62e0 SHGetKnownFolderPath
0x1400e62e8 ShellExecuteW
SHLWAPI.dll
0x1400e62f8 PathFileExistsW
KERNEL32.dll
0x1400e6000 IsProcessorFeaturePresent
0x1400e6008 SetEndOfFile
0x1400e6010 WriteConsoleW
0x1400e6018 HeapSize
0x1400e6020 CreateFileW
0x1400e6028 SetStdHandle
0x1400e6030 GetProcessHeap
0x1400e6038 DeleteFileW
0x1400e6040 CloseHandle
0x1400e6048 GetLastError
0x1400e6050 WaitForSingleObject
0x1400e6058 CreateMutexA
0x1400e6060 Sleep
0x1400e6068 GetExitCodeProcess
0x1400e6070 FreeLibrary
0x1400e6078 GetModuleFileNameW
0x1400e6080 GetProcAddress
0x1400e6088 LoadResource
0x1400e6090 LockResource
0x1400e6098 SizeofResource
0x1400e60a0 LoadLibraryA
0x1400e60a8 FindResourceA
0x1400e60b0 CopyFileW
0x1400e60b8 MultiByteToWideChar
0x1400e60c0 WideCharToMultiByte
0x1400e60c8 EnterCriticalSection
0x1400e60d0 LeaveCriticalSection
0x1400e60d8 DeleteCriticalSection
0x1400e60e0 EncodePointer
0x1400e60e8 DecodePointer
0x1400e60f0 SetLastError
0x1400e60f8 InitializeCriticalSectionAndSpinCount
0x1400e6100 TlsAlloc
0x1400e6108 TlsGetValue
0x1400e6110 TlsSetValue
0x1400e6118 TlsFree
0x1400e6120 GetSystemTimeAsFileTime
0x1400e6128 GetModuleHandleW
0x1400e6130 LCMapStringW
0x1400e6138 GetLocaleInfoW
0x1400e6140 GetStringTypeW
0x1400e6148 GetCPInfo
0x1400e6150 RtlCaptureContext
0x1400e6158 RtlLookupFunctionEntry
0x1400e6160 RtlVirtualUnwind
0x1400e6168 IsDebuggerPresent
0x1400e6170 UnhandledExceptionFilter
0x1400e6178 SetUnhandledExceptionFilter
0x1400e6180 GetStartupInfoW
0x1400e6188 RtlUnwind
0x1400e6190 GetCurrentProcess
0x1400e6198 TerminateProcess
0x1400e61a0 QueryPerformanceCounter
0x1400e61a8 GetCurrentProcessId
0x1400e61b0 GetCurrentThreadId
0x1400e61b8 InitializeSListHead
0x1400e61c0 RtlPcToFileHeader
0x1400e61c8 RaiseException
0x1400e61d0 RtlUnwindEx
0x1400e61d8 LoadLibraryExW
0x1400e61e0 ExitProcess
0x1400e61e8 GetModuleHandleExW
0x1400e61f0 GetStdHandle
0x1400e61f8 WriteFile
0x1400e6200 HeapFree
0x1400e6208 HeapAlloc
0x1400e6210 IsValidLocale
0x1400e6218 GetUserDefaultLCID
0x1400e6220 EnumSystemLocalesW
0x1400e6228 GetFileType
0x1400e6230 FlushFileBuffers
0x1400e6238 GetConsoleCP
0x1400e6240 GetConsoleMode
0x1400e6248 ReadFile
0x1400e6250 GetFileSizeEx
0x1400e6258 SetFilePointerEx
0x1400e6260 ReadConsoleW
0x1400e6268 HeapReAlloc
0x1400e6270 FindClose
0x1400e6278 FindFirstFileExW
0x1400e6280 FindNextFileW
0x1400e6288 IsValidCodePage
0x1400e6290 GetACP
0x1400e6298 GetOEMCP
0x1400e62a0 GetCommandLineA
0x1400e62a8 GetCommandLineW
0x1400e62b0 GetEnvironmentStringsW
0x1400e62b8 FreeEnvironmentStringsW
EAT(Export Address Table) is none
SHELL32.dll
0x1400e62c8 ShellExecuteExW
0x1400e62d0 SHGetSpecialFolderPathW
0x1400e62d8 SHGetFolderPathW
0x1400e62e0 SHGetKnownFolderPath
0x1400e62e8 ShellExecuteW
SHLWAPI.dll
0x1400e62f8 PathFileExistsW
KERNEL32.dll
0x1400e6000 IsProcessorFeaturePresent
0x1400e6008 SetEndOfFile
0x1400e6010 WriteConsoleW
0x1400e6018 HeapSize
0x1400e6020 CreateFileW
0x1400e6028 SetStdHandle
0x1400e6030 GetProcessHeap
0x1400e6038 DeleteFileW
0x1400e6040 CloseHandle
0x1400e6048 GetLastError
0x1400e6050 WaitForSingleObject
0x1400e6058 CreateMutexA
0x1400e6060 Sleep
0x1400e6068 GetExitCodeProcess
0x1400e6070 FreeLibrary
0x1400e6078 GetModuleFileNameW
0x1400e6080 GetProcAddress
0x1400e6088 LoadResource
0x1400e6090 LockResource
0x1400e6098 SizeofResource
0x1400e60a0 LoadLibraryA
0x1400e60a8 FindResourceA
0x1400e60b0 CopyFileW
0x1400e60b8 MultiByteToWideChar
0x1400e60c0 WideCharToMultiByte
0x1400e60c8 EnterCriticalSection
0x1400e60d0 LeaveCriticalSection
0x1400e60d8 DeleteCriticalSection
0x1400e60e0 EncodePointer
0x1400e60e8 DecodePointer
0x1400e60f0 SetLastError
0x1400e60f8 InitializeCriticalSectionAndSpinCount
0x1400e6100 TlsAlloc
0x1400e6108 TlsGetValue
0x1400e6110 TlsSetValue
0x1400e6118 TlsFree
0x1400e6120 GetSystemTimeAsFileTime
0x1400e6128 GetModuleHandleW
0x1400e6130 LCMapStringW
0x1400e6138 GetLocaleInfoW
0x1400e6140 GetStringTypeW
0x1400e6148 GetCPInfo
0x1400e6150 RtlCaptureContext
0x1400e6158 RtlLookupFunctionEntry
0x1400e6160 RtlVirtualUnwind
0x1400e6168 IsDebuggerPresent
0x1400e6170 UnhandledExceptionFilter
0x1400e6178 SetUnhandledExceptionFilter
0x1400e6180 GetStartupInfoW
0x1400e6188 RtlUnwind
0x1400e6190 GetCurrentProcess
0x1400e6198 TerminateProcess
0x1400e61a0 QueryPerformanceCounter
0x1400e61a8 GetCurrentProcessId
0x1400e61b0 GetCurrentThreadId
0x1400e61b8 InitializeSListHead
0x1400e61c0 RtlPcToFileHeader
0x1400e61c8 RaiseException
0x1400e61d0 RtlUnwindEx
0x1400e61d8 LoadLibraryExW
0x1400e61e0 ExitProcess
0x1400e61e8 GetModuleHandleExW
0x1400e61f0 GetStdHandle
0x1400e61f8 WriteFile
0x1400e6200 HeapFree
0x1400e6208 HeapAlloc
0x1400e6210 IsValidLocale
0x1400e6218 GetUserDefaultLCID
0x1400e6220 EnumSystemLocalesW
0x1400e6228 GetFileType
0x1400e6230 FlushFileBuffers
0x1400e6238 GetConsoleCP
0x1400e6240 GetConsoleMode
0x1400e6248 ReadFile
0x1400e6250 GetFileSizeEx
0x1400e6258 SetFilePointerEx
0x1400e6260 ReadConsoleW
0x1400e6268 HeapReAlloc
0x1400e6270 FindClose
0x1400e6278 FindFirstFileExW
0x1400e6280 FindNextFileW
0x1400e6288 IsValidCodePage
0x1400e6290 GetACP
0x1400e6298 GetOEMCP
0x1400e62a0 GetCommandLineA
0x1400e62a8 GetCommandLineW
0x1400e62b0 GetEnvironmentStringsW
0x1400e62b8 FreeEnvironmentStringsW
EAT(Export Address Table) is none