Field | Value |
---|---|
Created | 2024.08.05 07:49 |
Machine | s1_win7_x6403 |
Filename | 111.exe |
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | |
md5 | 89b20c121c799ab935bca4ce11e94b5b |
sha256 | 5d21f768784b90fb7cd102077b0119af94acc15e57664a6b5372b67997792364 |
ssdeep | 384:va7YyEUQnBxYA1lq3VWFdhZVG0UgqGFNi:vFUaxYnkFfZVr |
imphash | 3f071605b6b25d4e24602be1c4df49b5 |
impfuzzy | 24:8fg1JlDzncJ8a0men0MG95XGDZykoDqx2ZC:8fg1jcJLe0RJGVykoqv |
Network IP location
Signature (7cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Communicates with host for which no DNS query was performed |
watch | Found potential shellcode being written to a memory region previously marked executable following DEP bypass in the process 111.exe |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
info | Checks amount of memory in system |
info | One or more processes crashed |
Rules (2cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40c218 DeleteCriticalSection
0x40c220 EnterCriticalSection
0x40c228 GetCurrentProcess
0x40c230 GetCurrentProcessId
0x40c238 GetCurrentThreadId
0x40c240 GetLastError
0x40c248 GetModuleHandleA
0x40c250 GetProcAddress
0x40c258 GetStartupInfoA
0x40c260 GetSystemTimeAsFileTime
0x40c268 GetTickCount
0x40c270 InitializeCriticalSection
0x40c278 LeaveCriticalSection
0x40c280 QueryPerformanceCounter
0x40c288 RtlAddFunctionTable
0x40c290 RtlCaptureContext
0x40c298 RtlLookupFunctionEntry
0x40c2a0 RtlVirtualUnwind
0x40c2a8 SetUnhandledExceptionFilter
0x40c2b0 Sleep
0x40c2b8 TerminateProcess
0x40c2c0 TlsGetValue
0x40c2c8 UnhandledExceptionFilter
0x40c2d0 VirtualProtect
0x40c2d8 VirtualQuery
msvcrt.dll
0x40c2e8 __C_specific_handler
0x40c2f0 __getmainargs
0x40c2f8 __initenv
0x40c300 __iob_func
0x40c308 __lconv_init
0x40c310 __set_app_type
0x40c318 __setusermatherr
0x40c320 _acmdln
0x40c328 _amsg_exit
0x40c330 _cexit
0x40c338 _fmode
0x40c340 _initterm
0x40c348 _onexit
0x40c350 abort
0x40c358 calloc
0x40c360 exit
0x40c368 fprintf
0x40c370 free
0x40c378 fwrite
0x40c380 malloc
0x40c388 memcmp
0x40c390 memcpy
0x40c398 rand
0x40c3a0 signal
0x40c3a8 strlen
0x40c3b0 strncmp
0x40c3b8 vfprintf
0x40c3c0 wcslen
RPCRT4.dll
0x40c3d0 UuidFromStringA
EAT(Export Address Table) is none