ScreenShot
| Created | 2024.08.16 18:31 | Machine | s1_win7_x6401 |
| Filename | 베트남 녹지원 상춘재 행사 견적서.hwp .exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 55 detected (RunDll, tr9E, malicious, high confidence, score, PUPXAF, 479232K, unsafe, GenericKD, Kimusky, Attribute, HighConfidence, Kimsuky, Artemis, acja, hcruhh, Generic@AI, RDML, K6Ty4w3M9JwFVXLyEX, Siggen2, KSDOORLDR, ZJGL, Detected, ai score=100, Malware@#37fplx3tp6d8, ABTrojan, JOPL, R302020, ZexaF, DuW@aOvXtLdO, BScope, Ekjl, +lEZb2zXVaM, susgen) | ||
| md5 | 35d60d2723c649c97b414b3cb701df1c | ||
| sha256 | 6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab | ||
| ssdeep | 3072:Gbd/5pl6sI/8EOoulXCjiaOOsJpAG9BU1cdvjbE:sdrI/XOlVaOO4zUM0 | ||
| imphash | dbb84ac19de4e93b0d617121bb8e25a8 | ||
| impfuzzy | 24:K1ct9FzSVvghavMucOovTsV3JekhcoXDnvelEu1EZjtNVcxjMKv2Gk:K4XzyNtL1cseeu10t7cJk | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Foreign language identified in PE resource |
| notice | Performs some HTTP requests |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (19cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (download) |
| info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (upload) |
| info | HWP_file_format | HWP Document File | binaries (download) |
| info | HWP_file_format | HWP Document File | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
| info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts) ?
Suricata ids
ET HUNTING Double User-Agent (User-Agent User-Agent)
PE API
IAT(Import Address Table) Library
SHELL32.dll
0x40a130 ShellExecuteA
0x40a134 SHGetFolderPathA
0x40a138 FindExecutableA
USER32.dll
0x40a140 LoadStringA
KERNEL32.dll
0x40a000 GetSystemTimeAsFileTime
0x40a004 CreateFileW
0x40a008 FlushFileBuffers
0x40a00c LCMapStringEx
0x40a010 CreateFileA
0x40a014 FindResourceA
0x40a018 LoadResource
0x40a01c GetProcessHeap
0x40a020 WriteFile
0x40a024 SizeofResource
0x40a028 lstrcatA
0x40a02c SetCurrentDirectoryA
0x40a030 GetLastError
0x40a034 LockResource
0x40a038 GetModuleFileNameA
0x40a03c GetCurrentDirectoryA
0x40a040 CloseHandle
0x40a044 GetTempPathA
0x40a048 lstrcpyA
0x40a04c GetCommandLineA
0x40a050 IsDebuggerPresent
0x40a054 IsProcessorFeaturePresent
0x40a058 EncodePointer
0x40a05c DecodePointer
0x40a060 HeapFree
0x40a064 HeapAlloc
0x40a068 RaiseException
0x40a06c SetLastError
0x40a070 InterlockedIncrement
0x40a074 InterlockedDecrement
0x40a078 GetCurrentThreadId
0x40a07c ExitProcess
0x40a080 GetModuleHandleExW
0x40a084 GetProcAddress
0x40a088 MultiByteToWideChar
0x40a08c GetStdHandle
0x40a090 GetModuleFileNameW
0x40a094 GetFileType
0x40a098 InitializeCriticalSectionAndSpinCount
0x40a09c DeleteCriticalSection
0x40a0a0 InitOnceExecuteOnce
0x40a0a4 GetStartupInfoW
0x40a0a8 QueryPerformanceCounter
0x40a0ac GetTickCount64
0x40a0b0 GetEnvironmentStringsW
0x40a0b4 FreeEnvironmentStringsW
0x40a0b8 WideCharToMultiByte
0x40a0bc UnhandledExceptionFilter
0x40a0c0 SetUnhandledExceptionFilter
0x40a0c4 FlsAlloc
0x40a0c8 FlsGetValue
0x40a0cc FlsSetValue
0x40a0d0 FlsFree
0x40a0d4 GetCurrentProcess
0x40a0d8 TerminateProcess
0x40a0dc GetModuleHandleW
0x40a0e0 EnterCriticalSection
0x40a0e4 LeaveCriticalSection
0x40a0e8 GetConsoleCP
0x40a0ec GetConsoleMode
0x40a0f0 SetFilePointerEx
0x40a0f4 IsValidCodePage
0x40a0f8 GetACP
0x40a0fc GetOEMCP
0x40a100 GetCPInfo
0x40a104 Sleep
0x40a108 LoadLibraryExW
0x40a10c OutputDebugStringW
0x40a110 LoadLibraryW
0x40a114 RtlUnwind
0x40a118 SetStdHandle
0x40a11c WriteConsoleW
0x40a120 GetStringTypeW
0x40a124 HeapReAlloc
0x40a128 HeapSize
EAT(Export Address Table) is none
SHELL32.dll
0x40a130 ShellExecuteA
0x40a134 SHGetFolderPathA
0x40a138 FindExecutableA
USER32.dll
0x40a140 LoadStringA
KERNEL32.dll
0x40a000 GetSystemTimeAsFileTime
0x40a004 CreateFileW
0x40a008 FlushFileBuffers
0x40a00c LCMapStringEx
0x40a010 CreateFileA
0x40a014 FindResourceA
0x40a018 LoadResource
0x40a01c GetProcessHeap
0x40a020 WriteFile
0x40a024 SizeofResource
0x40a028 lstrcatA
0x40a02c SetCurrentDirectoryA
0x40a030 GetLastError
0x40a034 LockResource
0x40a038 GetModuleFileNameA
0x40a03c GetCurrentDirectoryA
0x40a040 CloseHandle
0x40a044 GetTempPathA
0x40a048 lstrcpyA
0x40a04c GetCommandLineA
0x40a050 IsDebuggerPresent
0x40a054 IsProcessorFeaturePresent
0x40a058 EncodePointer
0x40a05c DecodePointer
0x40a060 HeapFree
0x40a064 HeapAlloc
0x40a068 RaiseException
0x40a06c SetLastError
0x40a070 InterlockedIncrement
0x40a074 InterlockedDecrement
0x40a078 GetCurrentThreadId
0x40a07c ExitProcess
0x40a080 GetModuleHandleExW
0x40a084 GetProcAddress
0x40a088 MultiByteToWideChar
0x40a08c GetStdHandle
0x40a090 GetModuleFileNameW
0x40a094 GetFileType
0x40a098 InitializeCriticalSectionAndSpinCount
0x40a09c DeleteCriticalSection
0x40a0a0 InitOnceExecuteOnce
0x40a0a4 GetStartupInfoW
0x40a0a8 QueryPerformanceCounter
0x40a0ac GetTickCount64
0x40a0b0 GetEnvironmentStringsW
0x40a0b4 FreeEnvironmentStringsW
0x40a0b8 WideCharToMultiByte
0x40a0bc UnhandledExceptionFilter
0x40a0c0 SetUnhandledExceptionFilter
0x40a0c4 FlsAlloc
0x40a0c8 FlsGetValue
0x40a0cc FlsSetValue
0x40a0d0 FlsFree
0x40a0d4 GetCurrentProcess
0x40a0d8 TerminateProcess
0x40a0dc GetModuleHandleW
0x40a0e0 EnterCriticalSection
0x40a0e4 LeaveCriticalSection
0x40a0e8 GetConsoleCP
0x40a0ec GetConsoleMode
0x40a0f0 SetFilePointerEx
0x40a0f4 IsValidCodePage
0x40a0f8 GetACP
0x40a0fc GetOEMCP
0x40a100 GetCPInfo
0x40a104 Sleep
0x40a108 LoadLibraryExW
0x40a10c OutputDebugStringW
0x40a110 LoadLibraryW
0x40a114 RtlUnwind
0x40a118 SetStdHandle
0x40a11c WriteConsoleW
0x40a120 GetStringTypeW
0x40a124 HeapReAlloc
0x40a128 HeapSize
EAT(Export Address Table) is none