Field | Value |
---|---|
Created | 2024.08.26 09:42 |
Machine | s1_win7_x6403 |
Filename | pyld611114.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | Not found |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 48 detected (AIDetectMalware, malicious, high confidence, score, Lazy, Vkk4, Attribute, HighConfidence, GenKryptik, GZFK, Artemis, Kryptik, CLOUD, Nekark, dzein, Siggen29, Detected, ai score=82, Phonzy, ABRisk, TIUU, Floxif, FileInfector, Chgt, R002H09HJ24, confidence, A9nj) |
md5 | 43bce45d873189f9ae2767d89a1c46e0 |
sha256 | 9ae4784f0b139619ca8fdadfa31b53b1cbf7cd2b45f74b7e4004e5a97e842291 |
ssdeep | 393216:4PsdXtBcda7nzo7Vd7Qv1CPwDvt3uFRCvfxlXnwXAaGueVW3XSdEVB3:4ITkS6 |
imphash | 7f0e1170ffadddb37aa500dea54d9334 |
impfuzzy | 48:rv9txEYU2rXbc+eLtrTBgPpZiOZg35cKJ/X:rvTxfUcXbc+eLtrTBgPpZBscKVX |
Signature (23cnts)
Level | Description |
---|---|
danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
watch | Created a service where a service was also not started |
watch | Drops a binary and executes it |
watch | Installs itself for autorun at Windows startup |
watch | Powershell script adds registry entries |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Uses Windows APIs to generate a cryptographic key |
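How three of the signatures above ("Resumed a suspended thread in a remote process", "Created a service where a service was also not started", "Allocates read-write-execute memory") can be derived from a per-process API trace, as an added example that is not the sandbox's own code. The trace is constructed for the example; the record shape (pid, api, args), the assumption that the sandbox has already resolved thread and service handles to IDs and names, and the constant values taken from the Win32 API are this example's assumptions, not anything stated in the report.

```python
"""Behavioural signatures derived from an API-call trace.

Added example, not the sandbox's own code.  It reconstructs the logic
behind three signatures in the report over a per-process API trace.
The trace is constructed for this example; the record shape
(pid, api, args) and the assumption that the sandbox resolves thread and
service handles to IDs/names are this example's own.
"""
CREATE_SUSPENDED = 0x00000004       # CreateProcess dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40       # flProtect value for RWX pages

# Constructed trace: one loader process (pid 1001) hollowing a suspended child,
# then registering two services and starting only one of them.
TRACE = [
    (1001, "CreateProcessW", {"dwCreationFlags": CREATE_SUSPENDED, "ProcessId": 2002, "ThreadId": 3003}),
    (1001, "VirtualAllocEx", {"ProcessId": 2002, "flProtect": PAGE_EXECUTE_READWRITE}),
    (1001, "WriteProcessMemory", {"ProcessId": 2002}),
    (1001, "SetThreadContext", {"ThreadId": 3003}),
    (1001, "ResumeThread", {"ThreadId": 3003}),
    (1001, "OpenSCManagerW", {}),
    (1001, "CreateServiceW", {"lpServiceName": "updsvc", "ServiceHandle": 0x1c}),
    (1001, "CreateServiceW", {"lpServiceName": "helpersvc", "ServiceHandle": 0x20}),
    (1001, "StartServiceW", {"hService": 0x20}),
    (2002, "VirtualAlloc", {"flProtect": 0x04}),   # benign RW allocation in the child
]


def resumed_suspended_remote_thread(trace):
    """Process resumes a thread it created suspended in a *different* process."""
    suspended = {}   # thread_id -> (creator_pid, owner_pid)
    hits = []
    for pid, api, args in trace:
        if api in ("CreateProcessW", "CreateProcessA", "CreateProcessInternalW") \
                and args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
            suspended[args["ThreadId"]] = (pid, args["ProcessId"])
        elif api in ("ResumeThread", "NtResumeThread"):
            tid = args.get("ThreadId")
            creator, owner = suspended.get(tid, (None, None))
            if creator == pid and owner != pid:
                hits.append({"pid": pid, "target_pid": owner, "thread_id": tid})
    return hits


def service_created_not_started(trace):
    """Services created with CreateService* and never passed to StartService*."""
    pending = {}     # service handle -> name
    for _pid, api, args in trace:
        if api in ("CreateServiceW", "CreateServiceA"):
            pending[args["ServiceHandle"]] = args["lpServiceName"]
        elif api in ("StartServiceW", "StartServiceA"):
            pending.pop(args.get("hService"), None)
    return sorted(pending.values())


def rwx_allocations(trace):
    """(pid, api) for every allocation requesting PAGE_EXECUTE_READWRITE."""
    allocators = ("VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory")
    return [(pid, api) for pid, api, args in trace
            if api in allocators and args.get("flProtect") == PAGE_EXECUTE_READWRITE]


def run_signatures(trace):
    """Map signature text (as in the report) -> evidence; empty evidence means no hit."""
    return {
        "Resumed a suspended thread in a remote process": resumed_suspended_remote_thread(trace),
        "Created a service where a service was also not started": service_created_not_started(trace),
        "Allocates read-write-execute memory": rwx_allocations(trace),
    }


if __name__ == "__main__":
    for name, evidence in run_signatures(TRACE).items():
        print(("watch " if evidence else "      ") + name, evidence)
```

The suspended-thread check deliberately requires that the resuming process is the one that created the thread and that the thread belongs to another process; a process resuming its own thread is normal and must not fire. Service creation is matched to StartService* by handle, so a service that is created and started in the same run does not appear in the result.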
Rules (54cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | Network_Downloader | File Downloader | memory |
watch | schtasks_Zero | task schedule | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | network_smtp_raw | Communications smtp | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | ftp_command | ftp command | binaries (download) |
info | ftp_command | ftp command | binaries (upload) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PowerShell | PowerShell script | scripts |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
(no network requests were recorded during the run) | | | | | |
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x14003e028 OpenProcess
0x14003e030 CreateToolhelp32Snapshot
0x14003e038 Process32NextW
0x14003e040 GetSystemDirectoryW
0x14003e048 CloseHandle
0x14003e050 CreateProcessW
0x14003e058 SetEndOfFile
0x14003e060 WaitForSingleObject
0x14003e068 GetModuleFileNameW
0x14003e070 TerminateProcess
0x14003e078 Process32FirstW
0x14003e080 GetModuleHandleExW
0x14003e088 MultiByteToWideChar
0x14003e090 LocalFree
0x14003e098 FormatMessageA
0x14003e0a0 GetLocaleInfoEx
0x14003e0a8 QueryPerformanceCounter
0x14003e0b0 QueryPerformanceFrequency
0x14003e0b8 GetStringTypeW
0x14003e0c0 CreateFileW
0x14003e0c8 FindClose
0x14003e0d0 FindFirstFileW
0x14003e0d8 FindFirstFileExW
0x14003e0e0 FindNextFileW
0x14003e0e8 GetFileAttributesExW
0x14003e0f0 SetFileInformationByHandle
0x14003e0f8 AreFileApisANSI
0x14003e100 GetLastError
0x14003e108 GetModuleHandleW
0x14003e110 GetProcAddress
0x14003e118 GetFileInformationByHandleEx
0x14003e120 WideCharToMultiByte
0x14003e128 Sleep
0x14003e130 GetCurrentThreadId
0x14003e138 CompareStringEx
0x14003e140 InitializeCriticalSectionEx
0x14003e148 GetSystemTimeAsFileTime
0x14003e150 EnterCriticalSection
0x14003e158 LeaveCriticalSection
0x14003e160 DeleteCriticalSection
0x14003e168 EncodePointer
0x14003e170 DecodePointer
0x14003e178 LCMapStringEx
0x14003e180 GetCPInfo
0x14003e188 RtlCaptureContext
0x14003e190 RtlLookupFunctionEntry
0x14003e198 RtlVirtualUnwind
0x14003e1a0 UnhandledExceptionFilter
0x14003e1a8 SetUnhandledExceptionFilter
0x14003e1b0 GetCurrentProcess
0x14003e1b8 IsProcessorFeaturePresent
0x14003e1c0 GetCurrentProcessId
0x14003e1c8 InitializeSListHead
0x14003e1d0 IsDebuggerPresent
0x14003e1d8 GetStartupInfoW
0x14003e1e0 RtlUnwindEx
0x14003e1e8 RtlPcToFileHeader
0x14003e1f0 RaiseException
0x14003e1f8 SetLastError
0x14003e200 InitializeCriticalSectionAndSpinCount
0x14003e208 TlsAlloc
0x14003e210 TlsGetValue
0x14003e218 TlsSetValue
0x14003e220 TlsFree
0x14003e228 FreeLibrary
0x14003e230 LoadLibraryExW
0x14003e238 GetStdHandle
0x14003e240 WriteFile
0x14003e248 ExitProcess
0x14003e250 GetFileSizeEx
0x14003e258 SetFilePointerEx
0x14003e260 GetFileType
0x14003e268 HeapAlloc
0x14003e270 FlushFileBuffers
0x14003e278 GetConsoleOutputCP
0x14003e280 GetConsoleMode
0x14003e288 HeapFree
0x14003e290 HeapReAlloc
0x14003e298 FlsAlloc
0x14003e2a0 FlsGetValue
0x14003e2a8 FlsSetValue
0x14003e2b0 FlsFree
0x14003e2b8 VirtualProtect
0x14003e2c0 LCMapStringW
0x14003e2c8 GetLocaleInfoW
0x14003e2d0 IsValidLocale
0x14003e2d8 GetUserDefaultLCID
0x14003e2e0 EnumSystemLocalesW
0x14003e2e8 ReadFile
0x14003e2f0 ReadConsoleW
0x14003e2f8 IsValidCodePage
0x14003e300 GetACP
0x14003e308 GetOEMCP
0x14003e310 GetCommandLineA
0x14003e318 GetCommandLineW
0x14003e320 GetEnvironmentStringsW
0x14003e328 FreeEnvironmentStringsW
0x14003e330 SetStdHandle
0x14003e338 GetProcessHeap
0x14003e340 HeapSize
0x14003e348 WriteConsoleW
0x14003e350 RtlUnwind
ADVAPI32.dll
0x14003e000 RegSetValueExW
0x14003e008 RegOpenKeyExW
0x14003e010 RegQueryValueExW
0x14003e018 RegCloseKey
EAT(Export Address Table) is none
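The static import table above is short and mostly C-runtime start-up code; the only behaviour-relevant imports are process enumeration (CreateToolhelp32Snapshot, Process32FirstW/NextW), process control (OpenProcess, TerminateProcess, CreateProcessW), registry writes (RegSetValueExW), VirtualProtect and IsDebuggerPresent. The behaviour signatures, however, report process injection, service creation and RWX allocation, none of whose usual APIs are imported. Together with the UPX_Zero and Malicious_Packer_Zero rules and the unknown section names, that is consistent with unpacked code resolving its imports at run time through GetProcAddress and LoadLibraryExW, so the IAT understates what the sample can do. The following triage script, added here as an example and not part of the report or the sandbox's own logic, parses the listing as printed, tags imported APIs with capabilities, and flags fired signatures that the static imports cannot explain. The capability map and the per-signature API sets are this example's own assumptions, and the IAT text is a subset of the listing above.

```python
"""Static import-table triage for the sandbox's IAT listing.

Added example, not part of the report and not the sandbox's own logic.
It parses the 'DLL / 0xaddr Name' listing as printed on the page, maps
imported APIs to capability tags, and flags behaviour signatures whose
usual APIs are absent from the static imports, which points to run-time
resolution (GetProcAddress / LoadLibraryExW) inside unpacked code.  The
capability map and the per-signature API sets are this example's own
assumptions.
"""
import re
from collections import defaultdict

# Subset of the report's IAT listing (KERNEL32.dll / ADVAPI32.dll), copied as printed.
IAT_TEXT = """
KERNEL32.dll
0x14003e028 OpenProcess
0x14003e030 CreateToolhelp32Snapshot
0x14003e038 Process32NextW
0x14003e050 CreateProcessW
0x14003e070 TerminateProcess
0x14003e078 Process32FirstW
0x14003e108 GetModuleHandleW
0x14003e110 GetProcAddress
0x14003e128 Sleep
0x14003e1d0 IsDebuggerPresent
0x14003e230 LoadLibraryExW
0x14003e2b8 VirtualProtect
ADVAPI32.dll
0x14003e000 RegSetValueExW
0x14003e008 RegOpenKeyExW
0x14003e010 RegQueryValueExW
0x14003e018 RegCloseKey
"""

# Assumed capability map (example's own; not an authoritative taxonomy).
CAPABILITIES = {
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "process_control": {"OpenProcess", "TerminateProcess", "CreateProcessW"},
    "registry_write": {"RegSetValueExW"},
    "dynamic_api_resolution": {"GetProcAddress", "LoadLibraryExW", "GetModuleHandleW"},
    "memory_protection_change": {"VirtualProtect"},
    "anti_debug": {"IsDebuggerPresent"},
    "delay": {"Sleep"},
}

# APIs one would expect behind three of the report's behaviour signatures (assumed).
SIGNATURE_APIS = {
    "Resumed a suspended thread in a remote process":
        {"VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread", "CreateRemoteThread"},
    "Created a service where a service was also not started":
        {"OpenSCManagerW", "CreateServiceW", "StartServiceW"},
    "Allocates read-write-execute memory":
        {"VirtualAlloc", "VirtualAllocEx"},
}

LINE_RE = re.compile(r"^(?P<dll>[\w.-]+\.dll)$|^0x[0-9a-fA-F]+\s+(?P<api>\w+)$")


def parse_iat(text):
    """Return {dll (lower-case): set of API names} from the listing."""
    imports = defaultdict(set)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        if m.group("dll"):
            current = m.group("dll").lower()
        elif current is not None:
            imports[current].add(m.group("api"))
    return dict(imports)


def all_apis(imports):
    return set().union(*imports.values())


def capabilities(imports):
    """Capability tag -> sorted list of imported APIs that support it."""
    apis = all_apis(imports)
    found = {}
    for tag, names in CAPABILITIES.items():
        hit = apis & names
        if hit:
            found[tag] = sorted(hit)
    return found


def unexplained_behaviours(imports, fired):
    """Fired signatures with none of their usual APIs in the static IAT.

    A non-empty result for a packed sample means the capability lives in
    code that resolves its imports at run time, so the IAT understates it.
    """
    apis = all_apis(imports)
    return sorted(sig for sig in fired if not (SIGNATURE_APIS[sig] & apis))


def resolves_apis_at_runtime(imports):
    """True when the loader-style pair GetProcAddress + LoadLibrary* is imported."""
    apis = all_apis(imports)
    return "GetProcAddress" in apis and any(a.startswith("LoadLibrary") for a in apis)


if __name__ == "__main__":
    imps = parse_iat(IAT_TEXT)
    for tag, names in capabilities(imps).items():
        print(f"{tag:26s} {', '.join(names)}")
    fired = list(SIGNATURE_APIS)
    print("behaviours not explained by static imports:", unexplained_behaviours(imps, fired))
    print("run-time API resolution possible:", resolves_apis_at_runtime(imps))
```

For this sample all three signatures come back unexplained while GetProcAddress and LoadLibraryExW are present, which is the pattern to expect from a packed loader: treat the memory-dump YARA matches and the behaviour log, not the static IAT, as the authoritative capability list.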