Field | Value
---|---
Created | 2024.09.30 10:03
Machine | s1_win7_x6401
Filename | temp.exe
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
ZERO API | file: malware
VT API (file) | 45 detected (AIDetectMalware, Malicious, score, Vd6m, confidence, Attribute, HighConfidence, high confidence, MalwareX, CLOUD, MeterpreterSC, xmayo, COBEACON, YXEI2Z, Detected, CobaltStrike, Meterpreter, Rozena, YL5W41, Artemis, Chgt, Sgil)
md5 | e5852100b1ecba5fce3684062e08ec7f
sha256 | 66a52de66fee86d212ada38411fedd95b4eba6a3975f7a2ce5f8535ecfefacfb
ssdeep | 1536:80UVLhHOnhCk96KN/ysvrS1MSNefO8DtVN:8DBC7hNasrS1MSNeftDt
imphash | 6ddb56a17b85852e3b74b88dc840b184
impfuzzy | 24:8fjcDq+kLyJd5BlMblRf5XG6qKZVdd1TomvlxcqcCZEwL:8fn+k0JslJJG6qAVdd1T1vkqc/A
Network IP location
Signature (5cnts)
Level | Description |
---|---|
danger | File has been identified by 45 AntiVirus engines on VirusTotal as malicious |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | Potential code injection by writing to the memory of another process |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
info | One or more processes crashed |
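The three "watch"/"notice" signatures above describe one staging pattern: memory is allocated read-write, filled, then re-protected to read-execute (or set RWX in a single step), and memory of a process the sample did not spawn is written. Note that the static import table further down contains no OpenProcess, WriteProcessMemory or CreateRemoteThread, only LoadLibraryA and GetProcAddress, so the injection APIs are resolved at run time and only the behavioural trace reveals them. The following detection logic is an added example (not the sandbox's own code) that runs over a constructed API-call trace; the trace format `<pid> <api>(<k=v>, ...) = <ret>` and the pids are assumptions made for the example.

```python
"""Detection logic for the behaviours the sandbox signatures flag:
a region allocated read-write and later flipped to read-execute, a region
set to RWX in one VirtualProtect call, and a write into a process the writer
did not spawn. Added example over a constructed trace; the line layout
"<pid> <api>(<k=v>, ...) = <ret>" is an assumption, not the sandbox's format."""
import re
from collections import defaultdict

PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40

# Constructed trace: pid 1234 is the sample, 5555 is a child it spawned,
# 4321 is an unrelated process already running on the machine.
TRACE = """\
1234 VirtualAlloc(pid=1234, addr=0x0, size=0x1000, protect=0x04) = 0x1f0000
1234 VirtualProtect(pid=1234, addr=0x1f0000, size=0x1000, protect=0x20) = 1
1234 CreateProcessA(pid=1234, image=notepad.exe) = 5555
1234 WriteProcessMemory(pid=1234, target=5555, addr=0x2a0000, size=0x1000) = 1
1234 OpenProcess(pid=1234, target=4321) = 0x88
1234 WriteProcessMemory(pid=1234, target=4321, addr=0x2a0000, size=0x1000) = 1
1234 VirtualProtect(pid=1234, addr=0x300000, size=0x1000, protect=0x40) = 1
"""

LINE_RE = re.compile(r"^(?P<pid>\d+) (?P<api>\w+)\((?P<args>[^)]*)\) = (?P<ret>\S+)$")


def parse_trace(trace):
    """Turn trace lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = dict(kv.split("=", 1) for kv in m["args"].split(", ") if kv)
        events.append({"pid": int(m["pid"]), "api": m["api"], "args": args, "ret": m["ret"]})
    return events


def find_rw_to_rx(events):
    """Addresses allocated PAGE_READWRITE and later re-protected to PAGE_EXECUTE_READ:
    the write-then-execute staging that never holds RWX at one time."""
    rw_regions = set()
    hits = []
    for e in events:
        if e["api"] == "VirtualAlloc" and int(e["args"]["protect"], 16) == PAGE_READWRITE:
            rw_regions.add(e["ret"])
        elif e["api"] == "VirtualProtect":
            addr, prot = e["args"]["addr"], int(e["args"]["protect"], 16)
            if addr in rw_regions and prot == PAGE_EXECUTE_READ:
                hits.append(addr)
    return hits


def find_rwx(events):
    """Addresses given PAGE_EXECUTE_READWRITE in a single VirtualProtect call."""
    return [e["args"]["addr"] for e in events
            if e["api"] == "VirtualProtect"
            and int(e["args"]["protect"], 16) == PAGE_EXECUTE_READWRITE]


def find_non_child_writes(events):
    """Target pids written to by a process that neither is nor spawned them."""
    children = defaultdict(set)  # writer pid -> pids it created
    hits = []
    for e in events:
        if e["api"] == "CreateProcessA":
            children[e["pid"]].add(int(e["ret"]))
        elif e["api"] == "WriteProcessMemory":
            target = int(e["args"]["target"])
            if target != e["pid"] and target not in children[e["pid"]]:
                hits.append(target)
    return hits


def analyze(trace=TRACE):
    events = parse_trace(trace)
    return {
        "rw_to_rx": find_rw_to_rx(events),
        "rwx": find_rwx(events),
        "non_child_writes": find_non_child_writes(events),
    }


if __name__ == "__main__":
    for name, hits in analyze().items():
        print(f"{name}: {hits}")
```

On the constructed trace the write into the spawned child (5555) is deliberately not reported, matching the "non-child process" wording of the signature; only the write into 4321 is. A real trace would need the same parent/child bookkeeping for the other creation APIs (CreateProcessW, NtCreateUserProcess) and for the thread-creation and APC calls that usually follow the write.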
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |

Note: the import table below is a full MinGW-style CRT import set (msvcrt.dll with __getmainargs, _initterm and so on), not the handful of imports a UPX-packed stub carries, so treat the UPX_Zero hit as a string or rule match to verify against the section table rather than as confirmation that the file is packed.
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140012258 DeleteCriticalSection
0x140012260 EnterCriticalSection
0x140012268 GetLastError
0x140012270 GetProcAddress
0x140012278 GetStartupInfoA
0x140012280 InitializeCriticalSection
0x140012288 IsDBCSLeadByteEx
0x140012290 LeaveCriticalSection
0x140012298 LoadLibraryA
0x1400122a0 MultiByteToWideChar
0x1400122a8 SetLastError
0x1400122b0 SetUnhandledExceptionFilter
0x1400122b8 Sleep
0x1400122c0 TlsAlloc
0x1400122c8 TlsGetValue
0x1400122d0 TlsSetValue
0x1400122d8 VirtualAlloc
0x1400122e0 VirtualFree
0x1400122e8 VirtualProtect
0x1400122f0 VirtualQuery
0x1400122f8 WideCharToMultiByte
msvcrt.dll
0x140012308 __C_specific_handler
0x140012310 ___lc_codepage_func
0x140012318 ___mb_cur_max_func
0x140012320 __getmainargs
0x140012328 __initenv
0x140012330 __iob_func
0x140012338 __set_app_type
0x140012340 __setusermatherr
0x140012348 _acmdln
0x140012350 _amsg_exit
0x140012358 _cexit
0x140012360 _commode
0x140012368 _errno
0x140012370 _fileno
0x140012378 _fmode
0x140012380 _initterm
0x140012388 _ismbblead
0x140012390 _lock
0x140012398 _onexit
0x1400123a0 _setmode
0x1400123a8 _unlock
0x1400123b0 abort
0x1400123b8 calloc
0x1400123c0 exit
0x1400123c8 fflush
0x1400123d0 fprintf
0x1400123d8 fputc
0x1400123e0 free
0x1400123e8 fwrite
0x1400123f0 localeconv
0x1400123f8 malloc
0x140012400 memcpy
0x140012408 memset
0x140012410 realloc
0x140012418 signal
0x140012420 strerror
0x140012428 strlen
0x140012430 strncmp
0x140012438 vfprintf
0x140012440 wcslen
USER32.dll
0x140012450 MessageBoxA
EAT(Export Address Table) is none
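The imphash in the header is derived from exactly the import table listed above, so it can be recomputed from the listing and compared with the reported value, and the same transcription can be queried for which injection primitives are (not) imported statically. The block below is an added example, not the sandbox's code; it follows the pefile/VirusTotal imphash recipe (lower-case DLL name with the .dll/.ocx/.sys extension stripped, a dot, the lower-case function name, entries joined with commas in import-table order, then MD5). If the recomputed value differs from the report, the most likely cause is that the import-directory order of the DLLs differs from the address order shown here.

```python
"""Recompute the imphash from the transcribed IAT and check which injection
APIs are statically imported. Added example; the IAT dict is transcribed from
the report above in the order listed there."""
import hashlib

IAT = {
    "KERNEL32.dll": [
        "DeleteCriticalSection", "EnterCriticalSection", "GetLastError",
        "GetProcAddress", "GetStartupInfoA", "InitializeCriticalSection",
        "IsDBCSLeadByteEx", "LeaveCriticalSection", "LoadLibraryA",
        "MultiByteToWideChar", "SetLastError", "SetUnhandledExceptionFilter",
        "Sleep", "TlsAlloc", "TlsGetValue", "TlsSetValue", "VirtualAlloc",
        "VirtualFree", "VirtualProtect", "VirtualQuery", "WideCharToMultiByte",
    ],
    "msvcrt.dll": [
        "__C_specific_handler", "___lc_codepage_func", "___mb_cur_max_func",
        "__getmainargs", "__initenv", "__iob_func", "__set_app_type",
        "__setusermatherr", "_acmdln", "_amsg_exit", "_cexit", "_commode",
        "_errno", "_fileno", "_fmode", "_initterm", "_ismbblead", "_lock",
        "_onexit", "_setmode", "_unlock", "abort", "calloc", "exit", "fflush",
        "fprintf", "fputc", "free", "fwrite", "localeconv", "malloc", "memcpy",
        "memset", "realloc", "signal", "strerror", "strlen", "strncmp",
        "vfprintf", "wcslen",
    ],
    "USER32.dll": ["MessageBoxA"],
}
REPORT_IMPHASH = "6ddb56a17b85852e3b74b88dc840b184"  # value from the report header


def normalize_dll(dll):
    """Lower-case the module name and drop the extension, as pefile does."""
    name = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_string(iat):
    """The 'dll.func,dll.func,...' string that is hashed, in import-table order."""
    return ",".join(f"{normalize_dll(dll)}.{func.lower()}"
                    for dll, funcs in iat.items() for func in funcs)


def imphash(iat):
    return hashlib.md5(imphash_string(iat).encode("ascii")).hexdigest()


def matches_report(iat=IAT, expected=REPORT_IMPHASH):
    """True if the recomputed hash equals the report's imphash."""
    return imphash(iat) == expected


def injection_primitives_in_iat(iat):
    """Common injection APIs that are statically imported. An empty result
    next to 'process injection' behaviour means they are resolved at run time,
    which LoadLibraryA and GetProcAddress in the table make possible."""
    wanted = {"OpenProcess", "WriteProcessMemory", "CreateRemoteThread",
              "VirtualAllocEx", "NtWriteVirtualMemory", "QueueUserAPC"}
    present = {f for funcs in iat.values() for f in funcs}
    return sorted(wanted & present)


if __name__ == "__main__":
    print("imphash:", imphash(IAT), "matches report:", matches_report())
    print("static injection imports:", injection_primitives_in_iat(IAT))
```

The import set that is present (VirtualAlloc, VirtualProtect, VirtualQuery, LoadLibraryA, GetProcAddress plus the CRT) is what a small MinGW-built loader needs; everything that touches another process is absent from the table, which is consistent with a stager that resolves those calls dynamically.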