Field | Value |
---|---|
Created | 2024.09.30 10:02 |
Machine | s1_win7_x6401 |
Filename | 63747acb643b84a943895e5f34d34858e4ad9a6e58cdf222e3e703d6666af0e7.exe.exe |
Type | MS-DOS executable, MZ for MS-DOS |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 55 detected (AIDetectMalware, leZI, Malicious, score, GenericKD, Unsafe, Save, confidence, 100%, AgentT, DZEB, Attribute, HighConfidence, high confidence, TrojanX, Ransomware, Convagent, UG4z3p4iLQJ, Real Protect, high, Static AI, Malicious PE, Detected, GrayWare, EnigmaProtect, Swisyn, 9YXFF3, Eldorado, GenericRXWO, TScope, xjgj) |
md5 | 9cfc9f5f8a781cbf07b23cc803b9d098 |
sha256 | 63747acb643b84a943895e5f34d34858e4ad9a6e58cdf222e3e703d6666af0e7 |
ssdeep | 12288:ltTuh645I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1Fk:lIg4kt0Kd6F6CNzYhUiEWEYcws |
imphash | 5962c6b29ed5e50f362bf7495f752822 |
impfuzzy | 6:tmVtERGDvZ/OiBJAEcXQwDLzRgSdn8BbMqtYbdPLvAWn:c2cDvZGqA9AwDXRgKQcPLvAW |
Network IP location
Signature (26cnts)
Level | Description |
---|---|
danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
danger | Stops Windows services |
watch | Attempts to modify Explorer settings to prevent hidden files from being displayed |
watch | Checks for the presence of known devices from debuggers and forensic tools |
watch | Checks for the presence of known windows from debuggers and forensic tools |
watch | Creates a slightly modified copy of itself |
watch | Expresses interest in specific running processes |
watch | Installs itself for autorun at Windows startup |
watch | Queries information on disks |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
Rules (9cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
kernel32.dll
0x6d90b4 VirtualAlloc
0x6d90b8 VirtualFree
0x6d90bc GetModuleHandleA
0x6d90c0 GetProcAddress
0x6d90c4 ExitProcess
0x6d90c8 LoadLibraryA
user32.dll
0x6d90d0 MessageBoxA
advapi32.dll
0x6d90d8 RegCloseKey
oleaut32.dll
0x6d90e0 SysFreeString
gdi32.dll
0x6d90e8 CreateFontA
shell32.dll
0x6d90f0 ShellExecuteA
version.dll
0x6d90f8 GetFileVersionInfoA
msvbvm60.dll
0x6d9100 EVENT_SINK_GetIDsOfNames
EAT (Export Address Table): none