ScreenShot
| Created | 2024.10.12 18:54 | Machine | s1_win7_x6401 |
| Filename | 0a839761915d.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | ff10eb7cecfd39dc309ed6cdda706f57 | ||
| sha256 | a460c28ef668daa443793a4a85494c0cd7da29f8a4148581515dc786d6fe4789 | ||
| ssdeep | 12288:xgEqNf5/1OXB1m15p6GsfTLgIRiA5GYNBA:Pq5wB1m15p6RLg6iA07 | ||
| imphash | 2bf5d9e2e4bbff197e62f5db8f2f3336 | ||
| impfuzzy | 24:wcpVWZttlS1wGhlJBlIeDoLoBDZMv5GMAkpOovbOPZG:wcpVettlS1wGnCXKZGk3w | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | One or more processes crashed |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x423000 TlsFree
0x423004 MultiByteToWideChar
0x423008 GetStringTypeW
0x42300c WideCharToMultiByte
0x423010 EnterCriticalSection
0x423014 LeaveCriticalSection
0x423018 InitializeCriticalSectionEx
0x42301c DeleteCriticalSection
0x423020 EncodePointer
0x423024 DecodePointer
0x423028 LCMapStringEx
0x42302c GetCPInfo
0x423030 IsProcessorFeaturePresent
0x423034 UnhandledExceptionFilter
0x423038 SetUnhandledExceptionFilter
0x42303c GetCurrentProcess
0x423040 TerminateProcess
0x423044 QueryPerformanceCounter
0x423048 GetCurrentProcessId
0x42304c GetCurrentThreadId
0x423050 GetSystemTimeAsFileTime
0x423054 InitializeSListHead
0x423058 IsDebuggerPresent
0x42305c GetStartupInfoW
0x423060 GetModuleHandleW
0x423064 CreateFileW
0x423068 RaiseException
0x42306c RtlUnwind
0x423070 GetLastError
0x423074 SetLastError
0x423078 InitializeCriticalSectionAndSpinCount
0x42307c TlsAlloc
0x423080 TlsGetValue
0x423084 TlsSetValue
0x423088 FreeLibrary
0x42308c GetProcAddress
0x423090 LoadLibraryExW
0x423094 GetStdHandle
0x423098 WriteFile
0x42309c GetModuleFileNameW
0x4230a0 ExitProcess
0x4230a4 GetModuleHandleExW
0x4230a8 HeapAlloc
0x4230ac HeapFree
0x4230b0 LCMapStringW
0x4230b4 GetLocaleInfoW
0x4230b8 IsValidLocale
0x4230bc GetUserDefaultLCID
0x4230c0 EnumSystemLocalesW
0x4230c4 GetFileType
0x4230c8 CloseHandle
0x4230cc FlushFileBuffers
0x4230d0 GetConsoleOutputCP
0x4230d4 GetConsoleMode
0x4230d8 ReadFile
0x4230dc GetFileSizeEx
0x4230e0 SetFilePointerEx
0x4230e4 ReadConsoleW
0x4230e8 HeapReAlloc
0x4230ec FindClose
0x4230f0 FindFirstFileExW
0x4230f4 FindNextFileW
0x4230f8 IsValidCodePage
0x4230fc GetACP
0x423100 GetOEMCP
0x423104 GetCommandLineA
0x423108 GetCommandLineW
0x42310c GetEnvironmentStringsW
0x423110 FreeEnvironmentStringsW
0x423114 SetStdHandle
0x423118 GetProcessHeap
0x42311c HeapSize
0x423120 WriteConsoleW
EAT(Export Address Table) is none
KERNEL32.dll
0x423000 TlsFree
0x423004 MultiByteToWideChar
0x423008 GetStringTypeW
0x42300c WideCharToMultiByte
0x423010 EnterCriticalSection
0x423014 LeaveCriticalSection
0x423018 InitializeCriticalSectionEx
0x42301c DeleteCriticalSection
0x423020 EncodePointer
0x423024 DecodePointer
0x423028 LCMapStringEx
0x42302c GetCPInfo
0x423030 IsProcessorFeaturePresent
0x423034 UnhandledExceptionFilter
0x423038 SetUnhandledExceptionFilter
0x42303c GetCurrentProcess
0x423040 TerminateProcess
0x423044 QueryPerformanceCounter
0x423048 GetCurrentProcessId
0x42304c GetCurrentThreadId
0x423050 GetSystemTimeAsFileTime
0x423054 InitializeSListHead
0x423058 IsDebuggerPresent
0x42305c GetStartupInfoW
0x423060 GetModuleHandleW
0x423064 CreateFileW
0x423068 RaiseException
0x42306c RtlUnwind
0x423070 GetLastError
0x423074 SetLastError
0x423078 InitializeCriticalSectionAndSpinCount
0x42307c TlsAlloc
0x423080 TlsGetValue
0x423084 TlsSetValue
0x423088 FreeLibrary
0x42308c GetProcAddress
0x423090 LoadLibraryExW
0x423094 GetStdHandle
0x423098 WriteFile
0x42309c GetModuleFileNameW
0x4230a0 ExitProcess
0x4230a4 GetModuleHandleExW
0x4230a8 HeapAlloc
0x4230ac HeapFree
0x4230b0 LCMapStringW
0x4230b4 GetLocaleInfoW
0x4230b8 IsValidLocale
0x4230bc GetUserDefaultLCID
0x4230c0 EnumSystemLocalesW
0x4230c4 GetFileType
0x4230c8 CloseHandle
0x4230cc FlushFileBuffers
0x4230d0 GetConsoleOutputCP
0x4230d4 GetConsoleMode
0x4230d8 ReadFile
0x4230dc GetFileSizeEx
0x4230e0 SetFilePointerEx
0x4230e4 ReadConsoleW
0x4230e8 HeapReAlloc
0x4230ec FindClose
0x4230f0 FindFirstFileExW
0x4230f4 FindNextFileW
0x4230f8 IsValidCodePage
0x4230fc GetACP
0x423100 GetOEMCP
0x423104 GetCommandLineA
0x423108 GetCommandLineW
0x42310c GetEnvironmentStringsW
0x423110 FreeEnvironmentStringsW
0x423114 SetStdHandle
0x423118 GetProcessHeap
0x42311c HeapSize
0x423120 WriteConsoleW
EAT(Export Address Table) is none