ScreenShot
| Created | 2024.10.16 11:14 | Machine | s1_win7_x6403 |
| Filename | service.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 11 detected (AIDetectMalware, Unsafe, Tflower, malicious, confidence, high confidence) | ||
| md5 | d44e2b02979b3331e0eb2fab9e96196e | ||
| sha256 | 22fb4c9c67ccdfcd03136a651aaa697c448d86f2a156bd4ef0113adfc2948635 | ||
| ssdeep | 24576:aoqNaMikG4YtrhhdMS3HjaTJTO3eVq5ZzSicg9Z/On7DMNAnB7IbKn1o3wtjW0cV:TvA+qU2Ju5zf0PIW1oS2 | ||
| imphash | 36c66603aaac9755a6698f59059e1970 | ||
| impfuzzy | 24:V0DpFHHuOGOovqt/MU3KAWffcpVWa87a02tVrBg3JBlmV/VdFv7FZ7OgL9LcyZgQ:GHBrWffcpVT8StVrBgPmTtBZ7Og9g+S2 | ||
Network IP location
Signature (29cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates a thread using CreateRemoteThread in a non-child process indicative of process injection |
| watch | Expresses interest in specific running processes |
| watch | File has been identified by 11 AntiVirus engines on VirusTotal as malicious |
| watch | Installs itself for autorun at Windows startup |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | The process powershell.exe wrote an executable file to disk |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | One or more potentially interesting buffers were extracted |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (21cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE64 | (no description) | binaries (upload) |
| info | lnk_file_format | Microsoft Windows Shortcut File Format | binaries (download) |
| info | Lnk_Format_Zero | LNK Format | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1400a3010 LoadLibraryA
0x1400a3018 GetProcAddress
0x1400a3020 FreeLibrary
0x1400a3028 GetLastError
0x1400a3030 WideCharToMultiByte
0x1400a3038 CreateFileW
0x1400a3040 SetStdHandle
0x1400a3048 MultiByteToWideChar
0x1400a3050 GetModuleHandleA
0x1400a3058 FreeEnvironmentStringsW
0x1400a3060 GetEnvironmentStringsW
0x1400a3068 GetCommandLineW
0x1400a3070 GetCommandLineA
0x1400a3078 GetOEMCP
0x1400a3080 GetACP
0x1400a3088 IsValidCodePage
0x1400a3090 FindNextFileW
0x1400a3098 FindFirstFileExW
0x1400a30a0 FindClose
0x1400a30a8 ReadConsoleW
0x1400a30b0 ReadFile
0x1400a30b8 GetConsoleMode
0x1400a30c0 GetConsoleOutputCP
0x1400a30c8 FlushFileBuffers
0x1400a30d0 SetFilePointerEx
0x1400a30d8 GetFileSizeEx
0x1400a30e0 ReleaseSRWLockExclusive
0x1400a30e8 AcquireSRWLockExclusive
0x1400a30f0 TryAcquireSRWLockExclusive
0x1400a30f8 GetCurrentThreadId
0x1400a3100 CloseHandle
0x1400a3108 GetStringTypeW
0x1400a3110 EnterCriticalSection
0x1400a3118 LeaveCriticalSection
0x1400a3120 InitializeCriticalSectionEx
0x1400a3128 DeleteCriticalSection
0x1400a3130 EncodePointer
0x1400a3138 DecodePointer
0x1400a3140 QueryPerformanceCounter
0x1400a3148 LCMapStringEx
0x1400a3150 FlsAlloc
0x1400a3158 FlsGetValue
0x1400a3160 FlsSetValue
0x1400a3168 FlsFree
0x1400a3170 GetSystemTimeAsFileTime
0x1400a3178 GetModuleHandleW
0x1400a3180 GetCPInfo
0x1400a3188 RtlCaptureContext
0x1400a3190 RtlLookupFunctionEntry
0x1400a3198 RtlVirtualUnwind
0x1400a31a0 UnhandledExceptionFilter
0x1400a31a8 SetUnhandledExceptionFilter
0x1400a31b0 GetCurrentProcess
0x1400a31b8 TerminateProcess
0x1400a31c0 IsProcessorFeaturePresent
0x1400a31c8 IsDebuggerPresent
0x1400a31d0 GetStartupInfoW
0x1400a31d8 GetCurrentProcessId
0x1400a31e0 InitializeSListHead
0x1400a31e8 RtlUnwindEx
0x1400a31f0 RtlPcToFileHeader
0x1400a31f8 RaiseException
0x1400a3200 SetLastError
0x1400a3208 InitializeCriticalSectionAndSpinCount
0x1400a3210 TlsAlloc
0x1400a3218 TlsGetValue
0x1400a3220 TlsSetValue
0x1400a3228 TlsFree
0x1400a3230 LoadLibraryExW
0x1400a3238 GetModuleFileNameW
0x1400a3240 GetModuleHandleExW
0x1400a3248 ExitProcess
0x1400a3250 CreateThread
0x1400a3258 ExitThread
0x1400a3260 FreeLibraryAndExitThread
0x1400a3268 HeapAlloc
0x1400a3270 HeapSize
0x1400a3278 HeapValidate
0x1400a3280 GetSystemInfo
0x1400a3288 GetStdHandle
0x1400a3290 WriteFile
0x1400a3298 GetFileType
0x1400a32a0 OutputDebugStringW
0x1400a32a8 WriteConsoleW
0x1400a32b0 LCMapStringW
0x1400a32b8 GetLocaleInfoW
0x1400a32c0 IsValidLocale
0x1400a32c8 GetUserDefaultLCID
0x1400a32d0 EnumSystemLocalesW
0x1400a32d8 DeleteFileW
0x1400a32e0 HeapFree
0x1400a32e8 HeapReAlloc
0x1400a32f0 HeapQueryInformation
0x1400a32f8 GetProcessHeap
0x1400a3300 RtlUnwind
USER32.dll
0x1400a3310 GetDC
GDI32.dll
0x1400a3000 GetDIBits
gdiplus.dll
0x1400a3368 GdipAlloc
0x1400a3370 GdipCreateBitmapFromHBITMAP
0x1400a3378 GdipDisposeImage
0x1400a3380 GdipFree
0x1400a3388 GdipSaveImageToFile
0x1400a3390 GdipCloneImage
0x1400a3398 GdiplusStartup
0x1400a33a0 GdiplusShutdown
WS2_32.dll
0x1400a3320 send
0x1400a3328 socket
0x1400a3330 inet_addr
0x1400a3338 recv
0x1400a3340 htons
0x1400a3348 WSAStartup
0x1400a3350 closesocket
0x1400a3358 connect
EAT(Export Address Table) is none
KERNEL32.dll
0x1400a3010 LoadLibraryA
0x1400a3018 GetProcAddress
0x1400a3020 FreeLibrary
0x1400a3028 GetLastError
0x1400a3030 WideCharToMultiByte
0x1400a3038 CreateFileW
0x1400a3040 SetStdHandle
0x1400a3048 MultiByteToWideChar
0x1400a3050 GetModuleHandleA
0x1400a3058 FreeEnvironmentStringsW
0x1400a3060 GetEnvironmentStringsW
0x1400a3068 GetCommandLineW
0x1400a3070 GetCommandLineA
0x1400a3078 GetOEMCP
0x1400a3080 GetACP
0x1400a3088 IsValidCodePage
0x1400a3090 FindNextFileW
0x1400a3098 FindFirstFileExW
0x1400a30a0 FindClose
0x1400a30a8 ReadConsoleW
0x1400a30b0 ReadFile
0x1400a30b8 GetConsoleMode
0x1400a30c0 GetConsoleOutputCP
0x1400a30c8 FlushFileBuffers
0x1400a30d0 SetFilePointerEx
0x1400a30d8 GetFileSizeEx
0x1400a30e0 ReleaseSRWLockExclusive
0x1400a30e8 AcquireSRWLockExclusive
0x1400a30f0 TryAcquireSRWLockExclusive
0x1400a30f8 GetCurrentThreadId
0x1400a3100 CloseHandle
0x1400a3108 GetStringTypeW
0x1400a3110 EnterCriticalSection
0x1400a3118 LeaveCriticalSection
0x1400a3120 InitializeCriticalSectionEx
0x1400a3128 DeleteCriticalSection
0x1400a3130 EncodePointer
0x1400a3138 DecodePointer
0x1400a3140 QueryPerformanceCounter
0x1400a3148 LCMapStringEx
0x1400a3150 FlsAlloc
0x1400a3158 FlsGetValue
0x1400a3160 FlsSetValue
0x1400a3168 FlsFree
0x1400a3170 GetSystemTimeAsFileTime
0x1400a3178 GetModuleHandleW
0x1400a3180 GetCPInfo
0x1400a3188 RtlCaptureContext
0x1400a3190 RtlLookupFunctionEntry
0x1400a3198 RtlVirtualUnwind
0x1400a31a0 UnhandledExceptionFilter
0x1400a31a8 SetUnhandledExceptionFilter
0x1400a31b0 GetCurrentProcess
0x1400a31b8 TerminateProcess
0x1400a31c0 IsProcessorFeaturePresent
0x1400a31c8 IsDebuggerPresent
0x1400a31d0 GetStartupInfoW
0x1400a31d8 GetCurrentProcessId
0x1400a31e0 InitializeSListHead
0x1400a31e8 RtlUnwindEx
0x1400a31f0 RtlPcToFileHeader
0x1400a31f8 RaiseException
0x1400a3200 SetLastError
0x1400a3208 InitializeCriticalSectionAndSpinCount
0x1400a3210 TlsAlloc
0x1400a3218 TlsGetValue
0x1400a3220 TlsSetValue
0x1400a3228 TlsFree
0x1400a3230 LoadLibraryExW
0x1400a3238 GetModuleFileNameW
0x1400a3240 GetModuleHandleExW
0x1400a3248 ExitProcess
0x1400a3250 CreateThread
0x1400a3258 ExitThread
0x1400a3260 FreeLibraryAndExitThread
0x1400a3268 HeapAlloc
0x1400a3270 HeapSize
0x1400a3278 HeapValidate
0x1400a3280 GetSystemInfo
0x1400a3288 GetStdHandle
0x1400a3290 WriteFile
0x1400a3298 GetFileType
0x1400a32a0 OutputDebugStringW
0x1400a32a8 WriteConsoleW
0x1400a32b0 LCMapStringW
0x1400a32b8 GetLocaleInfoW
0x1400a32c0 IsValidLocale
0x1400a32c8 GetUserDefaultLCID
0x1400a32d0 EnumSystemLocalesW
0x1400a32d8 DeleteFileW
0x1400a32e0 HeapFree
0x1400a32e8 HeapReAlloc
0x1400a32f0 HeapQueryInformation
0x1400a32f8 GetProcessHeap
0x1400a3300 RtlUnwind
USER32.dll
0x1400a3310 GetDC
GDI32.dll
0x1400a3000 GetDIBits
gdiplus.dll
0x1400a3368 GdipAlloc
0x1400a3370 GdipCreateBitmapFromHBITMAP
0x1400a3378 GdipDisposeImage
0x1400a3380 GdipFree
0x1400a3388 GdipSaveImageToFile
0x1400a3390 GdipCloneImage
0x1400a3398 GdiplusStartup
0x1400a33a0 GdiplusShutdown
WS2_32.dll
0x1400a3320 send
0x1400a3328 socket
0x1400a3330 inet_addr
0x1400a3338 recv
0x1400a3340 htons
0x1400a3348 WSAStartup
0x1400a3350 closesocket
0x1400a3358 connect
EAT(Export Address Table) is none