ScreenShot
| Created | 2024.10.16 17:38 | Machine | s1_win7_x6403_us |
| Filename | challenge_2.exe | ||
| Type | PE32+ executable (console) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | c9e30fa664bd602e6e77bf6c4280d3b6 | ||
| sha256 | 917b1a12f2c39533f5f132589bf7b0ec87e020fb623c4518e7d21629806d4148 | ||
| ssdeep | 1536:8R4WpCTbXoJAj+adM9uws/H6BSVX/dYdrdCgZzt68it/wIJ2NIJCQpxN:8RvpCTToJivMs/HZVvdy7id/p2NIYQ | ||
| imphash | 40f22e5e5c25d1a437c02d115ebb6713 | ||
| impfuzzy | 48:n8fA1J6n18EkDbviNg0/9UPwLSV0QSSXA7lZL4gDnBSA:n8fA1J6n18//viNg0/9UJQDL4IBV | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Creates a thread using CreateRemoteThread in a non-child process indicative of process injection |
| watch | Manipulates memory of a non-child process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140006b40 AddVectoredExceptionHandler
0x140006b48 CloseHandle
0x140006b50 CreateEventW
0x140006b58 CreateFileW
0x140006b60 CreateToolhelp32Snapshot
0x140006b68 DeleteCriticalSection
0x140006b70 EnterCriticalSection
0x140006b78 FindResourceW
0x140006b80 GetCurrentProcess
0x140006b88 GetCurrentProcessId
0x140006b90 GetCurrentThreadId
0x140006b98 GetLastError
0x140006ba0 GetModuleHandleW
0x140006ba8 GetProcAddress
0x140006bb0 GetStartupInfoW
0x140006bb8 GetSystemTimeAsFileTime
0x140006bc0 InitializeCriticalSectionAndSpinCount
0x140006bc8 InitializeSListHead
0x140006bd0 IsDebuggerPresent
0x140006bd8 IsProcessorFeaturePresent
0x140006be0 LeaveCriticalSection
0x140006be8 LoadResource
0x140006bf0 LockResource
0x140006bf8 Process32FirstW
0x140006c00 Process32NextW
0x140006c08 QueryPerformanceCounter
0x140006c10 ReadFile
0x140006c18 ResetEvent
0x140006c20 RtlCaptureContext
0x140006c28 RtlLookupFunctionEntry
0x140006c30 RtlVirtualUnwind
0x140006c38 SetEvent
0x140006c40 SetUnhandledExceptionFilter
0x140006c48 Sleep
0x140006c50 TerminateProcess
0x140006c58 UnhandledExceptionFilter
0x140006c60 VirtualAlloc
0x140006c68 VirtualProtect
0x140006c70 WaitForSingleObjectEx
0x140006c78 WaitNamedPipeW
0x140006c80 WriteFile
MSVCP140.dll
0x140006c90 ?_Xlength_error@std@@YAXPEBD@Z
VCRUNTIME140.dll
0x140006ca0 _CxxThrowException
0x140006ca8 __C_specific_handler
0x140006cb0 __CxxFrameHandler3
0x140006cb8 __current_exception
0x140006cc0 __current_exception_context
0x140006cc8 __std_exception_copy
0x140006cd0 __std_exception_destroy
0x140006cd8 __std_type_info_destroy_list
0x140006ce0 memcpy
0x140006ce8 memmove
0x140006cf0 memset
0x140006cf8 strstr
api-ms-win-crt-stdio-l1-1-0.dll
0x140006d08 __acrt_iob_func
0x140006d10 __p__commode
0x140006d18 __stdio_common_vfprintf
0x140006d20 __stdio_common_vfwprintf
0x140006d28 _set_fmode
0x140006d30 fgets
api-ms-win-crt-runtime-l1-1-0.dll
0x140006d40 __p___argc
0x140006d48 __p___argv
0x140006d50 _c_exit
0x140006d58 _cexit
0x140006d60 _configure_narrow_argv
0x140006d68 _crt_at_quick_exit
0x140006d70 _crt_atexit
0x140006d78 _execute_onexit_table
0x140006d80 _exit
0x140006d88 _get_initial_narrow_environment
0x140006d90 _initialize_narrow_environment
0x140006d98 _initialize_onexit_table
0x140006da0 _initterm
0x140006da8 _initterm_e
0x140006db0 _invalid_parameter_noinfo_noreturn
0x140006db8 _register_onexit_function
0x140006dc0 _register_thread_local_exe_atexit_callback
0x140006dc8 _seh_filter_dll
0x140006dd0 _seh_filter_exe
0x140006dd8 _set_app_type
0x140006de0 exit
0x140006de8 terminate
api-ms-win-crt-heap-l1-1-0.dll
0x140006df8 _callnewh
0x140006e00 _set_new_mode
0x140006e08 free
0x140006e10 malloc
api-ms-win-crt-convert-l1-1-0.dll
0x140006e20 mbstowcs
0x140006e28 wcstombs
api-ms-win-crt-string-l1-1-0.dll
0x140006e38 strcmp
0x140006e40 strlen
0x140006e48 strncmp
0x140006e50 strnlen
0x140006e58 tolower
0x140006e60 wcscmp
0x140006e68 wcslen
api-ms-win-crt-math-l1-1-0.dll
0x140006e78 __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll
0x140006e88 _configthreadlocale
EAT(Export Address Table) is none
KERNEL32.dll
0x140006b40 AddVectoredExceptionHandler
0x140006b48 CloseHandle
0x140006b50 CreateEventW
0x140006b58 CreateFileW
0x140006b60 CreateToolhelp32Snapshot
0x140006b68 DeleteCriticalSection
0x140006b70 EnterCriticalSection
0x140006b78 FindResourceW
0x140006b80 GetCurrentProcess
0x140006b88 GetCurrentProcessId
0x140006b90 GetCurrentThreadId
0x140006b98 GetLastError
0x140006ba0 GetModuleHandleW
0x140006ba8 GetProcAddress
0x140006bb0 GetStartupInfoW
0x140006bb8 GetSystemTimeAsFileTime
0x140006bc0 InitializeCriticalSectionAndSpinCount
0x140006bc8 InitializeSListHead
0x140006bd0 IsDebuggerPresent
0x140006bd8 IsProcessorFeaturePresent
0x140006be0 LeaveCriticalSection
0x140006be8 LoadResource
0x140006bf0 LockResource
0x140006bf8 Process32FirstW
0x140006c00 Process32NextW
0x140006c08 QueryPerformanceCounter
0x140006c10 ReadFile
0x140006c18 ResetEvent
0x140006c20 RtlCaptureContext
0x140006c28 RtlLookupFunctionEntry
0x140006c30 RtlVirtualUnwind
0x140006c38 SetEvent
0x140006c40 SetUnhandledExceptionFilter
0x140006c48 Sleep
0x140006c50 TerminateProcess
0x140006c58 UnhandledExceptionFilter
0x140006c60 VirtualAlloc
0x140006c68 VirtualProtect
0x140006c70 WaitForSingleObjectEx
0x140006c78 WaitNamedPipeW
0x140006c80 WriteFile
MSVCP140.dll
0x140006c90 ?_Xlength_error@std@@YAXPEBD@Z
VCRUNTIME140.dll
0x140006ca0 _CxxThrowException
0x140006ca8 __C_specific_handler
0x140006cb0 __CxxFrameHandler3
0x140006cb8 __current_exception
0x140006cc0 __current_exception_context
0x140006cc8 __std_exception_copy
0x140006cd0 __std_exception_destroy
0x140006cd8 __std_type_info_destroy_list
0x140006ce0 memcpy
0x140006ce8 memmove
0x140006cf0 memset
0x140006cf8 strstr
api-ms-win-crt-stdio-l1-1-0.dll
0x140006d08 __acrt_iob_func
0x140006d10 __p__commode
0x140006d18 __stdio_common_vfprintf
0x140006d20 __stdio_common_vfwprintf
0x140006d28 _set_fmode
0x140006d30 fgets
api-ms-win-crt-runtime-l1-1-0.dll
0x140006d40 __p___argc
0x140006d48 __p___argv
0x140006d50 _c_exit
0x140006d58 _cexit
0x140006d60 _configure_narrow_argv
0x140006d68 _crt_at_quick_exit
0x140006d70 _crt_atexit
0x140006d78 _execute_onexit_table
0x140006d80 _exit
0x140006d88 _get_initial_narrow_environment
0x140006d90 _initialize_narrow_environment
0x140006d98 _initialize_onexit_table
0x140006da0 _initterm
0x140006da8 _initterm_e
0x140006db0 _invalid_parameter_noinfo_noreturn
0x140006db8 _register_onexit_function
0x140006dc0 _register_thread_local_exe_atexit_callback
0x140006dc8 _seh_filter_dll
0x140006dd0 _seh_filter_exe
0x140006dd8 _set_app_type
0x140006de0 exit
0x140006de8 terminate
api-ms-win-crt-heap-l1-1-0.dll
0x140006df8 _callnewh
0x140006e00 _set_new_mode
0x140006e08 free
0x140006e10 malloc
api-ms-win-crt-convert-l1-1-0.dll
0x140006e20 mbstowcs
0x140006e28 wcstombs
api-ms-win-crt-string-l1-1-0.dll
0x140006e38 strcmp
0x140006e40 strlen
0x140006e48 strncmp
0x140006e50 strnlen
0x140006e58 tolower
0x140006e60 wcscmp
0x140006e68 wcslen
api-ms-win-crt-math-l1-1-0.dll
0x140006e78 __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll
0x140006e88 _configthreadlocale
EAT(Export Address Table) is none