ScreenShot
| Created | 2024.10.21 14:42 | Machine | s1_win7_x6401 |
| Filename | 63e909b3647d.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | 744a21bfdc5743226790594eb481aab6 | ||
| sha256 | 97ed40b91925c0d2496394515fbd52bf4c1c7a886de35d2c0c50b7f5c89395e7 | ||
| ssdeep | 12288:8diUHNM4pf4OQz3NCSo7I9S3uzIdd9Fk46FaiPKS:eHhpAOQxZjtI9L6k | ||
| imphash | de48de5d6e0f4635b5910437a0f3a073 | ||
| impfuzzy | 24:vcpVWcZtlS1wGhlJBl3eDoLoBDZMv5GMAkpOovbOPZG:vcpV5ZtlS1wGnpXKZGk3w | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x422000 AddAtomW
0x422004 WideCharToMultiByte
0x422008 EnterCriticalSection
0x42200c LeaveCriticalSection
0x422010 InitializeCriticalSectionEx
0x422014 DeleteCriticalSection
0x422018 EncodePointer
0x42201c DecodePointer
0x422020 MultiByteToWideChar
0x422024 LCMapStringEx
0x422028 GetStringTypeW
0x42202c GetCPInfo
0x422030 IsProcessorFeaturePresent
0x422034 UnhandledExceptionFilter
0x422038 SetUnhandledExceptionFilter
0x42203c GetCurrentProcess
0x422040 TerminateProcess
0x422044 QueryPerformanceCounter
0x422048 GetCurrentProcessId
0x42204c GetCurrentThreadId
0x422050 GetSystemTimeAsFileTime
0x422054 InitializeSListHead
0x422058 IsDebuggerPresent
0x42205c GetStartupInfoW
0x422060 GetModuleHandleW
0x422064 CreateFileW
0x422068 RaiseException
0x42206c RtlUnwind
0x422070 GetLastError
0x422074 SetLastError
0x422078 InitializeCriticalSectionAndSpinCount
0x42207c TlsAlloc
0x422080 TlsGetValue
0x422084 TlsSetValue
0x422088 TlsFree
0x42208c FreeLibrary
0x422090 GetProcAddress
0x422094 LoadLibraryExW
0x422098 GetStdHandle
0x42209c WriteFile
0x4220a0 GetModuleFileNameW
0x4220a4 ExitProcess
0x4220a8 GetModuleHandleExW
0x4220ac HeapAlloc
0x4220b0 HeapFree
0x4220b4 LCMapStringW
0x4220b8 GetLocaleInfoW
0x4220bc IsValidLocale
0x4220c0 GetUserDefaultLCID
0x4220c4 EnumSystemLocalesW
0x4220c8 GetFileType
0x4220cc CloseHandle
0x4220d0 FlushFileBuffers
0x4220d4 GetConsoleOutputCP
0x4220d8 GetConsoleMode
0x4220dc ReadFile
0x4220e0 GetFileSizeEx
0x4220e4 SetFilePointerEx
0x4220e8 ReadConsoleW
0x4220ec HeapReAlloc
0x4220f0 FindClose
0x4220f4 FindFirstFileExW
0x4220f8 FindNextFileW
0x4220fc IsValidCodePage
0x422100 GetACP
0x422104 GetOEMCP
0x422108 GetCommandLineA
0x42210c GetCommandLineW
0x422110 GetEnvironmentStringsW
0x422114 FreeEnvironmentStringsW
0x422118 SetStdHandle
0x42211c GetProcessHeap
0x422120 HeapSize
0x422124 WriteConsoleW
EAT(Export Address Table) Library
0x403ecf _ReturnDataValidator@8
KERNEL32.dll
0x422000 AddAtomW
0x422004 WideCharToMultiByte
0x422008 EnterCriticalSection
0x42200c LeaveCriticalSection
0x422010 InitializeCriticalSectionEx
0x422014 DeleteCriticalSection
0x422018 EncodePointer
0x42201c DecodePointer
0x422020 MultiByteToWideChar
0x422024 LCMapStringEx
0x422028 GetStringTypeW
0x42202c GetCPInfo
0x422030 IsProcessorFeaturePresent
0x422034 UnhandledExceptionFilter
0x422038 SetUnhandledExceptionFilter
0x42203c GetCurrentProcess
0x422040 TerminateProcess
0x422044 QueryPerformanceCounter
0x422048 GetCurrentProcessId
0x42204c GetCurrentThreadId
0x422050 GetSystemTimeAsFileTime
0x422054 InitializeSListHead
0x422058 IsDebuggerPresent
0x42205c GetStartupInfoW
0x422060 GetModuleHandleW
0x422064 CreateFileW
0x422068 RaiseException
0x42206c RtlUnwind
0x422070 GetLastError
0x422074 SetLastError
0x422078 InitializeCriticalSectionAndSpinCount
0x42207c TlsAlloc
0x422080 TlsGetValue
0x422084 TlsSetValue
0x422088 TlsFree
0x42208c FreeLibrary
0x422090 GetProcAddress
0x422094 LoadLibraryExW
0x422098 GetStdHandle
0x42209c WriteFile
0x4220a0 GetModuleFileNameW
0x4220a4 ExitProcess
0x4220a8 GetModuleHandleExW
0x4220ac HeapAlloc
0x4220b0 HeapFree
0x4220b4 LCMapStringW
0x4220b8 GetLocaleInfoW
0x4220bc IsValidLocale
0x4220c0 GetUserDefaultLCID
0x4220c4 EnumSystemLocalesW
0x4220c8 GetFileType
0x4220cc CloseHandle
0x4220d0 FlushFileBuffers
0x4220d4 GetConsoleOutputCP
0x4220d8 GetConsoleMode
0x4220dc ReadFile
0x4220e0 GetFileSizeEx
0x4220e4 SetFilePointerEx
0x4220e8 ReadConsoleW
0x4220ec HeapReAlloc
0x4220f0 FindClose
0x4220f4 FindFirstFileExW
0x4220f8 FindNextFileW
0x4220fc IsValidCodePage
0x422100 GetACP
0x422104 GetOEMCP
0x422108 GetCommandLineA
0x42210c GetCommandLineW
0x422110 GetEnvironmentStringsW
0x422114 FreeEnvironmentStringsW
0x422118 SetStdHandle
0x42211c GetProcessHeap
0x422120 HeapSize
0x422124 WriteConsoleW
EAT(Export Address Table) Library
0x403ecf _ReturnDataValidator@8