ScreenShot
| Created | 2024.10.28 11:15 | Machine | s1_win7_x6401 |
| Filename | osupdater.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 56 detected (AIDetectMalware, Androm, Malicious, score, Artemis, Unsafe, Vllf, confidence, 100%, Attribute, HighConfidence, high confidence, MalwareX, vsub, Nekark, uGYVIXwGFbQ, bnyag, Siggen29, AMADEY, YXEJWZ, moderate, Static AI, Malicious PE, Detected, Wacatac, Malware@#22ml15uqhw2se, Sabsik, Tnaket, Chgt, Gencirc, Tinukebot, B9nj) | ||
| md5 | b611b18150ff90f659198e46c7f2b74f | ||
| sha256 | 0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517 | ||
| ssdeep | 6144:ty72/oopck5kxnvEL3T0Lq5TmSqMLMHgo2TWnF+v:tyQoomYEg9qrHgo2anAv | ||
| imphash | 32fbf5b10b16ec517b227ff71a382b38 | ||
| impfuzzy | 48:oAMHhNYuL5lX6ZbKoyh6OgqcpV69g8YyFZ7:oAMHhNYuLvX6Zmo26RqcpV+g8Yyz | ||
Network IP location
Signature (23cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 56 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Attempts to disable SPDY support in Firefox to improve web infostealing capability |
| watch | Attempts to modify Explorer settings to prevent hidden files from being displayed |
| watch | Installs itself for autorun at Windows startup |
| watch | Modifies the Firefox configuration file |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Creates hidden or system file |
| notice | One or more potentially interesting buffers were extracted |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
Rules (24cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Persistence | Install itself for autorun at Windows startup | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE64 | (no description) | binaries (upload) |
| info | lnk_file_format | Microsoft Windows Shortcut File Format | binaries (download) |
| info | Lnk_Format_Zero | LNK Format | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | vmdetect_misc | Following Rule is referenced from AlienVault's Yara rule repository.This rule contains additional processes and driver names. | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
OLEAUT32.dll
0x1400203b0 VariantClear
KERNEL32.dll
0x140020000 EnumSystemLocalesEx
0x140020008 IsValidLocaleName
0x140020010 LCMapStringEx
0x140020018 GetUserDefaultLocaleName
0x140020020 FreeEnvironmentStringsW
0x140020028 GetEnvironmentStringsW
0x140020030 QueryPerformanceCounter
0x140020038 FlsFree
0x140020040 FlsSetValue
0x140020048 FlsGetValue
0x140020050 FlsAlloc
0x140020058 SetUnhandledExceptionFilter
0x140020060 UnhandledExceptionFilter
0x140020068 RtlVirtualUnwind
0x140020070 RtlCaptureContext
0x140020078 LoadLibraryExW
0x140020080 ReadConsoleW
0x140020088 SetStdHandle
0x140020090 WriteConsoleW
0x140020098 OutputDebugStringW
0x1400200a0 LocalFree
0x1400200a8 GetTickCount64
0x1400200b0 SetEndOfFile
0x1400200b8 GetConsoleMode
0x1400200c0 GetConsoleCP
0x1400200c8 FlushFileBuffers
0x1400200d0 SetFilePointerEx
0x1400200d8 GetThreadContext
0x1400200e0 GetTempFileNameW
0x1400200e8 GetFileSize
0x1400200f0 SetThreadContext
0x1400200f8 SetFilePointer
0x140020100 FreeLibrary
0x140020108 GetCurrentProcess
0x140020110 WaitForSingleObject
0x140020118 WriteFile
0x140020120 OpenProcess
0x140020128 GetSystemDirectoryW
0x140020130 LoadLibraryW
0x140020138 GetModuleFileNameW
0x140020140 CreateFileW
0x140020148 GetTempPathW
0x140020150 GetLastError
0x140020158 GetProcAddress
0x140020160 VirtualAllocEx
0x140020168 LoadLibraryA
0x140020170 GetModuleHandleA
0x140020178 lstrcatW
0x140020180 Wow64SetThreadContext
0x140020188 CloseHandle
0x140020190 WriteProcessMemory
0x140020198 ResumeThread
0x1400201a0 Wow64GetThreadContext
0x1400201a8 CreateThread
0x1400201b0 HeapAlloc
0x1400201b8 GetProcessHeap
0x1400201c0 Sleep
0x1400201c8 CreateRemoteThread
0x1400201d0 CreateToolhelp32Snapshot
0x1400201d8 VirtualProtectEx
0x1400201e0 VirtualProtect
0x1400201e8 ExitProcess
0x1400201f0 CreateMutexA
0x1400201f8 HeapReAlloc
0x140020200 CreateFileA
0x140020208 FindFirstFileW
0x140020210 MapViewOfFile
0x140020218 UnmapViewOfFile
0x140020220 CompareFileTime
0x140020228 HeapFree
0x140020230 GetModuleHandleW
0x140020238 GetProcessTimes
0x140020240 GetFileAttributesA
0x140020248 TerminateProcess
0x140020250 ReadFile
0x140020258 lstrcatA
0x140020260 MultiByteToWideChar
0x140020268 CreateDirectoryA
0x140020270 CopyFileA
0x140020278 SetFileAttributesA
0x140020280 Process32FirstW
0x140020288 CreateFileMappingA
0x140020290 GetModuleFileNameA
0x140020298 Process32NextW
0x1400202a0 IsDebuggerPresent
0x1400202a8 FindNextFileW
0x1400202b0 DeleteFileW
0x1400202b8 ExpandEnvironmentStringsW
0x1400202c0 WideCharToMultiByte
0x1400202c8 GetStringTypeW
0x1400202d0 EncodePointer
0x1400202d8 DecodePointer
0x1400202e0 EnterCriticalSection
0x1400202e8 LeaveCriticalSection
0x1400202f0 InitializeCriticalSectionEx
0x1400202f8 DeleteCriticalSection
0x140020300 GetLocaleInfoEx
0x140020308 GetCPInfo
0x140020310 IsProcessorFeaturePresent
0x140020318 GetSystemTimeAsFileTime
0x140020320 GetCommandLineW
0x140020328 RtlPcToFileHeader
0x140020330 RaiseException
0x140020338 RtlLookupFunctionEntry
0x140020340 RtlUnwindEx
0x140020348 InitializeCriticalSectionAndSpinCount
0x140020350 GetModuleHandleExW
0x140020358 HeapSize
0x140020360 IsValidCodePage
0x140020368 GetACP
0x140020370 GetOEMCP
0x140020378 SetLastError
0x140020380 GetCurrentThreadId
0x140020388 GetStdHandle
0x140020390 GetFileType
0x140020398 InitOnceExecuteOnce
0x1400203a0 GetStartupInfoW
EAT(Export Address Table) is none
OLEAUT32.dll
0x1400203b0 VariantClear
KERNEL32.dll
0x140020000 EnumSystemLocalesEx
0x140020008 IsValidLocaleName
0x140020010 LCMapStringEx
0x140020018 GetUserDefaultLocaleName
0x140020020 FreeEnvironmentStringsW
0x140020028 GetEnvironmentStringsW
0x140020030 QueryPerformanceCounter
0x140020038 FlsFree
0x140020040 FlsSetValue
0x140020048 FlsGetValue
0x140020050 FlsAlloc
0x140020058 SetUnhandledExceptionFilter
0x140020060 UnhandledExceptionFilter
0x140020068 RtlVirtualUnwind
0x140020070 RtlCaptureContext
0x140020078 LoadLibraryExW
0x140020080 ReadConsoleW
0x140020088 SetStdHandle
0x140020090 WriteConsoleW
0x140020098 OutputDebugStringW
0x1400200a0 LocalFree
0x1400200a8 GetTickCount64
0x1400200b0 SetEndOfFile
0x1400200b8 GetConsoleMode
0x1400200c0 GetConsoleCP
0x1400200c8 FlushFileBuffers
0x1400200d0 SetFilePointerEx
0x1400200d8 GetThreadContext
0x1400200e0 GetTempFileNameW
0x1400200e8 GetFileSize
0x1400200f0 SetThreadContext
0x1400200f8 SetFilePointer
0x140020100 FreeLibrary
0x140020108 GetCurrentProcess
0x140020110 WaitForSingleObject
0x140020118 WriteFile
0x140020120 OpenProcess
0x140020128 GetSystemDirectoryW
0x140020130 LoadLibraryW
0x140020138 GetModuleFileNameW
0x140020140 CreateFileW
0x140020148 GetTempPathW
0x140020150 GetLastError
0x140020158 GetProcAddress
0x140020160 VirtualAllocEx
0x140020168 LoadLibraryA
0x140020170 GetModuleHandleA
0x140020178 lstrcatW
0x140020180 Wow64SetThreadContext
0x140020188 CloseHandle
0x140020190 WriteProcessMemory
0x140020198 ResumeThread
0x1400201a0 Wow64GetThreadContext
0x1400201a8 CreateThread
0x1400201b0 HeapAlloc
0x1400201b8 GetProcessHeap
0x1400201c0 Sleep
0x1400201c8 CreateRemoteThread
0x1400201d0 CreateToolhelp32Snapshot
0x1400201d8 VirtualProtectEx
0x1400201e0 VirtualProtect
0x1400201e8 ExitProcess
0x1400201f0 CreateMutexA
0x1400201f8 HeapReAlloc
0x140020200 CreateFileA
0x140020208 FindFirstFileW
0x140020210 MapViewOfFile
0x140020218 UnmapViewOfFile
0x140020220 CompareFileTime
0x140020228 HeapFree
0x140020230 GetModuleHandleW
0x140020238 GetProcessTimes
0x140020240 GetFileAttributesA
0x140020248 TerminateProcess
0x140020250 ReadFile
0x140020258 lstrcatA
0x140020260 MultiByteToWideChar
0x140020268 CreateDirectoryA
0x140020270 CopyFileA
0x140020278 SetFileAttributesA
0x140020280 Process32FirstW
0x140020288 CreateFileMappingA
0x140020290 GetModuleFileNameA
0x140020298 Process32NextW
0x1400202a0 IsDebuggerPresent
0x1400202a8 FindNextFileW
0x1400202b0 DeleteFileW
0x1400202b8 ExpandEnvironmentStringsW
0x1400202c0 WideCharToMultiByte
0x1400202c8 GetStringTypeW
0x1400202d0 EncodePointer
0x1400202d8 DecodePointer
0x1400202e0 EnterCriticalSection
0x1400202e8 LeaveCriticalSection
0x1400202f0 InitializeCriticalSectionEx
0x1400202f8 DeleteCriticalSection
0x140020300 GetLocaleInfoEx
0x140020308 GetCPInfo
0x140020310 IsProcessorFeaturePresent
0x140020318 GetSystemTimeAsFileTime
0x140020320 GetCommandLineW
0x140020328 RtlPcToFileHeader
0x140020330 RaiseException
0x140020338 RtlLookupFunctionEntry
0x140020340 RtlUnwindEx
0x140020348 InitializeCriticalSectionAndSpinCount
0x140020350 GetModuleHandleExW
0x140020358 HeapSize
0x140020360 IsValidCodePage
0x140020368 GetACP
0x140020370 GetOEMCP
0x140020378 SetLastError
0x140020380 GetCurrentThreadId
0x140020388 GetStdHandle
0x140020390 GetFileType
0x140020398 InitOnceExecuteOnce
0x1400203a0 GetStartupInfoW
EAT(Export Address Table) is none