ScreenShot
| Created | 2024.11.11 09:42 | Machine | s1_win7_x6401 |
| Filename | crypted.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | |||
| VT API (file) | 43 detected (AIDetectMalware, Sodinokibi, Malicious, score, GenericKD, Unsafe, confidence, 100%, Attribute, HighConfidence, high confidence, GenKryptik, HDQC, Xpaj, Stelpak, CLOUD, Lumma, Static AI, Malicious PE, Detected, GrayWare, Wacapew, HeurC, KVMH008, Malware@#2468x9xuyh07c, Sabsik, ABTrojan, AVEH, R678257, Krypt, RansomGen) | ||
| md5 | e1d09be68de1be491cdb2870bfc90854 | ||
| sha256 | 6b2c384e64992914ec049762e153d4592c7dc2511b8cc079843c4d8195210c23 | ||
| ssdeep | 24576:W6hD7LpDPaCoflmQMOsaED7biogA/kItUbLA8ouzEgKl8QDj7:jTp7oLlx+7bc2kI+bLPEDl3Dj7 | ||
| imphash | edcf314155b6a0d1898757c320d085ee | ||
| impfuzzy | 24:Pw+2WDoejtWOovbOGMUD1uBvgJWDpZWylnjBLPOXlEu9PJUsYjh:PwDQoKx361GhZxJjBbO1+sE | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
USER32.dll
0x4e05b0 AddClipboardFormatListener
KERNEL32.dll
0x4e05b8 CloseHandle
0x4e05bc CompareStringW
0x4e05c0 CreateEventW
0x4e05c4 CreateFileW
0x4e05c8 DecodePointer
0x4e05cc DeleteCriticalSection
0x4e05d0 EncodePointer
0x4e05d4 EnterCriticalSection
0x4e05d8 EnumSystemLocalesW
0x4e05dc ExitProcess
0x4e05e0 FindClose
0x4e05e4 FindFirstFileExW
0x4e05e8 FindNextFileW
0x4e05ec FlushFileBuffers
0x4e05f0 FreeEnvironmentStringsW
0x4e05f4 FreeLibrary
0x4e05f8 GetACP
0x4e05fc GetCPInfo
0x4e0600 GetCommandLineA
0x4e0604 GetCommandLineW
0x4e0608 GetConsoleMode
0x4e060c GetConsoleOutputCP
0x4e0610 GetCurrentProcess
0x4e0614 GetCurrentProcessId
0x4e0618 GetCurrentThreadId
0x4e061c GetEnvironmentStringsW
0x4e0620 GetFileSizeEx
0x4e0624 GetFileType
0x4e0628 GetLastError
0x4e062c GetLocaleInfoW
0x4e0630 GetModuleFileNameW
0x4e0634 GetModuleHandleExW
0x4e0638 GetModuleHandleW
0x4e063c GetOEMCP
0x4e0640 GetProcAddress
0x4e0644 GetProcessHeap
0x4e0648 GetStartupInfoW
0x4e064c GetStdHandle
0x4e0650 GetStringTypeW
0x4e0654 GetSystemTimeAsFileTime
0x4e0658 GetUserDefaultLCID
0x4e065c HeapAlloc
0x4e0660 HeapFree
0x4e0664 HeapReAlloc
0x4e0668 HeapSize
0x4e066c InitializeCriticalSectionAndSpinCount
0x4e0670 InitializeCriticalSectionEx
0x4e0674 InitializeSListHead
0x4e0678 IsDebuggerPresent
0x4e067c IsProcessorFeaturePresent
0x4e0680 IsValidCodePage
0x4e0684 IsValidLocale
0x4e0688 LCMapStringEx
0x4e068c LCMapStringW
0x4e0690 LeaveCriticalSection
0x4e0694 LoadLibraryExW
0x4e0698 MultiByteToWideChar
0x4e069c QueryPerformanceCounter
0x4e06a0 RaiseException
0x4e06a4 ReadConsoleW
0x4e06a8 ReadFile
0x4e06ac ResetEvent
0x4e06b0 RtlUnwind
0x4e06b4 SetEndOfFile
0x4e06b8 SetEnvironmentVariableW
0x4e06bc SetEvent
0x4e06c0 SetFilePointerEx
0x4e06c4 SetLastError
0x4e06c8 SetStdHandle
0x4e06cc SetUnhandledExceptionFilter
0x4e06d0 TerminateProcess
0x4e06d4 TlsAlloc
0x4e06d8 TlsFree
0x4e06dc TlsGetValue
0x4e06e0 TlsSetValue
0x4e06e4 UnhandledExceptionFilter
0x4e06e8 WaitForSingleObjectEx
0x4e06ec WideCharToMultiByte
0x4e06f0 WriteConsoleW
0x4e06f4 WriteFile
EAT(Export Address Table) is none
USER32.dll
0x4e05b0 AddClipboardFormatListener
KERNEL32.dll
0x4e05b8 CloseHandle
0x4e05bc CompareStringW
0x4e05c0 CreateEventW
0x4e05c4 CreateFileW
0x4e05c8 DecodePointer
0x4e05cc DeleteCriticalSection
0x4e05d0 EncodePointer
0x4e05d4 EnterCriticalSection
0x4e05d8 EnumSystemLocalesW
0x4e05dc ExitProcess
0x4e05e0 FindClose
0x4e05e4 FindFirstFileExW
0x4e05e8 FindNextFileW
0x4e05ec FlushFileBuffers
0x4e05f0 FreeEnvironmentStringsW
0x4e05f4 FreeLibrary
0x4e05f8 GetACP
0x4e05fc GetCPInfo
0x4e0600 GetCommandLineA
0x4e0604 GetCommandLineW
0x4e0608 GetConsoleMode
0x4e060c GetConsoleOutputCP
0x4e0610 GetCurrentProcess
0x4e0614 GetCurrentProcessId
0x4e0618 GetCurrentThreadId
0x4e061c GetEnvironmentStringsW
0x4e0620 GetFileSizeEx
0x4e0624 GetFileType
0x4e0628 GetLastError
0x4e062c GetLocaleInfoW
0x4e0630 GetModuleFileNameW
0x4e0634 GetModuleHandleExW
0x4e0638 GetModuleHandleW
0x4e063c GetOEMCP
0x4e0640 GetProcAddress
0x4e0644 GetProcessHeap
0x4e0648 GetStartupInfoW
0x4e064c GetStdHandle
0x4e0650 GetStringTypeW
0x4e0654 GetSystemTimeAsFileTime
0x4e0658 GetUserDefaultLCID
0x4e065c HeapAlloc
0x4e0660 HeapFree
0x4e0664 HeapReAlloc
0x4e0668 HeapSize
0x4e066c InitializeCriticalSectionAndSpinCount
0x4e0670 InitializeCriticalSectionEx
0x4e0674 InitializeSListHead
0x4e0678 IsDebuggerPresent
0x4e067c IsProcessorFeaturePresent
0x4e0680 IsValidCodePage
0x4e0684 IsValidLocale
0x4e0688 LCMapStringEx
0x4e068c LCMapStringW
0x4e0690 LeaveCriticalSection
0x4e0694 LoadLibraryExW
0x4e0698 MultiByteToWideChar
0x4e069c QueryPerformanceCounter
0x4e06a0 RaiseException
0x4e06a4 ReadConsoleW
0x4e06a8 ReadFile
0x4e06ac ResetEvent
0x4e06b0 RtlUnwind
0x4e06b4 SetEndOfFile
0x4e06b8 SetEnvironmentVariableW
0x4e06bc SetEvent
0x4e06c0 SetFilePointerEx
0x4e06c4 SetLastError
0x4e06c8 SetStdHandle
0x4e06cc SetUnhandledExceptionFilter
0x4e06d0 TerminateProcess
0x4e06d4 TlsAlloc
0x4e06d8 TlsFree
0x4e06dc TlsGetValue
0x4e06e0 TlsSetValue
0x4e06e4 UnhandledExceptionFilter
0x4e06e8 WaitForSingleObjectEx
0x4e06ec WideCharToMultiByte
0x4e06f0 WriteConsoleW
0x4e06f4 WriteFile
EAT(Export Address Table) is none