ScreenShot
Field | Value |
---|---|
Created | 2024.11.22 15:43 |
Machine | s1_win7_x6403 |
Filename | %E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed |
AI Score | Not found |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | |
md5 | e516566b25ae853edd6aad00854d782a |
sha256 | 9cb2b6cafc2c6ec61d2f997789e7a923d71b8663f57a531820d958971f8a8e84 |
ssdeep | 393216:aT903qKSVL/D0mOWBLGZz1cVeN1zSuCK+RO4b61B2YpLlsmb2wIoV1Keejdnd:ah0OVL/rBLGp1JdCr6zRlsm1IoV1G9d |
imphash | 7b4d49c70225aa517dec64af974a1c3d |
impfuzzy | 12:VA/D5zuBs4N5dZiXuBs3JMniuvcEERH4oH9:V0D5zuNb0WHsxl9 |
Network IP location
Signature (23cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Checks the CPU name from registry |
watch | Checks the version of Bios |
watch | Detects the presence of Wine emulator |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
notice | Foreign language identified in PE resource |
notice | One or more potentially interesting buffers were extracted |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable uses a known packer |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | Tries to locate where the browsers are installed |
Rules (21cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_SSL | Communications over SSL | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x30d0a20 LoadLibraryA
0x30d0a24 GetProcAddress
0x30d0a28 VirtualAlloc
0x30d0a2c VirtualFree
USER32.dll
0x30d0a34 LoadImageW
GDI32.dll
0x30d0a3c GetTextExtentPoint32W
MSIMG32.dll
0x30d0a44 AlphaBlend
COMDLG32.dll
0x30d0a4c GetFileTitleA
WINSPOOL.DRV
0x30d0a54 OpenPrinterA
ADVAPI32.dll
0x30d0a5c OpenThreadToken
SHELL32.dll
0x30d0a64 SHAppBarMessage
COMCTL32.dll
0x30d0a6c InitCommonControlsEx
SHLWAPI.dll
0x30d0a74 PathRemoveExtensionA
ole32.dll
0x30d0a7c OleSetContainedObject
OLEAUT32.dll
0x30d0a84 SafeArrayDestroy
oledlg.dll
0x30d0a8c None
WINMM.dll
0x30d0a94 PlaySoundA
gdiplus.dll
0x30d0a9c GdipGetImagePaletteSize
PSAPI.DLL
0x30d0aa4 GetModuleBaseNameA
OLEACC.dll
0x30d0aac LresultFromObject
IMM32.dll
0x30d0ab4 ImmReleaseContext
EAT(Export Address Table) is none