Field | Value |
---|---|
Created | 2024.12.07 11:31 |
Machine | s1_win7_x6401 |
Filename | WAT Fix.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows, UPX compressed |
ZERO API | file : clean |
VT API (file) | 58 detected (AIDetectMalware, Hacktool, KMSAuto, malicious, moderate confidence, score, Winactivator, Unsafe, Vsd5, R potentially unsafe, FileRepPup, Tool, Dunik, CLOUD, PrivacyRisk, WatFix, Activator, Generic Reputation PUA, lyzl, Detected, ai score=100, AutoKMS, TMYC, Activation, ZexaF, QmNfa8VZ1Qoi, Neshta, FileInfector, Gencirc, Igent, bZeZ8X, susgen, confidence, 100%) |
md5 | 0a1023d7fd543f6b73ad2a4ca553bba1 |
sha256 | d2bef451a44457ef4b1da38982f568e1e75402fbd2fedc6eaa5f761cd6a5e751 |
ssdeep | 12288:B1MX89GjRX3rtCqHTNSnSoSGDVryXhJh7zIuU1On4xLIuWV355FXw/+e4wCu+2Gb:TMs9mRXbnNSnkqIuWV355FXw/+e4wCuK |
imphash | b1e8eb7760736462773774d39bf9187b |
impfuzzy | 6:dBJAEHGDzyRlbRmVOZ/EwRgDZRXac9KJAmnoNLbS4QMyyTc3:VA/DzqYOZ9RgdxhmQC4QITU |
Signature (22cnts)
Level | Description |
---|---|
danger | File has been identified by 58 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to stop active services |
watch | Modifies boot configuration settings |
watch | Uses suspicious command line tools or Windows utilities |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Executes one or more WMI queries |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable uses a known packer |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.DLL
0x589724 LoadLibraryA
0x589728 GetProcAddress
0x58972c VirtualProtect
0x589730 VirtualAlloc
0x589734 VirtualFree
0x589738 ExitProcess
ADVAPI32.dll
0x589740 RegCloseKey
iphlpapi.dll
0x589748 GetAdaptersInfo
ole32.dll
0x589750 CoInitialize
OLEAUT32.dll
0x589758 SysFreeString
SHELL32.dll
0x589760 SHGetMalloc
USER32.dll
0x589768 GetDC
VERSION.dll
0x589770 VerQueryValueW
EAT (Export Address Table): none
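The IAT above is the classic UPX loader profile: kernel32 contributes only the six functions the decompression stub needs to rebuild the real import table (LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess), and every other module keeps a single import so that the DLL is still mapped at load time. A consequence for triage is that the imphash row in the header describes the packer stub rather than the payload, so it will cluster with unrelated UPX-packed binaries; unpack before comparing imphashes. The following script is an added example, not part of this report or of the sandbox's tooling: it recomputes imphash from an import list using the pefile/VirusTotal algorithm (lower-case `module.function` entries in import order, `.dll`/`.ocx`/`.sys` stripped, MD5 of the comma-joined string; MD5 here is a fingerprint, not a security primitive) and applies a stub heuristic of my own. The import list is transcribed from the IAT section as constructed input; the kernel32 stub set and the heuristic thresholds are assumptions.

```python
"""Static-triage helpers over a PE import list: imphash and a UPX-stub heuristic.

Added example, not part of the sandbox report. The import list below is
transcribed from the report's IAT section; everything else is illustrative.
"""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Import = Tuple[str, str]  # (module name as in the PE, function name)

# Constructed input: the IAT exactly as listed in the report, in table order.
# Order matters, because imphash hashes the import sequence.
REPORT_IMPORTS: List[Import] = [
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "VirtualProtect"),
    ("KERNEL32.DLL", "VirtualAlloc"),
    ("KERNEL32.DLL", "VirtualFree"),
    ("KERNEL32.DLL", "ExitProcess"),
    ("ADVAPI32.dll", "RegCloseKey"),
    ("iphlpapi.dll", "GetAdaptersInfo"),
    ("ole32.dll", "CoInitialize"),
    ("OLEAUT32.dll", "SysFreeString"),
    ("SHELL32.dll", "SHGetMalloc"),
    ("USER32.dll", "GetDC"),
    ("VERSION.dll", "VerQueryValueW"),
]

# kernel32 functions a UPX decompression stub uses to restore the real IAT
# after unpacking (assumption: the usual UPX loader profile).
UPX_STUB_KERNEL32 = {
    "loadlibrarya", "getprocaddress", "virtualprotect",
    "virtualalloc", "virtualfree", "exitprocess",
}

# Extensions imphash strips from the module name.
_STRIPPED_EXTS = ("dll", "ocx", "sys")


def _norm_lib(dll: str) -> str:
    """Lower-case the module name and drop a .dll/.ocx/.sys extension."""
    name = dll.lower()
    base, sep, ext = name.rpartition(".")
    return base if sep and ext in _STRIPPED_EXTS else name


def imphash_string(imports: Iterable[Import]) -> str:
    """The comma-joined 'module.function' list that imphash hashes."""
    return ",".join(f"{_norm_lib(dll)}.{func.lower()}" for dll, func in imports)


def imphash(imports: Iterable[Import]) -> str:
    """MD5 of the canonical import string (same construction as pefile's get_imphash)."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def imports_by_module(imports: Iterable[Import]) -> Dict[str, List[str]]:
    """Group lower-cased function names by normalised module name."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for dll, func in imports:
        grouped[_norm_lib(dll)].append(func.lower())
    return dict(grouped)


def looks_like_upx_stub(imports: Iterable[Import]) -> bool:
    """Heuristic (assumption, not a UPX specification): kernel32 carries only
    loader functions and every other module keeps exactly one import, which is
    how UPX keeps a DLL loaded while hiding the real import table."""
    grouped = imports_by_module(list(imports))
    k32 = set(grouped.get("kernel32", []))
    if not k32 or not k32 <= UPX_STUB_KERNEL32:
        return False
    return all(len(funcs) == 1 for mod, funcs in grouped.items() if mod != "kernel32")


def triage(imports: List[Import]) -> dict:
    """Summary a triage note would carry for an import table."""
    return {
        "imphash": imphash(imports),
        "import_count": len(imports),
        "modules": sorted(imports_by_module(imports)),
        "upx_stub_profile": looks_like_upx_stub(imports),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_IMPORTS).items():
        print(f"{key}: {value}")
```

If the printed imphash equals the value in the header table, the report computed it with the same algorithm over the same import order; if it differs, check for ordinal imports or a different extension-stripping rule before assuming a different binary. The heuristic is deliberately narrow: a single extra kernel32 function, or a second import from any other module, makes it return False, which is the behaviour you want from a packer-stub check that feeds an "unpack first" decision.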