Field | Value |
---|---|
Created | 2025.02.11 11:03 |
Machine | s1_win7_x6401 |
Filename | UN8QxIq.exe |
Type | PE32+ executable (console) x86-64, for MS Windows |
ZERO API | file : malware |
VT API (file) | 9 detected (Save, malicious, confidence, Attribute, HighConfidence, high confidence, Kryptik@AI, RDML, 08mR8iq7OsjpVBW+gMya3Q, Static AI, Suspicious PE, Artemis) |
md5 | 04c35b787b10661350e076a7d9ffa1bc |
sha256 | d6fa01630b0e150b05f0240f0404e8d4150c400e3b1aadb4249efc45283d618e |
ssdeep | 6144:qIXSbPRUwqjvAxtNDtTrheNiq+X/+sS/o9:/XgRUweIxtNlHq+V |
imphash | 2668c56ed187d07e3269e27d61659ac7 |
impfuzzy | 24:WqkXu9QHkxsBKAW4jDYc+Wch02thTBg3JBl39ro6LOovbOxv4GM+9RFZ8jiCc99Z:Txs/W4Qc+5JthTBgPpZO3RdFZ193Jh |
Network IP location
Signature (14cnts)
Level | Description |
---|---|
watch | Creates a suspicious Powershell process |
watch | The process powershell.exe wrote an executable file to disk |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | File has been identified by 9 AntiVirus engines on VirusTotal as malicious |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | This executable has a PDB path |
info | Uses Windows APIs to generate a cryptographic key |
Rules (9cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PowerShell | PowerShell script | scripts |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140031020 CreateDirectoryA
0x140031028 HeapSize
0x140031030 CreateFileW
0x140031038 GetConsoleWindow
0x140031040 GetLastError
0x140031048 WriteConsoleW
0x140031050 SetEndOfFile
0x140031058 GetModuleFileNameA
0x140031060 GetProcessHeap
0x140031068 SetStdHandle
0x140031070 SetEnvironmentVariableW
0x140031078 FreeEnvironmentStringsW
0x140031080 GetEnvironmentStringsW
0x140031088 GetOEMCP
0x140031090 GetACP
0x140031098 IsValidCodePage
0x1400310a0 QueryPerformanceCounter
0x1400310a8 QueryPerformanceFrequency
0x1400310b0 WideCharToMultiByte
0x1400310b8 GetCurrentThreadId
0x1400310c0 ReleaseSRWLockExclusive
0x1400310c8 AcquireSRWLockExclusive
0x1400310d0 TryAcquireSRWLockExclusive
0x1400310d8 Sleep
0x1400310e0 CloseHandle
0x1400310e8 InitializeCriticalSectionEx
0x1400310f0 GetSystemTimeAsFileTime
0x1400310f8 GetModuleHandleW
0x140031100 GetProcAddress
0x140031108 EnterCriticalSection
0x140031110 LeaveCriticalSection
0x140031118 DeleteCriticalSection
0x140031120 EncodePointer
0x140031128 DecodePointer
0x140031130 MultiByteToWideChar
0x140031138 LCMapStringEx
0x140031140 WakeAllConditionVariable
0x140031148 GetStringTypeW
0x140031150 GetCPInfo
0x140031158 RtlCaptureContext
0x140031160 RtlLookupFunctionEntry
0x140031168 RtlVirtualUnwind
0x140031170 UnhandledExceptionFilter
0x140031178 SetUnhandledExceptionFilter
0x140031180 GetCurrentProcess
0x140031188 TerminateProcess
0x140031190 IsProcessorFeaturePresent
0x140031198 GetCurrentProcessId
0x1400311a0 InitializeSListHead
0x1400311a8 IsDebuggerPresent
0x1400311b0 GetStartupInfoW
0x1400311b8 RtlUnwindEx
0x1400311c0 RtlPcToFileHeader
0x1400311c8 RaiseException
0x1400311d0 SetLastError
0x1400311d8 InitializeCriticalSectionAndSpinCount
0x1400311e0 TlsAlloc
0x1400311e8 TlsGetValue
0x1400311f0 TlsSetValue
0x1400311f8 TlsFree
0x140031200 FreeLibrary
0x140031208 LoadLibraryExW
0x140031210 ExitProcess
0x140031218 GetModuleHandleExW
0x140031220 CreateThread
0x140031228 ExitThread
0x140031230 FreeLibraryAndExitThread
0x140031238 GetStdHandle
0x140031240 WriteFile
0x140031248 GetModuleFileNameW
0x140031250 GetCommandLineA
0x140031258 GetCommandLineW
0x140031260 GetFileSizeEx
0x140031268 SetFilePointerEx
0x140031270 GetFileType
0x140031278 HeapAlloc
0x140031280 FlushFileBuffers
0x140031288 GetConsoleOutputCP
0x140031290 GetConsoleMode
0x140031298 HeapFree
0x1400312a0 FlsAlloc
0x1400312a8 FlsGetValue
0x1400312b0 FlsSetValue
0x1400312b8 FlsFree
0x1400312c0 CompareStringW
0x1400312c8 LCMapStringW
0x1400312d0 GetLocaleInfoW
0x1400312d8 IsValidLocale
0x1400312e0 GetUserDefaultLCID
0x1400312e8 EnumSystemLocalesW
0x1400312f0 WaitForSingleObject
0x1400312f8 GetExitCodeProcess
0x140031300 CreateProcessW
0x140031308 GetFileAttributesExW
0x140031310 ReadFile
0x140031318 ReadConsoleW
0x140031320 HeapReAlloc
0x140031328 FindClose
0x140031330 FindFirstFileExW
0x140031338 FindNextFileW
0x140031340 RtlUnwind
USER32.dll
0x140031368 GetAsyncKeyState
0x140031370 ShowWindow
ADVAPI32.dll
0x140031000 FreeSid
0x140031008 CheckTokenMembership
0x140031010 AllocateAndInitializeSid
SHELL32.dll
0x140031350 ShellExecuteExA
0x140031358 ShellExecuteA
WININET.dll
0x140031380 InternetOpenUrlA
0x140031388 InternetCloseHandle
0x140031390 InternetOpenA
0x140031398 InternetReadFile
EAT(Export Address Table) is none