Field | Value |
---|---|
Created | 2021.03.09 15:15 |
Machine | s1_win7_x6401 |
Filename | simo_exe_ws1011706983.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 68 detected (AIDetect, malware1, malicious, high confidence, GenericKD, Bifrose, Unsafe, Bitforse, FraudAlert, Save, XKFY, Backdrop, enscfe, Refroso, dejg, R + Mal, Bifrost, ~Q@7opw, djjg, Static AI, Malicious PE, score, SScope, Buzus, ai score=100, Midgare, CLASSIC, GenAsa, 4E42FGF2k2Y, NTA2, confidence, 100%) |
md5 | 6021e09784d4b8ca5450fe6010c6e543 |
sha256 | 3f67801d69dfd76bf2ecf24de6f0047e94350a1b8c47783702417e3555bac40f |
ssdeep | 768:Z+h7TzTBziifTeiZSVWihwEknh0L7OTLeNfQflCHCMhEIV9sQwNQwuLkPTFz7wa3:kZ/nEkh8OTKNRHCML7iQHLkbFzW7A |
imphash | 8afbf9211984274dc7a21b630ecae242 |
impfuzzy | 3:sU9KTXzhAXwSx2AEZsSqHQL3wBO71MO/OywSW+RAKkAbsSd1EL/KfOAXLsS9KnJS:HGDmEue31Z/OOy0bOLEOAPIwD3 |
Signature (13cnts)
Level | Description |
---|---|
danger | File has been identified by 68 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Creates a thread using CreateRemoteThread in a non-child process indicative of process injection |
watch | Expresses interest in specific running processes |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | Potential code injection by writing to the memory of another process |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | One or more potentially interesting buffers were extracted |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
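The five watch-level signatures above are one pattern seen from four API calls: open a process the sample did not spawn, allocate executable memory in it, write to it, and start a thread there. The following is an added example (not code from the sandbox or its report) showing how that pattern, plus the RWX self-allocation notice, can be recovered from an API trace. The trace, its field names (pid, api, args, target, protect) and the process tree are constructed to resemble a Cuckoo-style monitor log and are assumptions, not data from this report.

```python
"""Detection logic for the cross-process injection pattern flagged above.

Added example, not code from the sandbox report. The API trace, the field
names (pid, api, args, target, protect) and the process tree are constructed
to resemble a Cuckoo-style API monitor log; they are assumptions, not data
from the report.
"""
from collections import defaultdict

# Page protections from <winnt.h> that grant execute.
EXECUTE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}
PAGE_EXECUTE_READWRITE = 0x40

# The sequence behind the watch-level signatures: open a foreign process,
# allocate executable memory in it, write to it, start a thread there.
REQUIRED_STEPS = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")

# Constructed trace: pid 1000 is the sample, pid 2000 a child it spawned,
# pid 1500 an unrelated process (explorer.exe).
SAMPLE_TRACE = [
    {"pid": 1000, "api": "VirtualAlloc",       "args": {"protect": PAGE_EXECUTE_READWRITE}},
    {"pid": 1000, "api": "Process32NextW",     "args": {"name": "explorer.exe"}},
    {"pid": 1000, "api": "OpenProcess",        "args": {"target": 1500}},
    {"pid": 1000, "api": "VirtualAllocEx",     "args": {"target": 1500, "protect": PAGE_EXECUTE_READWRITE}},
    {"pid": 1000, "api": "WriteProcessMemory", "args": {"target": 1500, "size": 0x1200}},
    {"pid": 1000, "api": "CreateRemoteThread", "args": {"target": 1500}},
    {"pid": 1000, "api": "CreateProcessA",     "args": {"target": 2000}},
    {"pid": 1000, "api": "WriteProcessMemory", "args": {"target": 2000, "size": 0x100}},
]
SAMPLE_PARENTS = {1000: 800, 1500: 1, 2000: 1000}  # constructed: pid -> parent pid


def analyse_trace(events, parents):
    """Return (rwx_self_allocs, injections).

    rwx_self_allocs: sorted pids that allocated RWX memory in their own
    process (the 'notice' unpacking indicator).
    injections: one dict per (injector, target) pair for which all four
    REQUIRED_STEPS were observed, with non_child=True when the injector is
    not the target's parent (the 'watch' indicators).
    """
    rwx_self = set()
    steps = defaultdict(set)  # (injector pid, target pid) -> APIs seen
    for ev in events:
        api, args = ev["api"], ev["args"]
        if api in ("VirtualAlloc", "NtAllocateVirtualMemory") and args.get("protect") == PAGE_EXECUTE_READWRITE:
            rwx_self.add(ev["pid"])
        if api in REQUIRED_STEPS and "target" in args:
            # A non-executable remote allocation alone is not the injection pattern.
            if api == "VirtualAllocEx" and args.get("protect") not in EXECUTE_PROTECTIONS:
                continue
            steps[(ev["pid"], args["target"])].add(api)

    injections = []
    for (injector, target), seen in sorted(steps.items()):
        if all(step in seen for step in REQUIRED_STEPS):
            injections.append({"injector": injector, "target": target,
                               "non_child": parents.get(target) != injector})
    return sorted(rwx_self), injections


def render_signatures(rwx_self, injections):
    """Produce report-style 'level | description' lines from the findings."""
    lines = []
    for inj in injections:
        scope = "a non-child process" if inj["non_child"] else "a child process"
        lines.append(f"watch | pid {inj['injector']} allocated executable memory, wrote to it and "
                     f"started a thread in {scope} (pid {inj['target']})")
    for pid in rwx_self:
        lines.append(f"notice | pid {pid} allocated read-write-execute memory in its own address space")
    return lines


if __name__ == "__main__":
    rwx, inj = analyse_trace(SAMPLE_TRACE, SAMPLE_PARENTS)
    print("\n".join(render_signatures(rwx, inj)))
```

The partial write into the child (pid 2000) is deliberately not reported: a lone WriteProcessMemory into a process the sample created is routine for launchers, and the report's watch signatures key on the full sequence against a non-child process. Treat a child target that completes all four steps as process hollowing rather than noise.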
Rules (52cnts)
Level | Name | Description | Collection |
---|---|---|---|
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
info | create_com_service | Create a COM server | memory |
info | create_service | Create a windows service | memory |
info | cred_local | Steal credentials | memory |
info | escalate_priv | Escalate privileges | memory |
info | HasOverlay | Overlay Check | binaries (upload) |
info | HasRichSignature | Rich Signature Check | binaries (upload) |
info | hijack_network | Hijack network configuration | memory |
info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
info | IsPacked | Entropy Check | binaries (upload) |
info | IsWindowsGUI | (no description) | binaries (upload) |
info | keylogger | Run a keylogger | memory |
info | migrate_apc | APC queue tasks migration | memory |
info | network_dga | Communication using a DGA | memory |
info | network_dns | Communications use DNS | memory |
info | network_dropper | File downloader/dropper | memory |
info | network_dyndns | Communications via a DynDNS network | memory |
info | network_ftp | Communications over FTP | memory |
info | network_http | Communications over HTTP | memory |
info | network_p2p_win | Communications over P2P network | memory |
info | network_tcp_listen | Listen for incoming communication | memory |
info | network_tcp_socket | Communications over RAW socket | memory |
info | network_udp_sock | Communications over UDP network | memory |
info | rat_webcam | Remote Administration toolkit using webcam | memory |
info | screenshot | Take screenshot | memory |
info | sniff_audio | Record Audio | memory |
info | spreading_file | Malware can spread east-west via files | memory |
info | spreading_share | Malware can spread east-west via shared drives | memory |
info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
info | win_files_operation | Affect private profile | memory |
info | win_mutex | Create or check mutex | memory |
info | win_private_profile | Affect private profile | memory |
info | win_registry | Affect system registries | memory |
info | win_token | Affect system token | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x401000 GetProcAddress
0x401004 GetModuleHandleA
0x401008 GetTickCount
0x40100c HeapAlloc
0x401010 ExitProcess
0x401014 GetStartupInfoA
0x401018 GetCommandLineA
0x40101c GetProcessHeap
USER32.dll
0x401024 MessageBoxA
EAT(Export Address Table) is none
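The static import table is nine entries, and none of them are the injection APIs the behavior signatures reported; with GetProcAddress and GetModuleHandleA present, the sample resolves its real imports at run time after unpacking, which is also why the imphash here describes the packer stub rather than the payload. The following is an added example (not code from the sandbox or its report) that parses the listing above, rebuilds the pefile-style imphash input, and flags the tiny-IAT-plus-resolver pattern. IAT_TEXT is the report's own listing copied into a string; the imphash recipe, the size threshold and the OpenProcess entry in INJECTION_APIS are assumptions made here for illustration.

```python
"""Triage of the import table printed above.

Added example, not code from the sandbox report. IAT_TEXT is the report's
own import listing copied into a string; the pefile-style imphash recipe,
the size threshold in dynamic_resolution_indicator and the OpenProcess
entry in INJECTION_APIS are assumptions made here for illustration.
"""
import hashlib
import re

IAT_TEXT = """\
KERNEL32.dll
0x401000 GetProcAddress
0x401004 GetModuleHandleA
0x401008 GetTickCount
0x40100c HeapAlloc
0x401010 ExitProcess
0x401014 GetStartupInfoA
0x401018 GetCommandLineA
0x40101c GetProcessHeap
USER32.dll
0x401024 MessageBoxA
"""

# APIs a packed stub needs in order to resolve everything else at run time.
RESOLVER_APIS = {"GetProcAddress", "GetModuleHandleA", "GetModuleHandleW",
                 "LoadLibraryA", "LoadLibraryW"}
# Injection APIs named or implied by the watch-level signatures
# (OpenProcess is an assumption; CreateRemoteThread is named in the report).
INJECTION_APIS = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}

ENTRY_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")


def parse_iat(text):
    """Parse the 'DLL name / address function' listing into (dll, function) pairs, in table order."""
    imports, dll = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m and dll is not None:
            imports.append((dll, m.group(1)))
        else:
            dll = line  # a bare line names the library the following entries belong to
    return imports


def imphash_string(imports):
    """Canonical string hashed by the pefile imphash: lowercase library name
    with a .dll/.ocx/.sys extension stripped, '.', lowercase function name,
    all entries comma-joined in import order."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the canonical import string (the pefile convention)."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def dynamic_resolution_indicator(imports, max_imports=12):
    """True when the IAT is tiny and carries a resolver API: the binary
    almost certainly resolves its working set via GetProcAddress after
    unpacking, so the static IAT says little about its capabilities."""
    names = {func for _, func in imports}
    return len(imports) <= max_imports and bool(names & RESOLVER_APIS)


def missing_from_iat(imports, observed=INJECTION_APIS):
    """APIs the sandbox reported at run time that are absent from the static IAT."""
    names = {func for _, func in imports}
    return sorted(observed - names)


if __name__ == "__main__":
    imps = parse_iat(IAT_TEXT)
    print(f"{len(imps)} imports, computed imphash {imphash(imps)}")
    print("report imphash 8afbf9211984274dc7a21b630ecae242")
    print("dynamic resolution likely:", dynamic_resolution_indicator(imps))
    print("observed at run time but not imported:", missing_from_iat(imps))
```

If the computed value equals the imphash in the report header, the report follows the pefile convention and the hash can be pivoted against other pefile-based datasets; if it differs, the tool ordered or normalized imports differently and the hashes are not comparable. Either way, pivoting on this imphash groups samples by packer stub, not by the Bifrose/Bifrost payload the VirusTotal names point at; the hashes to pivot on for the payload are those of the unpacked memory image.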