ScreenShot
| Created | 2021.03.17 13:51 | Machine | s1_win7_x6401 |
| Filename | update.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 51 detected (AIDetect, malware2, malicious, high confidence, GenericKD, Unsafe, Save, Starter, ali2000005, confidence, NISE, Attribute, HighConfidence, multiple detections, Autoit, ilnnue, ARTEMIS, USMANB621, TrojanAitInject, Gen8, Ymacco, score, ai score=82, AvsArher, bS9LKk, Obfuscated, susgen, multiple, detections, HgIASOgA) | ||
| md5 | 01c615395a542dead29b178a9bc00894 | ||
| sha256 | 118b89c768bf2982d0be23ac9f157eaa81756adb30126e56290e54609915526e | ||
| ssdeep | 12288:OYV6MorX7qzuC3QHO9FQVHPF51jgcBLcMm/YX1EvoZsAOkxQ40dNH3uyX1ST:tBXu9HGaVHFjmwFioZYD40fb1k | ||
| imphash | fc6683d30d9f25244a50fd5357825e79 | ||
| impfuzzy | 12:VA/DzqYOZkKDHLB78r4B3ExjLAkcOaiTQQnd3mxCHH:V0DBaPHLB7PxExjLAkcOV2kn | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Installs itself for autorun at Windows startup |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
Rules (56cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
| info | create_com_service | Create a COM server | memory |
| info | create_service | Create a windows service | memory |
| info | cred_local | Steal credential | memory |
| info | escalate_priv | Escalade priviledges | memory |
| info | HasOverlay | Overlay Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | hijack_network | Hijack network configuration | memory |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | memory |
| info | migrate_apc | APC queue tasks migration | memory |
| info | network_dga | Communication using dga | memory |
| info | network_dns | Communications use DNS | memory |
| info | network_dropper | File downloader/dropper | memory |
| info | network_ftp | Communications over FTP | memory |
| info | network_http | Communications over HTTP | memory |
| info | network_irc | Communications over IRC network | memory |
| info | network_p2p_win | Communications over P2P network | memory |
| info | network_tcp_listen | Listen for incoming communication | memory |
| info | network_tcp_socket | Communications over RAW socket | memory |
| info | network_toredo | Communications over Toredo network | memory |
| info | network_udp_sock | Communications over UDP network | memory |
| info | screenshot | Take screenshot | binaries (upload) |
| info | screenshot | Take screenshot | memory |
| info | sniff_audio | Record Audio | memory |
| info | spreading_file | Malware can spread east-west file | memory |
| info | spreading_share | Malware can spread east-west using share drive | memory |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (upload) |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (upload) |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
| info | win_files_operation | Affect private profile | memory |
| info | win_mutex | Create or check mutex | memory |
| info | win_private_profile | Affect private profile | memory |
| info | win_registry | Affect system registries | memory |
| info | win_token | Affect system token | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x4f66c0 LoadLibraryA
0x4f66c4 GetProcAddress
0x4f66c8 VirtualProtect
0x4f66cc VirtualAlloc
0x4f66d0 VirtualFree
0x4f66d4 ExitProcess
ADVAPI32.dll
0x4f66dc GetAce
COMCTL32.dll
0x4f66e4 ImageList_Remove
COMDLG32.dll
0x4f66ec GetOpenFileNameW
GDI32.dll
0x4f66f4 LineTo
IPHLPAPI.DLL
0x4f66fc IcmpSendEcho
MPR.dll
0x4f6704 WNetUseConnectionW
ole32.dll
0x4f670c CoGetObject
OLEAUT32.dll
0x4f6714 VariantInit
PSAPI.DLL
0x4f671c GetProcessMemoryInfo
SHELL32.dll
0x4f6724 DragFinish
USER32.dll
0x4f672c GetDC
USERENV.dll
0x4f6734 LoadUserProfileW
UxTheme.dll
0x4f673c IsThemeActive
VERSION.dll
0x4f6744 VerQueryValueW
WININET.dll
0x4f674c FtpOpenFileW
WINMM.dll
0x4f6754 timeGetTime
WSOCK32.dll
0x4f675c connect
EAT(Export Address Table) is none
KERNEL32.DLL
0x4f66c0 LoadLibraryA
0x4f66c4 GetProcAddress
0x4f66c8 VirtualProtect
0x4f66cc VirtualAlloc
0x4f66d0 VirtualFree
0x4f66d4 ExitProcess
ADVAPI32.dll
0x4f66dc GetAce
COMCTL32.dll
0x4f66e4 ImageList_Remove
COMDLG32.dll
0x4f66ec GetOpenFileNameW
GDI32.dll
0x4f66f4 LineTo
IPHLPAPI.DLL
0x4f66fc IcmpSendEcho
MPR.dll
0x4f6704 WNetUseConnectionW
ole32.dll
0x4f670c CoGetObject
OLEAUT32.dll
0x4f6714 VariantInit
PSAPI.DLL
0x4f671c GetProcessMemoryInfo
SHELL32.dll
0x4f6724 DragFinish
USER32.dll
0x4f672c GetDC
USERENV.dll
0x4f6734 LoadUserProfileW
UxTheme.dll
0x4f673c IsThemeActive
VERSION.dll
0x4f6744 VerQueryValueW
WININET.dll
0x4f674c FtpOpenFileW
WINMM.dll
0x4f6754 timeGetTime
WSOCK32.dll
0x4f675c connect
EAT(Export Address Table) is none