Field | Value | Field | Value |
---|---|---|---|
Created | 2021.03.17 22:48 | Machine | s1_win7_x6401 |
Filename | NotepadPlus.txt | | |
Type | PE32 executable (GUI) Intel 80386, for MS Windows | | |
AI Score | | | |
Behavior Score | | | |
ZERO API | file : malware | | |
VT API (file) | 7 detected (malicious, confidence, Xaparo, CLOUD, score) | | |
md5 | e83b5f2b03ffe236917d448f42937528 | | |
sha256 | 978a48a2dabf47b1f89f176583063b5b52f68ef81dc48e6f4acf38a16ef3680f | | |
ssdeep | 12288:gqFIlDHGjf9HdagGizzBwQQGPJM5r6rC25NRHQTqW:9Wsjf9GizzBwx185NRwTqW | | |
imphash | 425c54b6507d90a6e2c9eaf3ecf04a80 | | |
impfuzzy | 48:k5/ZAKotdLjnHQG8kkpI1pCKKZutOdY4F9axq+t0GasJFd:1r8kkpcDyutl4F99+t0G7Fd | | |
Network IP location
Signature (14cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Expresses interest in specific running processes |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | File has been identified by 7 AntiVirus engines on VirusTotal as malicious |
notice | One or more potentially interesting buffers were extracted |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (12cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | escalate_priv | Escalade priviledges | binaries (upload) |
info | HasDigitalSignature | DigitalSignature Check | binaries (upload) |
info | HasOverlay | Overlay Check | binaries (upload) |
info | HasRichSignature | Rich Signature Check | binaries (upload) |
info | IsPacked | Entropy Check | binaries (upload) |
info | IsWindowsGUI | (no description) | binaries (upload) |
info | win_files_operation | Affect private profile | binaries (upload) |
info | win_registry | Affect system registries | binaries (upload) |
info | win_token | Affect system token | binaries (upload) |
PE API
IAT(Import Address Table) Library
USER32.dll
0x42821c MessageBoxA
0x428220 ExitWindowsEx
0x428224 EnumWindows
0x428228 IsIconic
0x42822c ShowWindow
0x428230 SetForegroundWindow
0x428234 GetLastActivePopup
0x428238 IsWindowVisible
0x42823c GetWindowThreadProcessId
0x428240 MonitorFromPoint
0x428244 MessageBoxW
ADVAPI32.dll
0x428000 LookupPrivilegeValueA
0x428004 AdjustTokenPrivileges
0x428008 RegEnumKeyExA
0x42800c RegOpenKeyExA
0x428010 RegQueryValueExA
0x428014 RegCreateKeyExA
0x428018 RegSetValueExA
0x42801c RegCloseKey
0x428020 OpenProcessToken
KERNEL32.dll
0x428028 GetStringTypeW
0x42802c GetStringTypeA
0x428030 LCMapStringA
0x428034 SetStdHandle
0x428038 InitializeCriticalSectionAndSpinCount
0x42803c QueryPerformanceCounter
0x428040 GetTimeZoneInformation
0x428044 GetLocaleInfoA
0x428048 CompareStringA
0x42804c CompareStringW
0x428050 SetEndOfFile
0x428054 WriteConsoleA
0x428058 InitializeCriticalSection
0x42805c GetLastError
0x428060 CreateFileW
0x428064 SetFilePointer
0x428068 WriteFile
0x42806c ReadFile
0x428070 GetProcAddress
0x428074 LoadLibraryA
0x428078 GetUserDefaultLCID
0x42807c CloseHandle
0x428080 CreateFileA
0x428084 CreateDirectoryA
0x428088 GetLongPathNameW
0x42808c ExitProcess
0x428090 RemoveDirectoryA
0x428094 FindClose
0x428098 FindNextFileA
0x42809c DeleteFileA
0x4280a0 FindFirstFileA
0x4280a4 WideCharToMultiByte
0x4280a8 MultiByteToWideChar
0x4280ac AreFileApisANSI
0x4280b0 FindFirstFileW
0x4280b4 GetShortPathNameA
0x4280b8 GetModuleFileNameA
0x4280bc GetShortPathNameW
0x4280c0 GetModuleFileNameW
0x4280c4 GetCurrentProcessId
0x4280c8 GetLongPathNameA
0x4280cc GetWindowsDirectoryA
0x4280d0 GetEnvironmentVariableA
0x4280d4 GetTempPathA
0x4280d8 GetWindowsDirectoryW
0x4280dc GetEnvironmentVariableW
0x4280e0 GetTempPathW
0x4280e4 GetTempFileNameA
0x4280e8 GetFullPathNameW
0x4280ec GetFullPathNameA
0x4280f0 LoadLibraryW
0x4280f4 FreeEnvironmentStringsW
0x4280f8 GetEnvironmentStringsW
0x4280fc FreeEnvironmentStringsA
0x428100 GetEnvironmentStrings
0x428104 GetConsoleOutputCP
0x428108 DuplicateHandle
0x42810c GetCurrentProcess
0x428110 TerminateProcess
0x428114 GetExitCodeProcess
0x428118 WaitForSingleObject
0x42811c CreateProcessA
0x428120 SetEnvironmentVariableA
0x428124 SearchPathA
0x428128 GetSystemTimeAsFileTime
0x42812c EnterCriticalSection
0x428130 GetProcessHeap
0x428134 LeaveCriticalSection
0x428138 Sleep
0x42813c GetMailslotInfo
0x428140 CreateThread
0x428144 CreateMailslotA
0x428148 GetCommandLineW
0x42814c CreateSemaphoreA
0x428150 SizeofResource
0x428154 LockResource
0x428158 LoadResource
0x42815c FindResourceA
0x428160 GetTickCount
0x428164 AllocConsole
0x428168 GetModuleHandleA
0x42816c GetVersionExA
0x428170 LoadLibraryExA
0x428174 CreateProcessW
0x428178 SetCurrentDirectoryW
0x42817c UnhandledExceptionFilter
0x428180 SetUnhandledExceptionFilter
0x428184 IsDebuggerPresent
0x428188 RaiseException
0x42818c RtlUnwind
0x428190 CreateDirectoryW
0x428194 RemoveDirectoryW
0x428198 HeapAlloc
0x42819c HeapFree
0x4281a0 WriteConsoleW
0x4281a4 GetFileType
0x4281a8 GetStdHandle
0x4281ac GetCommandLineA
0x4281b0 GetStartupInfoA
0x4281b4 GetModuleHandleW
0x4281b8 TlsGetValue
0x4281bc TlsAlloc
0x4281c0 TlsSetValue
0x4281c4 TlsFree
0x4281c8 InterlockedIncrement
0x4281cc SetLastError
0x4281d0 GetCurrentThreadId
0x4281d4 InterlockedDecrement
0x4281d8 HeapSize
0x4281dc GetConsoleCP
0x4281e0 GetConsoleMode
0x4281e4 FlushFileBuffers
0x4281e8 DeleteCriticalSection
0x4281ec SetHandleCount
0x4281f0 GetCPInfo
0x4281f4 GetACP
0x4281f8 GetOEMCP
0x4281fc IsValidCodePage
0x428200 VirtualFree
0x428204 VirtualAlloc
0x428208 HeapReAlloc
0x42820c HeapCreate
0x428210 LCMapStringW
0x428214 SetEnvironmentVariableW
EAT(Export Address Table) is none