Field | Value |
---|---|
Created | 2021.03.21 17:06 |
Machine | s1_win7_x6402 |
Filename | Practical3.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
ZERO API | file : clean |
VT API (file) | 42 detected (malicious, high confidence, Ransomware, Ryuk, Eldorado, Filecoder, score, RansomX, Jabaxsta, CLASSIC, A + Troj, AGEN, cpxqa, Ryukran, R234901, ai score=86, Unsafe, Static AI, Malicious PE, confidence, susgen) |
md5 | 8819d7f8069d35e71902025d801b44dd |
sha256 | 98ece6bcafa296326654db862140520afc19cfa0b4a76a5950deedb2618097ab |
ssdeep | 3072:b+hfiA0PJ/lmL4a17VnAy5jtZXDkIVT49RQwo:i4AK/lmkaFVz7QQw |
imphash | 3d84250cdbe08a9921b4fb008881914b |
impfuzzy | 24:/zx543jOBDyPO3OwJlf02teS17V/lmGc+Co8vR0OoviZqjM9rra2zTkKjN:rAOoRuteS17V/lc+CpB7rzHjN |
Signature (20cnts)
Level | Description |
---|---|
danger | File has been identified by 42 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Deletes executed files from disk |
watch | Found URLs related to Tor in process memory dump (e.g. onion services) |
watch | Uses Sysinternals tools in order to add additional command line functionality |
notice | A process created a hidden window |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Executes one or more WMI queries |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Sends data using the HTTP POST Method |
notice | Terminates another process |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | This executable has a PDB path |
Rules (59cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Antivirus | Contains references to security software | binaries (upload) |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | vmdetect | Possibly employs anti-virtualization techniques | memory |
info | win_hook | Affect hook table | memory |
info | create_com_service | Create a COM server | memory |
info | create_service | Create a windows service | memory |
info | cred_ff | Steal Firefox credential | memory |
info | cred_local | Steal credential | memory |
info | escalate_priv | Escalate privileges | binaries (upload) |
info | escalate_priv | Escalate privileges | memory |
info | HasDebugData | DebugData Check | binaries (upload) |
info | HasRichSignature | Rich Signature Check | binaries (upload) |
info | hijack_network | Hijack network configuration | memory |
info | inject_thread | Code injection with CreateRemoteThread in a remote process | binaries (upload) |
info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
info | IsWindowsGUI | (no description) | binaries (upload) |
info | keylogger | Run a keylogger | memory |
info | migrate_apc | APC queue tasks migration | memory |
info | network_dga | Communication using a DGA (domain generation algorithm) | memory |
info | network_dns | Communications use DNS | memory |
info | network_dropper | File downloader/dropper | memory |
info | network_ftp | Communications over FTP | memory |
info | network_http | Communications over HTTP | memory |
info | network_irc | Communications over IRC network | memory |
info | network_p2p_win | Communications over P2P network | memory |
info | network_tcp_listen | Listen for incoming communication | memory |
info | network_tcp_socket | Communications over RAW socket | memory |
info | network_toredo | Communications over Teredo network | memory |
info | network_udp_sock | Communications over UDP network | memory |
info | screenshot | Take screenshot | memory |
info | sniff_audio | Record Audio | memory |
info | spreading_file | Malware can spread east-west via files | memory |
info | spreading_share | Malware can spread east-west using shared drives | memory |
info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
info | win_files_operation | Affect private profile | binaries (upload) |
info | win_files_operation | Affect private profile | memory |
info | win_mutex | Create or check mutex | memory |
info | win_private_profile | Affect private profile | memory |
info | win_registry | Affect system registries | memory |
info | win_token | Affect system token | binaries (upload) |
info | win_token | Affect system token | memory |
Network (6cnts)
Suricata IDs
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x140018048 OpenProcess
0x140018050 CreateToolhelp32Snapshot
0x140018058 Sleep
0x140018060 GetLastError
0x140018068 Process32NextW
0x140018070 GetCurrentThread
0x140018078 LoadLibraryA
0x140018080 GlobalAlloc
0x140018088 DeleteFileW
0x140018090 Process32FirstW
0x140018098 GetModuleHandleA
0x1400180a0 CloseHandle
0x1400180a8 HeapAlloc
0x1400180b0 GetWindowsDirectoryW
0x1400180b8 GetProcAddress
0x1400180c0 VirtualAllocEx
0x1400180c8 LocalFree
0x1400180d0 GetProcessHeap
0x1400180d8 FreeLibrary
0x1400180e0 CreateRemoteThread
0x1400180e8 VirtualFreeEx
0x1400180f0 GetVersionExW
0x1400180f8 CreateFileW
0x140018100 GetModuleFileNameW
0x140018108 GetCurrentProcess
0x140018110 GetCommandLineW
0x140018118 SetLastError
0x140018120 HeapFree
0x140018128 GlobalFree
0x140018130 WriteConsoleW
0x140018138 SetFilePointerEx
0x140018140 HeapReAlloc
0x140018148 HeapSize
0x140018150 RtlCaptureContext
0x140018158 RtlLookupFunctionEntry
0x140018160 RtlVirtualUnwind
0x140018168 UnhandledExceptionFilter
0x140018170 SetUnhandledExceptionFilter
0x140018178 TerminateProcess
0x140018180 IsProcessorFeaturePresent
0x140018188 QueryPerformanceCounter
0x140018190 GetCurrentProcessId
0x140018198 GetCurrentThreadId
0x1400181a0 GetSystemTimeAsFileTime
0x1400181a8 InitializeSListHead
0x1400181b0 IsDebuggerPresent
0x1400181b8 GetStartupInfoW
0x1400181c0 GetModuleHandleW
0x1400181c8 RtlUnwindEx
0x1400181d0 RaiseException
0x1400181d8 InitializeCriticalSectionAndSpinCount
0x1400181e0 TlsAlloc
0x1400181e8 TlsGetValue
0x1400181f0 TlsSetValue
0x1400181f8 TlsFree
0x140018200 LoadLibraryExW
0x140018208 EnterCriticalSection
0x140018210 LeaveCriticalSection
0x140018218 DeleteCriticalSection
0x140018220 ExitProcess
0x140018228 GetModuleHandleExW
0x140018230 GetStdHandle
0x140018238 WriteFile
0x140018240 GetModuleFileNameA
0x140018248 MultiByteToWideChar
0x140018250 WideCharToMultiByte
0x140018258 GetACP
0x140018260 LCMapStringW
0x140018268 GetFileType
0x140018270 FindClose
0x140018278 FindFirstFileExA
0x140018280 FindNextFileA
0x140018288 IsValidCodePage
0x140018290 GetOEMCP
0x140018298 GetCPInfo
0x1400182a0 GetCommandLineA
0x1400182a8 GetEnvironmentStringsW
0x1400182b0 FreeEnvironmentStringsW
0x1400182b8 SetStdHandle
0x1400182c0 GetStringTypeW
0x1400182c8 FlushFileBuffers
0x1400182d0 GetConsoleCP
0x1400182d8 GetConsoleMode
0x1400182e0 WriteProcessMemory
ADVAPI32.dll
0x140018000 SystemFunction036
0x140018008 LookupPrivilegeValueW
0x140018010 AdjustTokenPrivileges
0x140018018 ImpersonateSelf
0x140018020 OpenProcessToken
0x140018028 OpenThreadToken
0x140018030 LookupAccountSidW
0x140018038 GetTokenInformation
SHELL32.dll
0x1400182f0 CommandLineToArgvW
0x1400182f8 ShellExecuteW
0x140018300 ShellExecuteA
EAT (Export Address Table): none