ScreenShot
| Created | 2021.03.28 12:05 | Machine | s1_win7_x6401 |
| Filename | def.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 33 detected (GenericKD, Unsafe, Ymacco, KillAV, xahhhi, FileRepMalware, Malicious, gyfuy, ai score=80, score, Wacatac, HykCI3wA) | ||
| md5 | 04a666d7cf692764645f28189bdb2e70 | ||
| sha256 | 79dd688046ef9f26ed0cf633cab305f18b46ce7affaa396813a9587ac2918bb0 | ||
| ssdeep | 3072:X8FHdppuOf+wMSHjnywM0vY9t8Qkh+nXeuS:MFPMOf+wMAywM0EJksnXJS | ||
| imphash | 12f12d364f5f6a801e52c9dce28d1965 | ||
| impfuzzy | 48:oAUXyI6U0wt8tAkACSej5SU/Svn6GK/gR6Ucx02GFXGZqAYFv08sOaOz9G9mYwGn:oAYmRRGFXGZqAYZ08sZsgLwG3f/ | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| danger | Disables Windows Security features |
| danger | File has been identified by 33 AntiVirus engines on VirusTotal as malicious |
| danger | Stops Windows services |
| watch | Attempts to modify UAC prompt behavior |
| watch | Creates known SpyNet files |
| watch | Deletes executed files from disk |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasOverlay | Overlay Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | win_files_operation | Affect private profile | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
OLEAUT32.dll
0x416150 VariantClear
0x416154 SysAllocString
USER32.dll
0x416164 SendMessageA
0x416168 SetTimer
0x41616c KillTimer
0x416170 DialogBoxParamA
0x416174 SetWindowLongA
0x416178 GetWindowLongA
0x41617c SetWindowTextW
0x416180 SetWindowTextA
0x416184 LoadIconA
0x416188 LoadStringW
0x41618c LoadStringA
0x416190 CharUpperW
0x416194 CharUpperA
0x416198 DestroyWindow
0x41619c EndDialog
0x4161a0 PostMessageA
0x4161a4 ShowWindow
0x4161a8 MessageBoxW
0x4161ac GetDlgItem
0x4161b0 DialogBoxParamW
SHELL32.dll
0x41615c ShellExecuteExA
MSVCRT.dll
0x4160e8 _controlfp
0x4160ec __set_app_type
0x4160f0 __p__fmode
0x4160f4 __p__commode
0x4160f8 _adjust_fdiv
0x4160fc __setusermatherr
0x416100 _initterm
0x416104 __getmainargs
0x416108 _acmdln
0x41610c exit
0x416110 _XcptFilter
0x416114 _exit
0x416118 _onexit
0x41611c __dllonexit
0x416120 ??1type_info@@UAE@XZ
0x416124 _except_handler3
0x416128 _beginthreadex
0x41612c memcpy
0x416130 free
0x416134 malloc
0x416138 _CxxThrowException
0x41613c _purecall
0x416140 memmove
0x416144 __CxxFrameHandler
0x416148 memcmp
KERNEL32.dll
0x416000 GetCommandLineW
0x416004 GetStartupInfoA
0x416008 GetModuleHandleA
0x41600c InitializeCriticalSection
0x416010 ResetEvent
0x416014 SetEvent
0x416018 CreateEventA
0x41601c VirtualFree
0x416020 VirtualAlloc
0x416024 Sleep
0x416028 WaitForMultipleObjects
0x41602c GetStdHandle
0x416030 SetEndOfFile
0x416034 WriteFile
0x416038 ReadFile
0x41603c SetFilePointer
0x416040 GetFileSize
0x416044 CreateFileA
0x416048 FindNextFileA
0x41604c FindFirstFileW
0x416050 FindFirstFileA
0x416054 FindClose
0x416058 GetTempFileNameA
0x41605c GetTempPathA
0x416060 GetCurrentDirectoryA
0x416064 GetFullPathNameW
0x416068 GetFullPathNameA
0x41606c lstrlenA
0x416070 DeleteFileW
0x416074 DeleteFileA
0x416078 CreateDirectoryW
0x41607c CreateDirectoryA
0x416080 RemoveDirectoryW
0x416084 SetFileAttributesW
0x416088 RemoveDirectoryA
0x41608c SetFileAttributesA
0x416090 SetLastError
0x416094 CreateFileW
0x416098 SetFileTime
0x41609c GetWindowsDirectoryA
0x4160a0 FormatMessageW
0x4160a4 FormatMessageA
0x4160a8 LocalFree
0x4160ac GetModuleFileNameW
0x4160b0 GetModuleFileNameA
0x4160b4 AreFileApisANSI
0x4160b8 GetLastError
0x4160bc WideCharToMultiByte
0x4160c0 MultiByteToWideChar
0x4160c4 DeleteCriticalSection
0x4160c8 WaitForSingleObject
0x4160cc CloseHandle
0x4160d0 CreateProcessA
0x4160d4 SetCurrentDirectoryA
0x4160d8 GetVersionExA
0x4160dc LeaveCriticalSection
0x4160e0 EnterCriticalSection
EAT(Export Address Table) is none
OLEAUT32.dll
0x416150 VariantClear
0x416154 SysAllocString
USER32.dll
0x416164 SendMessageA
0x416168 SetTimer
0x41616c KillTimer
0x416170 DialogBoxParamA
0x416174 SetWindowLongA
0x416178 GetWindowLongA
0x41617c SetWindowTextW
0x416180 SetWindowTextA
0x416184 LoadIconA
0x416188 LoadStringW
0x41618c LoadStringA
0x416190 CharUpperW
0x416194 CharUpperA
0x416198 DestroyWindow
0x41619c EndDialog
0x4161a0 PostMessageA
0x4161a4 ShowWindow
0x4161a8 MessageBoxW
0x4161ac GetDlgItem
0x4161b0 DialogBoxParamW
SHELL32.dll
0x41615c ShellExecuteExA
MSVCRT.dll
0x4160e8 _controlfp
0x4160ec __set_app_type
0x4160f0 __p__fmode
0x4160f4 __p__commode
0x4160f8 _adjust_fdiv
0x4160fc __setusermatherr
0x416100 _initterm
0x416104 __getmainargs
0x416108 _acmdln
0x41610c exit
0x416110 _XcptFilter
0x416114 _exit
0x416118 _onexit
0x41611c __dllonexit
0x416120 ??1type_info@@UAE@XZ
0x416124 _except_handler3
0x416128 _beginthreadex
0x41612c memcpy
0x416130 free
0x416134 malloc
0x416138 _CxxThrowException
0x41613c _purecall
0x416140 memmove
0x416144 __CxxFrameHandler
0x416148 memcmp
KERNEL32.dll
0x416000 GetCommandLineW
0x416004 GetStartupInfoA
0x416008 GetModuleHandleA
0x41600c InitializeCriticalSection
0x416010 ResetEvent
0x416014 SetEvent
0x416018 CreateEventA
0x41601c VirtualFree
0x416020 VirtualAlloc
0x416024 Sleep
0x416028 WaitForMultipleObjects
0x41602c GetStdHandle
0x416030 SetEndOfFile
0x416034 WriteFile
0x416038 ReadFile
0x41603c SetFilePointer
0x416040 GetFileSize
0x416044 CreateFileA
0x416048 FindNextFileA
0x41604c FindFirstFileW
0x416050 FindFirstFileA
0x416054 FindClose
0x416058 GetTempFileNameA
0x41605c GetTempPathA
0x416060 GetCurrentDirectoryA
0x416064 GetFullPathNameW
0x416068 GetFullPathNameA
0x41606c lstrlenA
0x416070 DeleteFileW
0x416074 DeleteFileA
0x416078 CreateDirectoryW
0x41607c CreateDirectoryA
0x416080 RemoveDirectoryW
0x416084 SetFileAttributesW
0x416088 RemoveDirectoryA
0x41608c SetFileAttributesA
0x416090 SetLastError
0x416094 CreateFileW
0x416098 SetFileTime
0x41609c GetWindowsDirectoryA
0x4160a0 FormatMessageW
0x4160a4 FormatMessageA
0x4160a8 LocalFree
0x4160ac GetModuleFileNameW
0x4160b0 GetModuleFileNameA
0x4160b4 AreFileApisANSI
0x4160b8 GetLastError
0x4160bc WideCharToMultiByte
0x4160c0 MultiByteToWideChar
0x4160c4 DeleteCriticalSection
0x4160c8 WaitForSingleObject
0x4160cc CloseHandle
0x4160d0 CreateProcessA
0x4160d4 SetCurrentDirectoryA
0x4160d8 GetVersionExA
0x4160dc LeaveCriticalSection
0x4160e0 EnterCriticalSection
EAT(Export Address Table) is none