ScreenShot
| Created | 2021.03.29 18:29 | Machine | s1_win7_x6402 |
| Filename | ss.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 30 detected (Bulz, GoClr, Eldorado, a variant of WinGo, Malicious, FileRepMalware, seskhr, WinGo, Cobalt, Unsafe, Score, 100%, Wacatac, R373439, Artemis, ai score=80, confidence) | ||
| md5 | 92068f4e5a7e704caf1fad1665121757 | ||
| sha256 | 4411d8a69230284cb6238a2e8cf29878afbbef90935bb94d1a6f8d59af30c6cc | ||
| ssdeep | 49152:zFH0XcONJ1ipWN59v8qwofIlrfPou6nJTppIq7MYurLSnpqDstXL5xDgPMNXQiEU:eXcONJ1qT4 | ||
| imphash | 4035d2883e01d64f3e7a9dccb1d63af5 | ||
| impfuzzy | 24:UbVjhN5O+VuT2oLtXOr6kwmDruMztxdEr6UP:K5O+VAXOmGx0nP | ||
Network IP location
Signature (20cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| danger | File has been identified by 30 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates a suspicious Powershell process |
| watch | Detects the presence of Wine emulator |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (29cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Antivirus | Contains references to security software | binaries (download) |
| info | IsPE64 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | create_service | Create a windows service | binaries (download) |
| info | create_service | Create a windows service | binaries (upload) |
| info | escalate_priv | Escalade priviledges | binaries (download) |
| info | escalate_priv | Escalade priviledges | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | network_dns | Communications use DNS | binaries (download) |
| info | network_dns | Communications use DNS | binaries (upload) |
| info | network_tcp_listen | Listen for incoming communication | binaries (download) |
| info | network_tcp_listen | Listen for incoming communication | binaries (upload) |
| info | network_tcp_socket | Communications over RAW socket | binaries (download) |
| info | network_tcp_socket | Communications over RAW socket | binaries (upload) |
| info | network_udp_sock | Communications over UDP network | binaries (download) |
| info | network_udp_sock | Communications over UDP network | binaries (upload) |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (download) |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (upload) |
| info | win_files_operation | Affect private profile | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_mutex | Create or check mutex | binaries (download) |
| info | win_mutex | Create or check mutex | binaries (upload) |
| info | win_registry | Affect system registries | binaries (download) |
| info | win_registry | Affect system registries | binaries (upload) |
| info | win_token | Affect system token | binaries (download) |
| info | win_token | Affect system token | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x9ed020 WriteFile
0x9ed028 WriteConsoleW
0x9ed030 WaitForMultipleObjects
0x9ed038 WaitForSingleObject
0x9ed040 VirtualQuery
0x9ed048 VirtualFree
0x9ed050 VirtualAlloc
0x9ed058 SwitchToThread
0x9ed060 SuspendThread
0x9ed068 Sleep
0x9ed070 SetWaitableTimer
0x9ed078 SetUnhandledExceptionFilter
0x9ed080 SetProcessPriorityBoost
0x9ed088 SetEvent
0x9ed090 SetErrorMode
0x9ed098 SetConsoleCtrlHandler
0x9ed0a0 ResumeThread
0x9ed0a8 PostQueuedCompletionStatus
0x9ed0b0 LoadLibraryA
0x9ed0b8 LoadLibraryW
0x9ed0c0 SetThreadContext
0x9ed0c8 GetThreadContext
0x9ed0d0 GetSystemInfo
0x9ed0d8 GetSystemDirectoryA
0x9ed0e0 GetStdHandle
0x9ed0e8 GetQueuedCompletionStatusEx
0x9ed0f0 GetProcessAffinityMask
0x9ed0f8 GetProcAddress
0x9ed100 GetEnvironmentStringsW
0x9ed108 GetConsoleMode
0x9ed110 FreeEnvironmentStringsW
0x9ed118 ExitProcess
0x9ed120 DuplicateHandle
0x9ed128 CreateWaitableTimerExW
0x9ed130 CreateThread
0x9ed138 CreateIoCompletionPort
0x9ed140 CreateEventA
0x9ed148 CloseHandle
0x9ed150 AddVectoredExceptionHandler
EAT(Export Address Table) is none
kernel32.dll
0x9ed020 WriteFile
0x9ed028 WriteConsoleW
0x9ed030 WaitForMultipleObjects
0x9ed038 WaitForSingleObject
0x9ed040 VirtualQuery
0x9ed048 VirtualFree
0x9ed050 VirtualAlloc
0x9ed058 SwitchToThread
0x9ed060 SuspendThread
0x9ed068 Sleep
0x9ed070 SetWaitableTimer
0x9ed078 SetUnhandledExceptionFilter
0x9ed080 SetProcessPriorityBoost
0x9ed088 SetEvent
0x9ed090 SetErrorMode
0x9ed098 SetConsoleCtrlHandler
0x9ed0a0 ResumeThread
0x9ed0a8 PostQueuedCompletionStatus
0x9ed0b0 LoadLibraryA
0x9ed0b8 LoadLibraryW
0x9ed0c0 SetThreadContext
0x9ed0c8 GetThreadContext
0x9ed0d0 GetSystemInfo
0x9ed0d8 GetSystemDirectoryA
0x9ed0e0 GetStdHandle
0x9ed0e8 GetQueuedCompletionStatusEx
0x9ed0f0 GetProcessAffinityMask
0x9ed0f8 GetProcAddress
0x9ed100 GetEnvironmentStringsW
0x9ed108 GetConsoleMode
0x9ed110 FreeEnvironmentStringsW
0x9ed118 ExitProcess
0x9ed120 DuplicateHandle
0x9ed128 CreateWaitableTimerExW
0x9ed130 CreateThread
0x9ed138 CreateIoCompletionPort
0x9ed140 CreateEventA
0x9ed148 CloseHandle
0x9ed150 AddVectoredExceptionHandler
EAT(Export Address Table) is none