Report - Practical3.exe

Antivirus
ScreenShot
Created 2021.03.30 17:13 Machine s1_win7_x6401
Filename Practical3.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score
5
Behavior Score
5.0
ZERO API file : clean
VT API (file) 48 detected (malicious, high confidence, Ryuk, H8oAChsA, Ransomware, confidence, Genasom, ali1000102, Eldorado, Filecoder, RansomX, Jabaxsta, CLOUD, Inject4, A + Troj, Static AI, Malicious PE, cpxqa, AGEN, ai score=86, score, Ryukran, R234901, Unsafe, GenAsa, IN2Q8puX4gM, susgen)
md5 8819d7f8069d35e71902025d801b44dd
sha256 98ece6bcafa296326654db862140520afc19cfa0b4a76a5950deedb2618097ab
ssdeep 3072:b+hfiA0PJ/lmL4a17VnAy5jtZXDkIVT49RQwo:i4AK/lmkaFVz7QQw
imphash 3d84250cdbe08a9921b4fb008881914b
impfuzzy 24:/zx543jOBDyPO3OwJlf02teS17V/lmGc+Co8vR0OoviZqjM9rra2zTkKjN:rAOoRuteS17V/lc+CpB7rzHjN
  Network IP location

Signature (12cnts)

Level Description
danger File has been identified by 48 AntiVirus engines on VirusTotal as malicious
watch Deletes executed files from disk
watch Uses Sysinternals tools in order to add additional command line functionality
notice A process created a hidden window
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Executes one or more WMI queries
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Command line console output was observed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info This executable has a PDB path

Rules (11cnts)

Level Name Description Collection
watch Antivirus Contains references to security software binaries (upload)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check Signature Zero binaries (upload)
info PE_Header_Zero PE File Signature Zero binaries (upload)
info escalate_priv Escalade priviledges binaries (upload)
info HasDebugData DebugData Check binaries (upload)
info HasRichSignature Rich Signature Check binaries (upload)
info inject_thread Code injection with CreateRemoteThread in a remote process binaries (upload)
info IsWindowsGUI (no description) binaries (upload)
info win_files_operation Affect private profile binaries (upload)
info win_token Affect system token binaries (upload)

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x140018048 OpenProcess
 0x140018050 CreateToolhelp32Snapshot
 0x140018058 Sleep
 0x140018060 GetLastError
 0x140018068 Process32NextW
 0x140018070 GetCurrentThread
 0x140018078 LoadLibraryA
 0x140018080 GlobalAlloc
 0x140018088 DeleteFileW
 0x140018090 Process32FirstW
 0x140018098 GetModuleHandleA
 0x1400180a0 CloseHandle
 0x1400180a8 HeapAlloc
 0x1400180b0 GetWindowsDirectoryW
 0x1400180b8 GetProcAddress
 0x1400180c0 VirtualAllocEx
 0x1400180c8 LocalFree
 0x1400180d0 GetProcessHeap
 0x1400180d8 FreeLibrary
 0x1400180e0 CreateRemoteThread
 0x1400180e8 VirtualFreeEx
 0x1400180f0 GetVersionExW
 0x1400180f8 CreateFileW
 0x140018100 GetModuleFileNameW
 0x140018108 GetCurrentProcess
 0x140018110 GetCommandLineW
 0x140018118 SetLastError
 0x140018120 HeapFree
 0x140018128 GlobalFree
 0x140018130 WriteConsoleW
 0x140018138 SetFilePointerEx
 0x140018140 HeapReAlloc
 0x140018148 HeapSize
 0x140018150 RtlCaptureContext
 0x140018158 RtlLookupFunctionEntry
 0x140018160 RtlVirtualUnwind
 0x140018168 UnhandledExceptionFilter
 0x140018170 SetUnhandledExceptionFilter
 0x140018178 TerminateProcess
 0x140018180 IsProcessorFeaturePresent
 0x140018188 QueryPerformanceCounter
 0x140018190 GetCurrentProcessId
 0x140018198 GetCurrentThreadId
 0x1400181a0 GetSystemTimeAsFileTime
 0x1400181a8 InitializeSListHead
 0x1400181b0 IsDebuggerPresent
 0x1400181b8 GetStartupInfoW
 0x1400181c0 GetModuleHandleW
 0x1400181c8 RtlUnwindEx
 0x1400181d0 RaiseException
 0x1400181d8 InitializeCriticalSectionAndSpinCount
 0x1400181e0 TlsAlloc
 0x1400181e8 TlsGetValue
 0x1400181f0 TlsSetValue
 0x1400181f8 TlsFree
 0x140018200 LoadLibraryExW
 0x140018208 EnterCriticalSection
 0x140018210 LeaveCriticalSection
 0x140018218 DeleteCriticalSection
 0x140018220 ExitProcess
 0x140018228 GetModuleHandleExW
 0x140018230 GetStdHandle
 0x140018238 WriteFile
 0x140018240 GetModuleFileNameA
 0x140018248 MultiByteToWideChar
 0x140018250 WideCharToMultiByte
 0x140018258 GetACP
 0x140018260 LCMapStringW
 0x140018268 GetFileType
 0x140018270 FindClose
 0x140018278 FindFirstFileExA
 0x140018280 FindNextFileA
 0x140018288 IsValidCodePage
 0x140018290 GetOEMCP
 0x140018298 GetCPInfo
 0x1400182a0 GetCommandLineA
 0x1400182a8 GetEnvironmentStringsW
 0x1400182b0 FreeEnvironmentStringsW
 0x1400182b8 SetStdHandle
 0x1400182c0 GetStringTypeW
 0x1400182c8 FlushFileBuffers
 0x1400182d0 GetConsoleCP
 0x1400182d8 GetConsoleMode
 0x1400182e0 WriteProcessMemory
ADVAPI32.dll
 0x140018000 SystemFunction036
 0x140018008 LookupPrivilegeValueW
 0x140018010 AdjustTokenPrivileges
 0x140018018 ImpersonateSelf
 0x140018020 OpenProcessToken
 0x140018028 OpenThreadToken
 0x140018030 LookupAccountSidW
 0x140018038 GetTokenInformation
SHELL32.dll
 0x1400182f0 CommandLineToArgvW
 0x1400182f8 ShellExecuteW
 0x140018300 ShellExecuteA

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure