Known DLLs API Calls Possible Trojan Functionality

advapi32.dll clbcatq.dll combase.dll COMDLG32.dll difxapi.dll GetSystemDirectoryA File system traversal and file
gdi32.dll gdiplus.dll IMAGEHLP.dll IMM32.dll kernel32.dll GetDriveTypeA manipulation such as
LPK.dll MSCTF.dll MSVCRT.dll NORMALIZ.dll NSI.dll GetLogicalDrives creating, editing, deleting, or
ole32.dll OLEAUT32.dll PSAPI.DLL rpcrt4.dll sechost.dll DeleteFileA searching for files
Setupapi.dll SHELL32.dll SHLWAPI.dll user32.dll WLDAP32.dll FindNextFileA
Wow64.dll Wow64cpu.dll Wow64win.dll WS2_32.dll FindFirstFileA
CreateFileA
Investigate WriteFileA
Sort on Filter on IIOCs
Hunt w/ IIOC IIOC Tab levels present CopyFileA
"Level" (page 2)
from 0 up TerminateProcessA Process termination,
Process32First enumeration, or creation
Filter on Process32Next
Global Whitelisting Investigate Whitelist
IIOCs ShellExecuteA
Modules on by score benign files
(page 2) CreateProcessA
RegSetValueA Registry
RegDeleteKeyA enumeration/manipulation
No Sort on Examine
Processes RegCreateKeyExA
whitelisting scores arguments RegOpenKeyExA
RegQueryInfoKeyA
RegCloseKeyA
DLLs and
Whitelisting Investigate Whitelist RegisterServiceCtrlHandlerA Windows service
Drivers & CreateServiceA enumeration/creation/config
on by score benign files
Services StartServiceA
QueryServiceStatus
SetServiceStatus
Examine OpenSCManagerA
No
Autoruns like InternetReadFile HTTP related API calls
whitelisting InternetOpenA
processes InternetConnectA
InternetConnectA
InternetOpenUrlA
HttpSendRequestA
HttpOpenRequestA
File Analysis Columns Tracking Analysis Columns Tasks Analysis Columns Autoruns Analysis Columns
Filename Source Module Filename Source Module Filename Source Module Filename
File size Event Event Event
Machine Count Target Module Filename Target Module Filename Target Module Filename
Packed Target Module Path Target Module Path Target Module Path
Signature Source Command Line Arguments Arguments
Full Path Hidden Registry Path Registry Path
Days Since Compilation
Section Names
Hidden
Instant IOCs Potential Impact
Suspicious SVCHOST running A running SVCHOST.exe module that is not signed by Microsoft
Suspicious services registry entry An ACCESS DENIED message from a @ImagePath or @ServiceDll entry
Hidden & Beacon The file or directory the process is running from is hidden from the user and the module is contacting the internet at regular intervals

Suspect thread & Network access Threads in floating code or where or threads whose service table was hooked. Could indicate process injection of malicious code
that contacts the network
Floating code & suspect thread A thread in floating code indicates process injection of malware. PlugX and Duqu 2.0 are two
Examples of malware that will use this technique to hide from User space tools
Suspect thread & Hooking Thread in floating code or where or threads whose service table was hooked that hooks another module. Could represent rootkit
activities
Floating module in browser process A module that has no image on disk and is loaded into a browser could represent memory resident malware from an exploit or code
injection from another module.
Unsigned run key present once in An unsigned Registry Run key that is not found elsewhere in the environment. This could represent an advanced adversary with a
environment beachhead in the environment or commodity malware.

Written by blacklisted module A previously blacklisted module that writes a new module. If there is an ongoing investigation and the malware has been identified this
represents the attacker dropping more tools or malware onto the system.
Services in program data A Windows service should never be run out of the ProgramData directory and is nearly always malicious.

Unsigned creates remote thread An unsigned module creating a remote thread is an indicator of code injection. This can be a Trojans method of hiding from User land
tools or password dumping if the target process is
lsass.exe
Unsigned copy itself as AutoStart This is indicative of a dropper entrenching itself in the filesystem and then registering an autorun mechanism

Unsigned writes executable to startup This is indicative of a dropper entrenching itself in the filesystem by unpacking a Trojan to the startup directory
directory

Directory hidden Module exists within a hidden directory, a common way to hide from User land tools.
Runs NET.EXE Cmd.exe will likely have many hits for this IOC but reconnaissance batch files or small executables running recon commands will execute
this
Runs AT.EXE Indicates possibly lateral movement. If cmd.exe is triggered, the analyst should pivot into the host and examine the Tasks under Scan
Data to get the arguments and determine severity.
Runs CMD.EXE There will be many hits for this IOC. Explorer.exe and vmwaretools.exe will run cmd.exe for legitimate purposes. Other modules running
cmd.exe should be examined especially if they are HTTP daemons, scripting language interpreters like powershell.exe, cscript.exe or
wmiprsrve.exe.
Unsigned writes executable to UNC This is indicative of lateral movement in the environment but could also be benign. Examine what binaries were copied over and to what
directories on the remote host
Autorun unsigned ServiceDLL Service DLL’s are generally digitally signed by the authoring organization. Printer and camera drivers often show up with this IOC but
there shouldn’t be many to sort through
Floating module in OS process A module that has no image on disk and is loaded into an OS process could represent code
injection
Floating module & Network access A module in memory that has no image on disk. This could represent memory resident only malware. Oftentimes it is an AV product

Reads document Many legitimate applications will be reading documents. The analyst should examine the binaries reading the documents as this could
indicate packaging and staging of exfil data