Report - loadetc.exe

AntiDebug AntiVM PE File PE32
Created 2021.09.15 09:37 Machine s1_win7_x6402
Filename loadetc.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 9
Behavior Score 8.2
ZERO API file : malware
VT API (file) 38 detected (malicious, high confidence, Artemis, Unsafe, Save, confidence, ZexaF, auW@aqugTtpi, Attribute, HighConfidence, Tiny, MalwareX, Huzp, Score, XPACK, KVMH017, kcloud, Sabsik, ai score=87, Generic@ML, RDMK, ymjbG3a0zhHo1Vz5kgmlLQ, Static AI, Malicious PE, susgen)
md5 2bd18b0ce7aa8dfaee0e922090aae138
sha256 e11a90704ac0ea7eacb7d9eeda4a6db1e6fb3f21402d06429617f9af69d0a1b8
ssdeep 96:2qUneX10H8fJTIbuAFo+7Ptboynun/AqyCtGdYX7E:aeX7aP1oynW/A0eG
imphash d4fccbf39f0b0e9e3b5577d3527b4e69
impfuzzy 12:I4sX5vBNGx4Gv+GXRzGy5GgYLwbISZOoS3fQAEsy27QDuKmRgFyS:W5vBUVv+GdySZO0N/2kDuKmML

Signature (19cnts)

Level Description
danger File has been identified by 38 AntiVirus engines on VirusTotal as malicious
watch Attempts to remove evidence of file being downloaded from the Internet
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice An executable file was downloaded by the process loadetc.exe
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Command line console output was observed
info The executable uses a known packer
info This executable has a PDB path

Rules (11cnts)

Level Name Description Collection
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (3cnts)

Request CC ASN Co IP4 Rule ZERO
http://185.215.113.84/ec.exe Unknown 185.215.113.84 clean
185.215.113.84 Unknown 185.215.113.84 malware
172.67.188.154 US CLOUDFLARENET 172.67.188.154 clean

PE API

IAT (Import Address Table)

SHLWAPI.dll
 0x402090 PathFileExistsW
MSVCRT.dll
 0x402040 __set_app_type
 0x402044 _except_handler3
 0x402048 __p__fmode
 0x40204c _controlfp
 0x402050 __p__commode
 0x402054 _adjust_fdiv
 0x402058 __setusermatherr
 0x40205c _initterm
 0x402060 __getmainargs
 0x402064 _acmdln
 0x402068 exit
 0x40206c _XcptFilter
 0x402070 _exit
 0x402074 srand
 0x402078 wcslen
 0x40207c rand
 0x402080 memset
WININET.dll
 0x4020a0 InternetCloseHandle
 0x4020a4 InternetOpenUrlW
 0x4020a8 InternetOpenW
 0x4020ac InternetReadFile
urlmon.dll
 0x4020b4 URLDownloadToFileW
KERNEL32.dll
 0x402010 DeleteFileW
 0x402014 WriteFile
 0x402018 Sleep
 0x40201c CreateFileW
 0x402020 GetModuleHandleA
 0x402024 CreateProcessW
 0x402028 CloseHandle
 0x40202c SetFileAttributesW
 0x402030 GetStartupInfoA
 0x402034 GetTickCount
 0x402038 ExpandEnvironmentStringsW
USER32.dll
 0x402098 wsprintfW
ADVAPI32.dll
 0x402000 RegSetValueExW
 0x402004 RegCloseKey
 0x402008 RegOpenKeyExW
SHELL32.dll
 0x402088 ShellExecuteW

EAT (Export Address Table): none