Report - Inv_LCC_Scan_4.exe

Tags: UPX, OS Processor Check, PE64, PE File
Created 2023.07.14 17:08 Machine s1_win7_x6402
Filename Inv_LCC_Scan_4.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score
5
Behavior Score
2.4
ZERO API file : clean
VT API (file) 17 detected (malicious, high confidence, Artemis, confidence, 100%, Attribute, HighConfidence, score, BotX, IcedId, enzyp, high, Static AI, Suspicious PE, Tnega, unsafe)
md5 01f50ef4b9419013f3a3967d7ed734cf
sha256 d7394ece4ab3dc614805ceab5e5686e0e401cf992b2770e4cc2bada501243281
ssdeep 24576:mKCS1UmzJqqToGm7dHxi+7wHePbpb9ocj:mKCe1YdHxi+c+p
imphash c39052992f948249dbbd41cc36bb9262
impfuzzy 24:ZdS+N4ivJwK0qtvnDdJhc+Ll49ZXjMOjuG:pJwytdc+L25qG

Signature (6cnts)

Level Description
watch File has been identified by 17 AntiVirus engines on VirusTotal as malicious
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (4cnts)

Level Name Description Collection
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts)

Request CC ASN Co IP4 Rule ZERO
http://skofilldrom.com/ NL DIGITALOCEAN-ASN 64.225.70.62 clean
skofilldrom.com NL DIGITALOCEAN-ASN 64.225.70.62 clean
64.225.70.62 NL DIGITALOCEAN-ASN 64.225.70.62 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x14000d000 GetProcessHeap
 0x14000d008 CreateFileA
 0x14000d010 CloseHandle
 0x14000d018 GetLastError
 0x14000d020 HeapWalk
 0x14000d028 CreateActCtxA
 0x14000d030 ActivateActCtx
 0x14000d038 DeactivateActCtx
 0x14000d040 FindFirstFileA
 0x14000d048 FindNextFileA
 0x14000d050 FindClose
 0x14000d058 GetWindowsDirectoryA
 0x14000d060 ReadFile
 0x14000d068 CreateFileMappingA
 0x14000d070 CreateNamedPipeA
 0x14000d078 PeekNamedPipe
 0x14000d080 ExitProcess
 0x14000d088 VirtualAlloc
 0x14000d090 RtlCaptureContext
 0x14000d098 RtlLookupFunctionEntry
 0x14000d0a0 RtlVirtualUnwind
 0x14000d0a8 IsDebuggerPresent
 0x14000d0b0 UnhandledExceptionFilter
 0x14000d0b8 SetUnhandledExceptionFilter
 0x14000d0c0 GetCurrentProcess
 0x14000d0c8 TerminateProcess
 0x14000d0d0 IsProcessorFeaturePresent
 0x14000d0d8 WriteConsoleW
 0x14000d0e0 HeapFree
 0x14000d0e8 GetModuleHandleW
 0x14000d0f0 GetProcAddress
 0x14000d0f8 HeapAlloc
 0x14000d100 MultiByteToWideChar
 0x14000d108 WideCharToMultiByte
 0x14000d110 SetLastError
 0x14000d118 GetACP
 0x14000d120 EnterCriticalSection
 0x14000d128 LeaveCriticalSection
 0x14000d130 DeleteCriticalSection
 0x14000d138 GetStringTypeW
 0x14000d140 CreateFileW
 0x14000d148 GetCPInfo
 0x14000d150 InitializeCriticalSectionAndSpinCount
 0x14000d158 TlsGetValue
 0x14000d160 TlsSetValue
 0x14000d168 FreeLibrary
 0x14000d170 LoadLibraryExW
 0x14000d178 LCMapStringW
 0x14000d180 IsValidCodePage
 0x14000d188 GetOEMCP
 0x14000d190 SetStdHandle
 0x14000d198 GetModuleHandleExW
 0x14000d1a0 WriteFile
 0x14000d1a8 GetConsoleCP
 0x14000d1b0 GetConsoleMode
 0x14000d1b8 SetFilePointerEx
 0x14000d1c0 FlushFileBuffers
 0x14000d1c8 RaiseException
 0x14000d1d0 HeapSize
 0x14000d1d8 HeapReAlloc
 0x14000d1e0 CreateEventW
 0x14000d1e8 RtlUnwindEx

EAT (Export Address Table): none
