Report - ucejekudcp.exe

UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32
ScreenShot
Created 2023.08.07 08:30 Machine s1_win7_x6403
Filename ucejekudcp.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
4
Behavior Score
12.2
ZERO API file : malware
VT API (file) 50 detected (AIDetectMalware, malicious, high confidence, Lazy, Kryptik, V0e7, confidence, 100%, ZexaE, sTW@aenTsyk, Eldorado, Attribute, HighConfidence, HUBU, score, PWSX, Dkjl, RedLineSteal, lyeib, AMADEY, YXDHCZ, RedlineStealer, Wacatac, Redline, NEAW, Detected, R595266, Artemis, ai score=80, unsafe, Chgt, LItuFRxLQGJ, susgen)
md5 2ddbd7e7fdf9bf2edfa375ad6fe2f6f5
sha256 9354c11be1fbde7607e1139a9fecff5269d7f8dba8f6fbe35c950074bc0cdefe
ssdeep 12288:dTVIe2S3HqYM7d6197u0cyUWf5GIkB1DlGul3VbCb2mGmPPNru7+glPm5PozTjuM:/3HqX7d6197u1yVUl3VuamXPNc+ipp
imphash 615d351e86cf9798ef889916ae080d96
impfuzzy 24:ugD69scpVXZsCrYtMS14GzplJBl3ELoEOovbOZFuFZMvtGMAHTq+lEZHu93:e9scpVJZrYtMS14GzPpSc3fuFZGl4
  Network IP location

Signature (27cnts)

Level Description
danger File has been identified by 50 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client softwares
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Executes one or more WMI queries which can be used to identify virtual machines
notice One or more potentially interesting buffers were extracted
notice Queries for potentially installed applications
notice Steals private information from local Internet browsers
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (13cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (1cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
176.123.9.85 MD Alexhost Srl 176.123.9.85 mailcious

Suricata ids

PE API

IAT(Import Address Table) Library

USER32.dll
 0x4bc200 SetWindowDisplayAffinity
GDI32.dll
 0x4bc000 AngleArc
 0x4bc004 RestoreDC
KERNEL32.dll
 0x4bc034 CreateFileW
 0x4bc038 GetProcAddress
 0x4bc03c FormatMessageA
 0x4bc040 WideCharToMultiByte
 0x4bc044 MultiByteToWideChar
 0x4bc048 GetStringTypeW
 0x4bc04c EnterCriticalSection
 0x4bc050 LeaveCriticalSection
 0x4bc054 InitializeCriticalSectionEx
 0x4bc058 DeleteCriticalSection
 0x4bc05c LocalFree
 0x4bc060 EncodePointer
 0x4bc064 DecodePointer
 0x4bc068 LCMapStringEx
 0x4bc06c GetLocaleInfoEx
 0x4bc070 CompareStringEx
 0x4bc074 GetCPInfo
 0x4bc078 UnhandledExceptionFilter
 0x4bc07c SetUnhandledExceptionFilter
 0x4bc080 GetCurrentProcess
 0x4bc084 TerminateProcess
 0x4bc088 IsProcessorFeaturePresent
 0x4bc08c QueryPerformanceCounter
 0x4bc090 GetCurrentProcessId
 0x4bc094 GetCurrentThreadId
 0x4bc098 GetSystemTimeAsFileTime
 0x4bc09c InitializeSListHead
 0x4bc0a0 IsDebuggerPresent
 0x4bc0a4 GetStartupInfoW
 0x4bc0a8 GetModuleHandleW
 0x4bc0ac HeapSize
 0x4bc0b0 RaiseException
 0x4bc0b4 RtlUnwind
 0x4bc0b8 InterlockedPushEntrySList
 0x4bc0bc InterlockedFlushSList
 0x4bc0c0 GetLastError
 0x4bc0c4 SetLastError
 0x4bc0c8 InitializeCriticalSectionAndSpinCount
 0x4bc0cc TlsAlloc
 0x4bc0d0 TlsGetValue
 0x4bc0d4 TlsSetValue
 0x4bc0d8 TlsFree
 0x4bc0dc FreeLibrary
 0x4bc0e0 WriteConsoleW
 0x4bc0e4 LoadLibraryExW
 0x4bc0e8 GetStdHandle
 0x4bc0ec WriteFile
 0x4bc0f0 GetModuleFileNameW
 0x4bc0f4 ExitProcess
 0x4bc0f8 GetModuleHandleExW
 0x4bc0fc GetCommandLineA
 0x4bc100 GetCommandLineW
 0x4bc104 GetCurrentThread
 0x4bc108 HeapFree
 0x4bc10c HeapAlloc
 0x4bc110 GetDateFormatW
 0x4bc114 GetTimeFormatW
 0x4bc118 CompareStringW
 0x4bc11c LCMapStringW
 0x4bc120 GetLocaleInfoW
 0x4bc124 IsValidLocale
 0x4bc128 GetUserDefaultLCID
 0x4bc12c EnumSystemLocalesW
 0x4bc130 GetFileType
 0x4bc134 GetFileSizeEx
 0x4bc138 SetFilePointerEx
 0x4bc13c CloseHandle
 0x4bc140 FlushFileBuffers
 0x4bc144 GetConsoleOutputCP
 0x4bc148 GetConsoleMode
 0x4bc14c ReadFile
 0x4bc150 HeapReAlloc
 0x4bc154 SetConsoleCtrlHandler
 0x4bc158 GetTimeZoneInformation
 0x4bc15c OutputDebugStringW
 0x4bc160 FindClose
 0x4bc164 FindFirstFileExW
 0x4bc168 FindNextFileW
 0x4bc16c IsValidCodePage
 0x4bc170 GetACP
 0x4bc174 GetOEMCP
 0x4bc178 GetEnvironmentStringsW
 0x4bc17c FreeEnvironmentStringsW
 0x4bc180 SetEnvironmentVariableW
 0x4bc184 SetStdHandle
 0x4bc188 GetProcessHeap
 0x4bc18c ReadConsoleW

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure