Report - lve5.exe

UPX PE32 PE File

ScreenShot

Info
Location map


Created	2023.12.19 07:40	Machine	s1_win7_x6403
Filename	lve5.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score	9	Behavior Score	4.4
ZERO API	file : malware
VT API (file)
md5	82182c7f430666ecd80649a3c9d4b06a
sha256	f9a0484222a37b48f410a2a1b6cfc204d0c6a3f722ca69aa0773c2c4f67bea35
ssdeep	3072:AyIpG2/iDbYyEXcFHUZUMgJUYF+JddZCqNC:lIposRcF0Z9gJh+bd9N
imphash	e58ab46f2a279ded0846d81bf0fa21f7
impfuzzy	3:swBJAEPwS9KTXzhAXwEQaxRAAbsEBJJ67EGV21MOB:dBJAEHGDzyRlbRmVOZB

Network IP location

Signature (11cnts)

Level	Description
watch	Expresses interest in specific running processes
watch	Installs itself for autorun at Windows startup
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Creates a service
notice	Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice	Repeatedly searches for a not-found process
notice	Searches running processes potentially to identify processes for sandbox evasion
notice	The binary likely contains encrypted or compressed data indicative of a packer
notice	The executable is compressed using UPX
info	Checks amount of memory in system
info	The executable uses a known packer

Rules (3cnts)

Level	Name	Description	Collection
watch	UPX_Zero	UPX packed file	binaries (upload)
info	IsPE32	(no description)	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (2cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
www.996m2m2.top whois		PEGTECHINC	163.197.245.130		clean
163.197.245.130 whois		PEGTECHINC	163.197.245.130		mailcious

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
0x463028 LoadLibraryA
0x46302c GetProcAddress
0x463030 VirtualProtect
0x463034 VirtualAlloc
0x463038 VirtualFree
0x46303c ExitProcess

EAT(Export Address Table) is none

Similarity measure (PE file only) - Checking for service failure