Malware analysis lc.exe Malicious activity | ANY.RUN

Add for printing

File name:	lc.exe
Full analysis:	https://app.any.run/tasks/5de8f592-deb5-471d-98ec-a7be5edf0560
Verdict:	Malicious activity
Analysis date:	April 02, 2024, 14:41:25
OS:	Ubuntu 22.04.2
MIME:	application/x-dosexec
File info:	PE32+ executable (console) x86-64, for MS Windows
MD5:	A814F356AD4061DCEC4EB4A07558C9EE
SHA1:	61AA0BBB10904033ACE49BD511D3B887A4E72E71
SHA256:	EFFEE5D56EE23683BDE67D995A72EF3D2EBA8ECB454366E80C07545F0993644F
SSDEEP:	48:YOWWMMEisaiRKssdKcbzMQIxEYJWKKK0xUuVyfvV3xsY3QKfihahikmrio:/hsC1OJfLw+DV3Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executes commands using command-line interpreter
  - apt (PID: 9417)
  - gnome-terminal-server (PID: 9298)
  - apt (PID: 9332)
- Checks DMI information (probably VM detection)
  - systemd-hostnamed (PID: 9283)
- Reads information about logins, logouts, and login attempts
  - bash (PID: 9316)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2024:04:01 17:31:47+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.35
CodeSize:	1024
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x1250
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

272

Monitored processes

50

Malicious processes

0

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
9262	/bin/sh -c "DISPLAY=:0 sudo -iu user nautilus \"/tmp/lc\.exe\" "	/bin/sh	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 9291
9263	sudo -iu user nautilus /tmp/lc.exe	/usr/bin/sudo	—	sh
User: root Integrity Level: UNKNOWN Exit code: 209
9264	nautilus /tmp/lc.exe	/usr/bin/nautilus	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 1214
9265	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	nautilus
User: user Integrity Level: UNKNOWN Exit code: 0
9283	/lib/systemd/systemd-hostnamed	/lib/systemd/systemd-hostnamed	—	systemd
User: root Integrity Level: UNKNOWN Exit code: 496
9291	/usr/bin/python3 /usr/bin/gnome-terminal	/usr/bin/gnome-terminal	—	gnome-shell
User: user Integrity Level: UNKNOWN Exit code: 209
9293	/usr/bin/gnome-terminal.real	/usr/bin/gnome-terminal.real	—	gnome-terminal
User: user Integrity Level: UNKNOWN Exit code: 1214
9298	/usr/libexec/gnome-terminal-server	/usr/libexec/gnome-terminal-server	—	systemd
User: user Integrity Level: UNKNOWN Exit code: 416
9316	bash	/bin/bash	—	gnome-terminal-server
User: user Integrity Level: UNKNOWN Exit code: 416
9317	/bin/sh /usr/bin/lesspipe	/usr/bin/lesspipe	—	bash
User: user Integrity Level: UNKNOWN Exit code: 1214

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
9264	nautilus	/home/user/.local/share/nautilus/tags/meta.db-wal		—
		MD5:—	SHA256:—
9264	nautilus	/home/user/.local/share/nautilus/tags/meta.db-shm		—
		MD5:—	SHA256:—
9264	nautilus	/home/user/.local/share/nautilus/tags/.meta.isrunning		—
		MD5:—	SHA256:—
9332	apt	/var/cache/apt/archives/partial/.apt-acquire-privs-test.MT3rJ3		—
		MD5:—	SHA256:—
9332	apt	/var/cache/apt/archives/partial/.apt-acquire-privs-test.PRJJzB		—
		MD5:—	SHA256:—
9332	apt	/var/cache/apt/archives/partial/.apt-acquire-privs-test.WlVmxG		—
		MD5:—	SHA256:—
9332	apt	/var/cache/apt/archives/partial/.apt-acquire-privs-test.jJbIOu		—
		MD5:—	SHA256:—
9332	apt	/var/cache/apt/archives/partial/.apt-acquire-privs-test.AI58AB		—
		MD5:—	SHA256:—
9332	apt	/var/cache/apt/archives/partial/.apt-acquire-privs-test.8HZSOe		—
		MD5:—	SHA256:—
9332	apt	/var/cache/apt/archives/partial/.apt-acquire-privs-test.uK53Um		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

420

TCP/UDP connections

34

DNS requests

16

Threats

416

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	185.125.190.36:80	http://ie.archive.ubuntu.com/ubuntu/pool/main/g/gcc-12/gcc-12-base_12.3.0-1ubuntu1%7e22.04_i386.deb	unknown	binary	19.6 Kb	unknown
—	—	GET	—	185.125.190.36:80	http://ie.archive.ubuntu.com/ubuntu/pool/main/x/xz-utils/liblzma5_5.2.5-2ubuntu1_i386.deb	unknown	—	—	unknown
—	—	GET	—	185.125.190.36:80	http://ie.archive.ubuntu.com/ubuntu/pool/main/libc/libcap2/libcap2_2.44-1ubuntu0.22.04.1_i386.deb	unknown	—	—	unknown
—	—	GET	—	185.125.190.36:80	http://ie.archive.ubuntu.com/ubuntu/pool/main/g/glibc/libc6_2.35-0ubuntu3.5_i386.deb	unknown	—	—	unknown
—	—	GET	—	185.125.190.36:80	http://ie.archive.ubuntu.com/ubuntu/pool/main/libz/libzstd/libzstd1_1.4.8%2bdfsg-3build1_i386.deb	unknown	—	—	unknown
—	—	GET	—	185.125.190.36:80	http://ie.archive.ubuntu.com/ubuntu/pool/main/g/gcc-12/libgcc-s1_12.3.0-1ubuntu1%7e22.04_i386.deb	unknown	—	—	unknown
—	—	GET	—	185.125.190.36:80	http://ie.archive.ubuntu.com/ubuntu/pool/main/libx/libxcrypt/libcrypt1_4.4.27-1_i386.deb	unknown	—	—	unknown
—	—	GET	—	185.125.190.36:80	http://ie.archive.ubuntu.com/ubuntu/pool/main/libg/libgpg-error/libgpg-error0_1.43-3_i386.deb	unknown	—	—	unknown
—	—	GET	—	185.125.190.36:80	http://ie.archive.ubuntu.com/ubuntu/pool/main/l/lz4/liblz4-1_1.9.3-2build2_i386.deb	unknown	—	—	unknown
—	—	GET	—	185.125.190.36:80	http://ie.archive.ubuntu.com/ubuntu/pool/main/libg/libgcrypt20/libgcrypt20_1.9.4-3ubuntu3_i386.deb	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.48:80	—	Canonical Group Limited	GB	unknown
—	—	212.102.56.179:443	—	Datacamp Limited	DE	unknown
—	—	156.146.33.138:443	—	Datacamp Limited	DE	unknown
—	—	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	unknown
—	—	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	unknown
—	—	185.125.190.36:80	ie.archive.ubuntu.com	Canonical Group Limited	GB	unknown
—	—	91.189.91.83:80	ie.archive.ubuntu.com	Canonical Group Limited	US	unknown

DNS requests

Domain	IP	Reputation
65.100.168.192.in-addr.arpa	—	unknown
api.snapcraft.io	185.125.188.55 185.125.188.59 185.125.188.54 185.125.188.58	unknown
connectivity-check.ubuntu.com	2620:2d:4002:1::198 2620:2d:4002:1::196 2620:2d:4000:1::97 2620:2d:4000:1::2b 2001:67c:1562::23 2620:2d:4000:1::96 2620:2d:4000:1::2a 2620:2d:4000:1::22 2620:2d:4000:1::23 2620:2d:4000:1::98 2001:67c:1562::24 2620:2d:4002:1::197	unknown
_http._tcp.ie.archive.ubuntu.com	—	unknown
ie.archive.ubuntu.com	185.125.190.36 91.189.91.83 91.189.91.82 185.125.190.39 91.189.91.81 2620:2d:4002:1::101 2620:2d:4000:1::16 2620:2d:4000:1::19 2620:2d:4002:1::103 2620:2d:4002:1::102	unknown

Threats

PID	Process	Class	Message
—	—	Not Suspicious Traffic	ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
—	—	Not Suspicious Traffic	ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
—	—	Not Suspicious Traffic	ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
—	—	Not Suspicious Traffic	ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
—	—	Not Suspicious Traffic	ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
—	—	Not Suspicious Traffic	ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
—	—	Not Suspicious Traffic	ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
—	—	Not Suspicious Traffic	ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
—	—	Not Suspicious Traffic	ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
—	—	Not Suspicious Traffic	ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management

Add for printing

No debug info

General Info

lc.exe

A814F356AD4061DCEC4EB4A07558C9EE

61AA0BBB10904033ACE49BD511D3B887A4E72E71

EFFEE5D56EE23683BDE67D995A72EF3D2EBA8ECB454366E80C07545F0993644F

48:YOWWMMEisaiRKssdKcbzMQIxEYJWKKK0xUuVyfvV3xsY3QKfihahikmrio:/hsC1OJfLw+DV3Q

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Executes commands using command-line interpreter

Checks DMI information (probably VM detection)

Reads information about logins, logouts, and login attempts

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings