Windows Analysis Report
SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe
Analysis ID:	1433050
MD5:	a19187b62c78200ed29449c41f872ac6
SHA1:	1e2bbb0ae156513bc070657f02ca2e7440847a37
SHA256:	87eb7f02f97c135ae0d2e28201bbf91575f69e625cc483886020cf8cc678c79a
Tags:	exe
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Creates a process in suspended mode (likely to inject code)

Entry point lies outside standard sections

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Virustotal: Detection: 41%			Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2115644955.000000014007C000.00000002.00000001.01000000.00000006.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_46d88a26-2

Source: unknown

HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.5:49708 version: TLS 1.2

Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2116203527.0000000141EA2000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2116203527.00000001420D6000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2116203527.00000001420D6000.00000040.00000001.01000000.00000006.sdmp

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.26.0.5 104.26.0.5

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: keyauth.win

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2115438203.00000000004EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/
Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2115438203.00000000004EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/L
Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2115438203.00000000004EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/y=

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown

HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.5:49708 version: TLS 1.2

One or more processes crash

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4712 -s 516

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Static PE information: Section: .reloc ZLIB complexity 1.5

Source: classification engine

Classification label: mal84.evad.winEXE@18/1@1/2

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\cf61b6f6-cc49-4c74-9e0c-ecd7a63a3e68

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Virustotal: Detection: 41%

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe" MD5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4712 -s 516
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe" MD5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Static file information: File size 37365264 > 1048576

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x2304c00

Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2116203527.0000000141EA2000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2116203527.00000001420D6000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2116203527.00000001420D6000.00000040.00000001.01000000.00000006.sdmp

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

PE file contains sections with non-standard names

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Static PE information: section name: .themida
Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Static PE information: section name: .boot

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Window searched: window name: RegmonClass	Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\timeout.exe TID: 1576

Thread sleep count: 34 > 30

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2115438203.00000000004EC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process queried: DebugObjectHandle	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Memory protected: page execute and read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	NtQueryInformationProcess: Indirect: 0x14259EAF8	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	NtQuerySystemInformation: Indirect: 0x1424CD11B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	NtQueryInformationProcess: Indirect: 0x14255F38B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	NtSetInformationThread: Indirect: 0x142592491	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe" MD5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.0.5	keyauth.win	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
keyauth.win	104.26.0.5	true

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Virustotal: Detection: 41%			Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2115644955.000000014007C000.00000002.00000001.01000000.00000006.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_46d88a26-2

Source: unknown

HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.5:49708 version: TLS 1.2

Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2116203527.0000000141EA2000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2116203527.00000001420D6000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2116203527.00000001420D6000.00000040.00000001.01000000.00000006.sdmp

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.26.0.5 104.26.0.5

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: keyauth.win

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2115438203.00000000004EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/
Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2115438203.00000000004EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/L
Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2115438203.00000000004EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/y=

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown

HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.5:49708 version: TLS 1.2

One or more processes crash

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4712 -s 516

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Static PE information: Section: .reloc ZLIB complexity 1.5

Source: classification engine

Classification label: mal84.evad.winEXE@18/1@1/2

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\cf61b6f6-cc49-4c74-9e0c-ecd7a63a3e68

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Virustotal: Detection: 41%

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe" MD5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4712 -s 516
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe" MD5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Static file information: File size 37365264 > 1048576

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x2304c00

Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2116203527.0000000141EA2000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2116203527.00000001420D6000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2116203527.00000001420D6000.00000040.00000001.01000000.00000006.sdmp

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

PE file contains sections with non-standard names

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Static PE information: section name: .themida
Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Static PE information: section name: .boot

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Window searched: window name: RegmonClass	Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\timeout.exe TID: 1576

Thread sleep count: 34 > 30

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe, 00000000.00000002.2115438203.00000000004EC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process queried: DebugObjectHandle	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Memory protected: page execute and read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	NtQueryInformationProcess: Indirect: 0x14259EAF8	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	NtQuerySystemInformation: Indirect: 0x1424CD11B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	NtQueryInformationProcess: Indirect: 0x14255F38B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	NtSetInformationThread: Indirect: 0x142592491	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe" MD5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5	Jump to behavior

ID:	1433050
Product:	CloudBasic
Start time:	02:23:11
Start date:	29.04.2024
Sample:	SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	a19187b62c78200ed29449c41f872ac6
SHA1:	1e2bbb0ae156513bc070657f02ca2e7440847a37
SHA256:	87eb7f02f97c135ae0d2e28201bbf91575f69e625cc483886020cf8cc678c79a
Filetype:	Win64 Executable Console (202006/5) 92.65%

Windows Analysis Report
SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Windows Analysis Report SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Windows Analysis Report
SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe