Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe

Overview

General Information

Sample Name:SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe
Analysis ID:1345561
MD5:b794418cce0beacb8eab531605e194b7
SHA1:859a978d7252563cffd21140a6869f0f685f8f6d
SHA256:a94ed8371035cbc5f21d14be02444b5d85cf2d4feeba9a869ec3a446222721df
Tags:exe

Detection

NSISDropper
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected NSISDropper
Machine Learning detection for sample
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
One or more processes crash
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Found large amount of non-executed APIs
Contains functionality which may be used to detect a debugger (GetProcessHeap)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe (PID: 6536 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe MD5: B794418CCE0BEACB8EAB531605E194B7)
    • WerFault.exe (PID: 5352 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6536 -s 228 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.1674381918.0000000000570000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_NSISDropper | Yara detected NSISDropper | Joe Security |
00000000.00000002.1674331641.000000000042E000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_NSISDropper | Yara detected NSISDropper | Joe Security |
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | ReversingLabs: Detection: 26%
Source: SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Virustotal: Detection: 33%
Source: SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6536 -s 228
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_0041286A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_00422032
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_004200E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_0042188A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_004130B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_00412376
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_00421318
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_0040EB33
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_004164C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_004134EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_00412C82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_00417C9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_004174B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_0040ED86
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_00420DA6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_0042364C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_00416727
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_005708B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_00570B61
Source: SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6536
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Command line argument: pRB 0_2_00401190
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\93699842-8f8b-4701-b591-80b24c5333aa
Source: classification engine | Classification label: mal60.troj.winEXE@2/5@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_0041540A push ecx; ret 0_2_0041541D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_00417495 push ecx; ret 0_2_004174A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_00416727 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00416727
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (50 occurrences)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | API coverage: 6.5 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_005707DA GetSystemInfo, 0_2_005707DA
Source: Amcache.hve.3.dr | Binary or memory string: VMware
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_0041A0B2 IsDebuggerPresent, 0_2_0041A0B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_0057005F mov eax, dword ptr fs:[00000030h], 0_2_0057005F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_0057017B mov eax, dword ptr fs:[00000030h], 0_2_0057017B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_00570109 mov eax, dword ptr fs:[00000030h], 0_2_00570109
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_0057013E mov eax, dword ptr fs:[00000030h], 0_2_0057013E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Process queried: DebugPort (2 occurrences)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_0041EC7F EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_0041EC7F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_004177BD GetProcessHeap, 0_2_004177BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_004169E3 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004169E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_004169B2 SetUnhandledExceptionFilter, 0_2_004169B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_0041F826
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 0_2_0041F8A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 0_2_0041FA9E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0041FBC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_0041FC75
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_0041CCD1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 0_2_0041FCDF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 0_2_0041F4F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: EnumSystemLocalesW, 0_2_00416D50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: GetLocaleInfoW, 0_2_00416D8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: EnumSystemLocalesW, 0_2_0041F769
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_0041F7A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe | Code function: 0_2_00419F1D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00419F1D
Source: Amcache.hve.3.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.1674381918.0000000000570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1674331641.000000000042E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.1674381918.0000000000570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1674331641.000000000042E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
MITRE ATT&CK Matrix (number of matched signatures in parentheses; techniques without a count are unmatched matrix placeholders)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Defense Evasion: Virtualization/Sandbox Evasion (1); Process Injection (1); Obfuscated Files or Information (1); Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: System Time Discovery (1); Security Software Discovery (51); Virtualization/Sandbox Evasion (1); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation
Network Effects: Exploit SS7 to Redirect Phone Calls/SMS; SIM Card Swap
Remote Service Effects: Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names