Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe
Analysis ID:	1391081
MD5:	2a8518bc555d20abc4ca174860dac87b
SHA1:	9a62af62097e126dc4045e0f9eef0a61a4679975
SHA256:	ca36b4b2faee3ef5cfbe935b75bc9926b6ddf5c2ab8df43e4a29e5c96bb01eae
Tags:	exe
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

One or more processes crash

PE file does not import any functions

Tries to load missing DLLs

Uses 32bit PE files

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe (PID: 4780 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe MD5: 2A8518BC555D20ABC4CA174860DAC87B)

WerFault.exe (PID: 4540 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 236 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe

ReversingLabs: Detection: 18%

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe	String found in binary or memory: http://www.clamav.net

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe	Code function: 0_2_0040C8F4	0_2_0040C8F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe	Code function: 0_2_004090A8	0_2_004090A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe	Code function: 0_2_00411DD8	0_2_00411DD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe	Code function: 0_2_004085EC	0_2_004085EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe	Code function: 0_2_00409E48	0_2_00409E48
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe	Code function: 0_2_004096C4	0_2_004096C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe	Code function: 0_2_0040BB25	0_2_0040BB25
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe	Code function: 0_2_0041132C	0_2_0041132C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe	Code function: 0_2_0040FB98	0_2_0040FB98
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe	Code function: 0_2_004127B4	0_2_004127B4

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 236

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe

Static PE information: No import functions for PE file found

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe

Section loaded: apphelp.dll

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal48.winEXE@2/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4780

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6fde14b4-e535-4776-bf9f-6d7befc3a6df

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 236

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe

Code function: 0_2_00401000 LdrInitializeThunk,

0_2_00401000

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe	18%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.clamav.net	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1391081
Start date and time:	2024-02-12 20:38:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe
Detection:	MAL
Classification:	mal48.winEXE@2/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): client.wns.windows.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe

Simulations

Behavior and APIs

Time	Type	Description
20:39:09	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_0c57672e7cfd9f6c5592dfeabe7936895a9ce21_8f52b1cc_a2296afc-3fdd-41c9-b2c7-b7ebd5d52e4e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6858708794731979
Encrypted:	false
SSDEEP:	96:arZ0FB4n+e4Rs23hMyoI7Jf7QXIDcQvc6QcEVcw3cE/jt5+HbHg6ZAX/d5FMT2S0:5kWRA0BU/wjEzuiFgZ24IO8T
MD5:	1EC853332B630045CEA133036ACD2522
SHA1:	CF27855E1D7957EB6D87CF21FE1A294BB08C9DF2
SHA-256:	521BAA8A2F157C220C72CFF3DE2532EAD0A9A2C96C6E1D367D98D7D86936D684
SHA-512:	E4793B2D296F10A486703138FD4C42D708BC85B60834897DDAC882E1027408294553885FD6D722926CB62A80D4E5C584178ABF009D74D78F90E0798B7C83B09A
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.2.2.4.0.3.4.7.6.5.1.8.9.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.2.2.4.0.3.4.8.3.5.5.0.3.7.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.2.2.9.6.a.f.c.-.3.f.d.d.-.4.1.c.9.-.b.2.c.7.-.b.7.e.b.d.5.d.5.2.e.4.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.4.f.1.e.2.3.b.-.a.a.6.d.-.4.f.5.5.-.a.d.d.5.-.5.8.0.f.1.b.2.a.f.8.9.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.3.2...X.p.a.c.k...E...g.e.n...E.l.d.o.r.a.d.o...3.1.4.3.6...2.9.8.9.5...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.a.c.-.0.0.0.1.-.0.0.1.5.-.1.b.3.f.-.6.b.2.4.e.b.5.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.4.9.0.0.2.6.f.9.7.b.4.e.9.b.3.f.4.a.a.d.1.e.b.e.9.d.2.7.3.2.7.0.0.0.0.f.f.f.f.!.0.0.0.0.9.a.6.2.a.f.6.2.0.9.7.e.1.2.6.d.c.4.0.4.5.e.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD635.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Feb 12 19:39:07 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18574
Entropy (8bit):	1.9536097266107357
Encrypted:	false
SSDEEP:	96:5Q8+E36avjRGrvk5SCi7nymbnrKVkjS68LWx4Wqm7ijJKLWIkWIwR8I4T/N2UW:FQaAk55OTbl7xFiTV2UW
MD5:	C2019AA11DF777B79167FE470DD634DB
SHA1:	B69D2C804F2EB9F8BEC4E09A1BB382D71D9698DB
SHA-256:	1D9CF2D0BD6C46DE8FD785B756445816316F38F61661D127C201BAAF404DEB69
SHA-512:	D6F73B6173C5AA8507382F08BE5FDEF2601FADC29CB47789A78931ED479B43A2DD694C8C8B9C21E77965FD1F4F6D691576766E4B8491B102915E2128069F556E
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........s.e............4...............<.......T...............T.......8...........T................>......................................................................................................eJ......L.......GenuineIntel............T............s.e.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6C3.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8498
Entropy (8bit):	3.704643001989887
Encrypted:	false
SSDEEP:	192:R6l7wVeJXA6jmuLe6Y2DLSU9IGgmf3ga4/prp89b0bmsf026jm:R6lXJQ6SD6YGSU9LgmfwC0bFfW6
MD5:	973EF55CEA27DBC52B6810CF680E04BA
SHA1:	7E3575DAAE642CD1E2A9B45BA01F639904EB6F13
SHA-256:	E97908A576BA2E75B62B8A2E35210996AB3048F7A27360970626A9B0C08D7351
SHA-512:	949DB764A08C4449F9A8DD1874FDA24B02F9CCED9F22B7FD5E03750F642741F860E66C5F8A53B78BE9D36E360A9DBC3C120DEE7CFF41AFD2D6683097587CCA6F
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.7.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD702.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4834
Entropy (8bit):	4.582417091032146
Encrypted:	false
SSDEEP:	48:cvIwWl8zswJg77aI9NyWpW8VYpYm8M4JIGFdG+q8mqu+CVd:uIjf2I7rT7VVJ7Ggu+CVd
MD5:	881FABC75945DF01E82C6C6365543423
SHA1:	FA520A98680980886A8B870F2144E3009E67214A
SHA-256:	CDE18337E80E6FEBB44854AA356660542CC9A00B10A541CA4C79201603B9FA01
SHA-512:	E790EBEC841EE7B31C21943A79C9C0FC3742B9E94AD649C98EC7DCD3484E1FC5DFD3183C681AE63D9EC314809466C79BAC2BD166FB98E7F0FF9A474D6664F19C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="190721" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468893983166473
Encrypted:	false
SSDEEP:	6144:IzZfpi6ceLPx9skLmb0fGZWSP3aJG8nAgeiJRMMhA2zX4WABluuNDjDH5S:eZHtGZWOKnMM6bFp9j4
MD5:	4613AE7FCED93BD26C27ADBE1A445954
SHA1:	F8C2B30CB9ECF29451166A5FA895374B6FDCEDBE
SHA-256:	9F216CA7D8F9846CC850B61C65217BF6818FFD8B7DB7C6F071AF6BC1DA740731
SHA-512:	647222A1083CCFD18EA6939814141A555D8F7244F03CEB95615C0A011D7A61B8F45E53078474361EA0B4BA79CB99C910C1682992FE23F1C9242A4356D7E5187A
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..$.].........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.77957059900157
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe
File size:	131'072 bytes
MD5:	2a8518bc555d20abc4ca174860dac87b
SHA1:	9a62af62097e126dc4045e0f9eef0a61a4679975
SHA256:	ca36b4b2faee3ef5cfbe935b75bc9926b6ddf5c2ab8df43e4a29e5c96bb01eae
SHA512:	2328a0e7d15b7db058ee6a38374baec9376e8f0f2b8630b4ca41f3f8d618c9ad3c56041a295a3920c9b0150538c82a17a78af255b38c693421911d83f7f9bbf4
SSDEEP:	1536:cb4lwkb00XQu/CD/jbld3xbvj3LNvjFkWUDEqTDEmtYhBX53:ciD0Xu/I/jbl1xbvj3pCDTTptGBJ
TLSH:	A9D36C0293EA81B1EC82CB70506CE77AD67FFF445A39B19B8B4D0DAC7470A10A615F76
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM.................0...p.............

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x401000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
call 00007FC519594AF2h
push eax
call 00007FC57F514BF2h
add byte ptr [eax], al
add byte ptr [eax], al
nop
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov edi, dword ptr [ebp+10h]
mov ebx, dword ptr [ebp+0Ch]
mov esi, dword ptr [ebp+08h]
mov edx, ebx
push dword ptr [ebp+14h]
push 004140E5h
push 00000000h
push 00000000h
mov eax, esi
mov ecx, edi
call 00007FC5D5754AF2h
sub ebx, 00000110h
je 00007FC559324AE7h
dec ebx
je 00007FC559324AF6h
jmp 00007FC559324B39h
push dword ptr [ebp+14h]
push 00000066h
push esi
call 00007FC513534BF2h
mov eax, 00000001h
jmp 00007FC559324B29h
and di, FFFFh
dec di
je 00007FC559324AE9h
dec di
je 00007FC559324B05h
jmp 00007FC559324B12h
push 00000080h
push 004150CCh
push 00000065h
push esi
call 00007FC583534BF2h
push 00000001h
push esi
call 00007FC565534BF2h
mov eax, 00000001h
jmp 00007FC559324AF7h
push 00000000h
push esi
call 00007FC565534BF2h
mov eax, 00000001h
jmp 00007FC559324AE8h
xor eax, eax
jmp 00007FC559324AE4h
xor eax, eax
pop edi
pop esi
pop ebx
pop ebp
retn 0010h
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov edi, dword ptr [ebp+10h]
mov ebx, dword ptr [ebp+0Ch]
mov esi, dword ptr [ebp+08h]
mov edx, ebx
push dword ptr [ebp+14h]
push 004140F2h
push 00000000h
push 00000000h
mov eax, esi
mov ecx, edi
call 00007FC559754AF2h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1b000	0xf9f	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x3e00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13000	0x13000	8e4687f48362c6bb4a8b4eb5fefd3436	False	0.511731599506579	data	6.365876753702773	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x14000	0x7000	0x7000	ee8362501daf70fe4e38d5a272e469bc	False	0.045654296875	data	0.6347747239254509	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1b000	0x1000	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1c000	0x4000	0x4000	66fe23fddf1df979ae204b613ca8efeb	False	0.172607421875	data	2.7134958733993177	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exePID: 4780, Parent PID: 4004

General

Target ID:	0
Start time:	20:39:07
Start date:	12/02/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe
Imagebase:	0x400000
File size:	131'072 bytes
MD5 hash:	2A8518BC555D20ABC4CA174860DAC87B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 4540, Parent PID: 4780

General

Target ID:	4
Start time:	20:39:07
Start date:	12/02/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 236
Imagebase:	0xa30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exePID: 4780, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	2
Total number of Limit Nodes:	0

Executed Functions

Function 00401000 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00401000

Strings

GETPASSWORD1, xrefs: 00401024

Memory Dump Source

Source File: 00000000.00000002.2185248689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2185233453.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185267166.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID: GETPASSWORD1
API String ID: 2994545307-3292211884
Opcode ID: d10e16f1c9460ce873a536f6dab904b010554a3a6bd8842c9cdd7f714ae7a78a
Instruction ID: 9369351bf247ffcb7071f3bd38900d834f4330a234b9d2efde69ab9dba09dbc5
Opcode Fuzzy Hash: d10e16f1c9460ce873a536f6dab904b010554a3a6bd8842c9cdd7f714ae7a78a
Instruction Fuzzy Hash: 36014931744384B7E63119348C51FEF6615AB46B20F104233FB917A2E0C5BE8DC221AE

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040C8F4 Relevance: 3.4, Strings: 2, Instructions: 933COMMON

Download Yara Rule

Strings

0, xrefs: 0040D498
{, xrefs: 0040C9E6

Memory Dump Source

Source File: 00000000.00000002.2185248689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2185233453.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185267166.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0${
API String ID: 0-3977606544
Opcode ID: e23d7ea2f1b59b7c1970bda853cea72c8e33995cf77c4b0649a12edcb9e9030b
Instruction ID: 849a15ebc036da4caece411ef95c9e82703c2f23f8bebedeb6ea530809ba9d63
Opcode Fuzzy Hash: e23d7ea2f1b59b7c1970bda853cea72c8e33995cf77c4b0649a12edcb9e9030b
Instruction Fuzzy Hash: 66925970908285DADF25CB74C8C47EFBBB1AF00324F0847BAC8696A2D5D778598DCB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411DD8 Relevance: 1.6, Strings: 1, Instructions: 376COMMON

Download Yara Rule

Strings

, xrefs: 00411FF4

Memory Dump Source

Source File: 00000000.00000002.2185248689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2185233453.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185267166.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 04d51d203adec4cacfdabf44ab0e353060f379a98ce79e73b01a80fc61575fa4
Instruction ID: e5cd32928c651fde325229c9e2d5bf92c2eb9c17ebc76a5817a6c0cabe59f00b
Opcode Fuzzy Hash: 04d51d203adec4cacfdabf44ab0e353060f379a98ce79e73b01a80fc61575fa4
Instruction Fuzzy Hash: 5AF1A571A006098BDB14CF69C580ADEB7F2BF88310F14C67AC926DB395DB74E986CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004085EC Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

taA, xrefs: 004085EF

Memory Dump Source

Source File: 00000000.00000002.2185248689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2185233453.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185267166.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: taA
API String ID: 0-3515101822
Opcode ID: 8dac01987c027e25e68b65fdc667cbc28652a89359f1c660fcc3989953a1273a
Instruction ID: 36e62ae3f99718de5c31de33e312e67151c6637a0300a77c030d4bf68eb9f317
Opcode Fuzzy Hash: 8dac01987c027e25e68b65fdc667cbc28652a89359f1c660fcc3989953a1273a
Instruction Fuzzy Hash: 9A217C31718612478728DDAD8CF006BE693FBCF301357C6BDC686A7749CA6468168794

Uniqueness

Uniqueness Score: -1.00%

Function 0041132C Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185248689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2185233453.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185267166.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397cf535c09c40913cbd57cc171b127a0fa0e4a05c8052c92425243d5f8b12db
Instruction ID: 947e67a9b245b543ea15b2664000deb53573dece29489d31a54ade2c6d9e5ce4
Opcode Fuzzy Hash: 397cf535c09c40913cbd57cc171b127a0fa0e4a05c8052c92425243d5f8b12db
Instruction Fuzzy Hash: 222297705086408FDB14CF18C8D46AA77E2AF85315F0886BEDDA98F3EAD638D845CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004090A8 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185248689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2185233453.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185267166.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f1a13c5fd44b760c90e595ebbd9387e31a9cb3b72f51995e3d2b0b4af69776
Instruction ID: c63f3746d1b0237b599681d726ebd0e2f89529b821ad6be24f9e7347f98c966c
Opcode Fuzzy Hash: d5f1a13c5fd44b760c90e595ebbd9387e31a9cb3b72f51995e3d2b0b4af69776
Instruction Fuzzy Hash: 9122D7B55083908FC361CF24C190956FBF0BF99350F5ACA9AD9D88B312D235E946DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00409E48 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185248689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2185233453.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185267166.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e6943751cac1ada075f55f3eb7713643433e42b260a4a4902e342d28b3881a
Instruction ID: 07dc002f3d52eedce12653127bb7efe16b01348d2eafe9e57afbbf23674df3db
Opcode Fuzzy Hash: 22e6943751cac1ada075f55f3eb7713643433e42b260a4a4902e342d28b3881a
Instruction Fuzzy Hash: D40249379052298FCB24EF88D844019B3A6EBC4324F5F89A8C9946F256D335FE17CB85

Uniqueness

Uniqueness Score: -1.00%

Function 004096C4 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185248689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2185233453.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185267166.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d5912511f44629991d468fe1552ec6147ad10df12b47be70167e135c2d30d1
Instruction ID: 35c0643af421c48e1126c43c4f2acbe6ca21531091a467e4cddd057b0b5b6143
Opcode Fuzzy Hash: f0d5912511f44629991d468fe1552ec6147ad10df12b47be70167e135c2d30d1
Instruction Fuzzy Hash: 3E91836265E2D19AD71A5F3D39B02E66E420BB7340F4DC1BEC4C997397C8274819C3AE

Uniqueness

Uniqueness Score: -1.00%

Function 004127B4 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185248689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2185233453.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185267166.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e30c0c234346b961a9b66eee0992bc4134a3fc2a2dc42995b051fd2b4abaa7
Instruction ID: f6b229eee3ed7f9cf3419e504efff186d7444f1aa2679d60c5e551655d74f35c
Opcode Fuzzy Hash: c4e30c0c234346b961a9b66eee0992bc4134a3fc2a2dc42995b051fd2b4abaa7
Instruction Fuzzy Hash: 81716C70704F0A4BE321A63CDD903EF73C19B51724F50072AD5B9C73C1EB98AA96979A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB25 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185248689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2185233453.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185267166.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc288b1a20d14500094c5b1fc8b9e3c518a339597420f0901aadddb9015d62f
Instruction ID: 00b07f77e08e6e388afc03622c41616326fc8b3bdcb9f53c3b7d922871ba43d3
Opcode Fuzzy Hash: 1dc288b1a20d14500094c5b1fc8b9e3c518a339597420f0901aadddb9015d62f
Instruction Fuzzy Hash: 7F81D170608381CBD778CF29C995BDAB7E2FBC9314F148A2ED58DD2690D7349841CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB98 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185248689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2185233453.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185267166.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185281685.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662ad900b130d8c6c716cc74c0087b1ae92929a9feef180fde69f85da04d6323
Instruction ID: 2e88bbdd44f2febc6cfdf6e195563bf059aa4013457babe3a85ae63370bfefb0
Opcode Fuzzy Hash: 662ad900b130d8c6c716cc74c0087b1ae92929a9feef180fde69f85da04d6323
Instruction Fuzzy Hash: B661B0706047158FD328CF29C480796B7E2FF98304F18827EC85ACB7A5DB35A85ACB95

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_0c57672e7cfd9f6c5592dfeabe7936895a9ce21_8f52b1cc_a2296afc-3fdd-41c9-b2c7-b7ebd5d52e4e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD635.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6C3.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD702.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exePID: 4780, Parent PID: 4004

General

Chronological Activities

Analysis Process: WerFault.exePID: 4540, Parent PID: 4780

General

Chronological Activities

Disassembly

Windows Analysis Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31436.29895.exe

Function 00401000 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
libraryCOMMON