Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan-Downloader.8862.17468.exe
Analysis ID:	1417315
MD5:	99e6eb18c870372dd39f1f3e491f91b1
SHA1:	3248418514e5a21f66cb43b8eef1be5925177bde
SHA256:	34a1b86d7355b5effffa36faa80c432a86f4ba6b3164cb35f5abe0d65cfbfa4d
Tags:	exe
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Machine Learning detection for sample

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses 32bit PE files

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan-Downloader.8862.17468.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe" MD5: 99E6EB18C870372DD39F1F3E491F91B1)

conhost.exe (PID: 7424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Code function: 0_2_00403740 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,

0_2_00403740

Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Static PE information: Number of sections : 13 > 10

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Section loaded: apphelp.dll

Jump to behavior

Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: sus24.winEXE@2/1@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7424:120:WilError_03

Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit,

0_2_00401340

Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe	Static PE information: section name: /4
Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe	Static PE information: section name: /14
Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe	Static PE information: section name: /29
Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe	Static PE information: section name: /41
Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe	Static PE information: section name: /55
Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe	Static PE information: section name: /67

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Code function: 0_2_00403740 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,

0_2_00403740

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

API call chain: ExitProcess graph end node

graph_0-2196

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit,

0_2_00401340

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Code function: 0_2_004011B0 SetUnhandledExceptionFilter,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,

0_2_004011B0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Code function: 0_2_00401A30 cpuid

0_2_00401A30

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	11 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan-Downloader.8862.17468.exe	8%	ReversingLabs
SecuriteInfo.com.Trojan-Downloader.8862.17468.exe	100%	Joe Sandbox ML

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417315
Start date and time:	2024-03-28 23:26:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan-Downloader.8862.17468.exe
Detection:	SUS
Classification:	sus24.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 10 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	31
Entropy (8bit):	3.6277635530073993
Encrypted:	false
SSDEEP:	3:ORy+itAfKDFEFCn:OgQCn
MD5:	964EFF64A51AF8DB20BECE26DD2B39F3
SHA1:	A2612CEF7266E3F1C380B1A9FDECAB5F00CE6073
SHA-256:	9D3441098B428BE6F44D4233972274F95243D28B16AAD5FEE03F74282EE8BAFC
SHA-512:	E4CDDB2C3BE983319831C7405C265BBC1D1FFF46CA782178D391C34C9E7D4B102EEC68505E648A2932C889FEC2BF368C0FAD73A1BADCB6ECFACF3E6E152CA676
Malicious:	false
Reputation:	low
Preview:	Enter the element of matrix A:

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	5.4934523510370195
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan-Downloader.8862.17468.exe
File size:	42'131 bytes
MD5:	99e6eb18c870372dd39f1f3e491f91b1
SHA1:	3248418514e5a21f66cb43b8eef1be5925177bde
SHA256:	34a1b86d7355b5effffa36faa80c432a86f4ba6b3164cb35f5abe0d65cfbfa4d
SHA512:	a6aa188f57679fb8f9f4bd411439d4d213a6b7b3dd4164ca10a6d5133b97aceb4188340c62514ddb1307702a2b70faea21eb9d377988085750af9db3941eadc6
SSDEEP:	768:3YOEz+OJApuvBkBsMPP3lLuzZPKqhLJrMb9Lqp1m:33OQ0MPP3lLuBZh94bMp1m
TLSH:	03132959BE254CFBE652533E84E7C7762B3CF1814A235B73BB30B7305B236922099256
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..e.t...................J...............@....@.................................;......... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4012e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x65C4A823 [Thu Feb 8 10:08:35 2024 UTC]
TLS Callbacks:	0x401c30, 0x401be0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56c331205a2e6363b4ccdec1da40351f

Entrypoint Preview

Instruction
sub esp, 1Ch
mov dword ptr [esp], 00000001h
call dword ptr [004081A4h]
call 00007F280D067A40h
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
sub esp, 1Ch
mov dword ptr [esp], 00000002h
call dword ptr [004081A4h]
call 00007F280D067A20h
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
jmp dword ptr [004081D0h]
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
jmp dword ptr [004081C0h]
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push esi
push ebx
sub esp, 10h
mov dword ptr [esp], 00405000h
call 00007F280D06A579h
sub esp, 04h
test eax, eax
je 00007F280D067C37h
mov dword ptr [esp], 00405000h
mov ebx, eax
call 00007F280D06A540h
sub esp, 04h
mov dword ptr [0040706Ch], eax
mov dword ptr [esp+04h], 00405013h
mov dword ptr [esp], ebx
call 00007F280D06A540h
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00405029h
mov dword ptr [esp], ebx
call 00007F280D06A52Bh
sub esp, 08h
mov dword ptr [00404000h], eax
test esi, esi
je 00007F280D067B93h
mov dword ptr [eax+eax+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8000	0x610	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa004	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8138	0xe8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2dd4	0x2e00	5cbe7e759756a71f646c0fcf1e05ce36	False	0.5927309782608695	data	6.1538599317700875	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4000	0x1c	0x200	d89f9efdf44dfc0fef0f600a751cae91	False	0.06640625	data	0.22238947047324953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5000	0x334	0x400	1f6c8c301177286fa2ea6e6996103a5d	False	0.287109375	data	4.3307263094543105	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
/4	0x6000	0x9a4	0xa00	2ef5bb8b8d5d8f69a9f4d2a746a02ebd	False	0.40234375	data	4.737333206976317	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x7000	0x70	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x610	0x800	4683f9bb6e8c63dd4e8f793abfb8b73e	False	0.3466796875	data	3.852133765200072	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x9000	0x18	0x200	17d084ee7451e1c529b6e85ffe0e484e	False	0.046875	data	0.11836963125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xa000	0x20	0x200	f7a419142b47f1a6560b6d595ae80d75	False	0.05859375	data	0.22482003450968063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/14	0xb000	0x38	0x200	5fd56bc0994aea5b06b96c32ceb28153	False	0.068359375	Matlab v4 mat-file (little endian) *, rows 2, columns 262144	0.2162069074398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/29	0xc000	0x1cff	0x1e00	9dd3ed288bbcdbfc9f8a3e8efe1d4937	False	0.458984375	data	5.767661662979606	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/41	0xe000	0x12f	0x200	0f209b8eeedb4402bcc92889fdf74aaa	False	0.361328125	data	3.0440842995585107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/55	0xf000	0x1c8	0x200	3ad1a8bd3879141b28ddd7918aebccb9	False	0.462890625	data	4.31030910283884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/67	0x10000	0x38	0x200	be5fe801bf243a22e4111b7e3e8a7fe3	False	0.1171875	data	0.6745765448489234	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetLastError, GetModuleHandleA, GetProcAddress, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, SetUnhandledExceptionFilter, TlsGetValue, VirtualProtect, VirtualQuery
msvcrt.dll	_getch, _strdup, _stricoll
msvcrt.dll	__getmainargs, __mb_cur_max, __p__environ, __p__fmode, __set_app_type, _cexit, _errno, _fpreset, _fullpath, _iob, _isctype, _onexit, _pctype, _setmode, abort, atexit, calloc, free, fwrite, malloc, mbstowcs, memcpy, printf, putchar, puts, realloc, scanf, setlocale, signal, strcoll, strlen, tolower, vfprintf, wcstombs

Target ID:	0
Start time:	23:26:54
Start date:	28/03/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe"
Imagebase:	0x400000
File size:	42'131 bytes
MD5 hash:	99E6EB18C870372DD39F1F3E491F91B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	23:26:54
Start date:	28/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.4%
Total number of Nodes:	535
Total number of Limit Nodes:	16

Executed Functions

Function 00403740 Relevance: 12.1, APIs: 8, Instructions: 64
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32 ref: 00403755
_errno.MSVCRT ref: 004037BE
GetLastError.KERNEL32 ref: 004037C5
_errno.MSVCRT ref: 004037D1
_errno.MSVCRT ref: 004037DE
_errno.MSVCRT ref: 004037E8

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _errno$ErrorFileFindFirstLast
String ID:
API String ID: 2068755524-0
Opcode ID: 6065e16887977d959ba446ceeb7a6ab7c81ace2f1ae18caa5962314715c5d684
Instruction ID: 1d17b7681d177df455f3f1dc273843f1f50ae7a7502d0f7e8a06dd6acde50feb
Opcode Fuzzy Hash: 6065e16887977d959ba446ceeb7a6ab7c81ace2f1ae18caa5962314715c5d684
Instruction Fuzzy Hash: 6C110DF51082108AEB10AF75D8813A67F98AF41346F14847BE451EF3C2D27D8645C3B6

Uniqueness

Uniqueness Score: -1.00%

Function 004011B0 Relevance: 12.1, APIs: 8, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,004012F5), ref: 004011E3
_setmode.MSVCRT ref: 00401220
_setmode.MSVCRT ref: 00401234
_setmode.MSVCRT ref: 00401248
__p__fmode.MSVCRT ref: 0040124D
__p__environ.MSVCRT ref: 00401267
_cexit.MSVCRT ref: 0040128A
ExitProcess.KERNEL32(?,?,?,?,?,004012F5), ref: 00401292

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__p__environ__p__fmode_cexit
String ID:
API String ID: 3476844589-0
Opcode ID: bc8c1e66f09b0931d7dd195dcaa60a323bbe3d20910e0d7d1c1d24e5f5cbd8eb
Instruction ID: cc34db2bdfaa55d26d79c29d544db5e231f1e39a8984247bbb583bf4e851bc86
Opcode Fuzzy Hash: bc8c1e66f09b0931d7dd195dcaa60a323bbe3d20910e0d7d1c1d24e5f5cbd8eb
Instruction Fuzzy Hash: 6121FAB59087009FD700FF79D58560A7BE4BF49748F00893EF984F73A2D638A9408B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00402960 Relevance: 40.9, APIs: 22, Strings: 1, Instructions: 645stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00402980
memcpy.MSVCRT ref: 004029A7

Part of subcall function 00403340: setlocale.MSVCRT ref: 00403358
Part of subcall function 00403340: _strdup.MSVCRT ref: 00403366
Part of subcall function 00403340: setlocale.MSVCRT ref: 0040337C
Part of subcall function 00403340: wcstombs.MSVCRT ref: 004033A7
Part of subcall function 00403340: realloc.MSVCRT ref: 004033BB
Part of subcall function 00403340: wcstombs.MSVCRT ref: 004033D4
Part of subcall function 00403340: setlocale.MSVCRT ref: 004033E4
Part of subcall function 00403340: free.MSVCRT ref: 004033EC

Part of subcall function 00402360: malloc.MSVCRT ref: 0040237B

strlen.MSVCRT ref: 00402CD6
strlen.MSVCRT ref: 00402EC6
_strdup.MSVCRT ref: 00402F10

Part of subcall function 00402960: strlen.MSVCRT ref: 00402A31

Strings

\, xrefs: 0040310E

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: strlen$setlocale$_strdupwcstombs$freemallocmemcpyrealloc
String ID: \
API String ID: 3818432545-2967466578
Opcode ID: d254b9f817a2bcdcc832043df61dec7398999cc28db53cc347704f5b257f651f
Instruction ID: 671ef5f6b5ae1afef096c624a78a6bef2a646ecf7b4523d2d9aec984ecb265f7
Opcode Fuzzy Hash: d254b9f817a2bcdcc832043df61dec7398999cc28db53cc347704f5b257f651f
Instruction Fuzzy Hash: EE42C171E082558FDB10DFA9C1883AEBBF1AF44304F18807BE885BB3C1D37999429B95

Uniqueness

Uniqueness Score: -1.00%

Function 00403340 Relevance: 27.3, APIs: 18, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setlocale.MSVCRT ref: 00403358
_strdup.MSVCRT ref: 00403366
setlocale.MSVCRT ref: 0040337C
wcstombs.MSVCRT ref: 004033A7
realloc.MSVCRT ref: 004033BB
wcstombs.MSVCRT ref: 004033D4
setlocale.MSVCRT ref: 004033E4
free.MSVCRT ref: 004033EC
mbstowcs.MSVCRT ref: 0040341A
mbstowcs.MSVCRT ref: 00403444
wcstombs.MSVCRT ref: 00403533
realloc.MSVCRT ref: 0040354A
wcstombs.MSVCRT ref: 00403564
wcstombs.MSVCRT ref: 0040361F
setlocale.MSVCRT ref: 0040363B
free.MSVCRT ref: 00403643
setlocale.MSVCRT ref: 004036AB
free.MSVCRT ref: 004036B3

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: setlocalewcstombs$free$mbstowcsrealloc$_strdup
String ID:
API String ID: 2891164732-0
Opcode ID: 842cec03313bb9a768754cf361a167b3bc9370abfea6f28439ccfa7d5dfaf393
Instruction ID: b8db9ef4120310223e4f0c8ba590ae7914f320c6de6de4b4764861e7f51f1b6e
Opcode Fuzzy Hash: 842cec03313bb9a768754cf361a167b3bc9370abfea6f28439ccfa7d5dfaf393
Instruction Fuzzy Hash: 3EB1C3709042259ACB24AF65C44527BFFF9EF54706F44843FE884BB391E3399A85C78A

Uniqueness

Uniqueness Score: -1.00%

Function 00401460 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

printf.MSVCRT ref: 00401478
printf.MSVCRT ref: 004014F4
scanf.MSVCRT ref: 0040153D
puts.MSVCRT ref: 00401602
printf.MSVCRT ref: 00401646
putchar.MSVCRT ref: 00401664
_getch.MSVCRT ref: 0040167B

Strings

Enter the element of matrix A: , xrefs: 00401471
Addition of two matrices is, xrefs: 004015FB
%d, xrefs: 0040163F
Enter the element of matrix B: , xrefs: 004014ED

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: printf$_getchputcharputsscanf
String ID: %d$Addition of two matrices is$Enter the element of matrix A: $Enter the element of matrix B:
API String ID: 1626964533-1635575425
Opcode ID: 12d43d35ee0bd4b21a615cfa3b273a351d1a9835eff8d03e87a0fa7bb2d57a52
Instruction ID: 0f936875b1b060473c74d03a11f0d853f708935b9433a9e4fc109f0080084346
Opcode Fuzzy Hash: 12d43d35ee0bd4b21a615cfa3b273a351d1a9835eff8d03e87a0fa7bb2d57a52
Instruction Fuzzy Hash: BD51E271708340DFD3749F49C84679BB6E1AFC6318F29C82E94C9E6290D67884898F5B

Uniqueness

Uniqueness Score: -1.00%

Function 00401690 Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 257
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 004016A6
strlen.MSVCRT ref: 004016B3

Strings

', xrefs: 0040190D
@, xrefs: 00401870
*, xrefs: 00401725
", xrefs: 0040172E
?, xrefs: 0040170D
\, xrefs: 004017D0
', xrefs: 0040171C
[, xrefs: 004017E2

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CommandLinestrlen
String ID: "$'$'$*$?$@$[$\
API String ID: 3702654222-871974141
Opcode ID: 1630d56af8fe825cb52b746c05e3e4fb3716930e96fbea616a6e41b4f1dfe627
Instruction ID: 591ae76485eb7b8a5aae4190c7b4819bd8dd7253fb8f02e9b76f0748732428d7
Opcode Fuzzy Hash: 1630d56af8fe825cb52b746c05e3e4fb3716930e96fbea616a6e41b4f1dfe627
Instruction Fuzzy Hash: EAA1B071A18305CFDB15CF68C8447AEBBE2BB44344F18853AE845F73A1E7389945CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004031F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

glob-1.0-mingw32, xrefs: 0040320E, 0040321D

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: glob-1.0-mingw32
API String ID: 0-3253302226
Opcode ID: 680acc8efdb5f26930de6df637e7e16ccdffa9684d376cd8aa0efc8f562424ed
Instruction ID: 9b6625b1beadd874c166757b1fcabbc8dac9a67ed8a5df1ccf95d766dfdead67
Opcode Fuzzy Hash: 680acc8efdb5f26930de6df637e7e16ccdffa9684d376cd8aa0efc8f562424ed
Instruction Fuzzy Hash: D5219FB2E042148BCB109FA988452AEBFB9EF85301F0484BFD84177381D77C9A41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00403810 Relevance: 4.6, APIs: 3, Instructions: 53
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileA.KERNEL32 ref: 00403825
GetLastError.KERNEL32 ref: 00403892
_errno.MSVCRT ref: 0040389C

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileFindLastNext_errno
String ID:
API String ID: 2804278807-0
Opcode ID: 14ada7d36821330d4adb80cf875026dcd964a13f817f57457775d3ee5a20c034
Instruction ID: 289a74dd08d723566d0560508b3de26646d88688c5a2a5ee1807a2dab1f2fb5c
Opcode Fuzzy Hash: 14ada7d36821330d4adb80cf875026dcd964a13f817f57457775d3ee5a20c034
Instruction Fuzzy Hash: 440188725042504BDF50AF79ACC12A6BBD4AF41756F08C8BBE858DE386E23DC948C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 00403AD0 Relevance: 4.5, APIs: 3, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindClose.KERNEL32(?,?,?,?,?,00402F5B), ref: 00403AE5
free.MSVCRT(?,?,?,?,?,?,00402F5B), ref: 00403AF4
_errno.MSVCRT ref: 00403B00

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseFind_errnofree
String ID:
API String ID: 1660445202-0
Opcode ID: eecca25b770a738e83ff0b1e74635ec2342580d001e20752e53b2817692bb7d4
Instruction ID: 17f20279e9d7b349f04075f4cc6b87f495ac3ef6c2a517f0ef329dcf35a79c67
Opcode Fuzzy Hash: eecca25b770a738e83ff0b1e74635ec2342580d001e20752e53b2817692bb7d4
Instruction Fuzzy Hash: C7E04F716042004BD7007F7588827173EA86F00319F000A7EE890AB2C3E77C96448696

Uniqueness

Uniqueness Score: -1.00%

Function 004012E0 Relevance: 3.0, APIs: 2, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 004012EA

Part of subcall function 004011B0: SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,004012F5), ref: 004011E3
Part of subcall function 004011B0: _setmode.MSVCRT ref: 00401220
Part of subcall function 004011B0: _setmode.MSVCRT ref: 00401234
Part of subcall function 004011B0: _setmode.MSVCRT ref: 00401248
Part of subcall function 004011B0: __p__fmode.MSVCRT ref: 0040124D
Part of subcall function 004011B0: __p__environ.MSVCRT ref: 00401267
Part of subcall function 004011B0: _cexit.MSVCRT ref: 0040128A
Part of subcall function 004011B0: ExitProcess.KERNEL32(?,?,?,?,?,004012F5), ref: 00401292

__set_app_type.MSVCRT ref: 0040130A

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _setmode$__set_app_type$ExceptionExitFilterProcessUnhandled__p__environ__p__fmode_cexit
String ID:
API String ID: 2461648636-0
Opcode ID: 4f2a6a6c2dbb4742eff141a9edd744cfa2f4a8b8e8b533109d40fc2ce58dc959
Instruction ID: 14ef5bbc4013a3bb529eb038fc4242e813a41595c16fb46b3ef901d9de0fdf76
Opcode Fuzzy Hash: 4f2a6a6c2dbb4742eff141a9edd744cfa2f4a8b8e8b533109d40fc2ce58dc959
Instruction Fuzzy Hash: E7D04C314005118FD7047F64CA06399B774BF04304F45062CD5953B051CBB835568BD9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401340 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 58
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0040134F
LoadLibraryA.KERNEL32 ref: 00401368
GetProcAddress.KERNEL32 ref: 00401380
GetProcAddress.KERNEL32 ref: 00401395
GetModuleHandleA.KERNEL32 ref: 004013C7
GetProcAddress.KERNEL32 ref: 004013E3
atexit.MSVCRT ref: 00401401

Strings

libgcj-16.dll, xrefs: 004013C0
__register_frame_info, xrefs: 00401375
_Jv_RegisterClasses, xrefs: 004013D8
libgcc_s_dw2-1.dll, xrefs: 00401348, 0040135F
__deregister_frame_info, xrefs: 0040138A

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule$LibraryLoadatexit
String ID: _Jv_RegisterClasses$__deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll$libgcj-16.dll
API String ID: 2016387483-548026336
Opcode ID: c704f1be39f1e37c1d383a94129219c5346b1fb09e334ada66df5bd6c05bddc1
Instruction ID: 6c7b7aa4c45bae774636915f4c02217523ef55571564832312475bcbfc6dd809
Opcode Fuzzy Hash: c704f1be39f1e37c1d383a94129219c5346b1fb09e334ada66df5bd6c05bddc1
Instruction Fuzzy Hash: 9C114CB18047008AD700BF79A95531FBEE8EF80748F41893FD9847B6A5E77C85489B9B

Uniqueness

Uniqueness Score: -1.00%

Function 00401A30 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c109b914e246866c18af00eae8f597a565d5c7776f425b395473f41a8873c9e7
Instruction ID: 52ef34c4338b48cac8443578fbfb313151a4eab097be7f4b1653fdafb6699387
Opcode Fuzzy Hash: c109b914e246866c18af00eae8f597a565d5c7776f425b395473f41a8873c9e7
Instruction Fuzzy Hash: 3921B438A1930206F375855D4984B9765A6A748314F148B3DDD48E23F5E7BDDC94D60C

Uniqueness

Uniqueness Score: -1.00%

Function 00401F00 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 84
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 00401F2C
vfprintf.MSVCRT ref: 00401F40
abort.MSVCRT(?,?,?,00400000,?,00402040), ref: 00401F45
VirtualQuery.KERNEL32 ref: 00401F70
memcpy.MSVCRT ref: 00401F99
VirtualProtect.KERNEL32 ref: 00401FCF
memcpy.MSVCRT ref: 00401FEA
VirtualProtect.KERNEL32 ref: 00402018

Strings

Mingw runtime failure:, xrefs: 00401F1E
@, xrefs: 00401FB8

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$Protectmemcpy$Queryabortfwritevfprintf
String ID: @$Mingw runtime failure:
API String ID: 978211760-2549925133
Opcode ID: 63cb5d4d9c49b31943c7cabe371228aac632c333256667df449ee8983d4b2439
Instruction ID: 949fb00c6dd0f9b2eef533ffb8d5a47ea5e5b80155e9735439ee40d307d8d258
Opcode Fuzzy Hash: 63cb5d4d9c49b31943c7cabe371228aac632c333256667df449ee8983d4b2439
Instruction Fuzzy Hash: 7C31E2B5908301ABD300EF2AD18451FBFE8FF88758F51892EF488A7351D378D9448B86

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 12.1, APIs: 8, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

signal.MSVCRT ref: 00401033
signal.MSVCRT ref: 00401088
signal.MSVCRT ref: 0040110A
signal.MSVCRT ref: 00401198

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 7a0068215a308f4732318d69c05a4b8ceef0cd86b93fb0489289c140bef6a384
Instruction ID: 6d751a4b22520b5f96daf2b980fc81a6c377f0741ed6e71d6ac997525177e5ce
Opcode Fuzzy Hash: 7a0068215a308f4732318d69c05a4b8ceef0cd86b93fb0489289c140bef6a384
Instruction Fuzzy Hash: 8531EC701082409AE7207F68854032F7AD4BF46368F114A2FE4E9E76E1C7BE89C49B5B

Uniqueness

Uniqueness Score: -1.00%

Function 004038C0 Relevance: 10.6, APIs: 7, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fullpath.MSVCRT ref: 004038F5
malloc.MSVCRT ref: 004039BC
memcpy.MSVCRT ref: 004039DF
_errno.MSVCRT ref: 00403A40
_errno.MSVCRT ref: 00403A5C

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _errno$_fullpathmallocmemcpy
String ID:
API String ID: 3274612330-0
Opcode ID: 80bf99418ccf6c991d114150a8d08ad12fb6cfa4f4960c761e34034eb3845287
Instruction ID: 02b346d9af18bab043850609542a31bc54b8d4c529629321441929d5ac3935cd
Opcode Fuzzy Hash: 80bf99418ccf6c991d114150a8d08ad12fb6cfa4f4960c761e34034eb3845287
Instruction Fuzzy Hash: 1241B2712446008BE7149F29C8423ABBFD9EF81306F08457ED8C5E73D5D6BC9A49CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00402A59 Relevance: 9.2, APIs: 6, Instructions: 173
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00402B0E
memcpy.MSVCRT ref: 00402BA9
strlen.MSVCRT ref: 00402BB1
_strdup.MSVCRT ref: 00402BFC
strcoll.MSVCRT ref: 00402C43
_stricoll.MSVCRT ref: 00402C65
malloc.MSVCRT ref: 00402C86
free.MSVCRT ref: 00402FCA
malloc.MSVCRT ref: 004030EC

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: mallocstrlen$_strdup_stricollfreememcpystrcoll
String ID:
API String ID: 248952651-0
Opcode ID: d8754236ed8e364691b84d2c88c9f80e423247d17623405b245f4231c0212f30
Instruction ID: 08a0fd8c2e5ca12b7bdeaef617f604f1b7e7ee5ac1f6481a1200751a95de282c
Opcode Fuzzy Hash: d8754236ed8e364691b84d2c88c9f80e423247d17623405b245f4231c0212f30
Instruction Fuzzy Hash: 3F61AE71A046158FDB10DFA9C5887AEBBF5AF44344F08846AE884FB3C5E778E942CB45

Uniqueness

Uniqueness Score: -1.00%

Function 004023D0 Relevance: 7.7, APIs: 6, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

tolower.MSVCRT ref: 00402465
tolower.MSVCRT ref: 00402473
tolower.MSVCRT ref: 0040250E
tolower.MSVCRT ref: 0040251C

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: tolower
String ID:
API String ID: 3025214199-0
Opcode ID: 6719ac4daa759019d79bfce8ce04f3372a78dc03506be0be376abf6b3b0c1063
Instruction ID: a81fc12b9ee1c7063405177c8739200d7760df72685fdf90ced3215254d2fe7a
Opcode Fuzzy Hash: 6719ac4daa759019d79bfce8ce04f3372a78dc03506be0be376abf6b3b0c1063
Instruction Fuzzy Hash: EE61497290C7715BC7208E199A98237B7D2AB95308F19053BDCD8B73C1E2BEDD06468E

Uniqueness

Uniqueness Score: -1.00%

Function 00402F97 Relevance: 7.6, APIs: 5, Instructions: 116stringCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00402BA9
strlen.MSVCRT ref: 00402BB1
_strdup.MSVCRT ref: 00402BFC
_stricoll.MSVCRT ref: 00402C65

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _strdup_stricollmemcpystrlen
String ID:
API String ID: 2607129539-0
Opcode ID: 9018d6cf707ffdf8f07b661f52ffb291c681b2810a7b69c682a24e1c64297ada
Instruction ID: d71dd7615fda14a95ef3b29b4518fc98d20dfa3179d7bc44472367c9f757130e
Opcode Fuzzy Hash: 9018d6cf707ffdf8f07b661f52ffb291c681b2810a7b69c682a24e1c64297ada
Instruction Fuzzy Hash: 10419972A042168FEB10DF65C58476EBBF4AF84344F08843EE849E7385E7B8E9418B45

Uniqueness

Uniqueness Score: -1.00%

Function 00403499 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

wcstombs.MSVCRT ref: 004033A7
realloc.MSVCRT ref: 004033BB
wcstombs.MSVCRT ref: 004033D4
setlocale.MSVCRT ref: 004033E4
free.MSVCRT ref: 004033EC
wcstombs.MSVCRT ref: 00403533
realloc.MSVCRT ref: 0040354A
wcstombs.MSVCRT ref: 00403564
setlocale.MSVCRT ref: 0040363B
free.MSVCRT ref: 00403643

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: wcstombs$freereallocsetlocale
String ID:
API String ID: 3931877334-0
Opcode ID: 95925751906ea966532d4c5daf27802f654785aaf8b3a49df95e5109afa0b982
Instruction ID: 01481f6565fbb979d07ef51ab7fce0d251f4b462bffd751db3137c099cdbb841
Opcode Fuzzy Hash: 95925751906ea966532d4c5daf27802f654785aaf8b3a49df95e5109afa0b982
Instruction Fuzzy Hash: 342191719042218AC724AF25C04127BFBF5EF54742F45847FD488BB395E33D4A45CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00401FCF
memcpy.MSVCRT ref: 00401FEA
VirtualProtect.KERNEL32 ref: 00402018

Strings

@, xrefs: 00401FB8

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual$memcpy
String ID: @
API String ID: 1565840913-2766056989
Opcode ID: 8d252d25fe1c20e18a0e9059222ddfbadd53fe7b677d0296d521c2b5e1af80c6
Instruction ID: 1515267de7205155f00f6b89abbb6998ce5e0b3f8fe5bf111ce5678d567db4fa
Opcode Fuzzy Hash: 8d252d25fe1c20e18a0e9059222ddfbadd53fe7b677d0296d521c2b5e1af80c6
Instruction Fuzzy Hash: B2019EB5A09305AFD300EF29C18451EFBE4BBC8748F508D2EF498A3355D238EA448F86

Uniqueness

Uniqueness Score: -1.00%

Function 00401F50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00401F70
memcpy.MSVCRT ref: 00401F99
VirtualProtect.KERNEL32 ref: 00401FCF
memcpy.MSVCRT ref: 00401FEA
VirtualProtect.KERNEL32 ref: 00402018

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00402034

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$Protectmemcpy$Query
String ID: VirtualQuery failed for %d bytes at address %p
API String ID: 228986436-2206166143
Opcode ID: f62dac0b9a3062a423fa3c163e80d535b95fe3e206b7b59b5cb10d34fba3f95c
Instruction ID: 34d4f9c65f6a2e62e0752d28737b077b0a2ff2b46a6ceaf3c835014f57e5dca2
Opcode Fuzzy Hash: f62dac0b9a3062a423fa3c163e80d535b95fe3e206b7b59b5cb10d34fba3f95c
Instruction Fuzzy Hash: 31F06DB15083019AE700AF2AD58461FBEE8AF85788F44883FF588E7390D778C844CA56

Uniqueness

Uniqueness Score: -1.00%

Function 00401DB2 Relevance: 5.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00401DE7
free.MSVCRT ref: 00401E39
LeaveCriticalSection.KERNEL32 ref: 00401E45

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: ce89cf8867c83ee85bf93860b8b68e9c2f5707871ded9d6f50f470d8c8619972
Instruction ID: 8a1e2841a1e5dee81b6bf65f3e5ed8008b88dbbaf0e603b2087b64a219312124
Opcode Fuzzy Hash: ce89cf8867c83ee85bf93860b8b68e9c2f5707871ded9d6f50f470d8c8619972
Instruction Fuzzy Hash: 7F015EB1A082018BD700FF78C48161AB7E5BB40344F54467AE949B7392E738A9558BDB

Uniqueness

Uniqueness Score: -1.00%

Function 00401CD0 Relevance: 5.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00401EF5,?,?,?,?,?,?,00401C18), ref: 00401CDC
TlsGetValue.KERNEL32(?,?,?,?,?,00401EF5,?,?,?,?,?,?,00401C18), ref: 00401CF5
GetLastError.KERNEL32(?,?,?,?,?,?,00401EF5,?,?,?,?,?,?,00401C18), ref: 00401CFF
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00401EF5,?,?,?,?,?,?,00401C18), ref: 00401D22

Memory Dump Source

Source File: 00000000.00000002.2865434871.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2865422523.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865448416.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865461002.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2865475171.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 09253a92432b929bdf472611891abed093f068ec65f6174facd7f73ca65bdbcd
Instruction ID: 967e7495848f225d727a210b3cb25ece8d10fa3814ced657effa8d026b94d064
Opcode Fuzzy Hash: 09253a92432b929bdf472611891abed093f068ec65f6174facd7f73ca65bdbcd
Instruction Fuzzy Hash: F7F0BEF19082505BDB00BFB995C261B7AA85E00304F05017EED807B397E73CEE04C6AB

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Trojan-Downloader.8862.17468.exePID: 7416, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 7424, Parent PID: 7416

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.Trojan-Downloader.8862.17468.exePID: 7416, Parent PID: 2580COMMON

Execution Graph

Graph

Executed Functions

Function 00403740 Relevance: 12.1, APIs: 8, Instructions: 64fileCOMMON

Control-flow Graph

Windows Analysis Report
SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Function 00403740 Relevance: 12.1, APIs: 8, Instructions: 64
fileCOMMON

Function 004011B0 Relevance: 12.1, APIs: 8, Instructions: 59
COMMON

Function 00403340 Relevance: 27.3, APIs: 18, Instructions: 272
COMMON

Function 00401460 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 113
COMMON

Function 00401690 Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 257
stringCOMMON

Function 004031F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Function 00403810 Relevance: 4.6, APIs: 3, Instructions: 53
fileCOMMON

Function 00403AD0 Relevance: 4.5, APIs: 3, Instructions: 21
COMMON

Function 004012E0 Relevance: 3.0, APIs: 2, Instructions: 12
COMMON

Function 00401340 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 58
libraryloaderCOMMON

Function 00401F00 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 84
memoryfileCOMMON

Function 00401000 Relevance: 12.1, APIs: 8, Instructions: 82
COMMON

Function 004038C0 Relevance: 10.6, APIs: 7, Instructions: 121
COMMON

Function 00402A59 Relevance: 9.2, APIs: 6, Instructions: 173
stringCOMMON

Function 004023D0 Relevance: 7.7, APIs: 6, Instructions: 219
COMMON