Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.Win32.647.23647.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.Win32.647.23647.exe
Analysis ID:	1417316
MD5:	5da5d327d44645e0f3eb50b13a562927
SHA1:	a75c81577273a8636241299f5f28af46e524250a
SHA256:	aa2d947e869e13f0f09bc5762690f56967e03392f9720d83f03b67601958cd7b
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses 32bit PE files

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.Win32.647.23647.exe (PID: 4456 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe" MD5: 5DA5D327D44645E0F3EB50B13A562927)

conhost.exe (PID: 2624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe

ReversingLabs: Detection: 18%

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe

Code function: 0_2_004035C0 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,

0_2_004035C0

Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe

Static PE information: Number of sections : 13 > 10

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe

Section loaded: apphelp.dll

Jump to behavior

Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal52.winEXE@2/1@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2624:120:WilError_03

Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe

Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit,

0_2_00401340

Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe	Static PE information: section name: /4
Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe	Static PE information: section name: /14
Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe	Static PE information: section name: /29
Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe	Static PE information: section name: /41
Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe	Static PE information: section name: /55
Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe	Static PE information: section name: /67

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe

Code function: 0_2_004035C0 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,

0_2_004035C0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe

API call chain: ExitProcess graph end node

graph_0-2179

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe

Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit,

0_2_00401340

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe

Code function: 0_2_004011B0 SetUnhandledExceptionFilter,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,

0_2_004011B0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe

Code function: 0_2_004018B0 cpuid

0_2_004018B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	11 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.Win32.647.23647.exe	18%	ReversingLabs
SecuriteInfo.com.Trojan.Win32.647.23647.exe	100%	Joe Sandbox ML

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417316
Start date and time:	2024-03-28 23:26:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.Win32.647.23647.exe
Detection:	MAL
Classification:	mal52.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 10 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Trojan.Win32.647.23647.exe

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.7849418274376423
Encrypted:	false
SSDEEP:	3:ORyKX5lFov:OgKJfy
MD5:	F4480AD20ADAD31BFF18944B191D437D
SHA1:	E5C31ABBC0C9209E4C1E033EE2FC674F83DFC7B4
SHA-256:	A788B23643C585A49C9CCB466602AD480D621FDBA38E8F848AF6B0AEFF4B35A7
SHA-512:	52373444EC6D59152D9CE069E771AE87266F150A42D42D8275ED6AC474E7B42400EC9A23F5FEB311C20BA7B4BBD13CE48455F48C5C5A7521C8EE0B0D7F271B18
Malicious:	false
Reputation:	low
Preview:	Enter Your marks : ..

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	5.503082078649661
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.Win32.647.23647.exe
File size:	41'532 bytes
MD5:	5da5d327d44645e0f3eb50b13a562927
SHA1:	a75c81577273a8636241299f5f28af46e524250a
SHA256:	aa2d947e869e13f0f09bc5762690f56967e03392f9720d83f03b67601958cd7b
SHA512:	155974b1aabe9a1f1381bf0f01e10c7c08e5b37a52900440b862d2dfabc70f4272aeabbb059f25e779c3cdd9fd72bfe8d6d25bb6ddc8654dc3bcc07832b787a3
SSDEEP:	768:T9yEQ+O9qhwfJPP3lLuzZPKqfgSpo7TEpOm:TNO7fJPP3lLuBZfvoMpOm
TLSH:	0A132B59BE254CE7EA52533E90E7C7762B3CF1814A2357B3BB30F7345B236922099246
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`Se.r...................H...............@....@..................................!........ ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4012e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x655360C1 [Tue Nov 14 11:57:53 2023 UTC]
TLS Callbacks:	0x401ab0, 0x401a60
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	26b67a10d8c2bb0006e66dce8bce4de4

Entrypoint Preview

Instruction
sub esp, 1Ch
mov dword ptr [esp], 00000001h
call dword ptr [004081A0h]
call 00007FC67CC4BEE0h
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
sub esp, 1Ch
mov dword ptr [esp], 00000002h
call dword ptr [004081A0h]
call 00007FC67CC4BEC0h
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
jmp dword ptr [004081CCh]
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
jmp dword ptr [004081BCh]
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push esi
push ebx
sub esp, 10h
mov dword ptr [esp], 00405000h
call 00007FC67CC4E891h
sub esp, 04h
test eax, eax
je 00007FC67CC4C0D7h
mov dword ptr [esp], 00405000h
mov ebx, eax
call 00007FC67CC4E858h
sub esp, 04h
mov dword ptr [0040706Ch], eax
mov dword ptr [esp+04h], 00405013h
mov dword ptr [esp], ebx
call 00007FC67CC4E858h
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00405029h
mov dword ptr [esp], ebx
call 00007FC67CC4E843h
sub esp, 08h
mov dword ptr [00404000h], eax
test esi, esi
je 00007FC67CC4C033h
mov dword ptr [eax+eax+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8000	0x5fc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa004	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8134	0xe4	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c44	0x2e00	7e44456434b13387b3cdd5516472f9d4	False	0.5824558423913043	data	6.056359577312629	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4000	0x1c	0x200	aa0c67885995cb2f131fee901ab81215	False	0.064453125	data	0.2170088308205865	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5000	0x348	0x400	5fec0274a0d878017b2ed5d1f6182432	False	0.2890625	data	4.427614253673753	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
/4	0x6000	0x9a4	0xa00	a4c1816ef572f540837a6cfc50427d20	False	0.403125	data	4.7433180021581185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x7000	0x70	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x5fc	0x600	7dac5c2460eaadba57421c19881ec332	False	0.455078125	data	4.672867796055926	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x9000	0x18	0x200	fce7bf42962f0498d618cd11fcfcd656	False	0.04296875	data	0.11446338125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xa000	0x20	0x200	f7a419142b47f1a6560b6d595ae80d75	False	0.05859375	data	0.22482003450968063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/14	0xb000	0x38	0x200	a034497a547445685ba164e554dc6554	False	0.068359375	Matlab v4 mat-file (little endian) *, rows 2, columns 262144	0.2162069074398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/29	0xc000	0x1cff	0x1e00	53cb59d25d60be4bbfab895e53a06ba9	False	0.4591145833333333	data	5.766420282091756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/41	0xe000	0x12f	0x200	0f209b8eeedb4402bcc92889fdf74aaa	False	0.361328125	data	3.0440842995585107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/55	0xf000	0x1c8	0x200	6c09e0eb7c561a751ad2952f47d39462	False	0.466796875	data	4.317359181890475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/67	0x10000	0x38	0x200	734d11dce143bc9d2ed59f25f83dbd10	False	0.1171875	data	0.6745765448489234	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetLastError, GetModuleHandleA, GetProcAddress, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, SetUnhandledExceptionFilter, TlsGetValue, VirtualProtect, VirtualQuery
msvcrt.dll	_getch, _strdup, _stricoll
msvcrt.dll	__getmainargs, __mb_cur_max, __p__environ, __p__fmode, __set_app_type, _cexit, _errno, _fpreset, _fullpath, _iob, _isctype, _onexit, _pctype, _setmode, abort, atexit, calloc, free, fwrite, malloc, mbstowcs, memcpy, printf, puts, realloc, scanf, setlocale, signal, strcoll, strlen, tolower, vfprintf, wcstombs

Target ID:	0
Start time:	23:26:55
Start date:	28/03/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe"
Imagebase:	0x400000
File size:	41'532 bytes
MD5 hash:	5DA5D327D44645E0F3EB50B13A562927
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	23:26:55
Start date:	28/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.5%
Total number of Nodes:	525
Total number of Limit Nodes:	17

Executed Functions

Function 004035C0 Relevance: 12.1, APIs: 8, Instructions: 64
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32 ref: 004035D5
_errno.MSVCRT ref: 0040363E
GetLastError.KERNEL32 ref: 00403645
_errno.MSVCRT ref: 00403651
_errno.MSVCRT ref: 0040365E
_errno.MSVCRT ref: 00403668

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _errno$ErrorFileFindFirstLast
String ID:
API String ID: 2068755524-0
Opcode ID: 669f1757dc3b3fc43b26ff937e4f10940cf2c93c3446a07653364a7d88f5781a
Instruction ID: 371098f65dc1a003ad173e09b32eff5aa51a7c338e23a89b072d8afb899e72e3
Opcode Fuzzy Hash: 669f1757dc3b3fc43b26ff937e4f10940cf2c93c3446a07653364a7d88f5781a
Instruction Fuzzy Hash: BC11C370504281AADB20AF6598813A67FA89F0230AF14497BE455EF3C2D23D8A45C77A

Uniqueness

Uniqueness Score: -1.00%

Function 004011B0 Relevance: 12.1, APIs: 8, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,004012F5), ref: 004011E3
_setmode.MSVCRT ref: 00401220
_setmode.MSVCRT ref: 00401234
_setmode.MSVCRT ref: 00401248
__p__fmode.MSVCRT ref: 0040124D
__p__environ.MSVCRT ref: 00401267
_cexit.MSVCRT ref: 0040128A
ExitProcess.KERNEL32(?,?,?,?,?,004012F5), ref: 00401292

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__p__environ__p__fmode_cexit
String ID:
API String ID: 3476844589-0
Opcode ID: 53db8dd73e4143d63e2a8ba2970246ce225b7af6a3196907f6d323f87185455c
Instruction ID: d72e2ffdaedad33e1947e8f101b4d3e94a853f7d9ce34c840223ef1d40754608
Opcode Fuzzy Hash: 53db8dd73e4143d63e2a8ba2970246ce225b7af6a3196907f6d323f87185455c
Instruction Fuzzy Hash: 6621BEB49083009FC700FF79D58571A7BF4BB44749F01893EF984A73A2D638E9408B5A

Uniqueness

Uniqueness Score: -1.00%

Function 004027E0 Relevance: 40.9, APIs: 22, Strings: 1, Instructions: 645stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00402800
memcpy.MSVCRT ref: 00402827

Part of subcall function 004031C0: setlocale.MSVCRT ref: 004031D8
Part of subcall function 004031C0: _strdup.MSVCRT ref: 004031E6
Part of subcall function 004031C0: setlocale.MSVCRT ref: 004031FC
Part of subcall function 004031C0: wcstombs.MSVCRT ref: 00403227
Part of subcall function 004031C0: realloc.MSVCRT ref: 0040323B
Part of subcall function 004031C0: wcstombs.MSVCRT ref: 00403254
Part of subcall function 004031C0: setlocale.MSVCRT ref: 00403264
Part of subcall function 004031C0: free.MSVCRT ref: 0040326C

Part of subcall function 004021E0: malloc.MSVCRT ref: 004021FB

strlen.MSVCRT ref: 00402B56
strlen.MSVCRT ref: 00402D46
_strdup.MSVCRT ref: 00402D90

Part of subcall function 004027E0: strlen.MSVCRT ref: 004028B1

Strings

\, xrefs: 00402F8E

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: strlen$setlocale$_strdupwcstombs$freemallocmemcpyrealloc
String ID: \
API String ID: 3818432545-2967466578
Opcode ID: bf2e9a33ee385246a5e726968e2670ed68b512822a645633e983a226808f4b2c
Instruction ID: f7c4d56a1def01e487e18b97462b6953fd953782c94f2c8c6698f02ec31ec9fb
Opcode Fuzzy Hash: bf2e9a33ee385246a5e726968e2670ed68b512822a645633e983a226808f4b2c
Instruction Fuzzy Hash: 1342A070E082598FDB10DF69C6883AEBBF1AF45304F18807BD885BB3C1D6B89946DB55

Uniqueness

Uniqueness Score: -1.00%

Function 004031C0 Relevance: 27.3, APIs: 18, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setlocale.MSVCRT ref: 004031D8
_strdup.MSVCRT ref: 004031E6
setlocale.MSVCRT ref: 004031FC
wcstombs.MSVCRT ref: 00403227
realloc.MSVCRT ref: 0040323B
wcstombs.MSVCRT ref: 00403254
setlocale.MSVCRT ref: 00403264
free.MSVCRT ref: 0040326C
mbstowcs.MSVCRT ref: 0040329A
mbstowcs.MSVCRT ref: 004032C4
wcstombs.MSVCRT ref: 004033B3
realloc.MSVCRT ref: 004033CA
wcstombs.MSVCRT ref: 004033E4
wcstombs.MSVCRT ref: 0040349F
setlocale.MSVCRT ref: 004034BB
free.MSVCRT ref: 004034C3
setlocale.MSVCRT ref: 0040352B
free.MSVCRT ref: 00403533

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: setlocalewcstombs$free$mbstowcsrealloc$_strdup
String ID:
API String ID: 2891164732-0
Opcode ID: a5c146f895751ce46dd296d5b494c651f26ac00f9944b822d7e0999137e2a235
Instruction ID: 40adb021d158c18649ece7a37feb0e941fc87d5bd5ad69d9897163f11d1d1676
Opcode Fuzzy Hash: a5c146f895751ce46dd296d5b494c651f26ac00f9944b822d7e0999137e2a235
Instruction Fuzzy Hash: 79B192709042119ACB20AF69C04527BFFF9EF54746F45843FE884AB395D37C9A81CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00401460 Relevance: 21.0, APIs: 7, Strings: 5, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

puts.MSVCRT ref: 00401475
scanf.MSVCRT ref: 00401489
printf.MSVCRT ref: 004014A6
printf.MSVCRT ref: 004014C5
_getch.MSVCRT ref: 004014FF

Strings

Congratulations You Score B, xrefs: 004014DD
You Score, xrefs: 004014F3
Congratulations You Scored A+, xrefs: 0040149F
Enter Your marks : , xrefs: 0040146E
Congratulations You Scored A, xrefs: 004014BE

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: printf$_getchputsscanf
String ID: Congratulations You Score B$Congratulations You Scored A$Congratulations You Scored A+$Enter Your marks : $You Score
API String ID: 2115921670-2025592187
Opcode ID: b932db7c7a7741f3e8838323fa253a3ec55f060c6d651820103ab23b3ea54cd4
Instruction ID: 42c9d011f56b38aebb2e94b059ef6975df2774cab68e3f7eeea72dc63eafc9e5
Opcode Fuzzy Hash: b932db7c7a7741f3e8838323fa253a3ec55f060c6d651820103ab23b3ea54cd4
Instruction Fuzzy Hash: 5E0163B45086018FC310FF69818251EBAE9AF84704F11883FF5D4E7392D778E9459B5B

Uniqueness

Uniqueness Score: -1.00%

Function 00401510 Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 257
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 00401526
strlen.MSVCRT ref: 00401533

Strings

[, xrefs: 00401662
?, xrefs: 0040158D
", xrefs: 004015AE
', xrefs: 0040159C
\, xrefs: 00401650
', xrefs: 0040178D
*, xrefs: 004015A5
@, xrefs: 004016F0

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CommandLinestrlen
String ID: "$'$'$*$?$@$[$\
API String ID: 3702654222-871974141
Opcode ID: 54248f7eee61f554d6b1e29ceea7301c96936e32eabb161f69548cf2e2d0d1d5
Instruction ID: 649cefbd34846f052767c5fe26fc9bc87414e0295a4b6ecd7b0744b1a0c35929
Opcode Fuzzy Hash: 54248f7eee61f554d6b1e29ceea7301c96936e32eabb161f69548cf2e2d0d1d5
Instruction Fuzzy Hash: 89A1B131A153059FDB14CF68C8447AEBBE5BB84344F18893BE805BB3E1E73DA8458B59

Uniqueness

Uniqueness Score: -1.00%

Function 00403070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

glob-1.0-mingw32, xrefs: 0040308E, 0040309D

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: glob-1.0-mingw32
API String ID: 0-3253302226
Opcode ID: 91db1f21d5caf0d1092b715b71575d704ead6d3f3ef464a9053aa9f2822a6975
Instruction ID: 0bf6c4ba439b1e656da5ce24ac592a0af884758246d5de274d7322822dc00290
Opcode Fuzzy Hash: 91db1f21d5caf0d1092b715b71575d704ead6d3f3ef464a9053aa9f2822a6975
Instruction Fuzzy Hash: 4A2192B1E053148BCB109F65D8412AFBFA9EB84345F04457FD8817B385D77D9A01CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00403690 Relevance: 4.6, APIs: 3, Instructions: 53
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileA.KERNEL32 ref: 004036A5
GetLastError.KERNEL32 ref: 00403712
_errno.MSVCRT ref: 0040371C

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileFindLastNext_errno
String ID:
API String ID: 2804278807-0
Opcode ID: 919dca5208603c892f2dbd29dad48e6ee4ea88f39cc7174e3d1124df62c65a3b
Instruction ID: 2948ca51cbe3ba5848bda780a5274403fb83759a178190ed3841c296b90d70ed
Opcode Fuzzy Hash: 919dca5208603c892f2dbd29dad48e6ee4ea88f39cc7174e3d1124df62c65a3b
Instruction Fuzzy Hash: 9701CCB11142508BDF20AF69AC813A6BBA4AB41316F048877E854CF386D13DC948C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 00403950 Relevance: 4.5, APIs: 3, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindClose.KERNEL32(?,?,?,?,?,00402DDB), ref: 00403965
free.MSVCRT(?,?,?,?,?,?,00402DDB), ref: 00403974
_errno.MSVCRT ref: 00403980

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseFind_errnofree
String ID:
API String ID: 1660445202-0
Opcode ID: ebdf78731baae18c225b6199ab28957a3a1a6b78532bce2a1df12eb213fd9001
Instruction ID: fffb0495af5d0f490038b68a1280320a6fee90704095772e495875c0c9d0a5c4
Opcode Fuzzy Hash: ebdf78731baae18c225b6199ab28957a3a1a6b78532bce2a1df12eb213fd9001
Instruction Fuzzy Hash: E3E04FB06002005BC7007F75888262A7AAC6B00319F500A7EEC90AB3C3E67DD6448796

Uniqueness

Uniqueness Score: -1.00%

Function 004012E0 Relevance: 3.0, APIs: 2, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 004012EA

Part of subcall function 004011B0: SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,004012F5), ref: 004011E3
Part of subcall function 004011B0: _setmode.MSVCRT ref: 00401220
Part of subcall function 004011B0: _setmode.MSVCRT ref: 00401234
Part of subcall function 004011B0: _setmode.MSVCRT ref: 00401248
Part of subcall function 004011B0: __p__fmode.MSVCRT ref: 0040124D
Part of subcall function 004011B0: __p__environ.MSVCRT ref: 00401267
Part of subcall function 004011B0: _cexit.MSVCRT ref: 0040128A
Part of subcall function 004011B0: ExitProcess.KERNEL32(?,?,?,?,?,004012F5), ref: 00401292

__set_app_type.MSVCRT ref: 0040130A

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _setmode$__set_app_type$ExceptionExitFilterProcessUnhandled__p__environ__p__fmode_cexit
String ID:
API String ID: 2461648636-0
Opcode ID: 2c9611c86d375737f3294eaaae10524f5bae7ae70e105ff36550091d33167dda
Instruction ID: bf46d9fc090ff86c76a88e5dd760ab8fd44dbb74fc9dad89e7279624f68ad66e
Opcode Fuzzy Hash: 2c9611c86d375737f3294eaaae10524f5bae7ae70e105ff36550091d33167dda
Instruction Fuzzy Hash: B7D04C314105118FD7047F64C905399B774BF04304F45062CD5953B051CBB835568BD5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401340 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 58
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0040134F
LoadLibraryA.KERNEL32 ref: 00401368
GetProcAddress.KERNEL32 ref: 00401380
GetProcAddress.KERNEL32 ref: 00401395
GetModuleHandleA.KERNEL32 ref: 004013C7
GetProcAddress.KERNEL32 ref: 004013E3
atexit.MSVCRT ref: 00401401

Strings

libgcc_s_dw2-1.dll, xrefs: 00401348, 0040135F
__deregister_frame_info, xrefs: 0040138A
__register_frame_info, xrefs: 00401375
libgcj-16.dll, xrefs: 004013C0
_Jv_RegisterClasses, xrefs: 004013D8

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule$LibraryLoadatexit
String ID: _Jv_RegisterClasses$__deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll$libgcj-16.dll
API String ID: 2016387483-548026336
Opcode ID: 0b8aade3fde43aa36ae309f32731af7b31cb5136b079e8ceea5029fc56d28762
Instruction ID: 3d7346ee2e00a71030f91a6f464cef648dbeafef80c9a26da859abf06b3d38f9
Opcode Fuzzy Hash: 0b8aade3fde43aa36ae309f32731af7b31cb5136b079e8ceea5029fc56d28762
Instruction Fuzzy Hash: 32114CB18146008AD3107F79A54531FBEE8EB80358F41C93FD984B76E6E77C95488B9B

Uniqueness

Uniqueness Score: -1.00%

Function 004018B0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c109b914e246866c18af00eae8f597a565d5c7776f425b395473f41a8873c9e7
Instruction ID: 3b19c15fdec688c81ddd56327c215687e0bc839a41b3c63a712ba846f9e5dd49
Opcode Fuzzy Hash: c109b914e246866c18af00eae8f597a565d5c7776f425b395473f41a8873c9e7
Instruction Fuzzy Hash: 8A21E9B891830206F375812D45A4B976596AB88314F14CF3EDD89F23F5E6BDCC84D25D

Uniqueness

Uniqueness Score: -1.00%

Function 00401D80 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 84
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 00401DAC
vfprintf.MSVCRT ref: 00401DC0
abort.MSVCRT(?,?,?,00400000,?,00401EC0), ref: 00401DC5
VirtualQuery.KERNEL32 ref: 00401DF0
memcpy.MSVCRT ref: 00401E19
VirtualProtect.KERNEL32 ref: 00401E4F
memcpy.MSVCRT ref: 00401E6A
VirtualProtect.KERNEL32 ref: 00401E98

Strings

@, xrefs: 00401E38
Mingw runtime failure:, xrefs: 00401D9E

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$Protectmemcpy$Queryabortfwritevfprintf
String ID: @$Mingw runtime failure:
API String ID: 978211760-2549925133
Opcode ID: c895ff84ac444e6cb333387a194e1dbaee8a351f515177a3a79ebc2bdf5cba8d
Instruction ID: b07010e80c18f83a3b6a9e7b97a0af10a0527475b5fc3be1fb31c7d97c7871fc
Opcode Fuzzy Hash: c895ff84ac444e6cb333387a194e1dbaee8a351f515177a3a79ebc2bdf5cba8d
Instruction Fuzzy Hash: 1331D8B1908300ABD700EF29C18455EBFE4FB88758F54892EF888A7351D378E944CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 12.1, APIs: 8, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

signal.MSVCRT ref: 00401033
signal.MSVCRT ref: 00401088
signal.MSVCRT ref: 0040110A
signal.MSVCRT ref: 00401198

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: de9cbfd1ef1e3ceb9d3ee9bd81d224a2f75af3acbc53af3d901795d048397e0b
Instruction ID: d891a4db85e30001896d3fbe297763bf09acc41f283bfb92fe67324157bb9c9e
Opcode Fuzzy Hash: de9cbfd1ef1e3ceb9d3ee9bd81d224a2f75af3acbc53af3d901795d048397e0b
Instruction Fuzzy Hash: EC31F0701042409AD7107F68C55032F76D4BF46328F114A2FE5EAA77E1C7BE99C49B5B

Uniqueness

Uniqueness Score: -1.00%

Function 00403740 Relevance: 10.6, APIs: 7, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fullpath.MSVCRT ref: 00403775
malloc.MSVCRT ref: 0040383C
memcpy.MSVCRT ref: 0040385F
_errno.MSVCRT ref: 004038C0
_errno.MSVCRT ref: 004038DC

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _errno$_fullpathmallocmemcpy
String ID:
API String ID: 3274612330-0
Opcode ID: 7da50a46ac18c5c2f6b33e12b133f3965081750469ead042506ea48951c81455
Instruction ID: 4af33658bb00c89703334fbe9a8fdcefb4a966d9eed4752abe242e6eff333988
Opcode Fuzzy Hash: 7da50a46ac18c5c2f6b33e12b133f3965081750469ead042506ea48951c81455
Instruction Fuzzy Hash: 4341B9B12146048BE314AF29C8463ABBFE9EF8130AF08857FE484D73D5D67C9649C756

Uniqueness

Uniqueness Score: -1.00%

Function 004028D9 Relevance: 9.2, APIs: 6, Instructions: 173
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 0040298E
memcpy.MSVCRT ref: 00402A29
strlen.MSVCRT ref: 00402A31
_strdup.MSVCRT ref: 00402A7C
strcoll.MSVCRT ref: 00402AC3
_stricoll.MSVCRT ref: 00402AE5
malloc.MSVCRT ref: 00402B06
free.MSVCRT ref: 00402E4A
malloc.MSVCRT ref: 00402F6C

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: mallocstrlen$_strdup_stricollfreememcpystrcoll
String ID:
API String ID: 248952651-0
Opcode ID: 3f825d32b2822a0950214fdef15d9f8de30d188b35ae9da0f80d9bbbb2ce3ae4
Instruction ID: c940cda574fdb61d1a8ddc1332b5a3b6e04917dbaa72d05352c9d3370c8b57a5
Opcode Fuzzy Hash: 3f825d32b2822a0950214fdef15d9f8de30d188b35ae9da0f80d9bbbb2ce3ae4
Instruction Fuzzy Hash: 74615EB1E046158FDB10DFA9C5887AEBBF5AF44304F08806AD845BB3C1E7B89945CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00402250 Relevance: 7.7, APIs: 6, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

tolower.MSVCRT ref: 004022E5
tolower.MSVCRT ref: 004022F3
tolower.MSVCRT ref: 0040238E
tolower.MSVCRT ref: 0040239C

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: tolower
String ID:
API String ID: 3025214199-0
Opcode ID: 6719ac4daa759019d79bfce8ce04f3372a78dc03506be0be376abf6b3b0c1063
Instruction ID: 7938ae60ccf90282a35d1dece3e6afbd4eae6d6882d9831f8228313fa22bf4fa
Opcode Fuzzy Hash: 6719ac4daa759019d79bfce8ce04f3372a78dc03506be0be376abf6b3b0c1063
Instruction Fuzzy Hash: F8614B7290C3654BC7208E69528823BB7D6AA95308F29057FDCD8B73C1D2BDDD06478E

Uniqueness

Uniqueness Score: -1.00%

Function 00402E17 Relevance: 7.6, APIs: 5, Instructions: 116stringCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00402A29
strlen.MSVCRT ref: 00402A31
_strdup.MSVCRT ref: 00402A7C
_stricoll.MSVCRT ref: 00402AE5

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _strdup_stricollmemcpystrlen
String ID:
API String ID: 2607129539-0
Opcode ID: 10194c166aab9f644bf78b6c4f5d2663e036dd8df70d3dc86c71cf3e5e2e0b27
Instruction ID: 9a6ffdb9edf4cdc698f360754d8511005578a5416c4149af5aa91ceb33d8cfc2
Opcode Fuzzy Hash: 10194c166aab9f644bf78b6c4f5d2663e036dd8df70d3dc86c71cf3e5e2e0b27
Instruction Fuzzy Hash: 074158B1A046158FEB20DF65C68476ABBE5AF84304F08803EE846E73C1E7B8D941CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00403319 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

wcstombs.MSVCRT ref: 00403227
realloc.MSVCRT ref: 0040323B
wcstombs.MSVCRT ref: 00403254
setlocale.MSVCRT ref: 00403264
free.MSVCRT ref: 0040326C
wcstombs.MSVCRT ref: 004033B3
realloc.MSVCRT ref: 004033CA
wcstombs.MSVCRT ref: 004033E4
setlocale.MSVCRT ref: 004034BB
free.MSVCRT ref: 004034C3

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: wcstombs$freereallocsetlocale
String ID:
API String ID: 3931877334-0
Opcode ID: 49c059103394049b7c26c526e13725fb6568a3b4e1352e05fd0d844e3df41df5
Instruction ID: 9528a7c7e1963642edba6784e4b6eecba9cec4aa3d5e2047d2aa6cf195f73bac
Opcode Fuzzy Hash: 49c059103394049b7c26c526e13725fb6568a3b4e1352e05fd0d844e3df41df5
Instruction Fuzzy Hash: 92213D70A042128ACB14EF69C04126BFBF5EF54746F45C47FE888AB395E7395A41CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00401E29 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00401E4F
memcpy.MSVCRT ref: 00401E6A
VirtualProtect.KERNEL32 ref: 00401E98

Strings

@, xrefs: 00401E38

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual$memcpy
String ID: @
API String ID: 1565840913-2766056989
Opcode ID: 37cc7b31f1e88f7fd985d33849442490a2727a97b4f80a0618785e668ac4f907
Instruction ID: 8ecbee79872c90a970716d8d7e8c2dbe2cee1077042f5dd3d471bcaa97f3a684
Opcode Fuzzy Hash: 37cc7b31f1e88f7fd985d33849442490a2727a97b4f80a0618785e668ac4f907
Instruction Fuzzy Hash: 850152B5608305AFD340EF29C18451EFBE0BBC8758F50892EF898A7355D234EA55CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00401DD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00401DF0
memcpy.MSVCRT ref: 00401E19
VirtualProtect.KERNEL32 ref: 00401E4F
memcpy.MSVCRT ref: 00401E6A
VirtualProtect.KERNEL32 ref: 00401E98

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00401EB4

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$Protectmemcpy$Query
String ID: VirtualQuery failed for %d bytes at address %p
API String ID: 228986436-2206166143
Opcode ID: 382b95ee4e5450d667b0a9e147f3505df596c4f3e4b51953a0c3a314b4e4836e
Instruction ID: ce1460d7593363e8c7c595ec3ed0f7062eb867f900c14c878a2e83a9b7478d98
Opcode Fuzzy Hash: 382b95ee4e5450d667b0a9e147f3505df596c4f3e4b51953a0c3a314b4e4836e
Instruction Fuzzy Hash: BEF01DB15043009AE700AF2AD58451FBEE8AF85794F44883FF888E73A1D778D8448B96

Uniqueness

Uniqueness Score: -1.00%

Function 00401C32 Relevance: 5.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00401C67
free.MSVCRT ref: 00401CB9
LeaveCriticalSection.KERNEL32 ref: 00401CC5

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: b28d79d2ae087a490513ab2c34ca23639612d7eeaa493a175103de9d073e0e60
Instruction ID: d8d8080e6f9e14dbceee176eddbba765e9271608f6b84d07801669502c1d6d9f
Opcode Fuzzy Hash: b28d79d2ae087a490513ab2c34ca23639612d7eeaa493a175103de9d073e0e60
Instruction Fuzzy Hash: 31011EB1A482018FE700FF74D48562ABBE5BB40304F15867EE945F7392E738E9519B8B

Uniqueness

Uniqueness Score: -1.00%

Function 00401B50 Relevance: 5.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00401D75,?,?,?,?,?,?,00401A98), ref: 00401B5C
TlsGetValue.KERNEL32(?,?,?,?,?,00401D75,?,?,?,?,?,?,00401A98), ref: 00401B75
GetLastError.KERNEL32(?,?,?,?,?,?,00401D75,?,?,?,?,?,?,00401A98), ref: 00401B7F
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00401D75,?,?,?,?,?,?,00401A98), ref: 00401BA2

Memory Dump Source

Source File: 00000000.00000002.3225725879.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3225687026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225739462.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225753029.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225778374.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 4a8bf40b5d4a20c4336136f9297d4a5283dd8369256c4447f972f73e295122a5
Instruction ID: 4d16860b71b5d85e06f3d7e22a9a031ba67d64ec54dc3716248cb0e71f7e2987
Opcode Fuzzy Hash: 4a8bf40b5d4a20c4336136f9297d4a5283dd8369256c4447f972f73e295122a5
Instruction Fuzzy Hash: AFF090B19042104ADB10BF7596C561B7AB85E00348F05017AED40AB297E73CB905C6AB

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.Win32.647.23647.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.Win32.647.23647.exePID: 4456, Parent PID: 1028

General

Chronological Activities

Analysis Process: conhost.exePID: 2624, Parent PID: 4456

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.Trojan.Win32.647.23647.exePID: 4456, Parent PID: 1028COMMON

Execution Graph

Graph

Executed Functions

Function 004035C0 Relevance: 12.1, APIs: 8, Instructions: 64fileCOMMON

Control-flow Graph

Windows Analysis Report
SecuriteInfo.com.Trojan.Win32.647.23647.exe

Function 004035C0 Relevance: 12.1, APIs: 8, Instructions: 64
fileCOMMON

Function 004011B0 Relevance: 12.1, APIs: 8, Instructions: 59
COMMON

Function 004031C0 Relevance: 27.3, APIs: 18, Instructions: 272
COMMON

Function 00401460 Relevance: 21.0, APIs: 7, Strings: 5, Instructions: 43
COMMON

Function 00401510 Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 257
stringCOMMON

Function 00403070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Function 00403690 Relevance: 4.6, APIs: 3, Instructions: 53
fileCOMMON

Function 00403950 Relevance: 4.5, APIs: 3, Instructions: 21
COMMON

Function 004012E0 Relevance: 3.0, APIs: 2, Instructions: 12
COMMON

Function 00401340 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 58
libraryloaderCOMMON

Function 00401D80 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 84
memoryfileCOMMON

Function 00401000 Relevance: 12.1, APIs: 8, Instructions: 82
COMMON

Function 00403740 Relevance: 10.6, APIs: 7, Instructions: 121
COMMON

Function 004028D9 Relevance: 9.2, APIs: 6, Instructions: 173
stringCOMMON

Function 00402250 Relevance: 7.7, APIs: 6, Instructions: 219
COMMON