Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe
Analysis ID:	1427172
MD5:	6f23976152226e51911822cec434d823
SHA1:	4ad1937a39bd1ca37f8956fdd4b08ca28d679c91
SHA256:	75b1e14c1d1eb5d692d67a59ee0676b768351f4f0da6451d157b1cc3399009e8
Tags:	exe
Infos:

Detection

Score:	42
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe" MD5: 6F23976152226E51911822CEC434D823)

conhost.exe (PID: 7272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7320 cmdline: C:\Windows\system32\cmd.exe /c color F2 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7384 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im Gift2.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

taskkill.exe (PID: 7400 cmdline: taskkill /f /im Gift2.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	ReversingLabs: Detection: 42%
Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Virustotal: Detection: 54%			Perma Link

Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\iccp_\source\repos\ConsoleApplication1\Release\ConsoleApplication1.pdb source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe
Source:	Binary string: C:\Users\iccp_\source\repos\ConsoleApplication1\Release\ConsoleApplication1.pdb source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal42.winEXE@8/1@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7272:120:WilError_03

Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Gift2.exe")

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	ReversingLabs: Detection: 42%
Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Virustotal: Detection: 54%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c color F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Gift2.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im Gift2.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c color F2	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Gift2.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im Gift2.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\iccp_\source\repos\ConsoleApplication1\Release\ConsoleApplication1.pdb source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe
Source:	Binary string: C:\Users\iccp_\source\repos\ConsoleApplication1\Release\ConsoleApplication1.pdb source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Code function: 0_2_002B1D76 push ecx; ret

0_2_002B1D89

Source: C:\Windows\SysWOW64\taskkill.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Code function: 0_2_002B1B0A IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_002B1B0A

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Code function: 0_2_002B1B0A IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002B1B0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Code function: 0_2_002B1681 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_002B1681
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Code function: 0_2_002B1C6C SetUnhandledExceptionFilter,	0_2_002B1C6C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c color F2	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im Gift2.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im Gift2.exe	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im Gift2.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Code function: 0_2_002B1DBA cpuid

0_2_002B1DBA

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Code function: 0_2_002B19F3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_002B19F3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Code function: 0_2_002B1160 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,

0_2_002B1160

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	42%	ReversingLabs	Win32.Trojan.Generic
SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	55%	Virustotal		Browse
SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe	100%	Avira	TR/Agent.igzea

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427172
Start date and time:	2024-04-17 07:32:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe
Detection:	MAL
Classification:	mal42.winEXE@8/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
07:33:04	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe modified

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.929120899342838
Encrypted:	false
SSDEEP:	3:tl+ztIQBV53l0uGVEXmq2i6yBWEv:n+zttBV5V0uGVimq2iLHv
MD5:	7D5FB6114CEE641B44C41194DF38C233
SHA1:	2FAA3B6AC8CA5DF2F5B89C6BB369DCDC641C7045
SHA-256:	C0A29947CBA0BBE037BDBD8190EE1A7A50E6DC16D8739425879F9858A858D264
SHA-512:	582BA5C25314622B5FF3FCEE5F654CD9C159B72657220205876D62D63E9181102ED4E8D8DCD7036A27D8383044F3BC4851BCFAAFAFD12A985588F7A83B13D145
Malicious:	false
Reputation:	low
Preview:	.................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	5.321778000695748
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe
File size:	14'848 bytes
MD5:	6f23976152226e51911822cec434d823
SHA1:	4ad1937a39bd1ca37f8956fdd4b08ca28d679c91
SHA256:	75b1e14c1d1eb5d692d67a59ee0676b768351f4f0da6451d157b1cc3399009e8
SHA512:	6957e385c560fdb63f3a60c3467932ccf0f99126e74cd64d217816f3d4dc0c9a043702d947e6b7d5ac54014621b139180e8ff9231d43dcf4ef46717329c6a9d9
SSDEEP:	384:0bubLBWKupIDaGUIYzHjoaulzun7xN/fBz:3kpIDadIYzT7xN
TLSH:	7C621943BB848972C76113B03477B66AD63BB9601FD49783AB95A6950F750C0F433B1E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........[xd.[xd.[xd.R...Wxd...a.Hxd...`.Wxd...g.Zxd...e._xd...e.^xd.[xe..xd...m.Zxd.....Zxd.[x..Zxd...f.Zxd.Rich[xd.........PE..L..

File Icon


Icon Hash:	00503333460c1004

Static PE Info

General

Entrypoint:	0x401677
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5E189B78 [Fri Jan 10 15:42:48 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	87a7ccd365a74668ac9b2126968e31a6

Entrypoint Preview

Instruction
call 00007F30F8BED7A9h
jmp 00007F30F8BED259h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [00403028h]
push dword ptr [ebp+08h]
call dword ptr [0040302Ch]
push C0000409h
call dword ptr [00403024h]
push eax
call dword ptr [00403020h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007F30F8BEDD78h
test eax, eax
je 00007F30F8BED3E7h
push 00000002h
pop ecx
int 29h
mov dword ptr [00405118h], eax
mov dword ptr [00405114h], ecx
mov dword ptr [00405110h], edx
mov dword ptr [0040510Ch], ebx
mov dword ptr [00405108h], esi
mov dword ptr [00405104h], edi
mov word ptr [00405130h], ss
mov word ptr [00405124h], cs
mov word ptr [00405100h], ds
mov word ptr [004050FCh], es
mov word ptr [004050F8h], fs
mov word ptr [004050F4h], gs
pushfd
pop dword ptr [00405128h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0040511Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00405120h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0040512Ch], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00405068h], 00010001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x37f4	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0xcf0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7000	0x1d0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x32d0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3340	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0x110	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x113b	0x1200	a6ebfcfb9badea8fdd488dfc59ff2add	False	0.630859375	data	6.140214571585226	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x1152	0x1200	669bd81bca14d2c79c1cee89e9a48faf	False	0.4212239583333333	data	5.092617121296803	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5000	0x384	0x200	550b6d19eefd3a6f89a89a9be78fdbaf	False	0.0546875	data	0.2804011676589459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0xcf0	0xe00	bf2156bf655e393d64a3ca68ba2d4e39	False	0.1953125	data	2.756166303526463	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7000	0x1d0	0x200	7b494a992f1720a3e897c9d6826eab32	False	0.904296875	data	5.964178796417213	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x60f0	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2560	English	United States	0.1373873873873874
RT_GROUP_ICON	0x6b58	0x14	data	English	United States	1.15
RT_MANIFEST	0x6b70	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	Sleep, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleHandleW
USER32.dll	MessageBoxA
MSVCP140.dll	?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z, ?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEHXZ, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ?uncaught_exception@std@@YA_NXZ
VCRUNTIME140.dll	__current_exception_context, memset, _except_handler4_common, __current_exception, __std_terminate, __CxxFrameHandler3
api-ms-win-crt-filesystem-l1-1-0.dll	remove
api-ms-win-crt-runtime-l1-1-0.dll	exit, _initialize_onexit_table, _register_onexit_function, _register_thread_local_exe_atexit_callback, _controlfp_s, terminate, _c_exit, _initterm_e, _exit, _initterm, _cexit, __p___argv, __p___argc, _initialize_narrow_environment, _configure_narrow_argv, _crt_atexit, _seh_filter_exe, _set_app_type, system, _get_initial_narrow_environment
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll	_set_fmode, __p__commode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	07:33:00
Start date:	17/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe"
Imagebase:	0x2b0000
File size:	14'848 bytes
MD5 hash:	6F23976152226E51911822CEC434D823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	07:33:00
Start date:	17/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	07:33:00
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c color F2
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:33:04
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im Gift2.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:33:04
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im Gift2.exe
Imagebase:	0x900000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	21.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.3%
Total number of Nodes:	124
Total number of Limit Nodes:	7

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 002B1000 Relevance: 33.3, APIs: 11, Strings: 8, Instructions: 64
windowprocesssleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

system.API-MS-WIN-CRT-RUNTIME-L1-1-0(color F2), ref: 002B1013
MessageBoxA.USER32(00000000,002B3164,002B3158,00000000), ref: 002B102C

Part of subcall function 002B11B0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000), ref: 002B1396
Part of subcall function 002B11B0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 002B13A3
Part of subcall function 002B11B0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140 ref: 002B13B2

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(002B13F0), ref: 002B1049
Sleep.KERNELBASE(00002710), ref: 002B1054

Part of subcall function 002B11B0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140(?,75C50660,7676C730), ref: 002B1274
Part of subcall function 002B11B0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(00000000,?,75C50660,7676C730), ref: 002B12DD

system.API-MS-WIN-CRT-RUNTIME-L1-1-0(taskkill /f /im Gift2.exe), ref: 002B106F

Part of subcall function 002B11B0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,000000FF,00000000,?,75C50660,7676C730), ref: 002B1306
Part of subcall function 002B11B0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?), ref: 002B1332

MessageBoxA.USER32(00000000,002B3208,^_^,00000000), ref: 002B1092
remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(D:\Gift2.exe), ref: 002B109F
remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(D:\Gift_Protector.exe), ref: 002B10A9
MessageBoxA.USER32(00000000,002B3270,Tips,00000000), ref: 002B10BC
MessageBoxA.USER32(00000000,Bye ^_^,002B3148,00000000), ref: 002B10CC
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140 ref: 002B10D4

Strings

^_^, xrefs: 002B1086
Tips, xrefs: 002B10B0
Bye ^_^, xrefs: 002B10C5
taskkill /f /im Gift2.exe, xrefs: 002B106A
D:\Gift_Protector.exe, xrefs: 002B10A4
1+, xrefs: 002B107A
D:\Gift2.exe, xrefs: 002B109A
color F2, xrefs: 002B100E

Memory Dump Source

Source File: 00000000.00000002.2935220085.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.2935196368.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2935236246.00000000002B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2935255921.00000000002B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$Message$?sputc@?$basic_streambuf@V01@removesystem$??6?$basic_ostream@?flush@?$basic_ostream@?get@?$basic_istream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@SleepV01@@V12@
String ID: Bye ^_^$D:\Gift2.exe$D:\Gift_Protector.exe$Tips$^_^$color F2$taskkill /f /im Gift2.exe$1+
API String ID: 663692276-1637155831
Opcode ID: 35729c04ee84feedbea4f71f5ca3f90e75db1c8c2a18dca0660ca3988b838283
Instruction ID: f4fce0bb0a8bd5f1d8995555bafb305219fec477391300154acaf4b20cad610c
Opcode Fuzzy Hash: 35729c04ee84feedbea4f71f5ca3f90e75db1c8c2a18dca0660ca3988b838283
Instruction Fuzzy Hash: 4E1191317F421477D200F7AC7C1BFC676189F86FA1F044621FA09622D0D8E0BB348A66

Uniqueness

Uniqueness Score: -1.00%

Function 002B11B0 Relevance: 10.7, APIs: 7, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140(?,75C50660,7676C730), ref: 002B1274
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(00000000,?,75C50660,7676C730), ref: 002B12DD
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,000000FF,00000000,?,75C50660,7676C730), ref: 002B1306
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?), ref: 002B1332
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000), ref: 002B1396
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 002B13A3
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140 ref: 002B13B2

Memory Dump Source

Source File: 00000000.00000002.2935220085.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.2935196368.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2935236246.00000000002B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2935255921.00000000002B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 1492985063-0
Opcode ID: 493dbaadf0932e7aa4c4a8c19bcfc77034f5ed099af0a928dc2b73d94e0a3767
Instruction ID: 9e2a1afd76827fe8e2f18caa6464f1a9427858c3fe1af7db845e5b1f9712edaa
Opcode Fuzzy Hash: 493dbaadf0932e7aa4c4a8c19bcfc77034f5ed099af0a928dc2b73d94e0a3767
Instruction Fuzzy Hash: 2F719C35A102158FCB14CF58D9A4BA9BBF1BF49354F598298DC15EB3A2D731EC25CB40

Uniqueness

Uniqueness Score: -1.00%

Function 002B13F0 Relevance: 4.5, APIs: 3, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z.MSVCP140(0000000A), ref: 002B1400
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z.MSVCP140 ref: 002B140C
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140 ref: 002B1414

Memory Dump Source

Source File: 00000000.00000002.2935220085.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.2935196368.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2935236246.00000000002B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2935255921.00000000002B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$V12@$?flush@?$basic_ostream@?put@?$basic_ostream@?widen@?$basic_ios@
String ID:
API String ID: 1875450691-0
Opcode ID: 8f56973cfe5dda65162210000cababfaff4ddbb02a23f2fbe0180c4a83425b95
Instruction ID: 1500856adba929424b1e6507e6caaa6bddc2b33cb5991b80d2a216928c942681
Opcode Fuzzy Hash: 8f56973cfe5dda65162210000cababfaff4ddbb02a23f2fbe0180c4a83425b95
Instruction Fuzzy Hash: 83D05B353402349BC604EB4CFC5CA6C77A8EF49B517044509F946C7351CB359B1187D5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002B1DBA Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 002B1DD0

Memory Dump Source

Source File: 00000000.00000002.2935220085.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.2935196368.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2935236246.00000000002B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2935255921.00000000002B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_SecuriteInfo.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 7c7f9541e41c8b4233fb727ec391531b7a073a1b14b686d2ffa10a88962656ec
Instruction ID: 1e7e029c59f8d447190f1caa81eebfb0298d554ae8600269376bfb8fc742f2a9
Opcode Fuzzy Hash: 7c7f9541e41c8b4233fb727ec391531b7a073a1b14b686d2ffa10a88962656ec
Instruction Fuzzy Hash: 2A5192B1D20715CBEB15CF54E8957A9B7F0FB48390F648A6AD811EB350D3B4E960CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002B1C6C Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001C78,002B14E8), ref: 002B1C71

Memory Dump Source

Source File: 00000000.00000002.2935220085.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.2935196368.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2935236246.00000000002B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2935255921.00000000002B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 61cf2d66a301a2a21a4d6bfe6c766e0e51809c8603de8ef53ade96716e19b437
Instruction ID: 268a73a7fe9c8f5f58c4d61b8cb5038ca120e040db959f02f09901a07abe4a23
Opcode Fuzzy Hash: 61cf2d66a301a2a21a4d6bfe6c766e0e51809c8603de8ef53ade96716e19b437
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 002B1160 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935220085.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.2935196368.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2935236246.00000000002B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2935255921.00000000002B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a60e91c44719e0bd2beabc187d436a6996f266cb19cff68a8c1e963e81129974
Instruction ID: 71c37f99c97ac498ecd77d6e3e8e3e0cf801b9a3b2e16643d59ea160b805c8fc
Opcode Fuzzy Hash: a60e91c44719e0bd2beabc187d436a6996f266cb19cff68a8c1e963e81129974
Instruction Fuzzy Hash: 5FF01535644A48DFC714DF18D990F65B7E8EB09B14F1446ADE91A8BBA1DB36A800CA40

Uniqueness

Uniqueness Score: -1.00%

Function 002B1430 Relevance: 13.6, APIs: 9, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000001), ref: 002B1433
_set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 002B143E
__p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 002B144A
__RTC_Initialize.LIBCMT ref: 002B1462
_configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,002B1D02), ref: 002B1477

Part of subcall function 002B1A98: InitializeSListHead.KERNEL32(002B5358,002B1487), ref: 002B1A9D

__setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_00001A8B), ref: 002B1495
_configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 002B14B0
_initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 002B14BF
___scrt_fastfail.LIBCMT ref: 002B14D5

Memory Dump Source

Source File: 00000000.00000002.2935220085.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.2935196368.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2935236246.00000000002B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2935255921.00000000002B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_SecuriteInfo.jbxd

Similarity

API ID: Initialize$HeadList___scrt_fastfail__p__commode__setusermatherr_configthreadlocale_configure_narrow_argv_initialize_narrow_environment_set_app_type_set_fmode
String ID:
API String ID: 1979175733-0
Opcode ID: 13f2405d8610a04c015e69bf39719ea070162a3a33119ae536e0575e07247256
Instruction ID: 29b950db6757a54802de685ac6d3535bb65f9cd6941949f363c1c335a972bb35
Opcode Fuzzy Hash: 13f2405d8610a04c015e69bf39719ea070162a3a33119ae536e0575e07247256
Instruction Fuzzy Hash: D201CD5193371320DA203BF20833AEF06A81F413E0BD54851B804AA4C3EE55F875CDB3

Uniqueness

Uniqueness Score: -1.00%

Function 002B1C78 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__current_exception.VCRUNTIME140 ref: 002B1CB7
__current_exception_context.VCRUNTIME140 ref: 002B1CC1
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 002B1CC8

Strings

csm, xrefs: 002B1C82

Memory Dump Source

Source File: 00000000.00000002.2935220085.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.2935196368.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2935236246.00000000002B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2935255921.00000000002B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_SecuriteInfo.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: 4bddf418a0423be7ddbd91b8a9e592eab66874cdac81dfaf63a8a0d0ab8db705
Instruction ID: 7a3bd88c3f93a46f155a28cefbe4d2f21a1f93ed6c95498db7211334c76c5464
Opcode Fuzzy Hash: 4bddf418a0423be7ddbd91b8a9e592eab66874cdac81dfaf63a8a0d0ab8db705
Instruction Fuzzy Hash: 10F0A7314703068B8B316F69905409EBB6DBE623A13E80A17E854DB6A0C770ED71CBD3

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exePID: 7264, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 7272, Parent PID: 7264

General

Chronological Activities

Analysis Process: cmd.exePID: 7320, Parent PID: 7264

General

Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Function 002B1000 Relevance: 33.3, APIs: 11, Strings: 8, Instructions: 64
windowprocesssleepCOMMON

Function 002B11B0 Relevance: 10.7, APIs: 7, Instructions: 184
COMMON

Function 002B13F0 Relevance: 4.5, APIs: 3, Instructions: 19
COMMON

Function 002B1DBA Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Function 002B1430 Relevance: 13.6, APIs: 9, Instructions: 56
COMMON

Function 002B1C78 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
COMMON