Windows
Analysis Report
SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
Overview
General Information
Detection
Score: 30 (range 0 - 100)
Whitelisted: false
Confidence: 40%
Signatures
Antivirus detection for dropped file
Modifies the DNS server
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables driver privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Classification
Analysis Advice
Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis.
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.
Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the command line switches may require prefix characters such as "-", "/" or "--").
- System is w10x64
- SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe (PID: 4544 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe" MD5: 35A00AE36EE03F200BAD5A922AFACD04)
- SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp (PID: 2680 cmdline: "C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp" /SL5="$20404,1488690,832512,C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe" MD5: 74F03B0063ABA7C8CC9A8D4FED6B2381)
- pvextra.exe (PID: 2912 cmdline: "C:\Program Files (x86)\PairVPN\pvextra.exe" /d MD5: CB12C48A9D14A5018DD07BBB8E71AC9A)
- netsh.exe (PID: 5236 cmdline: "netsh.exe" advfirewall firewall add rule name="PairVPN" dir=in action=allow program="C:\Program Files (x86)\PairVPN\PairVPN.exe" enable=yes MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
- conhost.exe (PID: 2632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 5328 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- drvinst.exe (PID: 2852 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\pveth.inf" "9" "4ec797a8f" "0000000000000100" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\pairvpn\pveth" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
- drvinst.exe (PID: 6440 cmdline: DrvInst.exe "2" "211" "ROOT\PVETH\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:1f6a2eb20729039e:pveth.ndi:1.8.3.0:pveth," "4ec797a8f" "0000000000000100" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
- svchost.exe (PID: 2216 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
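The process tree above records the two actions behind the "Uses netsh to modify the Windows network and firewall settings" and "Creates files inside the driver directory" signatures: netsh.exe adds an inbound allow rule for PairVPN.exe, and DrvInst.exe installs the pveth driver from an INF file staged in the user's Temp directory and then from C:\Windows\INF\oem4.inf. The following Python is an added example, not part of the Joe Sandbox report, that tokenizes those command lines (copied from the tree above) the way a process-creation detection rule would and emits a finding for each pattern. The tokenizer, the rule names and the "from_user_temp" heuristic are the example's own assumptions, not anything the sandbox does.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Command lines copied verbatim from the process tree above (Joe Sandbox report
# for SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe).
SAMPLE_CMDLINES = [
    r'"C:\Program Files (x86)\PairVPN\pvextra.exe" /d',
    r'"netsh.exe" advfirewall firewall add rule name="PairVPN" dir=in action=allow '
    r'program="C:\Program Files (x86)\PairVPN\PairVPN.exe" enable=yes',
    r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\pveth.inf" '
    r'"9" "4ec797a8f" "0000000000000100" "WinSta0\Default" "0000000000000170" "208" '
    r'"c:\program files (x86)\pairvpn\pveth"',
    r'DrvInst.exe "2" "211" "ROOT\PVETH\0000" "C:\Windows\INF\oem4.inf" '
    r'"oem4.inf:1f6a2eb20729039e:pveth.ndi:1.8.3.0:pveth," "4ec797a8f" "0000000000000100"',
]


@dataclass
class Finding:
    rule: str          # hypothetical rule name chosen for this example
    process: str       # lower-cased image name of the process
    details: dict = field(default_factory=dict)


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments.

    Simplified model of CommandLineToArgvW: a token is a run of non-space
    text and/or double-quoted spans, so key="value with spaces" stays one
    token. Backslash-escaped quotes are not handled (none occur here).
    """
    tokens = re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)
    return [t.replace('"', '') for t in tokens]


def analyze_cmdline(cmdline: str) -> list[Finding]:
    argv = tokenize(cmdline)
    if not argv:
        return []
    exe = ntpath.basename(argv[0]).lower()
    lowered = [a.lower() for a in argv[1:]]
    findings = []

    # netsh advfirewall firewall add rule ... -> firewall rule creation.
    if exe == "netsh.exe" and {"advfirewall", "firewall", "add", "rule"} <= set(lowered):
        kv = {}
        for arg in argv[1:]:
            if "=" in arg:
                key, value = arg.split("=", 1)
                kv[key.lower()] = value
        kv["inbound_allow"] = kv.get("dir", "").lower() == "in" and kv.get("action", "").lower() == "allow"
        findings.append(Finding("netsh_firewall_rule_add", exe, kv))

    # DrvInst.exe ... <something>.inf -> driver package install.
    if exe == "drvinst.exe":
        infs = [a for a in argv[1:] if a.lower().endswith(".inf")]
        device_ids = [a for a in argv[1:] if a.lower().startswith("root\\")]
        # Heuristic (example assumption): an INF served out of the user's Temp
        # directory was staged by a user-mode installer, not by Windows itself.
        from_user_temp = any("\\appdata\\local\\temp\\" in a.lower() for a in infs)
        findings.append(Finding("driver_install", exe, {
            "inf": infs, "device_ids": device_ids, "from_user_temp": from_user_temp}))

    return findings


def analyze_all(cmdlines: list[str]) -> list[Finding]:
    return [f for c in cmdlines for f in analyze_cmdline(c)]


if __name__ == "__main__":
    for finding in analyze_all(SAMPLE_CMDLINES):
        print(finding.rule, finding.process, finding.details)
```

On the report's command lines this yields three findings in order: the inbound allow rule for C:\Program Files (x86)\PairVPN\PairVPN.exe, the first DrvInst run with the INF under the user's Temp directory, and the second run that binds ROOT\PVETH\0000 to the copied oem4.inf. The same tokenizer can be pointed at Sysmon event 1 or Windows 4688 CommandLine fields without change.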
No configs have been found
No yara matches
Source: | Author: vburov: |
No Snort rule has matched
AV Detection
Source: | Avira: |
Source: | Static PE information: |
Source: | Window detected: |