Windows Analysis Report
SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe
Analysis ID: 1427718
MD5: 80c97cfbc49ce4c6f39493ab42edb7aa
SHA1: 8974e0027f4002b916d771c7a440a207e7c9c102
SHA256: 232be72fe20e9d89ac11dddc9ff262fe283044e37ad9abd2a076b784a8e8fa4c
Tags: exe
Detection

Customer Loader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Customer Loader
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

AV Detection

Source: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe ReversingLabs: Detection: 87%
Source: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: unknown DNS traffic detected: query: kyliansuperm92139124.shop replaycode: Server failure (2)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: kyliansuperm92139124.shop
Source: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe, 00000000.00000002.2076741590.000001E221723000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.mic
Source: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe, 00000000.00000002.2077669632.000001E223251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe, 00000000.00000002.2077669632.000001E2232EA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe, 00000000.00000002.2077669632.000001E223251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://kyliansuperm92139124.shop
Source: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe, 00000000.00000002.2077669632.000001E223251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://kyliansuperm92139124.shop/customer/809
Source: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe, 00000000.00000000.1984123602.000001E221502000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe
Source: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe
Source: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe, .cs Cryptographic APIs: 'CreateDecryptor'
Source: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe, .cs Cryptographic APIs: 'TransformFinalBlock'
Source: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe, .cs Base64 encoded string: 'wptFkG0ATOUpMhL79wADQIlA3Wv41kVfbeMWaWFijOya0ybGEH5tlNtP74JTZbB0'
Source: classification engine Classification label: mal60.troj.winEXE@1/1@4/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe.log
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Mutant created: NULL
Source: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Section loaded: wintypes.dll
Source: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation

Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe PID: 3060, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Memory allocated: 1E221850000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Memory allocated: 1E23B250000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe TID: 3012 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe TID: 2136 Thread sleep time: -922337203685477s >= -30000s
Source: SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe, 00000000.00000002.2076741590.000001E221723000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos