Windows
Analysis Report
SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe
Overview
General Information
Detection
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe (PID: 1828, cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe", MD5: 42DC58FBC7050C3E083AC79205A0AA75)
- setup.exe (PID: 7000, cmdline: "C:\Users\user\AppData\Local\Temp\setup.exe", MD5: 97D098FFE698F9400EF166FC53F86B4A)
- Pinball.exe (PID: 500, cmdline: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe, MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 5204, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 6184, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 4816, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 416, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 4020, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 3792, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 6304, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 6808, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 4548, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 3552, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 1864, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 5036, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 5504, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 5372, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 4160, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 7060, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 1016, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 6112, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 3496, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 1808, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 2168, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 2128, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 5268, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 4040, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 5032, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 4032, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 6268, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 6768, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 6080, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 4552, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 4324, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 4416, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- Pinball.exe (PID: 6352, cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe", MD5: 161915D7FFED531ADF1F43791864D6C1)
- cleanup
No configs have been found
No yara matches
Source (Sigma rule author): Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
No Snort rule has matched
AV Detection
Source: Avira
Source: Joe Sandbox ML
Source: Static PE information
Source: Registry value created
Source: Static PE information
Source: Binary string
Source: Directory queried
Source: Code function: 0_2_00405B6F
Source: Code function: 0_2_00406724
Source: Code function: 0_2_004027AA
Source: Code function: 3_2_00405B4A
Source: Code function: 3_2_004066FF
Source: Code function: 3_2_004027AA
Source: String found in binary or memory
Source: Code function: 0_2_0040560C
Source: Process created
Source: Code function: 0_2_100010D0
Source: Code function: 0_2_004034F1
Source: Code function: 3_2_004034CC
Source: Code function: 0_2_004073D5
Source: Code function: 0_2_00406BFE
Source: Code function: 3_2_00406A88
Source: Code function: 6_2_02F94F58
Source: Code function: 6_2_02F91049
Source: Code function: 6_2_05AA5F38
Source: Code function: 6_2_05AA6808
Source: Code function: 6_2_05AA57F0
Source: Code function: 6_2_05AA7B20
Source: Code function: 6_2_05AA7B11
Source: Code function: 6_2_067E2F88
Source: Code function: 8_2_01634F58
Source: Code function: 9_2_02704F58
Source: Code function: 10_2_021F4F58
Source: Code function: 10_2_021F3860
Source: Code function: 13_2_00934F58
Source: Code function: 13_2_00933860
Source: Code function: 15_2_014D4F58
Source: Code function: 15_2_014D3860
Source: Code function: 15_2_014D44C9
Source: Code function: 15_2_014D1049
Source: Code function: 18_2_02ED4F58
Source: Code function: 18_2_02ED3860
Source: Code function: 18_2_02ED1049
Source: Code function: 24_2_00984F58
Source: Code function: 24_2_00983860
Source: Code function: 31_2_00B04F58
Source: Code function: 31_2_00B03865
Source: Code function: 31_2_00B01049
Source: Code function: 35_2_00904F58
Source: Code function: 35_2_00903860
Source: Code function: 36_2_00C14F58
Source: Code function: 36_2_00C13860
Source: Dropped File
Source: Binary or memory string
Source: Static PE information
Source: Cryptographic APIs
Source: Base64 encoded string