Windows Analysis Report
SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe
Analysis ID: 1428437
MD5: b696181ac3dcb8cf23d3ac6c0dafed12
SHA1: a95f75df30086eca2ae0c72b0681ceae1507a41d
SHA256: 487f4df71699ada1abc071283823f9f248238e0033c596ec9c50cdb4e1a102c3
Tags: exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Detected potential crypto function
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info

Classification

AV Detection

Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Avira: detected
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe ReversingLabs: Detection: 65%
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Michael\Documents\Visual Studio 2005\Projects\stockChartUserUpdate2017\obj\Debug\stockChartUserUpdate.pdb source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Networking

Source: Yara match File source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, type: SAMPLE
Source: Yara match File source: 0.0.SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe.1ff84540000.0.unpack, type: UNPACKEDPE
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe String found in binary or memory: http://itax.twca.com.tw/ecplus/ecplus_UCA_2018_sha1.crl0_
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe String found in binary or memory: http://itax.twca.com.tw/xmlrca/TaiCARootCA_2012.crl0
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, 00000000.00000002.3256414378.000001FF86331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://stock88168.500.com.tw//aps//
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, 00000000.00000002.3256414378.000001FF86331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.stock5168.n9s.com//aps//
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, 00000000.00000002.3256414378.000001FF86331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.stock88168.com.tw//aps//
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe String found in binary or memory: http://www.stock88168.com.tw//aps//Ghttp://www.stock5168.n9s.com//aps//Ghttp://stock88168.500.com.tw
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe String found in binary or memory: http://www.stock88168.com.tw//program//ShowMyPC1.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe String found in binary or memory: http://www.twca.com.tw/0
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe String found in binary or memory: https://www.stock881688.com.tw/
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe String found in binary or memory: https://www.twca.com.tw/0L
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Code function: 0_2_00007FF848F10B5D 0_2_00007FF848F10B5D
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Static PE information: invalid certificate
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, 00000000.00000000.2004352849.000001FF8454A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamestockChartUserUpdate.exe" vs SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Binary or memory string: OriginalFilenamestockChartUserUpdate.exe" vs SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe
Source: classification engine Classification label: mal60.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Mutant created: NULL
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Section loaded: wintypes.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Memory allocated: 1FF84880000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Memory allocated: 1FF9E330000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos