Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe
Analysis ID:	1428437
MD5:	b696181ac3dcb8cf23d3ac6c0dafed12
SHA1:	a95f75df30086eca2ae0c72b0681ceae1507a41d
SHA256:	487f4df71699ada1abc071283823f9f248238e0033c596ec9c50cdb4e1a102c3
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Detected potential crypto function

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe (PID: 3784 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe" MD5: B696181AC3DCB8CF23D3AC6C0DAFED12)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe.1ff84540000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

ReversingLabs: Detection: 65%

Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Michael\Documents\Visual Studio 2005\Projects\stockChartUserUpdate2017\obj\Debug\stockChartUserUpdate.pdb source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Networking

Yara detected Generic Downloader

Source: Yara match	File source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe.1ff84540000.0.unpack, type: UNPACKEDPE

Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	String found in binary or memory: http://itax.twca.com.tw/ecplus/ecplus_UCA_2018_sha1.crl0_
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	String found in binary or memory: http://itax.twca.com.tw/xmlrca/TaiCARootCA_2012.crl0
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, 00000000.00000002.3256414378.000001FF86331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://stock88168.500.com.tw//aps//
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, 00000000.00000002.3256414378.000001FF86331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.stock5168.n9s.com//aps//
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, 00000000.00000002.3256414378.000001FF86331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.stock88168.com.tw//aps//
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	String found in binary or memory: http://www.stock88168.com.tw//aps//Ghttp://www.stock5168.n9s.com//aps//Ghttp://stock88168.500.com.tw
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	String found in binary or memory: http://www.stock88168.com.tw//program//ShowMyPC1.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	String found in binary or memory: http://www.twca.com.tw/0
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	String found in binary or memory: https://www.stock881688.com.tw/
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	String found in binary or memory: https://www.twca.com.tw/0L

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Code function: 0_2_00007FF848F10B5D

0_2_00007FF848F10B5D

Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Static PE information: invalid certificate

Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, 00000000.00000000.2004352849.000001FF8454A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamestockChartUserUpdate.exe" vs SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Binary or memory string: OriginalFilenamestockChartUserUpdate.exe" vs SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Source: classification engine

Classification label: mal60.troj.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Mutant created: NULL

Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Section loaded: wintypes.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\Michael\Documents\Visual Studio 2005\Projects\stockChartUserUpdate2017\obj\Debug\stockChartUserUpdate.pdb source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Memory allocated: 1FF84880000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Memory allocated: 1FF9E330000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	66%	ReversingLabs	ByteCode-MSIL.Ransomware.Crypren
SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	100%	Avira	TR/Crypren.jinae

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.stock5168.n9s.com//aps//	SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, 00000000.00000002.3256414378.000001FF86331000.00000004.00000800.00020000.00000000.sdmp	false	high
http://itax.twca.com.tw/xmlrca/TaiCARootCA_2012.crl0	SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	false	unknown
http://www.twca.com.tw/0	SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	false	unknown
http://itax.twca.com.tw/ecplus/ecplus_UCA_2018_sha1.crl0_	SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	false	unknown
http://www.stock88168.com.tw//aps//	SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, 00000000.00000002.3256414378.000001FF86331000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.twca.com.tw/0L	SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	false	unknown
http://www.stock88168.com.tw//program//ShowMyPC1.exe	SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	false	unknown
http://stock88168.500.com.tw//aps//	SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, 00000000.00000002.3256414378.000001FF86331000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://www.stock88168.com.tw//aps//Ghttp://www.stock5168.n9s.com//aps//Ghttp://stock88168.500.com.tw	SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	false	unknown
https://www.stock881688.com.tw/	SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428437
Start date and time:	2024-04-18 23:31:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe
Detection:	MAL
Classification:	mal60.troj.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 9 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, PID 3784 because it is empty
VT rate limit hit for: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.785185552621054
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe
File size:	54'760 bytes
MD5:	b696181ac3dcb8cf23d3ac6c0dafed12
SHA1:	a95f75df30086eca2ae0c72b0681ceae1507a41d
SHA256:	487f4df71699ada1abc071283823f9f248238e0033c596ec9c50cdb4e1a102c3
SHA512:	3fd5e0ccca8cb5ab7692a9c11c4249766f1e36d23a24d5b8c7398202fc614c45857cead23f80e68cbe2d206bb6c1afebc95b91c6cafebd6e40af400a8dd567d5
SSDEEP:	768:rFiF95SufAKLJ48ms1u4SSFLgSvD2cBSzeq/YcaPCIA+jkNlTb:QJszequK1HNb
TLSH:	E4337B4323EE1317FABA17FD49E094295F70E166EC81EB5E381C54E82B237959B40E1B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Qe.........."...0..p...0........... ........... ..............................?.....`................................

File Icon


Icon Hash:	6c626353256262b2

Static PE Info

General

Entrypoint:	0x11008816
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x11000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6551E489 [Mon Nov 13 08:55:37 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=TaiCA Secure CA, OU=Certification Service Provider, O=TAIWAN-CA.COM Inc., C=TW
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	20/12/2022 01:44:23 17/01/2024 16:59:59
Subject Chain	E=@@, CN=B122018080, OU=The Capital Group, OU=RA-TheCapital, O=Certification Service Provider, O=TaiCA Secure CA, C=TW
Version:	3
Thumbprint MD5:	EFD39909A096EAA2A075DC0BD42150C0
Thumbprint SHA-1:	DE2BA519DCB4F4659135E49D42BFEE4140CA3E4C
Thumbprint SHA-256:	83C276FE5020BD1D50B412E0A6A30AC8781DFE82DDE619174E284774F1839880
Serial:	7EAC7FBF

Entrypoint Preview

Instruction
jmp dword ptr [11002000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x87c4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x1d30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xb000	0x25e8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x868c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x681c	0x7000	469018cbe177436e1d37cf425bfb0b99	False	0.41796875	data	5.726790140605667	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x1d30	0x2000	ebbfbcee161da4c73a8a5d72b7025a61	False	0.4444580078125	data	6.3795842109194645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc000	0xc	0x1000	8174595332082d1f42dad937dae3d7e5	False	0.008544921875	data	0.013126943721219527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa100	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200	0.5265432098765432
RT_GROUP_ICON	0xadb8	0x14	data	1.15
RT_VERSION	0xaddc	0x33a	data	0.4213075060532688
RT_MANIFEST	0xb128	0xc03	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.4627642276422764

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exePID: 3784, Parent PID: 1028

General

Target ID:	0
Start time:	23:31:55
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe"
Imagebase:	0x1ff84540000
File size:	54'760 bytes
MD5 hash:	B696181AC3DCB8CF23D3AC6C0DAFED12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exePID: 3784, Parent PID: 1028COMMON

Executed Functions

Function 00007FF848F10B5D Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258352619.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490eaec030b93641740eb72c7ca15f5bd18c2a2243eab516a732a1e833319677
Instruction ID: 250f8deeb5c0cb38e2f522bb4ac2a538cf7c7fb92751c8979df154601e9c7e4e
Opcode Fuzzy Hash: 490eaec030b93641740eb72c7ca15f5bd18c2a2243eab516a732a1e833319677
Instruction Fuzzy Hash: DE227230A19A8ECFDB89EF18C454AA577F1FF59344F2445BAD409CB296CF36A842CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F13441 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258352619.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928ea0d6eb40737a09ab7d935cff7767324b2a4376a36da463faa8be3c17755d
Instruction ID: ddcd450bff0c030279d1a2b6f3094013004e176ae975d83117b07bfebd95721a
Opcode Fuzzy Hash: 928ea0d6eb40737a09ab7d935cff7767324b2a4376a36da463faa8be3c17755d
Instruction Fuzzy Hash: 37A18F30A18A5D8FDB94EF18C894BA9B3B5FF69301F5151E5A40DD72A6CB70EE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F11F0C Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258352619.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc6a4a8998ec71bddc08a27ed7f7dc6bb7d765608575e50c1c000b5519ecd8f
Instruction ID: 969bbe38a4a8d2f1f79f868c44a89e14d885bdda7c8d17154b36e7d6b4fa9e3a
Opcode Fuzzy Hash: cbc6a4a8998ec71bddc08a27ed7f7dc6bb7d765608575e50c1c000b5519ecd8f
Instruction Fuzzy Hash: FC811770A09A5D8FDB98EF18C894BA9B3B1FF99304F5401A9D40DD7296CF35AD82CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F12AE2 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258352619.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f904dace425b5b76c77af907d0617e80638518db9b5262d79d2c9676cd35a6a9
Instruction ID: 0ddcfb9a020d7e1a59c3b860f7ffab0b6fe5f1a68d8142f341f1ab6b30ad2e94
Opcode Fuzzy Hash: f904dace425b5b76c77af907d0617e80638518db9b5262d79d2c9676cd35a6a9
Instruction Fuzzy Hash: 67711930A19A5A8FDB99EF28C895BA973B1FF58740F5505B8E40DC7292CE35ED81CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F11DAA Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258352619.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1893f9fa47ee6ea2b776ee89f7adf43e757a9ff34c80b0c1370151e804fbc602
Instruction ID: dc80a7cd1c615ca10d28b261fc6ec7ac949e2cdb6595d7f38170122671af390f
Opcode Fuzzy Hash: 1893f9fa47ee6ea2b776ee89f7adf43e757a9ff34c80b0c1370151e804fbc602
Instruction Fuzzy Hash: 7F410D7192A95A9FEBD9EF18C8516EAB3B1FF58744F0042B5D00DD3286DF34AE818B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F14CC9 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258352619.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75081cbaefc96dfcae4511920da21689b5ae09f3936ff501ba2d4212ea94c02b
Instruction ID: 844dc7597324302e915d193ca2291814093d95059a647dac14680f5d7c20b842
Opcode Fuzzy Hash: 75081cbaefc96dfcae4511920da21689b5ae09f3936ff501ba2d4212ea94c02b
Instruction Fuzzy Hash: BB312A30908A4D8FDF95EF68D454AE97BF1FF6A341F1400AAD408E7292DB759885CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1067D Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258352619.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0352f0eda5538e9b39ef4653bddbc5f7a6a4c46e22a8c5242899bbdabdea56b3
Instruction ID: 37e3e3a443cdd3340d4d05190b6f46398334e318285f6041d1758c38509d4c87
Opcode Fuzzy Hash: 0352f0eda5538e9b39ef4653bddbc5f7a6a4c46e22a8c5242899bbdabdea56b3
Instruction Fuzzy Hash: A421BF3290C51D8FDB45FB18D4A56F9B3A1FB99350F04017AD00AE21C2DF6498408B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F13739 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258352619.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0daa6a9559463b34d58987021d8ec49a3c237e184f639ea83d8f20f3b28c60ff
Instruction ID: 7d23f3e02fa247662407f6472bf9b60a9e798a88005085a3bf8450245f2a3dae
Opcode Fuzzy Hash: 0daa6a9559463b34d58987021d8ec49a3c237e184f639ea83d8f20f3b28c60ff
Instruction Fuzzy Hash: D6114F70A08A4E8FDB84EF18D850BA973A1FF99340F5154A4E40DCB6D6CB75AC81CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F11A34 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258352619.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77b47ba51cc3c6ca837d764ab190ade0440022e81131e185974cdb79661c123
Instruction ID: a2c1a2879f370daddea393fc1a43d8fb280c78017653b75eac6b4f269b7c96b5
Opcode Fuzzy Hash: a77b47ba51cc3c6ca837d764ab190ade0440022e81131e185974cdb79661c123
Instruction Fuzzy Hash: 56E01A30E1992D9EDBA9EB1888557E8B7B2FB1C740F4006E9809DE22D6DE341D818B04

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exePID: 3784, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exePID: 3784, Parent PID: 1028COMMON

Executed Functions

Function 00007FF848F10B5D Relevance: .6, Instructions: 607COMMON

Function 00007FF848F13441 Relevance: .3, Instructions: 272COMMON

Windows Analysis Report
SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe