Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe
Analysis ID: 1428520
MD5: 7482be7c2a16e99a446247d1565c712b
SHA1: c461c7c5dd1db679a0273ba4748365514ceeba35
SHA256: 83e35edc0fd7e57ec7cebdaa269cb563ad49180fe01ad9e0fb417ce06f2bd6e7
Tags: exe

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
PE file contains an invalid checksum
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Static PE information: certificate valid
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Code function: 0_2_00405D07 FindFirstFileA,FindClose, 0_2_00405D07
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405331
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe String found in binary or memory: http://ocsps.ssl.com0
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe String found in binary or memory: http://ocsps.ssl.com0?
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe String found in binary or memory: http://sslcom.crl.certum.pl/ctnca.crl0s
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe String found in binary or memory: http://sslcom.ocsp-certum.com08
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe String found in binary or memory: http://sslcom.repository.certum.pl/ctnca.cer0:
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe String found in binary or memory: https://www.certum.pl/CPS0
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe String found in binary or memory: https://www.ssl.com/repository0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Code function: 0_2_00404EE8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404EE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Code function: 0_2_004030FA EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Code function: 0_2_00406128 0_2_00406128
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Code function: 0_2_004046F9 0_2_004046F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Code function: 0_2_004068FF 0_2_004068FF
Source: classification engine Classification label: clean4.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Code function: 0_2_004041FC GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004041FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar, 0_2_00402020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe File created: C:\Users\user\AppData\Local\Temp\nsf620B.tmp
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405D2E
Source: SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Static PE information: checksum stored in the PE header: 0xe26bd, checksum computed over the file: 0xe2b3d
Source: System.dll.0.dr Static PE information: checksum stored in the PE header: 0x0 (field never set by the linker), checksum computed over the file: 0xa27d
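The two checksum lines above put the value stored in the optional header's CheckSum field beside the value computed over the file. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that implements the PE checksum algorithm applied by MapFileAndCheckSum (little-endian 32-bit word sum with end-around carry, the CheckSum field itself skipped, fold to 16 bits, add the file length) and runs it against a constructed 0xA0-byte MZ/PE stub; the stub, the 0xDEADBEEF placeholder and the function names are assumptions for illustration, not data from the report. It also tells the System.dll case apart from a real mismatch: a stored 0x0 means the linker never filled the field, which is common because Windows only checks the field at load time for drivers, boot-time DLLs and DLLs loaded into critical system processes, so a wrong checksum in a user-mode NSIS installer is a weak signal on its own.

```python
import struct

# Offset of the CheckSum field inside IMAGE_OPTIONAL_HEADER (same for PE32 and PE32+).
OPT_HDR_CHECKSUM_OFFSET = 0x40


def _checksum_field_offset(data: bytes) -> int:
    """Return the file offset of the optional header's CheckSum field."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # 4-byte signature + 20-byte IMAGE_FILE_HEADER, then the optional header
    return e_lfanew + 4 + 20 + OPT_HDR_CHECKSUM_OFFSET


def stored_checksum(data: bytes) -> int:
    """The value the linker (or nobody) wrote into the CheckSum field."""
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def pe_checksum(data: bytes) -> int:
    """PE image checksum as MapFileAndCheckSum computes it: sum the file as
    little-endian 32-bit words with end-around carry, skipping the CheckSum
    field, fold the result to 16 bits, then add the file length."""
    skip = _checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)   # zero-pad to a word boundary
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:                   # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def verify(data: bytes) -> dict:
    """Compare the header value with the computed one the way the report does."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    if stored == 0:
        status = "unset"        # linker never filled the field (the System.dll case)
    elif stored == computed:
        status = "ok"
    else:
        status = "mismatch"     # modified after linking, or never valid to begin with
    return {"stored": stored, "computed": computed, "status": status}


def build_sample(stored: int) -> bytes:
    """Constructed 0xA0-byte MZ/PE stub (an assumption, not a real binary):
    just enough header to locate the CheckSum field, plus one 0xFFFFFFFF
    word so the carry-fold path is exercised."""
    buf = bytearray(0xA0)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)        # e_lfanew: PE header at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x014C, 1)  # Machine=i386, NumberOfSections=1
    struct.pack_into("<I", buf, 0x98, stored)      # CheckSum field: 0x40 + 4 + 20 + 0x40
    buf[0x9C:0xA0] = b"\xff\xff\xff\xff"
    return bytes(buf)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                           # verify a real file from disk
        with open(sys.argv[1], "rb") as fh:
            print(verify(fh.read()))
    else:                                           # demo on the constructed stub
        for value in (0xDEADBEEF, 0x0, 0xA1CA):
            print(hex(value), verify(build_sample(value)))
```

Run it with the path of a PE file to reproduce the report's pair of values for that file; the computed value is independent of whatever sits in the CheckSum field, which is why the stub yields the same result for 0xDEADBEEF and 0x0. `pefile`'s `PE.generate_checksum()` and `PE.verify_checksum()` implement the same algorithm and serve as a cross-check.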
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Code function: 0_2_10002A10 push eax; ret 0_2_10002A3E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe File created: C:\Users\user\AppData\Local\Temp\nsf620C.tmp\System.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf620C.tmp\System.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71996476.31717.4987.exe Code function: 0_2_00405A2E GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405A2E
No contacted IP infos