Windows
Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe
Overview
General Information
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe" MD5: E8E8EFC99EB20DE4FBE6201AD6F64185)
  - conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
System Summary |
---|
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Process created: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Last function: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 32% | ReversingLabs | Win64.Trojan.Generic | |
| 100% | Joe Sandbox ML | | |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1428928 |
Start date and time: | 2024-04-19 21:27:09 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 7s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe |
Detection: | MAL |
Classification: | mal56.winEXE@2/0@0/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- VT rate limit hit for: SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe
File type: | |
Entropy (8bit): | 7.863059811750102 |
TrID: | |
File name: | SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe |
File size: | 16'835'584 bytes |
MD5: | e8e8efc99eb20de4fbe6201ad6f64185 |
SHA1: | 1b89bfa89b26e943d54851ba9dd7214c8570aef3 |
SHA256: | 15d69ab1d05e98c462782c0af121990bc1bffa67593d3cb8b731e135f2210bb1 |
SHA512: | 17492550bd4d510fdba13813ba304389e82087e55e538a5fcf104b667848800b171448381cd3a4f146ae39a135e76076762867708eb744d7374756bf0b5c4923 |
SSDEEP: | 393216:Dqrx9fConYWF2giSe4tq806qmNPokhFcUS:DuhCoIgiHSqDk7S |
TLSH: | 650723C1BEC9E2F4D5D599302983539971DB32EA81BFCD8E39C68C032950D398D1E6A7 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....].f.........."....'.`............G........@..........................................`................................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x14147e60d |
Entrypoint Section: | .I0h |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x660C5DC9 [Tue Apr 2 19:34:33 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | bf4add444450dc805046132a4aed610d |
Instruction |
---|
push ecx |
dec eax |
mov ecx, 11217899h |
stosd |
pop ss |
aaa |
rcr dword ptr [edx+edx*8-56367F1Fh], 48h |
shr ecx, FFFFFFC7h |
setbe cl |
dec eax |
mov ecx, dword ptr [esp+08h] |
dec eax |
mov dword ptr [esp+08h], 6270844Ch |
push dword ptr [esp+00h] |
popfd |
dec eax |
lea esp, dword ptr [esp+08h] |
call 00007F729D82CD68h |
jnbe 00007F729D26FE5Bh |
test eax, 0F98A058h |
jmp 00007F72D00ADDE9h |
wait |
mov edx, ebx |
lodsd |
pop edi |
xchg eax, ebx |
add ecx, dword ptr [edx-70h] |
xchg bl, ah |
lds ecx, fword ptr [esi] |
dec eax |
xchg byte ptr [esp+esi*8+5F88396Ch], dh |
jle 00007F729D26FDE9h |
and eax, 74A3A02Bh |
pop ebp |
jecxz 00007F729D26FE09h |
dec ebx |
pop ebx |
mov al, byte ptr [A175B6A6h] |
xlatb |
pop edi |
out dx, al |
xchg eax, edi |
sbb al, ADh |
sub al, byte ptr [ebx] |
add dword ptr [ecx+27h], esi |
push 5052E054h |
or edx, esp |
in al, 15h |
rcr dword ptr [ebx], FFFFFFB6h |
lds ecx, fword ptr [ecx-5Ch] |
cmp dl, cl |
inc eax |
xchg eax, edi |
movsb |
aam 46h |
int3 |
lodsb |
push edx |
shl dword ptr [edi], cl |
mov ch, ADh |
pop esi |
ret |
adc ch, bh |
outsd |
and ecx, dword ptr [edi+720AAE13h] |
popad |
mov al, E2h |
enter 0A6Ch, 9Fh |
sbb esi, dword ptr [edi+31762855h] |
call far B95Eh : 8E7FA49Eh |
adc ecx, ebx |
idiv dword ptr [edi+ecx*2] |
cdq |
or eax, 090CC5F5h |
push ecx |
adc byte ptr [ecx+79h], dl |
pushfd |
or dword ptr [ecx+10h], edx |
and eax, 000CE716h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14e50f0 | 0x258 | .I0h |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1b6f000 | 0x1e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1b63120 | 0x9f54 | .I0h |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1b6e000 | 0x11c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x16d0d40 | 0x28 | .I0h |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1b62fe0 | 0x140 | .I0h |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb5f000 | 0x1f8 | .FN" |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xb5f78 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xb7000 | 0x27d36 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xdf000 | 0x1c13a8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x2a1000 | 0x75f0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.Ii( | 0x2a9000 | 0x8b5817 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.FN" | 0xb5f000 | 0x2874 | 0x2a00 | 3362b290d70b2ea4d3abd05ee0ccbe02 | False | 0.022042410714285716 | data | 0.15620448838531284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.I0h | 0xb62000 | 0x100b074 | 0x100b200 | a133a713e0008c17ee9aeef05d75d2f8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.reloc | 0x1b6e000 | 0x11c | 0x200 | f1c851c28eb1acd229d01e8d40f15256 | False | 0.416015625 | data | 2.7518397691242864 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x1b6f000 | 0x1e0 | 0x200 | b3c427311151b1df1cbca3ce319cd668 | False | 0.541015625 | data | 4.780283563595412 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x1b6f058 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143 |
DLL | Import |
---|---|
KERNEL32.dll | GetFileType |
USER32.dll | LoadCursorW |
SHELL32.dll | ShellExecuteW |
dwmapi.dll | DwmExtendFrameIntoClientArea |
MSVCP140.dll | ?setf@ios_base@std@@QEAAHHH@Z |
IMM32.dll | ImmReleaseContext |
d3d9.dll | Direct3DCreate9Ex |
d3dx11_43.dll | D3DX11CreateShaderResourceViewFromMemory |
CRYPT32.dll | CertAddCertificateContextToStore |
Normaliz.dll | IdnToAscii |
WLDAP32.dll | |
WS2_32.dll | closesocket |
RPCRT4.dll | UuidToStringA |
PSAPI.DLL | GetModuleInformation |
VCRUNTIME140_1.dll | __CxxFrameHandler4 |
VCRUNTIME140.dll | __std_exception_copy |
api-ms-win-crt-heap-l1-1-0.dll | realloc |
api-ms-win-crt-runtime-l1-1-0.dll | abort |
api-ms-win-crt-stdio-l1-1-0.dll | setvbuf |
api-ms-win-crt-utility-l1-1-0.dll | qsort |
api-ms-win-crt-string-l1-1-0.dll | strspn |
api-ms-win-crt-convert-l1-1-0.dll | strtol |
api-ms-win-crt-math-l1-1-0.dll | fmodf |
api-ms-win-crt-time-l1-1-0.dll | _time64 |
api-ms-win-crt-filesystem-l1-1-0.dll | _access |
api-ms-win-crt-locale-l1-1-0.dll | localeconv |
ADVAPI32.dll | CryptDestroyKey |
KERNEL32.dll | GetSystemTimeAsFileTime |
KERNEL32.dll | HeapAlloc, HeapFree, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Target ID: | 0 |
Start time: | 21:28:04 |
Start date: | 19/04/2024 |
Path: | C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff695f40000 |
File size: | 16'835'584 bytes |
MD5 hash: | E8E8EFC99EB20DE4FBE6201AD6F64185 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 2 |
Start time: | 21:28:04 |
Start date: | 19/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6ee680000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |