Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe
Analysis ID:1428928
MD5:e8e8efc99eb20de4fbe6201ad6f64185
SHA1:1b89bfa89b26e943d54851ba9dd7214c8570aef3
SHA256:15d69ab1d05e98c462782c0af121990bc1bffa67593d3cb8b731e135f2210bb1
Tags:exe
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
PE file contains section with special chars
Entry point lies outside standard sections
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe" MD5: E8E8EFC99EB20DE4FBE6201AD6F64185)
    • conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeReversingLabs: Detection: 31%
Machine Learning detection for sample
Source: SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeJoe Sandbox ML: detected
Source: SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

System Summary

barindex
PE file contains section with special chars
Source: SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeStatic PE information: section name: .Ii(
Source: SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeStatic PE information: section name: .FN"
Source: classification engineClassification label: mal56.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeReversingLabs: Detection: 31%
Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeSection loaded: d3d9.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeSection loaded: d3dx11_43.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeSection loaded: wldp.dllJump to behavior
Source: SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeStatic file information: File size 16835584 > 1048576
Source: SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeStatic PE information: Raw size of .I0h is bigger than: 0x100000 < 0x100b200
Source: SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: initial sampleStatic PE information: section where entry point is pointing to: .I0h
Source: SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeStatic PE information: section name: .Ii(
Source: SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeStatic PE information: section name: .FN"
Source: SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exeStatic PE information: section name: .I0h
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
Process Injection		1
Process Injection		OS Credential Dumping1
System Information Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
DLL Side-Loading		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe32%ReversingLabsWin64.Trojan.Generic
SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1428928
Start date and time:2024-04-19 21:27:09 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 7s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:9
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe
Detection:MAL
Classification:mal56.winEXE@2/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe

Warnings

  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):7.863059811750102
TrID:
  • Win64 Executable Console (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe
File size:16'835'584 bytes
MD5:e8e8efc99eb20de4fbe6201ad6f64185
SHA1:1b89bfa89b26e943d54851ba9dd7214c8570aef3
SHA256:15d69ab1d05e98c462782c0af121990bc1bffa67593d3cb8b731e135f2210bb1
SHA512:17492550bd4d510fdba13813ba304389e82087e55e538a5fcf104b667848800b171448381cd3a4f146ae39a135e76076762867708eb744d7374756bf0b5c4923
SSDEEP:393216:Dqrx9fConYWF2giSe4tq806qmNPokhFcUS:DuhCoIgiHSqDk7S
TLSH:650723C1BEC9E2F4D5D599302983539971DB32EA81BFCD8E39C68C032950D398D1E6A7
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....].f.........."....'.`............G........@..........................................`................................

File Icon

Icon Hash:00928e8e8686b000

Static PE Info

General

Entrypoint:0x14147e60d
Entrypoint Section:.I0h
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x660C5DC9 [Tue Apr 2 19:34:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:bf4add444450dc805046132a4aed610d

Entrypoint Preview

Instruction
push ecx
dec eax
mov ecx, 11217899h
stosd
pop ss
aaa
rcr dword ptr [edx+edx*8-56367F1Fh], 48h
shr ecx, FFFFFFC7h
setbe cl
dec eax
mov ecx, dword ptr [esp+08h]
dec eax
mov dword ptr [esp+08h], 6270844Ch
push dword ptr [esp+00h]
popfd
dec eax
lea esp, dword ptr [esp+08h]
call 00007F729D82CD68h
jnbe 00007F729D26FE5Bh
test eax, 0F98A058h
jmp 00007F72D00ADDE9h
wait
mov edx, ebx
lodsd
pop edi
xchg eax, ebx
add ecx, dword ptr [edx-70h]
xchg bl, ah
lds ecx, fword ptr [esi]
dec eax
xchg byte ptr [esp+esi*8+5F88396Ch], dh
jle 00007F729D26FDE9h
and eax, 74A3A02Bh
pop ebp
jecxz 00007F729D26FE09h
dec ebx
pop ebx
mov al, byte ptr [A175B6A6h]
xlatb
pop edi
out dx, al
xchg eax, edi
sbb al, ADh
sub al, byte ptr [ebx]
add dword ptr [ecx+27h], esi
push 5052E054h
or edx, esp
in al, 15h
rcr dword ptr [ebx], FFFFFFB6h
lds ecx, fword ptr [ecx-5Ch]
cmp dl, cl
inc eax
xchg eax, edi
movsb
aam 46h
int3
lodsb
push edx
shl dword ptr [edi], cl
mov ch, ADh
pop esi
ret
adc ch, bh
outsd
and ecx, dword ptr [edi+720AAE13h]
popad
mov al, E2h
enter 0A6Ch, 9Fh
sbb esi, dword ptr [edi+31762855h]
call far B95Eh : 8E7FA49Eh
adc ecx, ebx
idiv dword ptr [edi+ecx*2]
cdq
or eax, 090CC5F5h
push ecx
adc byte ptr [ecx+79h], dl
pushfd
or dword ptr [ecx+10h], edx
and eax, 000CE716h

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x14e50f00x258.I0h
IMAGE_DIRECTORY_ENTRY_RESOURCE0x1b6f0000x1e0.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x1b631200x9f54.I0h
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x1b6e0000x11c.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x16d0d400x28.I0h
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x1b62fe00x140.I0h
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0xb5f0000x1f8.FN"
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000xb5f780x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0xb70000x27d360x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0xdf0000x1c13a80x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata0x2a10000x75f00x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.Ii(0x2a90000x8b58170x0d41d8cd98f00b204e9800998ecf8427eunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.FN"0xb5f0000x28740x2a003362b290d70b2ea4d3abd05ee0ccbe02False0.022042410714285716data0.15620448838531284IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.I0h0xb620000x100b0740x100b200a133a713e0008c17ee9aeef05d75d2f8unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc0x1b6e0000x11c0x200f1c851c28eb1acd229d01e8d40f15256False0.416015625data2.7518397691242864IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc0x1b6f0000x1e00x200b3c427311151b1df1cbca3ce319cd668False0.541015625data4.780283563595412IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountryZLIB Complexity
RT_MANIFEST0x1b6f0580x188XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5892857142857143

Imports

DLLImport
KERNEL32.dllGetFileType
USER32.dllLoadCursorW
SHELL32.dllShellExecuteW
dwmapi.dllDwmExtendFrameIntoClientArea
MSVCP140.dll?setf@ios_base@std@@QEAAHHH@Z
IMM32.dllImmReleaseContext
d3d9.dllDirect3DCreate9Ex
d3dx11_43.dllD3DX11CreateShaderResourceViewFromMemory
CRYPT32.dllCertAddCertificateContextToStore
Normaliz.dllIdnToAscii
WLDAP32.dll
WS2_32.dllclosesocket
RPCRT4.dllUuidToStringA
PSAPI.DLLGetModuleInformation
VCRUNTIME140_1.dll__CxxFrameHandler4
VCRUNTIME140.dll__std_exception_copy
api-ms-win-crt-heap-l1-1-0.dllrealloc
api-ms-win-crt-runtime-l1-1-0.dllabort
api-ms-win-crt-stdio-l1-1-0.dllsetvbuf
api-ms-win-crt-utility-l1-1-0.dllqsort
api-ms-win-crt-string-l1-1-0.dllstrspn
api-ms-win-crt-convert-l1-1-0.dllstrtol
api-ms-win-crt-math-l1-1-0.dllfmodf
api-ms-win-crt-time-l1-1-0.dll_time64
api-ms-win-crt-filesystem-l1-1-0.dll_access
api-ms-win-crt-locale-l1-1-0.dlllocaleconv
ADVAPI32.dllCryptDestroyKey
KERNEL32.dllGetSystemTimeAsFileTime
KERNEL32.dllHeapAlloc, HeapFree, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress

Possible Origin

Language of compilation systemCountry where language is spokenMap
EnglishUnited States

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:21:28:04
Start date:19/04/2024
Path:C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.6353.14933.exe"
Imagebase:0x7ff695f40000
File size:16'835'584 bytes
MD5 hash:E8E8EFC99EB20DE4FBE6201AD6F64185
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

General

Target ID:2
Start time:21:28:04
Start date:19/04/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Disassembly

No disassembly