Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe
Analysis ID:	1429005
MD5:	a55b12fe926fe729cab1e8a49ef53dd7
SHA1:	b54c1d78895dbcf36ecb2c449fd5cddedfcda956
SHA256:	6945efb2872ae57d20573a8ad5e99a0b8ecfa6120435262f58d706caa61b2d84
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to inject threads in other processes

Detected potential crypto function

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe (PID: 5064 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe" MD5: A55B12FE926FE729CAB1E8A49EF53DD7)

conhost.exe (PID: 4768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe

ReversingLabs: Detection: 18%

Source: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe	Code function: 0_2_00007FF71AE14750		0_2_00007FF71AE14750
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe	Code function: 0_2_00007FF71AE15930		0_2_00007FF71AE15930

Source: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe

Static PE information: Number of sections : 20 > 10

Source: classification engine

Classification label: mal52.evad.winEXE@2/1@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe

Code function: 0_2_00007FF71AE115F0 CreateToolhelp32Snapshot,Process32First,CloseHandle,FindCloseChangeNotification,

0_2_00007FF71AE115F0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_03

Source: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe	Static PE information: section name: .xdata
Source: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe	Static PE information: section name: /4
Source: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe	Static PE information: section name: /19
Source: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe	Static PE information: section name: /31
Source: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe	Static PE information: section name: /45
Source: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe	Static PE information: section name: /57
Source: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe	Static PE information: section name: /70
Source: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe	Static PE information: section name: /81
Source: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe	Static PE information: section name: /97
Source: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe	Static PE information: section name: /113

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe

Process information queried: ProcessInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe	Code function: 0_2_00007FF71AE11180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,	0_2_00007FF71AE11180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe	Code function: 0_2_00007FF71AE1F358 SetUnhandledExceptionFilter,TlsGetValue,	0_2_00007FF71AE1F358
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe	Code function: 0_2_00007FF71AE11F61 SetUnhandledExceptionFilter,	0_2_00007FF71AE11F61

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe

Code function: 0_2_00007FF71AE11806 SetConsoleTitleA,SetConsoleTitleA,GetStdHandle,SetConsoleTextAttribute,SetConsoleTextAttribute,SetConsoleCtrlHandler,Sleep,SleepEx,SetConsoleTextAttribute,SetConsoleTextAttribute,GetCurrentDirectoryA,fopen,SetConsoleTextAttribute,SetConsoleTextAttribute,SetConsoleTextAttribute,getchar,_fgetchar,OpenProcess,SetConsoleTextAttribute,getchar,strlen,VirtualAllocEx,SetConsoleTextAttribute,getchar,strlen,WriteProcessMemory,SetConsoleTextAttribute,getchar,GetModuleHandleA,GetProcAddress,CreateRemoteThread,SetConsoleTextAttribute,getchar,CloseHandle,VirtualFreeEx,OpenProcess,WaitForSingleObject,SetConsoleTextAttribute,CloseHandle,getchar,

0_2_00007FF71AE11806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	11 Process Injection	11 Process Injection	OS Credential Dumping	2 Process Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe	18%	ReversingLabs	Win64.Trojan.Generic

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429005
Start date and time:	2024-04-20 01:32:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe
Detection:	MAL
Classification:	mal52.evad.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.8686608475575435
Encrypted:	false
SSDEEP:	3:wPLsFgWMND9I2TG584Za7I9+SZMLDnNv:wPLsFgWOa2O8B7IPMnnNv
MD5:	3486D9F186227928FD5F839525883943
SHA1:	4625A1FB2EA090B40299C5083D1A98432D07E70A
SHA-256:	B54F05208EA30042B495E72F4BE4007C777F840C09CA36C2CEA3F5655DFC0DD6
SHA-512:	6E2412BAE9512EDD76153A8705443B14F782E63CC761941DE05E99C1901D8D886698F5C49293D7AFE9CC107F4179BF6E9861A4F3ACC890444B0D5DFCE058A252
Malicious:	false
Reputation:	low
Preview:	[] Waiting for Rustclient.exe.....[] Successfully got PID: 0..[!] Couldn't Find Smeg?...

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	5.822891632607638
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe
File size:	262'755 bytes
MD5:	a55b12fe926fe729cab1e8a49ef53dd7
SHA1:	b54c1d78895dbcf36ecb2c449fd5cddedfcda956
SHA256:	6945efb2872ae57d20573a8ad5e99a0b8ecfa6120435262f58d706caa61b2d84
SHA512:	5597268a45130be61f55b5131509d9592739bd262fba1bcda25b34b0988442ba6f1c85896f59ab5ca054598875f697af86af9147069461d89585fca49aaf6c5d
SSDEEP:	3072:zNtIm4G+xUBPfZY7BFkFifxSwmn1Om1sgIkDHQton1CWFZdr7uDxuz3TsOcrCtnA:8dfxk6gAf6nQS1jFB3TsOcreNBM
TLSH:	16445AC1FBC9ACDAC7155235899F83693338FAD007975B132E2A73341E17AD0AE86647
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....fe.N..d.....&....(.x.....................@............................. ............`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400013f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x656680AF [Wed Nov 29 00:07:11 2023 UTC]
TLS Callbacks:	0x40002110, 0x1, 0x400020e0, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	288919fe5cb331e1097ebdebffe68a14

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [000096A5h]
mov dword ptr [eax], 00000000h
call 00007F3D48679A8Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F3D48680EB4h
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F3D48679CE9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
push ebx
dec eax
sub esp, 38h
dec eax
lea ebp, dword ptr [esp+30h]
dec eax
mov dword ptr [ebp+20h], ecx
dec eax
mov dword ptr [ebp+28h], edx
dec esp
mov dword ptr [ebp+30h], eax
dec esp
mov dword ptr [ebp+38h], ecx
dec eax
lea eax, dword ptr [ebp+28h]
dec eax
mov dword ptr [ebp-10h], eax
dec eax
mov ebx, dword ptr [ebp-10h]
mov ecx, 00000001h
dec eax
mov eax, dword ptr [00007C3Dh]
call eax
dec eax
mov ecx, eax
dec eax
mov eax, dword ptr [ebp+20h]
dec ecx
mov eax, ebx
dec eax
mov edx, eax
call 00007F3D4867B91Eh
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-04h]
dec eax
add esp, 38h
pop ebx
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
dec eax
mov dword ptr [ebp+10h], ecx
dec eax
mov dword ptr [ebp+18h], edx
dec eax
mov edx, dword ptr [ebp+10h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf000	0xaa8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x4e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xc000	0x4bc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13000	0x84	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa360	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf2a8	0x258	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x76f8	0x7800	005588ca27e683100865eca7986f0726	False	0.57255859375	data	6.229149819522027	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x9000	0xd0	0x200	38714103042774f37e8ccd432a423646	False	0.146484375	data	0.9349841751373522	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa000	0x1340	0x1400	82bee0116a8a36cc2a2cfa211cba6e76	False	0.2923828125	data	5.250736990296306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0xc000	0x4bc	0x600	790f5ccc7f710daf35a98ea6aa41a7de	False	0.4264322916666667	data	3.512868987612826	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0xd000	0x480	0x600	e9e47acf8ad6964c9c5f7de43d1e93e1	False	0.283203125	data	3.677201001454678	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0xe000	0xb80	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xf000	0xaa8	0xc00	83a5ba6e65c11bef1f51c06400625e65	False	0.3238932291666667	data	3.7495059248319142	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x10000	0x60	0x200	e88054fd8d8c089af4feb0d63f87d25b	False	0.06640625	data	0.28508543466005165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x11000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x12000	0x4e8	0x600	08d63de6c16dc89e1209ee48225e35df	False	0.3326822916666667	data	4.776848300740951	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x13000	0x84	0x200	aae73d2e989105ed103af7039b04dc37	False	0.255859375	data	1.511514119161658	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/4	0x14000	0x620	0x800	ae82c4c6e8126cb26b24c4bf3d9812d7	False	0.18017578125	data	1.4523370873255197	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x15000	0x11ee2	0x12000	e79e8104b2f027469969d2aac619edf7	False	0.4268663194444444	data	5.7821636287769085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31	0x27000	0x3211	0x3400	23f3f232af3fe16014a06473275aa577	False	0.24489182692307693	data	4.774011686655647	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45	0x2b000	0x690f	0x6a00	dab718e178a2156bd3943121b401fe24	False	0.5267909787735849	data	5.090598659903541	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57	0x32000	0x2120	0x2200	b6fa2b38df37df31df527700e247c2c6	False	0.22093290441176472	data	3.5742441644001346	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70	0x35000	0x39d	0x400	7525f1145b47b06d73d7667bb1386b5f	False	0.435546875	data	4.6233906248986	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/81	0x36000	0x2997	0x2a00	4217cdf4eb7f96986c8617a34ef99f88	False	0.09756324404761904	data	4.743102064571958	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/97	0x39000	0x787d	0x7a00	b6823d3ca099f5facdec927fe3caafb1	False	0.5150806864754098	data	5.824323962581455	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/113	0x41000	0x526	0x600	67efb8bbc40d346fc101be21c97c0d10	False	0.6341145833333334	data	5.267177788741966	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x12058	0x48f	XML 1.0 document, ASCII text			0.40102827763496146

Imports

DLL	Import
KERNEL32.dll	CloseHandle, CreateRemoteThread, CreateToolhelp32Snapshot, DeleteCriticalSection, DeleteFileW, EnterCriticalSection, ExitProcess, GetCurrentDirectoryA, GetLastError, GetModuleHandleA, GetProcAddress, GetStdHandle, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, MultiByteToWideChar, OpenProcess, Process32First, Process32Next, SetConsoleCtrlHandler, SetConsoleTextAttribute, SetConsoleTitleA, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, VirtualAllocEx, VirtualFreeEx, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte, WriteProcessMemory, __C_specific_handler
msvcrt.dll	___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _errno, _fmode, _initterm, _lock, _onexit, _unlock, abort, calloc, exit, fclose, fopen, fprintf, fputc, free, fwrite, getchar, localeconv, malloc, memcpy, memset, signal, strcmp, strerror, strlen, strncmp, vfprintf, wcslen
USER32.dll	MessageBoxA

Target ID:	0
Start time:	01:32:53
Start date:	20/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe"
Imagebase:	0x7ff71ae10000
File size:	262'755 bytes
MD5 hash:	A55B12FE926FE729CAB1E8A49EF53DD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	01:32:53
Start date:	20/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.2%
Total number of Nodes:	654
Total number of Limit Nodes:	6

Executed Functions

Function 00007FF71AE11806 Relevance: 68.6, APIs: 13, Strings: 26, Instructions: 360
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetConsoleTitleA.KERNELBASE ref: 00007FF71AE1182E
SetConsoleTextAttribute.KERNELBASE ref: 00007FF71AE1185B

Part of subcall function 00007FF71AE115F0: FindCloseChangeNotification.KERNELBASE ref: 00007FF71AE1169D

SleepEx.KERNEL32 ref: 00007FF71AE118AF
SetConsoleTextAttribute.KERNELBASE ref: 00007FF71AE118D0
SetConsoleTextAttribute.KERNELBASE ref: 00007FF71AE119FF
getchar.MSVCRT ref: 00007FF71AE11AA8
getchar.MSVCRT ref: 00007FF71AE11B25
strlen.MSVCRT ref: 00007FF71AE11B72
getchar.MSVCRT ref: 00007FF71AE11BDB

Strings

[!] Couldn't call WriteProcessMemory., xrefs: 00007FF71AE11C79
[*] Monitoring rust client process..., xrefs: 00007FF71AE11E3F
Smeg Injector | , xrefs: 00007FF71AE1181D
?06!:'{0, xrefs: 00007FF71AE11992
802{199, xrefs: 00007FF71AE1194F
30;10'z&, xrefs: 00007FF71AE11945
Rustclient.exe, xrefs: 00007FF71AE1188E
[!] Couldn't Find Smeg?., xrefs: 00007FF71AE11A01
[!][Dev] Current FilePath:%s?., xrefs: 00007FF71AE11A99
[*] Successfully got PID: %lu, xrefs: 00007FF71AE118DA
[!][Dev] Current Dir:%s?., xrefs: 00007FF71AE11A80
[!] Could not open rust client for synchronization., xrefs: 00007FF71AE11E30
[!] Couldn't create a handle to rust client., xrefs: 00007FF71AE11B16
[*] Smeg has cleaning up..., xrefs: 00007FF71AE11EB1
[*] Successfully injected., xrefs: 00007FF71AE11DF4
z&802z<;, xrefs: 00007FF71AE11988
[*] Smeg is cleaning up..., xrefs: 00007FF71AE11E84
[!] Couldn't call CreateRemoteThread., xrefs: 00007FF71AE11D69
[*] Waiting for Rustclient.exe..., xrefs: 00007FF71AE11875
[!] Smeg couldnt clean up?Would suggest an restart of pc., xrefs: 00007FF71AE11EDA
LoadLibraryA, xrefs: 00007FF71AE11CE1
kernel32.dll, xrefs: 00007FF71AE11CCB
[*] Garrys mod closed / crashed..., xrefs: 00007FF71AE11E75
[!][Dev] Smegs dll isnt in the folder next to loader?., xrefs: 00007FF71AE11A67
[!] Couldn't call VirtualAllocEx., xrefs: 00007FF71AE11BCC
0-0, xrefs: 00007FF71AE119A4

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID: Console$AttributeTextgetchar$ChangeCloseFindNotificationSleepTitlestrlen
String ID: 0-0$30;10'z&$802{199$?06!:'{0$LoadLibraryA$Rustclient.exe$Smeg Injector | $[!] Could not open rust client for synchronization.$[!] Couldn't Find Smeg?.$[!] Couldn't call CreateRemoteThread.$[!] Couldn't call VirtualAllocEx.$[!] Couldn't call WriteProcessMemory.$[!] Couldn't create a handle to rust client.$[!] Smeg couldnt clean up?Would suggest an restart of pc.$[!][Dev] Current Dir:%s?.$[!][Dev] Current FilePath:%s?.$[!][Dev] Smegs dll isnt in the folder next to loader?.$[*] Garrys mod closed / crashed...$[*] Monitoring rust client process...$[*] Smeg has cleaning up...$[*] Smeg is cleaning up...$[*] Successfully got PID: %lu$[*] Successfully injected.$[*] Waiting for Rustclient.exe...$kernel32.dll$z&802z<;
API String ID: 915047917-113419334
Opcode ID: 215c1266a9f5bf5f97cd8d1a100fd8691d93bac558c3053788ebdfc3eebfa616
Instruction ID: ede6974658433f48774ec7d4083f129ffc7f6c74375920054f686abf133de432
Opcode Fuzzy Hash: 215c1266a9f5bf5f97cd8d1a100fd8691d93bac558c3053788ebdfc3eebfa616
Instruction Fuzzy Hash: 7A026025B05F9289FB65FB65E8513EA63A4FB44BA8F8001BBD91D477A5DE3CD20C8310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE11180 Relevance: 10.6, APIs: 7, Instructions: 146
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF71AE11406), ref: 00007FF71AE111BE
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF71AE1122F
malloc.MSVCRT(?,?,?,00007FF71AE11406), ref: 00007FF71AE11263
strlen.MSVCRT ref: 00007FF71AE11284
malloc.MSVCRT(?,?,?,00007FF71AE11406), ref: 00007FF71AE11290
memcpy.MSVCRT ref: 00007FF71AE112A8

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandledmemcpystrlen
String ID:
API String ID: 3806033187-0
Opcode ID: 9d17db72d6bbb8996ff62dc2955ffea05b06a9ea5aeea3a66e5e92cd7683551d
Instruction ID: 96f4c5318b246cd4af557dbc1b7718dbf05532f9461b7bd254403528c7ececcb
Opcode Fuzzy Hash: 9d17db72d6bbb8996ff62dc2955ffea05b06a9ea5aeea3a66e5e92cd7683551d
Instruction Fuzzy Hash: 11512775E09E6285F611BB15E89267BE2A2AF44BB0FC444FBD90D47795DE3CE84C8320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE115F0 Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 00007FF71AE1169D

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 082bdc2531c3331ed75e15c5fae2a17a4a564bc14d40bd7d4a03b985ae65c1f0
Instruction ID: d7b3cff9622d965c7b981721c5420b633fadedbc0c9528974bbcdc3403ab0255
Opcode Fuzzy Hash: 082bdc2531c3331ed75e15c5fae2a17a4a564bc14d40bd7d4a03b985ae65c1f0
Instruction Fuzzy Hash: D7112465604B968DFB30BF65D8053E96365EB043A8F8401B6CA1C5B7C9DF38D50C8760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE13AC0 Relevance: 6.2, APIs: 4, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2804497f37bed78f9e3d7aef058ba03dbed360900f347cef15d15b3c6bcc9568
Instruction ID: e870efd45f14129ef5ae442c4a1f44b53ca61923768efd38bde264ce2615f815
Opcode Fuzzy Hash: 2804497f37bed78f9e3d7aef058ba03dbed360900f347cef15d15b3c6bcc9568
Instruction Fuzzy Hash: FF91CA72B08A6346F7A5BF29814177BA691AB04BA4F9481F2CE0C573C4DB3CE84DD760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE114EC Relevance: 1.5, APIs: 1, Instructions: 20
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FF71AE11524

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: c430a8bc528c303b26a417022506a4da0b7f844244d5aa017f7b41610ffa0cb6
Instruction ID: e37f57edd3347c4212da9573c6369b697a82eb40340f38a63befc50b0781333b
Opcode Fuzzy Hash: c430a8bc528c303b26a417022506a4da0b7f844244d5aa017f7b41610ffa0cb6
Instruction Fuzzy Hash: 20E06526B14FA588FB21BA28E8453E92324AB08358F8400BAC90D4B794EE2CD64DC220

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF71AE15930 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 1385COMMON

Download Yara Rule

Strings

Infinity, xrefs: 00007FF71AE15C88
, xrefs: 00007FF71AE170D4
NaN, xrefs: 00007FF71AE15C07
, xrefs: 00007FF71AE16DF0

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: e8b157dc07018cd1b0e2bb85c577ddbc7c758f4043cddf46959810312c8c95f3
Instruction ID: 95912d1acfcdcf96c3086b05d72bbc28220cc4f5ac2ca6c1d976d4063f7e4709
Opcode Fuzzy Hash: e8b157dc07018cd1b0e2bb85c577ddbc7c758f4043cddf46959810312c8c95f3
Instruction Fuzzy Hash: 05D2C672A1CA918AF711BF25A00172BF791FB857A0F5081B6EA4A47B59DB3CE44DCF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE14750 Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

., xrefs: 00007FF71AE1487E

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: dc7c95912ea179b4376ebdfd1fe7d6f82869dd945337f08c514ca93ba6913bec
Instruction ID: 7c56727b5f94e4fb7a88850df310dd714400b7922d2febe34a156a7d8088749c
Opcode Fuzzy Hash: dc7c95912ea179b4376ebdfd1fe7d6f82869dd945337f08c514ca93ba6913bec
Instruction Fuzzy Hash: 80B1FCA2A1CA6346F7557E25D01677BE291EB41BA4F8481F2DE0E477C6DE2CE90C8720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE1F358 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a45a94ecbe7473543027e91b9e240f81e177555c95c74afc7448f1a0a6f819
Instruction ID: da4290f5274b0bc800eb4267734a4614c47bc1882c27ab0ac4d3edff8530037d
Opcode Fuzzy Hash: c5a45a94ecbe7473543027e91b9e240f81e177555c95c74afc7448f1a0a6f819
Instruction Fuzzy Hash: 7AD0A78BD0DED244F15661740E272165AC05F63970B4D83FFCF38032D25A05B80A9361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE11F61 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a3e921274223871fabf03b3343526f713b7f296e36f4d548d484219d10f21e6
Instruction ID: 469824c7bf088388229b9c2a6b804c0165d973d3626a52dda0ef544a47b07d6d
Opcode Fuzzy Hash: 9a3e921274223871fabf03b3343526f713b7f296e36f4d548d484219d10f21e6
Instruction Fuzzy Hash: 7EA00252C4DD55C0F2046B44E8421719228D756611F8820B3C01D510A5892C91484165

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE122C0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00007FF71AE123DB

Strings

Address %p has no image-section, xrefs: 00007FF71AE12332, 00007FF71AE12485
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF71AE12471
VirtualProtect failed with code 0x%x, xrefs: 00007FF71AE1244E
Mingw-w64 runtime failure:, xrefs: 00007FF71AE122F7

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: e9a490fd51d39e951c90214a31b7a881265b3b714cfa718eb496ac04111f472b
Instruction ID: 19e7e266f8ef6154424223a656f1717167002b99ec577b31faf1f1f5dd843fef
Opcode Fuzzy Hash: e9a490fd51d39e951c90214a31b7a881265b3b714cfa718eb496ac04111f472b
Instruction Fuzzy Hash: 775187B2A04E5685FA11BB51E8426BAF760FB85BA4FC441B2DE4C07394DE3CD54DC760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE13610 Relevance: 7.8, APIs: 5, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF71AE13791
fputc.MSVCRT ref: 00007FF71AE138C2

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID: fputcmemset
String ID:
API String ID: 947785774-0
Opcode ID: b75e487522b39b3bbe0c3696fac386f1b96f20ba868e3f26bbf2d185f95f227c
Instruction ID: 84e95e3a7e1829a788df3274c03b7d52827ab66f7e476c84ff1262eb089542a8
Opcode Fuzzy Hash: b75e487522b39b3bbe0c3696fac386f1b96f20ba868e3f26bbf2d185f95f227c
Instruction Fuzzy Hash: F3B1FBA6E189A346F7A1BF25C00633BA6D1AB007B4F9442F6CA1D177C5DA3CE84DC761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE124A0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 231memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00007FF71AE1E050,00007FF71AE1E058,00000001,?,?,?,?,00007FF8C6F6ADA0,00007FF71AE11228,?,?,?,00007FF71AE11406), ref: 00007FF71AE1269D

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF71AE127E2
Unknown pseudo relocation protocol version %d., xrefs: 00007FF71AE127EE
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF71AE12707

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: 417d21af58d2d3d50a368e1e91377f4ec64050e6dc27a6c7479be07aac230688
Instruction ID: 51107d3865f38617f10ea81e39a6ac367e983a35fbc888e60c0a2cd23218538c
Opcode Fuzzy Hash: 417d21af58d2d3d50a368e1e91377f4ec64050e6dc27a6c7479be07aac230688
Instruction Fuzzy Hash: E091A1A2E0997286FA10BB149D5227BE290BF54774FC482F2DE1D177D4DE3CE85D8620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE12843 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00007FF71AE128C2

Strings

CCG , xrefs: 00007FF71AE12865

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: a078fd30fed3b8767887fae0c85bee4124425d70a51118b925b8044ae2f13bee
Instruction ID: c7dc37e68feea7a43e40130a11897546891364e40cdd0978a688349d97246a1f
Opcode Fuzzy Hash: a078fd30fed3b8767887fae0c85bee4124425d70a51118b925b8044ae2f13bee
Instruction Fuzzy Hash: D4218EA1E09A2A42FA697659885337AD182DF59370F9849F7C91D873D0DD3CA8CD8221

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE18220 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00007FF71AE1827A
MultiByteToWideChar.KERNEL32 ref: 00007FF71AE182BA

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: b892afee27befa9390ff12b951c17d71c98e9c64dea45c68a03a4fbd94c8224f
Instruction ID: eed80146d377b770ee934f0547933590c31cabd61d5f7a5d2ff112287b153b64
Opcode Fuzzy Hash: b892afee27befa9390ff12b951c17d71c98e9c64dea45c68a03a4fbd94c8224f
Instruction Fuzzy Hash: F531D87260CA9186F362AF28F40136FB690FBA5794F9481B2DA9847794DF3DD44DCB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE121B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF71AE12230

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF71AE12217
Unknown error, xrefs: 00007FF71AE1229C

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 634d8938bb56d9e0f5fd2ae82153dca1d7c6b0b30c3fc25f77a1cdfa16b81045
Instruction ID: cb60ea2d1897814d0d22784155f2ab6725a1a093528c016b73969df67da433e9
Opcode Fuzzy Hash: 634d8938bb56d9e0f5fd2ae82153dca1d7c6b0b30c3fc25f77a1cdfa16b81045
Instruction Fuzzy Hash: 0F01C262D0CF9482E602AF1CD8011BBB330FB6E798F559366EE8C26155DF28E58AC700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE12290 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF71AE12230

Strings

Total loss of significance (TLOSS), xrefs: 00007FF71AE12290
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF71AE12217

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: c971a3672ae1ba92292952e1765209915c22e90ad351eb8cfde800cdffd39e4b
Instruction ID: 4691456f7c65f1274a856aa12c91b8b66b700d0fc970cecb9879f43d1876f934
Opcode Fuzzy Hash: c971a3672ae1ba92292952e1765209915c22e90ad351eb8cfde800cdffd39e4b
Instruction Fuzzy Hash: 0DF06252D08E9482E213EF1CA8011BBB330FF5D7A8F585367EF8D26555DF29E58A8710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE12280 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF71AE12230

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF71AE12280
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF71AE12217

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 53999fce98eda89b82a53f86e7fd3430362f9e14b3238285a70787bb88555cf0
Instruction ID: 97654ecf74c441d3798d0594204f9031fe9d000eb8dfb7a85fc0cff09cdf9657
Opcode Fuzzy Hash: 53999fce98eda89b82a53f86e7fd3430362f9e14b3238285a70787bb88555cf0
Instruction Fuzzy Hash: 7DF06252D08E9486E213FF1CA8011BBB330FF9D7A8F585366EF8D26155DF29E58A8710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE12270 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF71AE12230

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF71AE12217
Overflow range error (OVERFLOW), xrefs: 00007FF71AE12270

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: fbc974752fea1caea45fefa3acd33513dfe0091bbaf5476e9fcce9c36d033d5a
Instruction ID: 352a8d7e5ead516c79d5640b6cccfaf4234689cc6edcf98fba91171867fe8998
Opcode Fuzzy Hash: fbc974752fea1caea45fefa3acd33513dfe0091bbaf5476e9fcce9c36d033d5a
Instruction Fuzzy Hash: 36F06252D08E9482E213EF1CE8011BBB330FF5E7A8F585366EF8D26155DF29E58A8710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE12260 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF71AE12230

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF71AE12260
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF71AE12217

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 8b195b809002428d1609d60b864f2c998565fb23057fe505748be45d67ddd552
Instruction ID: 94db327dd304a452b7889291b41d23ba0bb571626003de7528d77c278e597765
Opcode Fuzzy Hash: 8b195b809002428d1609d60b864f2c998565fb23057fe505748be45d67ddd552
Instruction Fuzzy Hash: B5F06252D08E9482E213EF1CA8011BBB330FF9D7A8F585366EF8D26155DF29E58A8710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE12250 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF71AE12230

Strings

Argument domain error (DOMAIN), xrefs: 00007FF71AE12250
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF71AE12217

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: d6fb19bb5c5e0e8aac553f78f459857bfa390450d0369f6a16eab92e0e984841
Instruction ID: fc714d240c0ed699b022e66755be0591656675d8810fe983fbdf36f7cd993da6
Opcode Fuzzy Hash: d6fb19bb5c5e0e8aac553f78f459857bfa390450d0369f6a16eab92e0e984841
Instruction Fuzzy Hash: 4FF06252D08E9486E213EF1CA8011BBB330FF5E7A8F585366EF8D26155DF29E58A8710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF71AE121E8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF71AE12230

Strings

Argument singularity (SIGN), xrefs: 00007FF71AE121E8
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF71AE12217

Memory Dump Source

Source File: 00000000.00000002.3261360693.00007FF71AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71AE10000, based on PE: true

Associated: 00000000.00000002.3259365086.00007FF71AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261377981.00007FF71AE1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261392308.00007FF71AE1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261408510.00007FF71AE22000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3261423294.00007FF71AE23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71ae10000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 4a9cb5e5456f8189433cacb5b3cee1d99bc4794b77bf2b06863172ead2cb8f73
Instruction ID: c27d9e69bc7a7bc212a050f286c6818748db538e32026b78715462cf66b833c4
Opcode Fuzzy Hash: 4a9cb5e5456f8189433cacb5b3cee1d99bc4794b77bf2b06863172ead2cb8f73
Instruction Fuzzy Hash: 09F09612D08E9482E203EF1CA4011BBB330FF5D798F545366EF8D2A115DF29E5868710

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exePID: 5064, Parent PID: 1028

General

Chronological Activities

Analysis Process: conhost.exePID: 4768, Parent PID: 5064

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exePID: 5064, Parent PID: 1028COMMON

Execution Graph

Graph

Executed Functions

Function 00007FF71AE11806 Relevance: 68.6, APIs: 13, Strings: 26, Instructions: 360stringCOMMON

Control-flow Graph

Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.71649694.17364.11303.exe

Function 00007FF71AE11806 Relevance: 68.6, APIs: 13, Strings: 26, Instructions: 360
stringCOMMON

Function 00007FF71AE11180 Relevance: 10.6, APIs: 7, Instructions: 146
sleepstringCOMMON

Function 00007FF71AE115F0 Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Function 00007FF71AE13AC0 Relevance: 6.2, APIs: 4, Instructions: 238
COMMON

Function 00007FF71AE114EC Relevance: 1.5, APIs: 1, Instructions: 20
fileCOMMON

Function 00007FF71AE122C0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138
COMMON

Function 00007FF71AE13610 Relevance: 7.8, APIs: 5, Instructions: 299
COMMON