Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe
Analysis ID: 1429037
MD5: abbfe93d01183831f51e40aba4bad37f
SHA1: 17a1f4110b3e711965681bbeb48f6339f8c86078
SHA256: 7d4d612275a6f4c3d1b0d23c3ae19cf39fcdd729f3f899f3df44b619bea7e17b
Tags: exe
Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info

Classification

AV Detection

Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Virustotal: Detection: 49%
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\.Jakob\Other\OffensiveTools\SharpDPAPI\SharpChrome\obj\Debug\SharpChrome.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe
Source: Binary string: C:\.Jakob\Other\OffensiveTools\SharpDPAPI\SharpChrome\obj\Debug\SharpChrome.pdbt source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Code function: 4x nop then jmp 00007FFD9B8909ECh 0_2_00007FFD9B8905FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Code function: 4x nop then dec eax 0_2_00007FFD9B890E3D
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe, 00000000.00000000.1662599128.0000017AE4604000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSharpChrome.exe8 vs SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Binary or memory string: OriginalFilenameSharpChrome.exe8 vs SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe, Crypto.cs Cryptographic APIs: 'TransformFinalBlock'
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe, Dpapi.cs Cryptographic APIs: 'TransformFinalBlock'
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe, LSADump.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe, Helpers.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe, Helpers.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe, Chrome.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe, Sqlite3.cs Suspicious method names: .Sqlite3.accessPayload
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe, Sqlite3.cs Suspicious method names: .Sqlite3.copyPayload
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe, Sqlite3.cs Suspicious method names: .Sqlite3.fetchPayload
Source: classification engine Classification label: mal52.winEXE@2/2@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe.log
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe, 00000000.00000000.1662488123.0000017AE4532000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe, 00000000.00000000.1662488123.0000017AE4532000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;?Cannot add a PRIMARY KEY column5Cannot add a UNIQUE columnuCannot add a REFERENCES column with non-NULL default value
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe, 00000000.00000000.1662488123.0000017AE4532000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe, 00000000.00000000.1662488123.0000017AE4532000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Section loaded: ucrtbase_clr0400.dll
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Memory allocated: 17AE4830000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Memory allocated: 17AFE360000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe TID: 7400 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe VolumeInformation
No contacted IP infos