Windows Analysis Report
SecuriteInfo.com.Trojan.Msil.22568.30131.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Msil.22568.30131.exe
Analysis ID: 1429043
MD5: 5a80095f4e26db2f8a0ee24c6a919cda
SHA1: cc32d3f6feb93806da0a34ac7b8c6ed22b769f96
SHA256: 083797d70eff24ead4b63e2e7344010db68dd188da144af2b3f24d3aeb1d8176
Tags: exe

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
Machine Learning detection for sample
Reads the Security eventlog
Reads the System eventlog
Allocates memory with a write watch (potentially for evading sandboxes)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe Virustotal: Detection: 22%
Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe, 00000000.00000002.2884945329.0000000002881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe, 00000000.00000002.2884945329.0000000002D71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.auditionsante.ap
Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe, 00000000.00000002.2884945329.0000000002D71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.auditionsante.app/download/script/SHOP/Scr
Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe String found in binary or memory: https://support.auditionsante.app/download/script/SHOP/Scripts.zip

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Code function: 0_2_00007FFD9B8B09B6 0_2_00007FFD9B8B09B6
Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe, 00000000.00000002.2884945329.0000000002881000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.Msil.22568.30131.exe
Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe, 00000000.00000002.2884945329.0000000002D71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameScripts.exe4 vs SecuriteInfo.com.Trojan.Msil.22568.30131.exe
Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe, 00000000.00000002.2884945329.0000000002D71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ,\\StringFileInfo\\000004B0\\OriginalFilename vs SecuriteInfo.com.Trojan.Msil.22568.30131.exe
Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe, 00000000.00000002.2884945329.00000000028F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.Msil.22568.30131.exe
Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe, 00000000.00000000.1631748690.0000000000682000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameScripts.exe4 vs SecuriteInfo.com.Trojan.Msil.22568.30131.exe
Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe Binary or memory string: OriginalFilenameScripts.exe4 vs SecuriteInfo.com.Trojan.Msil.22568.30131.exe
Source: classification engine Classification label: mal64.evad.winEXE@2/3@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1talphwc.cwk.ps1
Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: msisip.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: wshext.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: appxsip.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: opcservices.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation

Source: SecuriteInfo.com.Trojan.Msil.22568.30131.exe, MainModuleUI.cs .Net Code: Prompt
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Code function: 0_2_00007FFD9B79D2A5 pushad ; iretd 0_2_00007FFD9B79D2A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Memory allocated: CB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Memory allocated: 1A880000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Window / User API: threadDelayed 954
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Window / User API: threadDelayed 374
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Msil.22568.30131.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos