Windows Analysis Report
SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe

Overview

General Information

Sample name: SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe
Analysis ID: 1430219
MD5: 1bf162b20a551f32a094b1641aaf067f
SHA1: d8cc6857abd3ab2c994b9232640209b1fe452fe5
SHA256: 81bbfb7e239084ad2887bc988517c52cbbf066e90d2485c6b573dfbed2efffa5
Tags: exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to infect the boot sector
Contains functionality to communicate with device drivers
Contains functionality to read device registry values (via SetupAPI)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries device information via Setup API
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe Virustotal: Detection: 14%
Source: SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe Code function: 0_2_00007FF705F51000: GetCommandLineW,CommandLineToArgvW,SetupDiGetClassDevsW,CompareStringOrdinal,CompareStringOrdinal,SetupDiEnumDeviceInfo,CompareStringOrdinal,SetupDiGetDeviceRegistryPropertyW,wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList,LocalFree, 0_2_00007FF705F51000
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe Code function: 0_2_00007FF705F51000 0_2_00007FF705F51000
Source: classification engine Classification label: mal52.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe Section loaded: msasn1.dll
Source: SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe Static PE information: section name: UPX2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe Code function: 0_2_00007FF705F5381E push rbp; retf 0_2_00007FF705F53824
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe Code function: GetCommandLineW,CommandLineToArgvW,SetupDiGetClassDevsW,CompareStringOrdinal,CompareStringOrdinal,SetupDiEnumDeviceInfo,CompareStringOrdinal,SetupDiGetDeviceRegistryPropertyW,wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList,LocalFree, \\.\PHYSICALDRIVE%d 0_2_00007FF705F51000

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe Code function: 0_2_00007FF705F51000 GetCommandLineW,CommandLineToArgvW,SetupDiGetClassDevsW,CompareStringOrdinal,CompareStringOrdinal,SetupDiEnumDeviceInfo,CompareStringOrdinal,SetupDiGetDeviceRegistryPropertyW,wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList,LocalFree, 0_2_00007FF705F51000
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe, 00000000.00000003.1667886433.000002812051B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe, 00000000.00000003.1667886433.0000028120519000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.W32.PossibleThreat.22253.14837.exe, 00000000.00000002.1668095846.00000281204F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: K&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
No contacted IP infos