Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe
Analysis ID: 1430705
MD5: 2d41e117f7b73d3b0b8804794b4fe9dd
SHA1: f0bd15035e0bf67f621c7e87c65b62c007e79fda
SHA256: 5b88fdc4c1564305f8883e5ec48cadea105d082a5a1bae6a17c57c81c01069a7
Tags: exe
Infos:

Detection

PureLog Stealer, RedLine, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer component which targets browser information and cryptocurrency wallets. It usually spreads by USB or by phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: C:\Users\user\AppData\Roaming\d3d9.dll Virustotal: Detection: 51%
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Virustotal: Detection: 49%
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\d3d9.dll Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2027925622.0000000003841000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CE99F48 FindFirstFileExW, 0_2_6CE99F48
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91 (7 occurrences)
Source: MSBuild.exe, 00000003.00000002.2021726688.00000000028CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $sq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\sq equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000003.00000002.2021726688.00000000028CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000003.00000002.2021726688.00000000028CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\sq equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000003.00000002.2021726688.00000000028CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,sq equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000003.00000002.2021726688.00000000028CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `,sq#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000003.00000002.2021726688.000000000289E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.s
Source: MSBuild.exe, 00000003.00000002.2021726688.000000000289E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: MSBuild.exe, 00000003.00000002.2021726688.000000000294A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: MSBuild.exe, 00000003.00000002.2021726688.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_a5581eb7-f
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Temp\Tmp6D6D.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Temp\Tmp6D5D.tmp

System Summary

Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, Strings.cs Large array initialization: Strings: array initializer size 6160
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Static PE information: section name: .{_x}
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Static PE information: section name: .Z%j5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CE91C80 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,GetModuleHandleW,GetProcAddress, 0_2_6CE91C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF5C20 NtProtectVirtualMemory, 0_2_02EF5C20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF6100 NtAllocateVirtualMemory, 0_2_02EF6100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF60DD NtAllocateVirtualMemory, 0_2_02EF60DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF5C1F NtProtectVirtualMemory, 0_2_02EF5C1F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CE91C80 0_2_6CE91C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CE92350 0_2_6CE92350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CEA04E5 0_2_6CEA04E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CE91000 0_2_6CE91000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CE94810 0_2_6CE94810
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CE91220 0_2_6CE91220
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_01369020 0_2_01369020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_01361098 0_2_01361098
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_0136E0D0 0_2_0136E0D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_01369B00 0_2_01369B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_0136DBD0 0_2_0136DBD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_0136C228 0_2_0136C228
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_01369218 0_2_01369218
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_0136B6B8 0_2_0136B6B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_0136A12A 0_2_0136A12A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_0136A148 0_2_0136A148
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_01369010 0_2_01369010
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_0136920A 0_2_0136920A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_0136A2AF 0_2_0136A2AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_0136A2C0 0_2_0136A2C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_0136DD30 0_2_0136DD30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_0136BD2A 0_2_0136BD2A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_0136A47F 0_2_0136A47F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_01368FB0 0_2_01368FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_0136DFD0 0_2_0136DFD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_0136D609 0_2_0136D609
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF9E9A 0_2_02EF9E9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF9BF8 0_2_02EF9BF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF0040 0_2_02EF0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF7400 0_2_02EF7400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF2DB0 0_2_02EF2DB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF9900 0_2_02EF9900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF36C0 0_2_02EF36C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF36D0 0_2_02EF36D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF8AB0 0_2_02EF8AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF2650 0_2_02EF2650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF3220 0_2_02EF3220
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF2B78 0_2_02EF2B78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF9320 0_2_02EF9320
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF4F00 0_2_02EF4F00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF54E8 0_2_02EF54E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF3CE0 0_2_02EF3CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF84C8 0_2_02EF84C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF84B9 0_2_02EF84B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF44B0 0_2_02EF44B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF0006 0_2_02EF0006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF95D8 0_2_02EF95D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF2DA0 0_2_02EF2DA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF3948 0_2_02EF3948
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF3958 0_2_02EF3958
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF6920 0_2_02EF6920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF6910 0_2_02EF6910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00B7E3E8 3_2_00B7E3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00B7E3D8 3_2_00B7E3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00B70878 3_2_00B70878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00B70868 3_2_00B70868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00B72CE4 3_2_00B72CE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00B74DD0 3_2_00B74DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Security
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: String function: 6CE95A70 appears 33 times
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe, 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilenameRenowning.exe" vs SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe, 00000000.00000002.2008317345.00000000010D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe, 00000000.00000000.1999217761.0000000000B46000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameasca1ex_crypted.exeT vs SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Binary or memory string: OriginalFilenameasca1ex_crypted.exeT vs SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, Strings.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, mLrwBjaNEgFvrhaGTgv.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, TaskParameter.cs Task registration methods: 'CreateNewTaskItemFrom'
Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, OutOfProcTaskHostNode.cs Task registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, TaskLoader.cs Task registration methods: 'CreateTask'
Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, RegisteredTaskObjectCacheBase.cs Task registration methods: 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, Strings.cs Base64 encoded string: 'GSk+Lyw0PSESIjU7AQ8FJDM7DA46MyEwJT0lBCEOAVU0QBUHLwJBVDAmGyERJAc5MSsRHTFAJhkuH1Nc'
Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, CommunicationsUtilities.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, CommunicationsUtilities.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, NodeEndpointOutOfProcBase.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, NodeEndpointOutOfProcBase.cs Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, NodeEndpointOutOfProcBase.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: MSBuild.exe, 00000003.00000002.2027925622.0000000003841000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: MSBuild.exe, 00000003.00000002.2027925622.0000000003841000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: MSBuild.exe, 00000003.00000002.2027925622.0000000003841000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: MSBuild.exe, 00000003.00000002.2027925622.0000000003841000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: *.sln
Source: MSBuild.exe, 00000003.00000002.2027925622.0000000003841000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: MSBuild.exe, 00000003.00000002.2027925622.0000000003841000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /ignoreprojectextensions:.sln
Source: MSBuild.exe, 00000003.00000002.2027925622.0000000003841000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/7@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe File created: C:\Users\user\AppData\Roaming\d3d9.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1076:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe File created: C:\Users\user\AppData\Local\Temp\tmp6A9D.tmp
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Virustotal: Detection: 49%
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Section loaded: ucrtbase_clr0400.dll (loaded twice)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll (loaded twice)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: esdsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: linkinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
Source: Google Chrome.lnk.3.dr LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Static file information: File size 4988416 > 1048576
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Static PE information: Raw size of .OKDa is bigger than: 0x100000 < 0x4c0e00
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2027925622.0000000003841000.00000004.00000800.00020000.00000000.sdmp
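
The process tree in this section (the dropper on the Desktop starting C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe with nothing but its own quoted path as the command line, after which the signatures report a suspended process, foreign memory writes and a PE injected into it) is the part of the report a detection engineer should turn into a rule. The Python below is an added worked example written for this page, not Joe Sandbox code or output: it runs a small triage over constructed Sysmon-style process-creation records and reports why an MSBuild.exe start looks like an injection host. The ProcEvent field names, the LEGIT_MSBUILD_PARENTS allow-list and the Visual Studio paths in the second record are assumptions for illustration; record 0 reproduces the paths and command line from the report.

```python
"""Added triage example (not Joe Sandbox output): flag the MSBuild.exe launch
pattern from the process tree above. Event records are constructed here in a
Sysmon-Event-1-like shape; field names and the parent allow-list are
assumptions for illustration, not anything the report defines."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the new process
    command_line: str   # as logged, image path usually quoted
    parent_image: str   # full path of the creating process


# Processes that normally start MSBuild.exe in a build environment.
# Assumption for illustration; extend from your own telemetry baseline.
LEGIT_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")


def split_command_line(cmdline: str) -> tuple[str, str]:
    """Split a Windows command line into (program, arguments), honouring a
    quoted program path such as "C:\\Program Files\\tool.exe" arg1."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s.lstrip('"'), ""
        return s[1:end], s[end + 1:].strip()
    program, _, rest = s.partition(" ")
    return program, rest.strip()


def msbuild_findings(ev: ProcEvent) -> list[str]:
    """Return the reasons this MSBuild.exe start looks like an injection host;
    an empty list means the event matched nothing."""
    if ntpath.basename(ev.image).lower() != "msbuild.exe":
        return []
    findings: list[str] = []
    _, args = split_command_line(ev.command_line)
    if not args:
        # The real tool is given a project/solution or a switch; the sample
        # starts it bare because it only needs a process body to overwrite.
        findings.append("MSBuild.exe started with no project file or switch")
    parent = ntpath.basename(ev.parent_image).lower()
    if parent not in LEGIT_MSBUILD_PARENTS:
        findings.append(f"unexpected parent process {parent}")
    if ev.parent_image.lower().startswith(USER_WRITABLE_PREFIXES):
        findings.append("parent executes from a user-writable location")
    return findings


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map record index -> findings for every suspicious event in a batch."""
    return {i: f for i, ev in enumerate(events) if (f := msbuild_findings(ev))}


# Constructed sample batch: record 0 mirrors the report's process tree,
# record 1 is a normal Visual Studio build (its paths are illustrative).
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        command_line=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"',
        parent_image=r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe",
    ),
    ProcEvent(
        image=r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
        command_line=r'"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" MyApp.sln /t:Rebuild /p:Configuration=Release',
        parent_image=r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
    ),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

Run it directly to print the findings for the two records. In production the same three checks (bare command line, parent outside the build toolchain, parent in a user-writable path) map onto the Image, CommandLine and ParentImage fields of Sysmon Event ID 1; the allow-list is the part that needs tuning, since developers do launch MSBuild from shells, whereas a bare command line from a freshly dropped executable is rarely benign.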

Data Obfuscation

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, mLrwBjaNEgFvrhaGTgv.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, G8WxH38hhBnr1IE68vI.cs .Net Code: lrPIYdBHH0
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, G8WxH38hhBnr1IE68vI.cs .Net Code: kKcFHrrDYN
Source: initial sample Static PE information: section where entry point is pointing to: .OKDa
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Static PE information: section name: .{_x}
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Static PE information: section name: .Z%j5
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Static PE information: section name: .OKDa
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CEA0C14 push ecx; ret 0_2_6CEA0C27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_02EF1F40 push esp; iretd 0_2_02EF1F41
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, G8WxH38hhBnr1IE68vI.cs High entropy of concatenated method names: 'uYP5UMy1hu', 'nt15Ceoiwh', 'opo5rgGLQg', 'gA95bU2ExD', 'Rks5BkBZi5', 'ADm5J0cpqR', 'NaM52ZqZyD', 'THoZbd2fUw', 'Y8N5itYb3g', 'Wb65MvkIMT'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, mLrwBjaNEgFvrhaGTgv.cs High entropy of concatenated method names: 'oQG8WrDol0', 'g38PJ8K3c0', 'jBH8UdC1PV', 'UlO8CDfJsQ', 'hcC8rW5pKa', 'mN58bMtfWM', 'ts3XxWXD9Z', 'OigaEK3D3W', 'jroa4iUVTS', 'B6saGICwMv'

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe File created: C:\Users\user\AppData\Roaming\d3d9.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Process information set: NOOPENFILEERRORBOX (16 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX (46 identical entries)

Malware Analysis System Evasion

Source: MSBuild.exe, 00000003.00000002.2021726688.000000000294A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE`,SQ
Source: MSBuild.exe, 00000003.00000002.2021726688.000000000294A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE@\SQ
Source: MSBuild.exe, 00000003.00000002.2021726688.000000000294A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Memory allocated: 1360000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Memory allocated: 2F80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Memory allocated: 2DD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Memory allocated: 53C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Memory allocated: 73C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Memory allocated: 7600000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Memory allocated: 9600000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: B70000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2840000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4840000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe TID: 5536 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6464 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CE99F48 FindFirstFileExW, 0_2_6CE99F48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: MSBuild.exe, 00000003.00000002.2021726688.000000000294A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe@\sq
Source: MSBuild.exe, 00000003.00000002.2021726688.000000000294A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe`,sq
Source: MSBuild.exe, 00000003.00000002.2021726688.000000000294A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe
Source: MSBuild.exe, 00000003.00000002.2031047933.00000000074AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CE958FA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CE958FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CE9B66B GetProcessHeap, 0_2_6CE9B66B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CE958FA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CE958FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CE99897 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CE99897
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CE95421 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CE95421
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CE92350 MSIGame,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,CloseHandle,CloseHandle, 0_2_6CE92350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 462000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4BE000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6C3008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: MSBuild.exe, 00000003.00000002.2021726688.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: MSBuild.exe, 00000003.00000002.2021726688.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CE95AB8 cpuid 0_2_6CE95AB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe Code function: 0_2_6CE95543 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6CE95543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2018294948.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2018294948.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2018294948.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2018294948.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
No contacted IP infos