Edit tour
Windows
Analysis Report
SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe
Overview
General Information
Detection
Score: | 28 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 20% |
Signatures
Multi AV Scanner detection for submitted file
Monitors registry run keys for changes
Tries to harvest and steal browser information (history, passwords, etc)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Drops PE files
Enables security privileges
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Steals Internet Explorer cookies
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Classification
Analysis Advice
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox |
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior |
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--") |
Sample searches for specific file, try point organization specific fake files to the analysis machine |
- System is w10x64
- SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe (PID: 7280 cmdline:
"C:\Users\ user\Deskt op\Securit eInfo.com. Program.Un wanted.532 0.27373.27 791.exe" MD5: 199E8896119BD3FC3850E9B19EB98AB2) - SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp (PID: 7296 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-HLN I5.tmp\Sec uriteInfo. com.Progra m.Unwanted .5320.2737 3.27791.tm p" /SL5="$ 20450,6944 918,831488 ,C:\Users\ user\Deskt op\Securit eInfo.com. Program.Un wanted.532 0.27373.27 791.exe" MD5: CCCE5E18D7E151BBFB8592DCB09AF84B) - PCCNotifications.exe (PID: 7380 cmdline:
"C:\Progra m Files (x 86)\PC Cle aner\PCCNo tification s.exe" MD5: FFCD8953CCB602777CE77EF08F6368C7) - PCCleaner.exe (PID: 7436 cmdline:
"C:\Progra m Files (x 86)\PC Cle aner\PCCle aner" /STA RT MD5: F5AEC68E32818A9A647615FDA4414B65)
- PCCNotifications.exe (PID: 7960 cmdline:
"C:\Progra m Files (x 86)\PC Cle aner\PCCNo tification s.exe" MD5: FFCD8953CCB602777CE77EF08F6368C7)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Virustotal: | Perma Link |
Source: | Code function: | 4_2_6C00A56D |
Source: | Code function: | 4_2_6C036BC0 | |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |