Windows Analysis Report
SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe
Analysis ID:	1431445
MD5:	6e2ade4a332a81a6e18d1101361ac7c7
SHA1:	ca050814550fab318f4bc93b5d680594951111cf
SHA256:	7b6f17f1369b7e4cfab6b6c64a2ef4a9192d950d7ea1b08a9e5e6ebc9b8130c2
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Contains functionality to call native functions

PE file contains an invalid checksum

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Virustotal: Detection: 12%

Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: empty.pdb\| source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe
Source:	Binary string: empty.pdb source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://img1.tbcdn.cn/tfscom/T1ouC2FdpbXXXtxVjX.swf
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://jd.sscltan.com/jd/sscjh.txt
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://jd.sscltan.com/jd/tp1.txt
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://jd.sscltan.com/jd/tp1.txthttp://jd.sscltan.com/jd/tp2.txt
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://jd.sscltan.com/jd/tp2.txt
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://jd.sscltan.com/jd/zgg.txt
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://s104.cnzz.com/stat.php?id=1935778&web_id=1935778
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://www.sscltan.com
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://www.sscltan.comhttp://jd.sscltan.com/jd/zgg.txt
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: https://http://=deletedUTF-8GBKAdodb.StreamTypeWritePositionCharsetReadTextCloseWriteTextRead

Contains functionality to call native functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	Code function: 0_2_01001A88 VirtualAlloc,NtQuerySystemInformation,VirtualFree,RtlUnicodeStringToAnsiString,strrchr,strncpy,malloc,strncpy,strncat,strncat,		0_2_01001A88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	Code function: 0_2_01001F7D NtSetSystemInformation,		0_2_01001F7D

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe, 00000000.00000002.1224089803.00000000012D4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameempty.exej% vs SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	Binary or memory string: OriginalFilenameempty.exej% vs SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.winEXE@2/1@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Code function: 0_2_01001D1B GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,AdjustTokenPrivileges,GetLastError,printf,

0_2_01001D1B

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5280:120:WilError_03

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Virustotal: Detection: 12%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Section loaded: apphelp.dll

Jump to behavior

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Static file information: File size 6005077 > 1048576

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: empty.pdb\| source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe
Source:	Binary string: empty.pdb source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

PE file contains an invalid checksum

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Static PE information: real checksum: 0x3e9f should be: 0x5c5790

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Code function: 0_2_01001A6B push ecx; ret

0_2_01001A7B

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Code function: 0_2_01001765 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,GetModuleHandleA,GetProcAddress,

0_2_01001765

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1431445
Product:	CloudBasic
Start time:	05:30:23
Start date:	25.04.2024
Sample:	SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	6e2ade4a332a81a6e18d1101361ac7c7
SHA1:	ca050814550fab318f4bc93b5d680594951111cf
SHA256:	7b6f17f1369b7e4cfab6b6c64a2ef4a9192d950d7ea1b08a9e5e6ebc9b8130c2
Filetype:	Win32 Executable (generic) a (10002005/4) 99.83%

Windows Analysis Report
SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe