Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe
Analysis ID:	1431445
MD5:	6e2ade4a332a81a6e18d1101361ac7c7
SHA1:	ca050814550fab318f4bc93b5d680594951111cf
SHA256:	7b6f17f1369b7e4cfab6b6c64a2ef4a9192d950d7ea1b08a9e5e6ebc9b8130c2
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Contains functionality to call native functions

PE file contains an invalid checksum

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe (PID: 824 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe" MD5: 6E2ADE4A332A81A6E18D1101361AC7C7)

conhost.exe (PID: 5280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Virustotal: Detection: 12%

Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: empty.pdb\| source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe
Source:	Binary string: empty.pdb source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://img1.tbcdn.cn/tfscom/T1ouC2FdpbXXXtxVjX.swf
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://jd.sscltan.com/jd/sscjh.txt
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://jd.sscltan.com/jd/tp1.txt
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://jd.sscltan.com/jd/tp1.txthttp://jd.sscltan.com/jd/tp2.txt
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://jd.sscltan.com/jd/tp2.txt
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://jd.sscltan.com/jd/zgg.txt
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://s104.cnzz.com/stat.php?id=1935778&web_id=1935778
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://www.sscltan.com
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: http://www.sscltan.comhttp://jd.sscltan.com/jd/zgg.txt
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	String found in binary or memory: https://http://=deletedUTF-8GBKAdodb.StreamTypeWritePositionCharsetReadTextCloseWriteTextRead

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	Code function: 0_2_01001A88 VirtualAlloc,NtQuerySystemInformation,VirtualFree,RtlUnicodeStringToAnsiString,strrchr,strncpy,malloc,strncpy,strncat,strncat,		0_2_01001A88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	Code function: 0_2_01001F7D NtSetSystemInformation,		0_2_01001F7D

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe, 00000000.00000002.1224089803.00000000012D4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameempty.exej% vs SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe
Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	Binary or memory string: OriginalFilenameempty.exej% vs SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.winEXE@2/1@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Code function: 0_2_01001D1B GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,AdjustTokenPrivileges,GetLastError,printf,

0_2_01001D1B

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5280:120:WilError_03

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Virustotal: Detection: 12%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Section loaded: apphelp.dll

Jump to behavior

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Static file information: File size 6005077 > 1048576

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: empty.pdb\| source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe
Source:	Binary string: empty.pdb source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Source: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Static PE information: real checksum: 0x3e9f should be: 0x5c5790

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Code function: 0_2_01001A6B push ecx; ret

0_2_01001A7B

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Code function: 0_2_01001765 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,GetModuleHandleA,GetProcAddress,

0_2_01001765

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Access Token Manipulation	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Process Injection	1 Process Injection	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	13%	Virustotal		Browse
SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	100%	Avira	HEUR/AGEN.1355761
SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://jd.sscltan.com/jd/sscjh.txt	0%	Avira URL Cloud	safe
http://jd.sscltan.com/jd/tp2.txt	0%	Avira URL Cloud	safe
http://jd.sscltan.com/jd/tp1.txthttp://jd.sscltan.com/jd/tp2.txt	0%	Avira URL Cloud	safe
http://jd.sscltan.com/jd/tp1.txt	0%	Avira URL Cloud	safe
http://jd.sscltan.com/jd/zgg.txt	0%	Avira URL Cloud	safe
http://jd.sscltan.com/jd/tp2.txt	0%	Virustotal		Browse
http://jd.sscltan.com/jd/zgg.txt	1%	Virustotal		Browse
http://www.sscltan.comhttp://jd.sscltan.com/jd/zgg.txt	0%	Avira URL Cloud	safe
https://http://=deletedUTF-8GBKAdodb.StreamTypeWritePositionCharsetReadTextCloseWriteTextRead	0%	Avira URL Cloud	safe
http://jd.sscltan.com/jd/tp1.txt	0%	Virustotal		Browse
http://www.sscltan.com	0%	Avira URL Cloud	safe
http://www.sscltan.com	1%	Virustotal		Browse
http://jd.sscltan.com/jd/sscjh.txt	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://jd.sscltan.com/jd/tp1.txthttp://jd.sscltan.com/jd/tp2.txt	SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	false	Avira URL Cloud: safe	unknown
http://jd.sscltan.com/jd/sscjh.txt	SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://jd.sscltan.com/jd/tp2.txt	SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://jd.sscltan.com/jd/zgg.txt	SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://jd.sscltan.com/jd/tp1.txt	SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://http://=deletedUTF-8GBKAdodb.StreamTypeWritePositionCharsetReadTextCloseWriteTextRead	SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	false	Avira URL Cloud: safe	low
http://www.sscltan.comhttp://jd.sscltan.com/jd/zgg.txt	SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	false	Avira URL Cloud: safe	unknown
http://img1.tbcdn.cn/tfscom/T1ouC2FdpbXXXtxVjX.swf	SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	false		high
http://www.sscltan.com	SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://s104.cnzz.com/stat.php?id=1935778&web_id=1935778	SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431445
Start date and time:	2024-04-25 05:30:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe
Detection:	MAL
Classification:	mal60.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.796217602590056
Encrypted:	false
SSDEEP:	3:x3FbREJCKvn:dFbREMKv
MD5:	086C526845287751BED13107B8B7DE42
SHA1:	C2482932161156B79C00AB15B6B5DE8CE0626A45
SHA-256:	85CB94425FC238E1E88BCDEBBC46654D71288250072183352B911104BE6E8C88
SHA-512:	6C6C1340802E03E10783192252DBA723E385B689819E15DFDA455EBEA5CEE06792312CCAE1F03FB1A375D2CBF5F0F24110BF33F1DFF8300E3BEEB23952A55D4C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	missing pid or task name..

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.344026093594585
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe
File size:	6'005'077 bytes
MD5:	6e2ade4a332a81a6e18d1101361ac7c7
SHA1:	ca050814550fab318f4bc93b5d680594951111cf
SHA256:	7b6f17f1369b7e4cfab6b6c64a2ef4a9192d950d7ea1b08a9e5e6ebc9b8130c2
SHA512:	35542f786770b464d5d3587245a3440ed866b7f469ac226dd8e9126814167c9451125b442321c394189e7016f35fdbaa3dca300ceeaafbcef5f77f3c0b6d5fef
SSDEEP:	98304:XusiD2IRbHfi8MfpnwFP3FtkfvoOYuXspmSGc0GD9aj:XHiD2gL3+pnm3Ft4YuXspm6Jo
TLSH:	6D560185FB628422D85E0170E96A83F8B374DD94CA5D63233299FF1E3D75324CEA6943
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8c..V0..V0..V0\.Y0..V0\..0..V0..W0..V0Q..0..V0\..0..V0\..0..V0Rich..V0........PE..L...O..>......................-............

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1001889
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x3EA0A14F [Sat Apr 19 01:07:27 2003 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	821c455b475c3595aa1e4e6ad93e77fd

Entrypoint Preview

Instruction
push 00000028h
push 01001210h
call 00007F09D0B2E980h
cmp word ptr [01000000h], 5A4Dh
jne 00007F09D0B2E80Ah
mov eax, dword ptr [0100003Ch]
cmp dword ptr [eax+01000000h], 00004550h
jne 00007F09D0B2E7F9h
movzx ecx, word ptr [eax+01000018h]
cmp ecx, 0000010Bh
je 00007F09D0B2E803h
cmp ecx, 0000020Bh
je 00007F09D0B2E7E8h
and dword ptr [ebp-1Ch], 00000000h
jmp 00007F09D0B2E80Ch
cmp dword ptr [eax+01000084h], 0Eh
jbe 00007F09D0B2E7D3h
xor ecx, ecx
cmp dword ptr [eax+010000F8h], ecx
jmp 00007F09D0B2E7F3h
cmp dword ptr [eax+01000074h], 0Eh
jbe 00007F09D0B2E7C0h
xor ecx, ecx
cmp dword ptr [eax+010000E8h], ecx
setne cl
mov dword ptr [ebp-1Ch], ecx
and dword ptr [ebp-04h], 00000000h
push 00000001h
call dword ptr [010010FCh]
pop ecx
or dword ptr [012D318Ch], FFFFFFFFh
or dword ptr [012D3190h], FFFFFFFFh
call dword ptr [01001108h]
mov ecx, dword ptr [0100304Ch]
mov dword ptr [eax], ecx
call dword ptr [010010F4h]
mov ecx, dword ptr [01003048h]
mov dword ptr [eax], ecx
mov eax, dword ptr [010010F0h]
mov eax, dword ptr [eax]
mov dword ptr [012D3194h], eax
call 00007F09D0B2E8D1h
cmp dword ptr [01003020h], 00000000h
jne 00007F09D0B2E7EEh
push 01001A2Ch
call dword ptr [000000ECh]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x21c4	0x78	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2d4000	0x408	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1120	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1428	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x120	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x183c	0x1a00	3543ee8bdb2ac84a01d2d2e5c2fc7790	False	0.5713641826923077	data	6.034102541370818	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3000	0x2d019c	0x200	6dfc3192dabf750a57ab508e05f262a0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2d4000	0x408	0x600	5dfd2036e06f01cd0c70049a1978decd	False	0.3111979166666667	data	2.4882655178081543	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x2d4060	0x3a4	data	English	United States	0.47317596566523606

Imports

DLL	Import
KERNEL32.dll	GetCurrentProcessId, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcess, SetUnhandledExceptionFilter, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, GetProcAddress, TerminateProcess, GetCommandLineA, GetProcessWorkingSetSize, SetProcessWorkingSetSize, OpenProcess, CloseHandle, VirtualAlloc, VirtualFree, GetLastError
msvcrt.dll	strncpy, strrchr, toupper, strstr, _strdup, strncat, printf, strchr, isspace, isdigit, _strupr, malloc, _exit, _XcptFilter, _cexit, exit, __initenv, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, _controlfp, __set_app_type, _except_handler3, _c_exit, __p__fmode
ADVAPI32.dll	AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken
USER32.dll	EnumDesktopsA, EnumWindows, GetWindowThreadProcessId, GetWindow, GetWindowLongA, GetWindowTextA, FindWindowExA, GetProcessWindowStation, GetThreadDesktop, OpenWindowStationA, SetProcessWindowStation, OpenDesktopA, SetThreadDesktop, CloseDesktop, CloseWindowStation, EnumWindowStationsA
ntdll.dll	NtSetSystemInformation, RtlUnicodeStringToAnsiString, NtQuerySystemInformation

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	05:31:08
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe"
Imagebase:	0x1000000
File size:	6'005'077 bytes
MD5 hash:	6E2ADE4A332A81A6E18D1101361AC7C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:31:08
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	24.4%
Total number of Nodes:	119
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01001592 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 150
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 010014EF: GetCommandLineA.KERNEL32 ref: 0100150A
Part of subcall function 010014EF: isspace.MSVCRT ref: 01001532
Part of subcall function 010014EF: isdigit.MSVCRT ref: 01001543
Part of subcall function 010014EF: isdigit.MSVCRT ref: 01001564

printf.MSVCRT ref: 010015C6

Part of subcall function 010021B2: EnumWindowStationsA.USER32(01002151,?), ref: 010021BB

printf.MSVCRT ref: 010015FC
printf.MSVCRT ref: 01001626
strchr.MSVCRT ref: 0100168B
printf.MSVCRT ref: 01001706
printf.MSVCRT ref: 01001742

Strings

could not empty working set for process #%d [%s], xrefs: 010016E7, 01001705, 01001741
could not empty working set for process #%d, xrefs: 01001621
USAGE: empty.exe {pid | task-name}, xrefs: 010015F7
missing pid or task name, xrefs: 010015C1

Memory Dump Source

Source File: 00000000.00000002.1224000823.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1223986613.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224089803.00000000012D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_SecuriteInfo.jbxd

Similarity

API ID: printf$isdigit$CommandEnumLineStationsWindowisspacestrchr
String ID: USAGE: empty.exe {pid | task-name}$could not empty working set for process #%d$could not empty working set for process #%d [%s]$missing pid or task name
API String ID: 1354646753-1684680011
Opcode ID: 6a4a46aea4c65747fa3fd7d42c912066f3b0f1f627bdd2b954d95753f581ac3c
Instruction ID: 7f5fd6e0b5ed4496388ac76e03c1bec8723b05ae8ded05a71d6ba1a844e95ec8
Opcode Fuzzy Hash: 6a4a46aea4c65747fa3fd7d42c912066f3b0f1f627bdd2b954d95753f581ac3c
Instruction Fuzzy Hash: 2341C431A04306BFF773AB69DC44BAB7AE9BF09345F080469F9C5961C2EB75C5048762

Uniqueness

Uniqueness Score: -1.00%

Function 01001889 Relevance: 13.6, APIs: 9, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 010018FE
__p__fmode.MSVCRT ref: 01001913
__p__commode.MSVCRT ref: 01001921
__setusermatherr.MSVCRT ref: 0100194E
_initterm.MSVCRT ref: 01001964
__getmainargs.MSVCRT ref: 01001987
_initterm.MSVCRT ref: 0100199A
exit.KERNELBASE ref: 010019C7
_cexit.MSVCRT ref: 010019CD

Memory Dump Source

Source File: 00000000.00000002.1224000823.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1223986613.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224089803.00000000012D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_SecuriteInfo.jbxd

Similarity

API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
String ID:
API String ID: 1729372338-0
Opcode ID: 6475bd4c6ed8833a0989c9d558f407950949184a80d82e2bc5251f1b681a44ac
Instruction ID: 48c59f8d14c5f71abf4ac56d5ce7d23acfaaf1853e7d6aca13d4dc6d32785dda
Opcode Fuzzy Hash: 6475bd4c6ed8833a0989c9d558f407950949184a80d82e2bc5251f1b681a44ac
Instruction Fuzzy Hash: 03312670901205DFEB27DFA4E449AEC7BF0BB09311F10416AF1D6AA2D4DB79C684CB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01001D1B Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,01001608), ref: 01001D27
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,01001608), ref: 01001D2E
GetLastError.KERNEL32(?,?,?,?,?,01001608), ref: 01001D38
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 01001D51
GetLastError.KERNEL32(?,?,?,?,?,01001608), ref: 01001D5B
printf.MSVCRT ref: 01001DA8

Strings

OpenProcessToken failed with %d, xrefs: 01001D3F
AdjustTokenPrivileges failed with %d, xrefs: 01001DA3
SeDebugPrivilege, xrefs: 01001D4A
LookupPrivilegeValue failed with %d, xrefs: 01001D62

Memory Dump Source

Source File: 00000000.00000002.1224000823.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1223986613.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224089803.00000000012D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastProcess$CurrentLookupOpenPrivilegeTokenValueprintf
String ID: AdjustTokenPrivileges failed with %d$LookupPrivilegeValue failed with %d$OpenProcessToken failed with %d$SeDebugPrivilege
API String ID: 3917496471-4288129742
Opcode ID: e2fb129cfde9ce2d03cf6dead91c46a9d671c55d3b3f46d1ffadbb510200a34e
Instruction ID: d91b34e568323ca93b4a009b128a30ebf8ff8c43a7b08257e90444c258f86ed1
Opcode Fuzzy Hash: e2fb129cfde9ce2d03cf6dead91c46a9d671c55d3b3f46d1ffadbb510200a34e
Instruction Fuzzy Hash: 64113971B40244ABEB12EBE4994ABEE77B8AB04705F004156F6C2E5080E7B9D5048B61

Uniqueness

Uniqueness Score: -1.00%

Function 01001A88 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 199
stringmemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00000004,?,00000000,01001650,01003180,00000400), ref: 01001AAB
NtQuerySystemInformation.NTDLL ref: 01001AC4
VirtualFree.KERNEL32(00000000,00008000,?,00000000,01001650,01003180,00000400), ref: 01001AE7
RtlUnicodeStringToAnsiString.NTDLL ref: 01001B1D
strrchr.MSVCRT ref: 01001B2D
strncpy.MSVCRT ref: 01001B57
malloc.MSVCRT ref: 01001BC0
strncpy.MSVCRT ref: 01001C73
strncat.MSVCRT ref: 01001C94
strncat.MSVCRT ref: 01001CA6

Strings

System Process, xrefs: 01001B48, 01001B52

Memory Dump Source

Source File: 00000000.00000002.1224000823.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1223986613.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224089803.00000000012D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_SecuriteInfo.jbxd

Similarity

API ID: StringVirtualstrncatstrncpy$AllocAnsiFreeInformationQuerySystemUnicodemallocstrrchr
String ID: System Process
API String ID: 2616596419-499623549
Opcode ID: 22922ab224ab9272da6d9b979fc19e9493de17a8228f71efb056a6835651b191
Instruction ID: 155eff1ad740cd19f7491e524e5fb2a217c342ecd7a7a4f5c5707f47dc159c31
Opcode Fuzzy Hash: 22922ab224ab9272da6d9b979fc19e9493de17a8228f71efb056a6835651b191
Instruction Fuzzy Hash: C6813C74A0070AEFEB22CF68D884A9ABBF5FF08304F104469E69AD7281D775E550CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01001765 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 40
libraryloadertimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 01001780
GetCurrentProcessId.KERNEL32 ref: 0100178C
GetCurrentThreadId.KERNEL32 ref: 01001794
GetTickCount.KERNEL32 ref: 0100179C
QueryPerformanceCounter.KERNEL32(?), ref: 010017A8
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 010017CD
GetProcAddress.KERNEL32(00000000,UnhandledExceptionFilter), ref: 010017DE

Strings

UnhandledExceptionFilter, xrefs: 010017D8
kernel32.dll, xrefs: 010017C8

Memory Dump Source

Source File: 00000000.00000002.1224000823.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1223986613.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224089803.00000000012D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_SecuriteInfo.jbxd

Similarity

API ID: CurrentTime$AddressCountCounterFileHandleModulePerformanceProcProcessQuerySystemThreadTick
String ID: UnhandledExceptionFilter$kernel32.dll
API String ID: 2672014633-2428948374
Opcode ID: c78f97b6d19b08e38b69e259f6903e2bd2be64486a87993152d120711a86c496
Instruction ID: 8fb40e13c9998fe3057cd634cfeac8cb381f6fa519e78833bf518b7abc47d89c
Opcode Fuzzy Hash: c78f97b6d19b08e38b69e259f6903e2bd2be64486a87993152d120711a86c496
Instruction Fuzzy Hash: 6E011A75E01214ABEB33DBF5E84C98ABBF8BB08340F410955F9C1EB148DA79D6009B90

Uniqueness

Uniqueness Score: -1.00%

Function 01001F7D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetSystemInformation.NTDLL ref: 01001F93

Strings

could not empty working set for process #%d [%s], xrefs: 01001F7D

Memory Dump Source

Source File: 00000000.00000002.1224000823.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1223986613.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224089803.00000000012D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_SecuriteInfo.jbxd

Similarity

API ID: InformationSystem
String ID: could not empty working set for process #%d [%s]
API String ID: 157093387-630290577
Opcode ID: 2dd638f03d983fee136b463f16d61f7ad8ae3d47a0922db5f1e64022572ae77b
Instruction ID: 94f7c2926b4aca0748fea48e0687e5489894991ddce34d27313f45928fbb4fa1
Opcode Fuzzy Hash: 2dd638f03d983fee136b463f16d61f7ad8ae3d47a0922db5f1e64022572ae77b
Instruction Fuzzy Hash: 77D05E3060070A5BDB0896A98C4B6AA7AAC5B08330F500328A672E50D0D660DB454691

Uniqueness

Uniqueness Score: -1.00%

Function 01002151 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenWindowStationA.USER32(?,00000000,02000000), ref: 0100215D
GetProcessWindowStation.USER32 ref: 0100216B
SetProcessWindowStation.USER32(00000000), ref: 0100217A
_strdup.MSVCRT(?), ref: 01002180
EnumDesktopsA.USER32(00000000,QUh,?), ref: 01002195
SetProcessWindowStation.USER32(00000000), ref: 010021A0
CloseWindowStation.USER32(00000000), ref: 010021A3

Strings

QUh, xrefs: 0100218C

Memory Dump Source

Source File: 00000000.00000002.1224000823.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1223986613.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224089803.00000000012D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_SecuriteInfo.jbxd

Similarity

API ID: StationWindow$Process$CloseDesktopsEnumOpen_strdup
String ID: QUh
API String ID: 2491530623-379248110
Opcode ID: a6aa625d72dc241017096f1f3bf6a75bd876148a4a9743482af85f5019327217
Instruction ID: f94d7c1546836bf3e8310750d478ae221b94bd31ed1f0e8113160d9c0f86c060
Opcode Fuzzy Hash: a6aa625d72dc241017096f1f3bf6a75bd876148a4a9743482af85f5019327217
Instruction Fuzzy Hash: D9F03036608341ABF7229B64EC4CE5B7BAAEB94710F100419F2C5D2144DBB6D8018B11

Uniqueness

Uniqueness Score: -1.00%

Function 010020BB Relevance: 13.6, APIs: 9, Instructions: 54
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 010020CA
GetCurrentThreadId.KERNEL32 ref: 010020D9
GetThreadDesktop.USER32(00000000), ref: 010020E0
SetThreadDesktop.USER32(00000000), ref: 010020EB
_strdup.MSVCRT(?), ref: 010020F5
EnumWindows.USER32(Function_00001FA4,?), ref: 01002117

Part of subcall function 01001DB9: FindWindowExA.USER32(000000FD,00000000,00000000,00000000), ref: 01001DC3

EnumWindows.USER32(Function_00001FA4,?), ref: 01002126
SetThreadDesktop.USER32(?), ref: 0100213C
CloseDesktop.USER32(?), ref: 01002143

Memory Dump Source

Source File: 00000000.00000002.1224000823.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1223986613.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224089803.00000000012D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_SecuriteInfo.jbxd

Similarity

API ID: Desktop$Thread$EnumWindows$CloseCurrentFindOpenWindow_strdup
String ID:
API String ID: 675152996-0
Opcode ID: 749aad4e4096d3c3829c9b80b1c966c22e2da4baa2e3a86c4bea5838e5b860f0
Instruction ID: dc13d4766630820bc506023bb796d524830332ac52da066e69976a2c0ff8b51f
Opcode Fuzzy Hash: 749aad4e4096d3c3829c9b80b1c966c22e2da4baa2e3a86c4bea5838e5b860f0
Instruction Fuzzy Hash: 56016135208344AFE322AF60DC4CBAB7FBCEF55755F004519F1C591054CBBAE8049BA1

Uniqueness

Uniqueness Score: -1.00%

Function 010014EF Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 0100150A
isspace.MSVCRT ref: 01001532
isdigit.MSVCRT ref: 01001543
isdigit.MSVCRT ref: 01001564
_strupr.MSVCRT ref: 01001585

Strings

`0, xrefs: 010014FB
, xrefs: 01001515

Memory Dump Source

Source File: 00000000.00000002.1224000823.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1223986613.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224089803.00000000012D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_SecuriteInfo.jbxd

Similarity

API ID: isdigit$CommandLine_struprisspace
String ID: $`0
API String ID: 3306339058-4246127893
Opcode ID: c7f4505af63a00a1bd53791b6937e89d486bba802a2f250bb1b3bfe2fd32206a
Instruction ID: f2f2181aac8318358d0cb9141b348a0eaad237632353fd334fb04d8e933b88d3
Opcode Fuzzy Hash: c7f4505af63a00a1bd53791b6937e89d486bba802a2f250bb1b3bfe2fd32206a
Instruction Fuzzy Hash: EA118E7228A286EFF767CB28E8547B57BE4FB42316F18018AE8C28B185C736C0058765

Uniqueness

Uniqueness Score: -1.00%

Function 01001F2C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,010031A0,01003180,?,could not empty working set for process #%d [%s],010016FE,01003180,01003180,01003180,00000400), ref: 01001F3D
GetProcessWorkingSetSize.KERNEL32(00000000,?,?), ref: 01001F56
SetProcessWorkingSetSize.KERNEL32(00000000,000000FF,000000FF), ref: 01001F65
CloseHandle.KERNEL32(00000000,?,could not empty working set for process #%d [%s],010016FE,01003180,01003180,01003180,00000400), ref: 01001F6F

Strings

could not empty working set for process #%d [%s], xrefs: 01001F2C

Memory Dump Source

Source File: 00000000.00000002.1224000823.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1223986613.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224089803.00000000012D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_SecuriteInfo.jbxd

Similarity

API ID: Process$SizeWorking$CloseHandleOpen
String ID: could not empty working set for process #%d [%s]
API String ID: 1564249169-630290577
Opcode ID: f220a81c96058be8085741b607c882058e935c89eac33378b06e9b9520850ff4
Instruction ID: 17a8a6ae7a837a3a535b03d9b8580639ec7a5410a5d9c505bdca255b0a69dd93
Opcode Fuzzy Hash: f220a81c96058be8085741b607c882058e935c89eac33378b06e9b9520850ff4
Instruction Fuzzy Hash: 52F08276304054BB972397669C4CCEF3AACDADA3B1B000325F6B6D11C4DB78C601C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 01001FA4 Relevance: 6.1, APIs: 4, Instructions: 74
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 01001FDE
GetWindow.USER32(?,00000004), ref: 01001FF1
GetWindowLongA.USER32(?,000000F0), ref: 01002004
GetWindowTextA.USER32(?,?,00000080), ref: 0100206F

Memory Dump Source

Source File: 00000000.00000002.1224000823.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1223986613.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224089803.00000000012D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_SecuriteInfo.jbxd

Similarity

API ID: Window$LongProcessTextThread
String ID:
API String ID: 4064226584-0
Opcode ID: 6ed2e5abf12169728c1d0f67032fbb0a1b470cdb1d93ab4e16fe0895d4b13440
Instruction ID: 63ea032996a7d5d77ce760acf1aaa287d23cfa1d020b824599bd7f9e6fc22501
Opcode Fuzzy Hash: 6ed2e5abf12169728c1d0f67032fbb0a1b470cdb1d93ab4e16fe0895d4b13440
Instruction Fuzzy Hash: F331E574A00319DFEB62DF28C844B99BBF5BF05710F408295B9D9D6292C770EA85CF91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exePID: 824, Parent PID: 3968

General

Chronological Activities

Analysis Process: conhost.exePID: 5280, Parent PID: 824

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exePID: 824, Parent PID: 3968COMMON

Execution Graph

Graph

Windows Analysis Report
SecuriteInfo.com.Trojan.Win32.Krypt.14164.25813.exe

Function 01001592 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 150
stringCOMMON

Function 01001889 Relevance: 13.6, APIs: 9, Instructions: 87
COMMON

Function 01001D1B Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 55
COMMON

Function 01001A88 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 199
stringmemorynativeCOMMON

Function 01001765 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 40
libraryloadertimeCOMMON

Function 01001F7D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
nativeCOMMON

Function 01002151 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 36
COMMON

Function 010020BB Relevance: 13.6, APIs: 9, Instructions: 54
threadCOMMON

Function 010014EF Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66
COMMON

Function 01001F2C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36
COMMON

Function 01001FA4 Relevance: 6.1, APIs: 4, Instructions: 74
threadCOMMON