Windows Analysis Report
SecuriteInfo.com.Trojan.Crypt.14125.25529.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Crypt.14125.25529.exe
Analysis ID: 1431788
MD5: e9d2d1f8d13bfc61b8eba5899b98cacd
SHA1: 595d42f95c0c5f35d7f13931836b7378bea997bc
SHA256: 7a84132479f6c500730b87327c0bcb5cf550d889a6c116d87ce00fad7c21bb15
Tags: exe

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Code function: 0_2_009A1034 WSAStartup,WSACleanup,socket,WSACleanup,gethostbyname,WSACleanup,shutdown,closesocket,htons,connect,lstrlenA,send,recv,StrStrA,StrStrA,StrStrA,shutdown,closesocket,WSACleanup, 0_2_009A1034
Source: SecuriteInfo.com.Trojan.Crypt.14125.25529.exe String found in binary or memory: http://www.e-sushi.net/minibin/
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Code function: 0_2_009A16DC 0_2_009A16DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Code function: 0_2_009A8ADC 0_2_009A8ADC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Code function: 0_2_009A902D 0_2_009A902D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Code function: 0_2_009AB060 0_2_009AB060
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Code function: 0_2_009A5132 0_2_009A5132
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Code function: 0_2_009A9D5D 0_2_009A9D5D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Code function: 0_2_009A957E 0_2_009A957E
Source: SecuriteInfo.com.Trojan.Crypt.14125.25529.exe, 00000000.00000002.2594542975.00000000009B9000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameminibin.exep( vs SecuriteInfo.com.Trojan.Crypt.14125.25529.exe
Source: SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Binary or memory string: OriginalFilenameminibin.exep( vs SecuriteInfo.com.Trojan.Crypt.14125.25529.exe
Source: classification engine Classification label: clean4.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Mutant created: \Sessions\1\BaseNamedObjects\MiniBin
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Command line argument: MiniBin 0_2_009A2502
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Command line argument: minibin.ini 0_2_009A2502
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Command line argument: \empty.ico 0_2_009A2502
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Command line argument: \25.ico 0_2_009A2502
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Command line argument: \50.ico 0_2_009A2502
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Command line argument: \75.ico 0_2_009A2502
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Command line argument: \full.ico 0_2_009A2502
Source: SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32
Source: SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Code function: 0_2_009A784C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_009A784C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Code function: 0_2_009A4E95 push ecx; ret 0_2_009A4EA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Code function: 0_2_009A11A5 lstrcatW,GetPrivateProfileStringW,lstrcpyW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW, 0_2_009A11A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Code function: 0_2_009A1602 __aulldiv,__floor_pentium4,GetPrivateProfileIntW,SHEmptyRecycleBinW, 0_2_009A1602
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Code function: 0_2_009A64F9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_009A64F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Code function: 0_2_009A6FEE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_009A6FEE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Code function: 0_2_009A3D5A SetUnhandledExceptionFilter, 0_2_009A3D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Crypt.14125.25529.exe Code function: 0_2_009A503F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_009A503F
No contacted IP infos