Click to jump to signature section
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | ReversingLabs: Detection: 23% |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Joe Sandbox ML: detected |
Source: Yara match | File source: 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe PID: 6024, type: MEMORYSTR |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 4x nop then jmp 00007FF848F322DFh | 0_2_00007FF848F319A9 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 4x nop then jmp 00007FF848F346FCh | 0_2_00007FF848F344F5 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process Stats: CPU usage > 49% |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 0_2_00007FF848F35AB0 | 0_2_00007FF848F35AB0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 0_2_00007FF848F3C924 | 0_2_00007FF848F3C924 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 0_2_00007FF848F3AB68 | 0_2_00007FF848F3AB68 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 0_2_00007FF848F465B8 | 0_2_00007FF848F465B8 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 0_2_00007FF848F3D0E9 | 0_2_00007FF848F3D0E9 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 0_2_00007FF848F30620 | 0_2_00007FF848F30620 |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Static PE information: No import functions for PE file found |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000000.1968356454.0000014285422000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameasia.exe* vs SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Binary or memory string: OriginalFilenameasia.exe* vs SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe |
Source: classification engine | Classification label: mal76.expl.evad.winEXE@2/0@0/0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2624:120:WilError_03 |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58% |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | ReversingLabs: Detection: 23% |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Jump to behavior |
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe" |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: mscoree.dll | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: vcruntime140_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: amsi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll | Jump to behavior |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Static PE information: 0xFAFBEEAE [Sat Jun 9 06:43:58 2103 UTC] |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 0_2_00007FF848F3FC16 pushfd ; retf | 0_2_00007FF848F3FC29 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Code function: 0_2_00007FF84900026B push esp; retf 4810h | 0_2_00007FF849000312 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe PID: 6024, type: MEMORYSTR |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Memory allocated: 14286F10000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Memory allocated: 1429F160000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Window / User API: threadDelayed 5441 | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Window / User API: threadDelayed 4539 | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe TID: 4040 | Thread sleep count: 5441 > 30 | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe TID: 4040 | Thread sleep time: -5441000s >= -30000s | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe TID: 5960 | Thread sleep count: 4539 > 30 | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe TID: 5960 | Thread sleep time: -4539000s >= -30000s | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | System information queried: CurrentTimeZoneInformation | Jump to behavior |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum |
Source: SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe, 00000000.00000002.4408858008.0000014287181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Process Stats: CPU usage > 42% for more than 60s |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Memory allocated: page read and write | page guard | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.17202.22243.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid | Jump to behavior |