Analysis Report SecuriteInfo.com.Trojan.GenericKD.45695593.9197.12080

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.12080 (renamed file extension from 12080 to exe)
Analysis ID: 356835
MD5: bb663ffdda23f4277af1d261ac43a88e
SHA1: 8f4e7653ba71af974226415ed512f44a6168abcc
SHA256: 145539dcc07505d1a41913332a55d78398f93c35d7332346e6a58c2006a79714

Detection

Raccoon
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Metadefender: Detection: 29%
Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe ReversingLabs: Detection: 89%
Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe PID: 472, type: MEMORY
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0040A1F6 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey, 0_2_0040A1F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_004245C3 CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, 0_2_004245C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_00424796 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree, 0_2_00424796
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0040A7BA GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData, 0_2_0040A7BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0040C9A1 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 0_2_0040C9A1

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe.400000.0.unpack
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.199.58:443 -> 192.168.2.4:49728 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000005.00000003.660730906.00000000055D2000.00000004.00000040.sdmp
Source: Binary string: ktmw32.pdb~p source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
Source: Binary string: ktmw32.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbN source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.660730906.00000000055D2000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.660730906.00000000055D2000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000005.00000003.660730906.00000000055D2000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.660730906.00000000055D2000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdbbp source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb_ source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdb2 source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.660800358.00000000055D0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
Source: Binary string: schannel.pdb, source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb4 source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbdp source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.660730906.00000000055D2000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbhp source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: webio.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000005.00000003.660730906.00000000055D2000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbpp source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.660800358.00000000055D0000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.660800358.00000000055D0000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000005.00000003.660730906.00000000055D2000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.660800358.00000000055D0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.660800358.00000000055D0000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0043E217 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 0_2_0043E217
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0043E387 GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose, 0_2_0043E387

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.201.225.248 195.201.225.248
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown DNS traffic detected: queries for: telete.in
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.199.58:443 -> 192.168.2.4:49728 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_004266C0 GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown, 0_2_004266C0

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe PID: 472, type: MEMORY

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0042693B 0_2_0042693B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_00414B7F 0_2_00414B7F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0045A249 0_2_0045A249
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0044824A 0_2_0044824A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0044A210 0_2_0044A210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0045A369 0_2_0045A369
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0041A4E6 0_2_0041A4E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_004644EB 0_2_004644EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_004144A8 0_2_004144A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0042865E 0_2_0042865E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_004187C0 0_2_004187C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0040A7BA 0_2_0040A7BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0042495F 0_2_0042495F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_00412930 0_2_00412930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0043C990 0_2_0043C990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0040C9A1 0_2_0040C9A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_00436ACF 0_2_00436ACF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_00442BF0 0_2_00442BF0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: String function: 004102CD appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: String function: 0043FC0D appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: String function: 0044EE89 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: String function: 004677E0 appears 74 times
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 684
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, 00000000.00000002.675310906.0000000004170000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, 00000000.00000002.675301791.0000000004160000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, 00000000.00000002.675152667.00000000040A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal76.troj.evad.winEXE@2/4@2/3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_00438121 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,GetModuleFileNameA,_strlen,_mbstowcs,CreateProcessWithTokenW,CloseHandle,Process32NextW, 0_2_00438121
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0043483A CoCreateInstance, 0_2_0043483A
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess472
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Mutant created: \Sessions\1\BaseNamedObjects\uiabfqwfuuser
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4564.tmp
Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 684

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0042495F GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 0_2_0042495F
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_004400B4 push ecx; ret 0_2_004400C6
Source: initial sample Static PE information: section name: .text entropy: 7.76039382624
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe TID: 3436 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0043E217 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 0_2_0043E217
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0043E387 GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose, 0_2_0043E387
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_00436ACF _strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 0_2_00436ACF
Source: WerFault.exe, 00000005.00000002.672972673.0000000005240000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000005.00000002.672718308.0000000004F40000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000005.00000002.672972673.0000000005240000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000005.00000002.672972673.0000000005240000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000005.00000002.672972673.0000000005240000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0045C2E6 IsDebuggerPresent,OutputDebugStringW, 0_2_0045C2E6
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0042495F GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 0_2_0042495F
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_00446991 mov eax, dword ptr fs:[00000030h] 0_2_00446991
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0040A3FB GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_0040A3FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_004402A4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004402A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_004463B5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004463B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_00440406 SetUnhandledExceptionFilter, 0_2_00440406
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_004405C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004405C8

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_004400C8 cpuid 0_2_004400C8
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,GetUserNameA,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize, 0_2_0042693B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00462121
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: EnumSystemLocalesW, 0_2_00458367
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: EnumSystemLocalesW, 0_2_004623C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: EnumSystemLocalesW, 0_2_0046240E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: EnumSystemLocalesW, 0_2_004624A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00462534
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: GetLocaleInfoW, 0_2_00462787
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004628AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: GetLocaleInfoW, 0_2_00458994
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: GetLocaleInfoW, 0_2_004629B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: _strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 0_2_00436ACF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00462A82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_00440470 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00440470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0042693B CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,GetUserNameA,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize, 0_2_0042693B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_004364C1 GetTimeZoneInformation,std::ios_base::_Ios_base_dtor, 0_2_004364C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0042495F GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 0_2_0042495F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe PID: 472, type: MEMORY

Remote Access Functionality:

Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe PID: 472, type: MEMORY

Behavior Graph (ID: 356835, Startdate: 23/02/2021, Architecture: WINDOWS, Score: 76)

Top-level signatures: Multi AV Scanner detection for submitted file; Yara detected Raccoon Stealer; Machine Learning detection for sample
Process started: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe
  Network contacts: telete.in 195.201.225.248, 443, 49727 HETZNER-ASDE Germany; yearofthepig.top 172.67.199.58, 443, 49728 CLOUDFLARENETUS United States; 192.168.2.1 unknown unknown
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
  Child process started: WerFault.exe

Contacted Public IPs

IP               Domain    Country         ASN    ASN Name          Malicious
195.201.225.248  unknown   Germany         24940  HETZNER-ASDE      false
172.67.199.58    unknown   United States   13335  CLOUDFLARENETUS   false

Private

IP
192.168.2.1

Contacted Domains

Name              IP               Active
yearofthepig.top  172.67.199.58    true
telete.in         195.201.225.248  true