Analysis Report SecuriteInfo.com.Trojan.GenericKD.46243806.32106.30285

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.30285 (renamed file extension from 30285 to exe)
Analysis ID: 404310
MD5: cce6c363c0ff7ac663cd71c5906069a6
SHA1: 98ad5e24bf99fbb4cf7bdcaa54b6d720064dc810
SHA256: b65eed317058df5ddd4247ec93ac2b555ae2c29b751ee455ceee3dd9b670ecad

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe.428c788.2.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "bigazz@sixjan.xyzH^i?T2&gWQ({sixjan.xyz"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe ReversingLabs: Detection: 40%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Virustotal: Detection: 30%
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe ReversingLabs: Detection: 40%
Antivirus or Machine Learning detection for unpacked file
Source: 16.2.SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Code function: 4x nop then jmp 05FA4D92h 0_2_05FA4A67
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Code function: 4x nop then jmp 05FA5032h 0_2_05FA4A67
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Code function: 4x nop then jmp 05FA4D92h 0_2_05FA4BF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Code function: 4x nop then jmp 05FA4D92h 0_2_05FA4A98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Code function: 4x nop then jmp 05FA5032h 0_2_05FA4A98

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000000.00000002.341547950.00000000013EB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe B65EED317058DF5DDD4247EC93AC2B555AE2C29B751EE455CEEE3DD9B670ECAD
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe B65EED317058DF5DDD4247EC93AC2B555AE2C29B751EE455CEEE3DD9B670ECAD
PE / OLE file has an invalid certificate
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000000.00000002.341547950.00000000013EB000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000000.00000002.341092452.0000000000C70000.00000002.00020000.sdmp Binary or memory string: OriginalFilename44444.exe^ vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000000.00000002.345992042.0000000005C90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000000.00000002.346362509.0000000005F80000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBtuucsui.dll" vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000000.00000002.341983354.00000000031C2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamehHjrmKPrlxwsmtWVgQPQZlucKNq.exe4 vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 0000000F.00000002.338937682.0000000000280000.00000002.00020000.sdmp Binary or memory string: OriginalFilename44444.exe^ vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000002.481465313.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamehHjrmKPrlxwsmtWVgQPQZlucKNq.exe4 vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000000.339515688.0000000000730000.00000002.00020000.sdmp Binary or memory string: OriginalFilename44444.exe^ vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000002.483591584.0000000000D3A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Binary or memory string: OriginalFilename44444.exe^ vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: notpad.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal96.troj.evad.winEXE@5/5@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe File created: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Process created: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Code function: 0_2_05F1F66C pushad ; ret 0_2_05F1F66D
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Code function: 16_2_02A31BAB push es; retf 16_2_02A31BB7
Source: initial sample Static PE information: section name: .text entropy: 7.96408240927

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe File created: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe\:Zone.Identifier:$DATA

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000000.00000002.346362509.0000000005F80000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Thread delayed: delay time: 922337203685477
Note: 922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks of 100 ns / 10000), i.e. a .NET upper-bound value rather than a tuned delay; the same value shows up below as the negative "-922337203685477s" sleep time.
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Window / User API: threadDelayed 800
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Window / User API: threadDelayed 9009
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe TID: 4888 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe TID: 5812 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe TID: 5848 Thread sleep count: 800 > 30
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe TID: 5848 Thread sleep count: 9009 > 30
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe TID: 5812 Thread sleep count: 43 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000000.00000002.346362509.0000000005F80000.00000004.00000001.sdmp Binary or memory string: vmware
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Process information queried: ProcessInformation
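The evasion evidence above records which WMI classes were enumerated (Win32_BaseBoard, Win32_NetworkAdapterConfiguration, Win32_Processor) and which strings sit in memory ("vmware", "SBIEDLL.DLL"), not the values the sample compares against. The following Python is an added example by the editor, not code from the sample or from the sandbox vendor: it audits an analysis VM's inventory against the checks those queries typically feed. The vendor-marker list and the "fewer than two logical processors" rule are assumptions about what such a check matches on; the hypervisor OUI prefixes and the Sandboxie module name are facts. Both inventories are constructed.

```python
"""Audit an analysis VM against the fingerprint checks this report records:
WMI Win32_BaseBoard, Win32_Processor and Win32_NetworkAdapterConfiguration
queries plus the "vmware" and "SBIEDLL.DLL" strings found in memory.

Added example by the editor, not code from the sample or the sandbox vendor.
The report shows which WMI classes were enumerated, not the values compared
against; the marker lists below are assumptions about what such checks match.
"""
from __future__ import annotations

from dataclasses import dataclass

# Substrings a VM check typically looks for in hardware identity strings (assumption).
VENDOR_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "kvm", "bochs",
                  "parallels", "virtual machine", "hyper-v")
# IEEE OUI prefixes assigned to common hypervisors; the MAC comes from
# Win32_NetworkAdapterConfiguration.MACAddress.
HYPERVISOR_OUI = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "52:54:00": "QEMU/KVM",
}
# Module name from this report's memory strings (Sandboxie's user-mode DLL).
SANDBOX_MODULES = {"sbiedll.dll"}


@dataclass
class HostInventory:
    """The subset of WMI properties the sample's queries would return."""
    baseboard_manufacturer: str   # Win32_BaseBoard.Manufacturer
    baseboard_product: str        # Win32_BaseBoard.Product
    processor_name: str           # Win32_Processor.Name
    logical_processors: int       # Win32_Processor.NumberOfLogicalProcessors
    mac_addresses: list[str]      # Win32_NetworkAdapterConfiguration.MACAddress
    loaded_modules: list[str]     # module list of the inspecting process


def _oui(mac: str) -> str:
    """Normalise 'AA-BB-CC-...' / 'aa:bb:cc:...' to the lower-case 'aa:bb:cc' prefix."""
    parts = mac.replace("-", ":").lower().split(":")
    return ":".join(parts[:3])


def fingerprint(inv: HostInventory) -> list[str]:
    """Return every indicator such a check could trip on (empty list = looks like bare metal)."""
    hits: list[str] = []
    for source, value in (("Win32_BaseBoard.Manufacturer", inv.baseboard_manufacturer),
                          ("Win32_BaseBoard.Product", inv.baseboard_product),
                          ("Win32_Processor.Name", inv.processor_name)):
        low = value.lower()
        for marker in VENDOR_MARKERS:
            if marker in low:
                hits.append(f"{source} contains '{marker}': {value!r}")
                break
    for mac in inv.mac_addresses:
        vendor = HYPERVISOR_OUI.get(_oui(mac))
        if vendor:
            hits.append(f"Win32_NetworkAdapterConfiguration.MACAddress {mac} has {vendor} OUI")
    for module in inv.loaded_modules:
        name = module.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in SANDBOX_MODULES:
            hits.append(f"sandbox module loaded: {name}")
    if inv.logical_processors < 2:   # assumption: single-vCPU guests are a common heuristic
        hits.append(f"Win32_Processor reports {inv.logical_processors} logical processor")
    return hits


def looks_like_analysis_vm(inv: HostInventory) -> bool:
    return bool(fingerprint(inv))


# Constructed inventories (not data from the report).
# A VMware guest commonly reports generic baseboard strings that carry no vendor
# name, which is why checks also look at the NIC OUI and the loaded modules.
VMWARE_SANDBOX = HostInventory(
    baseboard_manufacturer="Intel Corporation",
    baseboard_product="440BX Desktop Reference Platform",
    processor_name="Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz",
    logical_processors=1,
    mac_addresses=["00:0C:29:3A:5B:7C"],
    loaded_modules=[r"C:\Windows\System32\ntdll.dll", r"C:\Program Files\Sandboxie\SbieDll.dll"],
)
WORKSTATION = HostInventory(
    baseboard_manufacturer="ASUSTeK COMPUTER INC.",
    baseboard_product="PRIME Z390-A",
    processor_name="Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz",
    logical_processors=8,
    mac_addresses=["3C-7C-3F-10-20-30"],
    loaded_modules=[r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\kernel32.dll"],
)

if __name__ == "__main__":
    for label, inv in (("vmware sandbox", VMWARE_SANDBOX), ("workstation", WORKSTATION)):
        print(label, "->", fingerprint(inv) or "no indicators")
```

On a real analysis VM the HostInventory fields would be filled from the same WMI classes the sample enumerates (for instance via Get-CimInstance on Windows); every hit returned is an artifact the VM exposes to this family of checks and is worth masking before detonation.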

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Memory written: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Memory written: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe base: 400000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Memory written: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe base: 402000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Memory written: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe base: 46C000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Memory written: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe base: 46E000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Memory written: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe base: 9EC008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Process created: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Process created: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000002.484585171.0000000001580000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000002.484585171.0000000001580000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000002.484585171.0000000001580000.00000002.00000001.sdmp Binary or memory string: Progman
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000002.484585171.0000000001580000.00000002.00000001.sdmp Binary or memory string: Progmanlock
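The injection evidence in this section is the classic RunPE / process-hollowing sequence: the sample starts a copy of its dropped file (the signature records the child as created in suspended mode), writes a PE header (4D5A, "MZ") at 0x400000 in that child, follows with page-aligned writes inside the same image (0x402000, 0x46C000, 0x46E000), and makes one small write at 0x9EC008. The Python below is an added example by the editor, not tooling from the report or the sandbox vendor: it parses the "Process created" and "Memory written" lines exactly as printed and reconstructs that layout. The 16 MiB image-extent bound and the reading of the unaligned write as a PEB.ImageBaseAddress patch (PEB+0x8 on 32-bit Windows) are assumptions the report does not state.

```python
"""Reconstruct the RunPE / process-hollowing evidence from Joe Sandbox style
"Process created" and "Memory written" lines.

Added example by the editor, not tooling from the report or the sandbox vendor.
It parses the lines as printed on this page; the image-extent heuristic and the
PEB interpretation of the out-of-image write are assumptions noted inline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The report's own lines for this sample (trailing "Jump to behavior" link text kept
# as the page prints it, so the parser has to tolerate it).
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Memory written: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Memory written: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Memory written: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe base: 46C000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Memory written: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe base: 46E000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Memory written: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe base: 9EC008 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Process created: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Process created: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Jump to behavior
"""

WRITE_RE = re.compile(
    r"^Source: (?P<writer>.+?) Memory written: (?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: value starts with: (?P<head>[0-9A-Fa-f]+))?"
)
CREATE_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<child>\S+) ")

# Assumption: the injected 32-bit image is one contiguous region no larger than
# 16 MiB; RunPE writes headers and sections at SectionAlignment (page) boundaries.
MAX_IMAGE_SPAN = 0x0100_0000


@dataclass
class HollowingEvidence:
    target: str | None = None
    suspended_children: int = 0          # "Process created" lines under the suspended-mode signature
    image_base: int | None = None        # address of the write whose first bytes are "MZ"
    section_writes: list[int] = field(default_factory=list)
    other_writes: list[int] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.image_base is not None and self.suspended_children and self.section_writes:
            return "process hollowing (RunPE) pattern"
        if self.image_base is not None:
            return "PE image written into a foreign process"
        return "no injection evidence"


def reconstruct(lines: str) -> HollowingEvidence:
    ev = HollowingEvidence()
    writes: list[tuple[int, str | None, str]] = []
    for line in lines.splitlines():
        line = line.strip()
        if m := CREATE_RE.match(line):
            ev.suspended_children += 1
            ev.target = ev.target or m["child"]
        elif m := WRITE_RE.match(line):
            writes.append((int(m["base"], 16), m["head"], m["target"]))
    # The write that starts with 4D5A ("MZ") is the header of the injected image.
    for addr, head, target in writes:
        if head and head.upper().startswith("4D5A"):
            ev.image_base, ev.target = addr, target
            break
    for addr, head, target in writes:
        if addr == ev.image_base:
            continue
        in_image = (ev.image_base is not None
                    and 0 < addr - ev.image_base < MAX_IMAGE_SPAN
                    and addr & 0xFFF == 0)   # section VirtualAddresses are page aligned
        (ev.section_writes if in_image else ev.other_writes).append(addr)
    ev.section_writes.sort()
    ev.other_writes.sort()
    return ev


def describe(ev: HollowingEvidence) -> list[str]:
    out = [f"target: {ev.target}", f"verdict: {ev.verdict}"]
    if ev.image_base is not None:
        out.append(f"PE header (MZ) written at 0x{ev.image_base:X}")
        out += [f"section write at 0x{a:X} (+0x{a - ev.image_base:X})" for a in ev.section_writes]
    for a in ev.other_writes:
        # Interpretation, not stated by the report: on 32-bit Windows PEB+0x8 is
        # PEB.ImageBaseAddress, which a RunPE loader patches to the new base.
        note = " (unaligned, +0x8 into a page: consistent with a PEB.ImageBaseAddress patch)" if a & 0xFFF == 0x8 else ""
        out.append(f"write outside the image at 0x{a:X}{note}")
    return out


if __name__ == "__main__":
    print("\n".join(describe(reconstruct(REPORT_LINES))))
```

Run against any report of the same format, the output gives the injected image base, its section layout and the writes that do not belong to the image, which is the minimum an analyst needs before dumping the child process at 0x400000.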

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Queries volume information: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 identical events)
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000010.00000002.484888113.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe PID: 1848, type: MEMORY
Yara detected Credential Stealer
Source: Yara match File source: 00000010.00000002.484888113.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe PID: 1848, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000010.00000002.484888113.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe PID: 1848, type: MEMORY

Behavior Graph:

Behavior Graph ID: 404310
Sample: SecuriteInfo.com.Trojan.Gen...
Startdate: 04/05/2021
Architecture: WINDOWS
Score: 96

Signatures on the sample: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 2 other signatures

Process: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe (started from the sample)
  Dropped files:
    C:\Users\user\AppData\Roaming\...\notpad.exe (PE32)
    SecuriteInfo.com.T....46243806.32106.exe (PE32)
    SecuriteInfo.com.T...exe:Zone.Identifier (ASCII)
    SecuriteInfo.com.T...43806.32106.exe.log (ASCII)
  Signatures: Creates an undocumented autostart registry key; Writes to foreign memory regions; Injects a PE file into a foreign processes
  Child processes started: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe (two instances)
    Signatures on the first child: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
No contacted IP infos