
Analysis Report SecuriteInfo.com.Trojan.GenericKD.46243806.32106.30285

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.30285 (renamed file extension from 30285 to exe)
Analysis ID: 404310
MD5: cce6c363c0ff7ac663cd71c5906069a6
SHA1: 98ad5e24bf99fbb4cf7bdcaa54b6d720064dc810
SHA256: b65eed317058df5ddd4247ec93ac2b555ae2c29b751ee455ceee3dd9b670ecad

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "bigazz@sixjan.xyzH^i?T2&gWQ({sixjan.xyz"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000010.00000002.484888113.0000000002BB1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000010.00000002.484888113.0000000002BB1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe PID: 1848 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe PID: 1848 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe.428c788.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "bigazz@sixjan.xyzH^i?T2&gWQ({sixjan.xyz"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe | ReversingLabs: Detection: 40%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Virustotal: Detection: 30%
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | ReversingLabs: Detection: 40%
Source: 16.2.SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 4x nop then jmp 05FA4D92h | 0_2_05FA4A67
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 4x nop then jmp 05FA5032h | 0_2_05FA4A67
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 4x nop then jmp 05FA4D92h | 0_2_05FA4BF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 4x nop then jmp 05FA4D92h | 0_2_05FA4A98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 4x nop then jmp 05FA5032h | 0_2_05FA4A98
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000002.484888113.0000000002BB1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000002.484888113.0000000002BB1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000002.484888113.0000000002BB1000.00000004.00000001.sdmp | String found in binary or memory: http://mNVnNH.com
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: http://ocsp.digicert.com0H
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: http://ocsp.digicert.com0I
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000002.484888113.0000000002BB1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: https://discord.com/
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: https://discord.com/2
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: https://discord.com/6
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: https://discord.com/:
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000002.484888113.0000000002BB1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000000.00000002.341547950.00000000013EB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05F1DF98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05F195B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05F14F90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05F181E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05F1ABE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05F70CD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05F71432
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05F7E7A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05F7E540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05F7E536
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05F7E797
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05F72150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05FA009E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05FA6458
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05FA1850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05FA193C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05FA6448
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05FA1C08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05FA37C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05FA37B0
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 16_2_02A34E40
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 16_2_02A3EA8A
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 16_2_02A34E32
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe B65EED317058DF5DDD4247EC93AC2B555AE2C29B751EE455CEEE3DD9B670ECAD
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe B65EED317058DF5DDD4247EC93AC2B555AE2C29B751EE455CEEE3DD9B670ECAD
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Static PE information: invalid certificate
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000000.00000002.341547950.00000000013EB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilename clr.dll vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000000.00000002.341092452.0000000000C70000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename 44444.exe vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000000.00000002.345992042.0000000005C90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename mscorrc.dll vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000000.00000002.346362509.0000000005F80000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename Btuucsui.dll vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000000.00000002.341983354.00000000031C2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename hHjrmKPrlxwsmtWVgQPQZlucKNq.exe vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 0000000F.00000002.338937682.0000000000280000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename 44444.exe vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000002.481465313.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilename hHjrmKPrlxwsmtWVgQPQZlucKNq.exe vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000000.339515688.0000000000730000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename 44444.exe vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000002.483591584.0000000000D3A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilename clr.dll vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Binary or memory string: OriginalFilename 44444.exe vs SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: notpad.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal96.troj.evad.winEXE@5/5@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | File created: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Virustotal: Detection: 30%
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | ReversingLabs: Detection: 40%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Process created: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Process created: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 0_2_05F1F66C pushad ; ret | 0_2_05F1F66D
Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Code function: 16_2_02A31BAB push es; retf | 16_2_02A31BB7
Source: initial sample | Static PE information: section name: .text entropy: 7.96408240927 (listed three times in the original report, once per PE file; the submitted file and both dropped copies share the same SHA256)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | File created: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe (dropped file)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe (dropped file)
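The static indicators above are what a triage script checks before anything is detonated: a .text section with entropy 7.964 against a theoretical maximum of 8.0, EXECUTE|CODE|READ section flags, an invalid Authenticode certificate, and dropped copies whose SHA256 equals the submitted file. The Python below is an added example, not Joe Sandbox code and not anything recovered from the sample. It parses the PE section table by hand, reports per-section Shannon entropy, flags executable sections above an assumed threshold of 7.2 (a heuristic, not a value from this report), and compares a file's MD5/SHA1/SHA256 against the IOCs listed in the General Information block. The build_minimal_pe helper is a constructed fixture so the parser can be exercised offline without a real sample.

```python
"""Static triage of a PE: section entropy, section flags, IOC hash match.

Added example, not Joe Sandbox code. Pure standard library: the section
table is parsed by hand instead of via pefile.
"""
import hashlib
import math
import struct
import sys

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

PACKED_ENTROPY_THRESHOLD = 7.2  # assumed heuristic; plain compiled code usually sits well below this

# Hashes of the sample as listed in the report (submitted file == both dropped copies)
REPORT_IOC_HASHES = {
    "md5": "cce6c363c0ff7ac663cd71c5906069a6",
    "sha1": "98ad5e24bf99fbb4cf7bdcaa54b6d720064dc810",
    "sha256": "b65eed317058df5ddd4247ec93ac2b555ae2c29b751ee455ceee3dd9b670ecad",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> IMAGE_FILE_HEADER -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_hdr = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, file_hdr)
    table = file_hdr + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": shannon_entropy(data),
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
            "code": bool(flags & IMAGE_SCN_CNT_CODE),
        })
    return sections


def suspicious_sections(pe: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> list:
    """Names of executable sections whose entropy suggests packed or encrypted content."""
    return [s["name"] for s in parse_sections(pe) if s["executable"] and s["entropy"] >= threshold]


def file_hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matches_report_iocs(data: bytes) -> bool:
    """True if any digest of `data` equals the sample hash listed in the report."""
    h = file_hashes(data)
    return any(h[alg] == REPORT_IOC_HASHES[alg] for alg in REPORT_IOC_HASHES)


def build_minimal_pe(blobs: dict) -> bytes:
    """Constructed test fixture: a parse-only PE skeleton, not loadable by Windows.

    A section named .text gets EXECUTE|CODE|READ like the sample; others READ only.
    SizeOfOptionalHeader is 0 to keep the fixture short.
    """
    nsec = len(blobs)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    file_hdr = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0, 0x0102)  # i386, EXECUTABLE_IMAGE|32BIT_MACHINE
    raw_ptr = 0x40 + 4 + 20 + 40 * nsec
    table, body = b"", b""
    for name, data in blobs.items():
        flags = (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
                 if name == ".text" else IMAGE_SCN_MEM_READ)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, flags)
        body += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + file_hdr + table + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read()
    print("IOC match:", matches_report_iocs(blob), file_hashes(blob)["sha256"])
    for s in parse_sections(blob):
        tag = "PACKED?" if s["executable"] and s["entropy"] >= PACKED_ENTROPY_THRESHOLD else ""
        print(f"{s['name']:<8} size={s['raw_size']:>8} entropy={s['entropy']:.3f} "
              f"{'X' if s['executable'] else '-'}{'W' if s['writable'] else '-'} {tag}")
```

Run it as `python pe_triage.py sample.exe`. An entropy near 8.0 in an executable section, as the report shows for .text, means the bytes are effectively random: compressed or encrypted payload rather than compiled code, which is why "Detected potential crypto function" and the runtime unpacking into a second process go together. The hash check is deliberately exact-match only; a repacked build of the same family will not match and needs the behavioural indicators below.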

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, value: Startup
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe:Zone.Identifier:$DATA (alternate data stream)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000000.00000002.346362509.0000000005F80000.00000004.00000001.sdmp -> Binary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Window / User API: threadDelayed 800
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Window / User API: threadDelayed 9009
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe TID: 4888 -> Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe TID: 5812 -> Thread sleep time: -20291418481080494s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe TID: 5848 -> Thread sleep count: 800 > 30
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe TID: 5848 -> Thread sleep count: 9009 > 30
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe TID: 5812 -> Thread sleep count: 43 > 30
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Thread delayed: delay time: 922337203685477
          Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000000.00000002.346362509.0000000005F80000.00000004.00000001.sdmp -> Binary or memory string: vmware
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Process token adjusted: Debug
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Memory written: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe base: 400000 value starts with: 4D5A
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Memory written: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe base: 400000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Memory written: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe base: 402000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Memory written: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe base: 46C000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Memory written: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe base: 46E000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Memory written: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe base: 9EC008
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Process created: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe
          Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000002.484585171.0000000001580000.00000002.00000001.sdmp -> Binary or memory string: Program Manager
          Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000002.484585171.0000000001580000.00000002.00000001.sdmp -> Binary or memory string: Shell_TrayWnd
          Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000002.484585171.0000000001580000.00000002.00000001.sdmp -> Binary or memory string: Progman
          Source: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe, 00000010.00000002.484585171.0000000001580000.00000002.00000001.sdmp -> Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Queries volume information: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe -> Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected AgentTesla
          Source: Yara match -> File source: 00000010.00000002.484888113.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match -> File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe PID: 1848, type: MEMORY

          Remote Access Functionality:

          Yara detected AgentTesla
          Source: Yara match -> File source: 00000010.00000002.484888113.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match -> File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.46243806.32106.exe PID: 1848, type: MEMORY

          Mitre Att&ck Matrix

          | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
          |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
          | Valid Accounts | Windows Management Instrumentation 211 | Registry Run Keys / Startup Folder 11 | Process Injection 212 | Masquerading 1 | Input Capture 1 | Query Registry 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
          | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 11 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 311 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
          | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
          | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 212 | NTDS | Virtualization/Sandbox Evasion 131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
          | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 3 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
          | Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 3 | Cached Domain Credentials | System Information Discovery 113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |

          Behavior Graph


          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.