Windows Analysis Report SecuriteInfo.com.Trojan.InjectNET.14.3934.31899

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.InjectNET.14.3934.31899 (renamed file extension from 31899 to exe)
Analysis ID: 502723
MD5: 13003cbfb6d2adfeea85952f8172c4f7
SHA1: e5ef2dd654b50ed7be455cbe7aaabaa7acaedc80
SHA256: 9c8590c7165b453dd0792be3cf51e200961a1ed9cf1154768ee86f7018db8fd9
Tags: exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Creates a thread in another existing process (thread injection)
Allocates memory in foreign processes
Queries the volume information (name, serial number, etc.) of a device
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Virustotal: Detection: 37%
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Metadefender: Detection: 25%
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe ReversingLabs: Detection: 33%

System Summary:

Detected potential crypto function
Source: C:\Windows\System32\conhost.exe Code function: 1_2_000001BA559E70D6 1_2_000001BA559E70D6
Source: C:\Windows\System32\conhost.exe Code function: 1_2_000001BA559E6D06 1_2_000001BA559E6D06
Source: C:\Windows\System32\conhost.exe Code function: 1_2_000001BA559E60D2 1_2_000001BA559E60D2
Source: C:\Windows\System32\conhost.exe Code function: 1_2_000001BA559E750E 1_2_000001BA559E750E
Source: C:\Windows\System32\conhost.exe Code function: 1_2_000001BA559E796A 1_2_000001BA559E796A
Source: C:\Windows\System32\conhost.exe Code function: 1_2_00007FFD04005862 1_2_00007FFD04005862
Source: C:\Windows\System32\conhost.exe Code function: 1_2_00007FFD04004AB6 1_2_00007FFD04004AB6
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Code function: 0_2_00401D58 NtAllocateVirtualMemory, 0_2_00401D58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Code function: 0_2_00401D18 NtWriteVirtualMemory, 0_2_00401D18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Code function: 0_2_004019D8 NtCreateThreadEx, 0_2_004019D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Code function: 0_2_00401D98 NtProtectVirtualMemory, 0_2_00401D98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Code function: 0_2_00401C98 NtClose, 0_2_00401C98
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Static PE information: Section: .rdata ZLIB complexity 0.999692137922
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Virustotal: Detection: 37%
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Metadefender: Detection: 25%
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe ReversingLabs: Detection: 33%
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\conhost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Source: classification engine Classification label: mal60.evad.winEXE@3/1@0/0
Source: C:\Windows\System32\conhost.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Static file information: File size 2009088 > 1048576
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1e8800

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Code function: 0_2_005ECB00 push rax; retf 0_2_005ECB01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Code function: 0_2_005EC8C0 push rax; retn 0009h 0_2_005EC8C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Code function: 0_2_005ECBFF push rax; iretd 0_2_005ECC01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Code function: 0_2_005ECAB7 push rax; retf 0009h 0_2_005ECAC1
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\conhost.exe Thread delayed: delay time: 922337203685477

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Memory written: C:\Windows\System32\conhost.exe base: 1BA55800000
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Thread created: C:\Windows\System32\conhost.exe EIP: 55800000
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Memory allocated: C:\Windows\System32\conhost.exe base: 1BA55800000 protect: page execute and read and write
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe'
Source: conhost.exe, 00000001.00000000.350445968.000001BA56310000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000001.00000000.350445968.000001BA56310000.00000002.00020000.sdmp Binary or memory string: Progman
Source: conhost.exe, 00000001.00000000.350445968.000001BA56310000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: conhost.exe, 00000001.00000000.350445968.000001BA56310000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number, etc.) of a device
Source: C:\Windows\System32\conhost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
No contacted IP infos