Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.Trojan.InjectNET.14.3934.31899

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.InjectNET.14.3934.31899 (renamed file extension from 31899 to exe)
Analysis ID:	502723
MD5:	13003cbfb6d2adfeea85952f8172c4f7
SHA1:	e5ef2dd654b50ed7be455cbe7aaabaa7acaedc80
SHA256:	9c8590c7165b453dd0792be3cf51e200961a1ed9cf1154768ee86f7018db8fd9
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Creates a thread in another existing process (thread injection)

Allocates memory in foreign processes

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Contains long sleeps (>= 3 min)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.InjectNET.14.3934.exe (PID: 5576 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe' MD5: 13003CBFB6D2ADFEEA85952F8172C4F7)

conhost.exe (PID: 3224 cmdline: 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe' MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	Virustotal: Detection: 37%	Perma Link
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	Metadefender: Detection: 25%	Perma Link
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	ReversingLabs: Detection: 33%

Source: C:\Windows\System32\conhost.exe	Code function: 1_2_000001BA559E70D6	1_2_000001BA559E70D6
Source: C:\Windows\System32\conhost.exe	Code function: 1_2_000001BA559E6D06	1_2_000001BA559E6D06
Source: C:\Windows\System32\conhost.exe	Code function: 1_2_000001BA559E60D2	1_2_000001BA559E60D2
Source: C:\Windows\System32\conhost.exe	Code function: 1_2_000001BA559E750E	1_2_000001BA559E750E
Source: C:\Windows\System32\conhost.exe	Code function: 1_2_000001BA559E796A	1_2_000001BA559E796A
Source: C:\Windows\System32\conhost.exe	Code function: 1_2_00007FFD04005862	1_2_00007FFD04005862
Source: C:\Windows\System32\conhost.exe	Code function: 1_2_00007FFD04004AB6	1_2_00007FFD04004AB6

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	Code function: 0_2_00401D58 NtAllocateVirtualMemory,	0_2_00401D58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	Code function: 0_2_00401D18 NtWriteVirtualMemory,	0_2_00401D18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	Code function: 0_2_004019D8 NtCreateThreadEx,	0_2_004019D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	Code function: 0_2_00401D98 NtProtectVirtualMemory,	0_2_00401D98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	Code function: 0_2_00401C98 NtClose,	0_2_00401C98

Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe

Static PE information: Section: .rdata ZLIB complexity 0.999692137922

Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	Virustotal: Detection: 37%
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	Metadefender: Detection: 25%
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	ReversingLabs: Detection: 33%

Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe'	Jump to behavior

Source: C:\Windows\System32\conhost.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'

Source: C:\Windows\System32\conhost.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Jump to behavior

Source: classification engine

Classification label: mal60.evad.winEXE@3/1@0/0

Source: C:\Windows\System32\conhost.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe

Static file information: File size 2009088 > 1048576

Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1e8800

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	Code function: 0_2_005ECB00 push rax; retf	0_2_005ECB01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	Code function: 0_2_005EC8C0 push rax; retn 0009h	0_2_005EC8C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	Code function: 0_2_005ECBFF push rax; iretd	0_2_005ECC01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	Code function: 0_2_005ECAB7 push rax; retf 0009h	0_2_005ECAC1

Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe

Memory written: C:\Windows\System32\conhost.exe base: 1BA55800000

Jump to behavior

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe

Thread created: C:\Windows\System32\conhost.exe EIP: 55800000

Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe

Memory allocated: C:\Windows\System32\conhost.exe base: 1BA55800000 protect: page execute and read and write

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe

Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe'

Jump to behavior

Source: conhost.exe, 00000001.00000000.350445968.000001BA56310000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000001.00000000.350445968.000001BA56310000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 00000001.00000000.350445968.000001BA56310000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: conhost.exe, 00000001.00000000.350445968.000001BA56310000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\conhost.exe

Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Path Interception	Process Injection312	Masquerading1	OS Credential Dumping	Process Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion11	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing1	Security Account Manager	System Information Discovery12	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection312	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	37%	Virustotal		Browse
SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	26%	Metadefender		Browse
SecuriteInfo.com.Trojan.InjectNET.14.3934.exe	33%	ReversingLabs	Win64.Trojan.Donut

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	502723
Start date:	14.10.2021
Start time:	10:55:01
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Trojan.InjectNET.14.3934.31899 (renamed file extension from 31899 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.evad.winEXE@3/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 63.1% (good quality ratio 52.4%) Quality average: 41.6% Quality standard deviation: 27.2%
HCA Information:	Successful, ratio: 69% Number of executed functions: 21 Number of non-executed functions: 8
Cookbook Comments:	Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 95.100.218.79 Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
10:56:02	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log Download File
Process:	C:\Windows\System32\conhost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1160
Entropy (8bit):	5.346338419905592
Encrypted:	false
SSDEEP:	24:ML9E4Kr8sXE4+aE4KnKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKHH+aHKnYHKGD8AoPtHTG1hAHKKPz
MD5:	FD0B81AE7B9DB28F2254E423DE209C18
SHA1:	1E0DA698A79580E2B2305BF949E281EDA356063A
SHA-256:	9427A9D8FD96E5489F1412D5A5152922A0DBBBD6D1CE3BB1645F941DF67B2138
SHA-512:	4643F041B16C657B4974EF015E8B8D879157D14188D0C011D91DCEFAC3423F32EE38122E8B1FFDF29743DC2A6A96610B4C2243009EF854FC394D6E0CE75C62B9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\d0f4eb5b1d0857aabc3e7dd079735875\System.Management.ni.dll",0..2,"System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\e82398e9ff6885d617e4b97e31fb4f02\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Cult

Static File Info

General
File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.9994750606333005
TrID:	Win64 Executable (generic) (12005/4) 74.80% Generic Win/DOS Executable (2004/3) 12.49% DOS Executable Generic (2002/1) 12.47% VXD Driver (31/22) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	SecuriteInfo.com.Trojan.InjectNET.14.3934.exe
File size:	2009088
MD5:	13003cbfb6d2adfeea85952f8172c4f7
SHA1:	e5ef2dd654b50ed7be455cbe7aaabaa7acaedc80
SHA256:	9c8590c7165b453dd0792be3cf51e200961a1ed9cf1154768ee86f7018db8fd9
SHA512:	ccb7e4dfb0454711cb50a619497072082bae3111ac8ba76b22d1f95af9721762b3b493596191f879bdca3d5872315009bb8f021ac131d9a1067e1dff91696824
SSDEEP:	49152:YMWXWDNahuR7JmTqru3cJXNxDyfCDVYNd/0wZUGGa639KNg:YMwiYSHVYNSwZUhV3R
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./.................."........@......................................;.....................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4022fa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	02549ff92b49cce693542fc9afb10102

Entrypoint Preview

Instruction
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 00000040h
dec eax
mov eax, 00000004h
add byte ptr [eax], al
add byte ptr [eax], al
dec ecx
mov eax, eax
mov eax, 00000000h
dec ecx
mov ebx, eax
dec eax
lea eax, dword ptr [ebp-04h]
dec ecx
mov edx, eax
dec esp
mov ecx, edx
dec esp
mov edx, ebx
call 00007F5D44A273F1h
dec eax
lea eax, dword ptr [FFFFFF98h]
dec ecx
mov edx, eax
dec esp
mov ecx, edx
call 00007F5D44A2740Fh
mov eax, 00000001h
dec ecx
mov edx, eax
dec esp
mov ecx, edx
call 00007F5D44A27407h
mov eax, 00030000h
dec ecx
mov ebx, eax
mov eax, 00010000h
dec ecx
mov edx, eax
dec esp
mov ecx, edx
dec esp
mov edx, ebx
call 00007F5D44A273F4h
dec eax
mov eax, dword ptr [001E9224h]
dec eax
mov ecx, dword ptr [001E9225h]
dec eax
mov edx, dword ptr [001E9226h]
dec eax
mov dword ptr [ebp-10h], eax
dec eax
lea eax, dword ptr [ebp-04h]
dec eax
mov dword ptr [esp+20h], eax
mov eax, dword ptr [001EAC17h]
dec ecx
mov ecx, eax
dec ecx
mov eax, edx
dec ecx
mov ebx, ecx
dec eax
mov eax, dword ptr [ebp-10h]
dec ecx
mov edx, eax
dec esp
mov ecx, edx
dec esp
mov edx, ebx
call 00007F5D44A273B9h
dec eax
mov eax, dword ptr [001E91E1h]
dec eax
mov ecx, dword ptr [001E91E2h]
dec eax
mov edx, dword ptr [001E91E3h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1eb530	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1ee000	0x3c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1ed000	0x90	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1eb56c	0x90	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14e0	0x1600	False	0.327947443182	data	5.41198326455	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x1e876e	0x1e8800	False	0.999692137922	data	7.99989652588	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x1ec000	0xfac	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x1ed000	0x90	0x200	False	0.17578125	data	1.20871562712	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1ee000	0x3c0	0x400	False	0.4013671875	data	3.13286119705	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x1ee058	0x368	data	English	United States

Imports

DLL	Import
msvcrt.dll	malloc, memset, _get_pgmptr, getenv, sprintf, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit
kernel32.dll	Sleep, CreateProcessA, SetUnhandledExceptionFilter

Version Infos

Description	Data
LegalCopyright	Copyright 1996-2018 VideoLAN and VLC Authors
FileVersion	3,0,3,0
CompanyName	VideoLAN
ProductName	VLC media player
ProductVersion	3,0,3,0
FileDescription	VLC media player
FileTitle	vlc
LegalTrademark	VLC media player, VideoLAN and x264 are registered trademarks from VideoLAN
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe PID: 5576 Parent PID: 600

General

Start time:	10:56:01
Start date:	14/10/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe'
Imagebase:	0x400000
File size:	2009088 bytes
MD5 hash:	13003CBFB6D2ADFEEA85952F8172C4F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exe PID: 3224 Parent PID: 5576

General

Start time:	10:56:02
Start date:	14/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe'
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe PID: 5576 Parent PID: 600 SecuriteInfo.com.Trojan.InjectNET.14.3934.exeCOMMON

Executed Functions

Function 004010C4, Relevance: 2.7, APIs: 2, Instructions: 189
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E004010C4(void* __rax, long long __rcx, long long __rdx, long long _a8, long long _a16) {
				intOrPtr _v24;
				char _v32;
				char _v136;
				void* _v144;
				char _v152;
				char _v160;
				char _v168;
				char _v176;
				char _v696;
				void* _v1216;
				long long _v1224;
				long long _v1232;
				long long _v1256;
				long long _v1264;
				long long _v1272;
				long long _v1280;
				long long _v1288;
				long long _v1296;
				long long _v1304;
				long long _t105;

				_a8 = __rcx;
				_a16 = __rdx;
				L00402480(); // executed
				memset(??, ??, ??);
				_v136 = 0x68;
				_v144 = 0;
				_v152 = 0x1e84d4;
				_v160 = 0;
				L00402490();
				E00401000(0x403021,  &_v176);
				_v1224 = 0x403021;
				E00401000(0x403027, 0x403021);
				L00402498();
				_v1232 = 0x403021;
				E00401000(0x403032, 0x403021);
				L004024A0();
				E00401000(0x403047,  &_v696);
				sprintf(??, ??);
				_v1264 =  &_v32;
				_v1272 =  &_v136;
				_v1280 = 0;
				_v1288 = 0;
				_v1296 = 0;
				_v1304 = 0;
				_t105 =  &_v696;
				L004024A8(); // executed
				_v1296 = _t105;
				_v1304 = _t105;
				E00401D58(_v32,  &_v144,  &_v152,  &_v152); // executed
				E00401000(0x403051, _v32); // executed
				_v1304 =  &_v160;
				E00401D18(_v32, _v144, 0x403051, _v152); // executed
				_v1304 = 0;
				E00401D98(_v32,  &_v144,  &_v160, 0); // executed
				_v1256 = 0;
				_v1264 = 0;
				_v1272 = 0;
				_v1280 = 0;
				_v1288 = 0;
				_v1296 = _v144;
				_v1304 = _v144;
				E004019D8( &_v168, 0, 0, _v32); // executed
				E00401C98(_v32, 0, 0, _v32); // executed
				E00401C98(_v24, 0, 0, _v32);
				return 0;
			}

0x004010cf
0x004010d3
0x004010e2
0x00401109
0x00401113
0x00401120
0x00401131
0x00401142
0x00401156
0x00401173
0x0040118a
0x00401197
0x004011a2
0x004011b9
0x004011c6
0x004011f2
0x0040120f
0x0040123b
0x00401244
0x0040124d
0x0040125c
0x0040126b
0x00401275
0x0040127f
0x004012a8
0x004012b8
0x004012c2
0x004012cc
0x004012fa
0x00401318
0x00401324
0x0040134d
0x0040135c
0x0040138a
0x00401399
0x004013a8
0x004013b7
0x004013c6
0x004013d0
0x004013dc
0x004013e8
0x00401419
0x00401428
0x00401437
0x00401442

APIs

memset.MSVCRT ref: 00401109
sprintf.MSVCRT ref: 0040123B

Memory Dump Source

Source File: 00000000.00000002.354771975.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.354765768.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354778084.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.355161361.00000000005EC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.355165658.00000000005EE000.00000002.00020000.sdmp Download File

Similarity

API ID: memsetsprintf
String ID:
API String ID: 4041149307-0
Opcode ID: 48c3255a3533da9562ed1963c545a56ebe4dfb58447aac8a741f816e0511be55
Instruction ID: 422b12cc93bf93f535939e3cb7af276f76aa4246d74be24400c87d8edbe0fd99
Opcode Fuzzy Hash: 48c3255a3533da9562ed1963c545a56ebe4dfb58447aac8a741f816e0511be55
Instruction Fuzzy Hash: 81713B61702B148DEB909B27DC5139A37A8F749FC8F804176EE4CA7B98EE3CCA448744

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 1.3, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00401000(long long __rcx, long long __rdx, long long _a8, long long _a16) {
				long long _v16;
				signed int _v20;
				void* _v32;
				signed char* _v40;
				signed int _t30;

				_a8 = __rcx;
				_a16 = __rdx;
				L00402478(); // executed
				_v16 = _a16 + 1;
				 *((char*)(_v16 + _a16)) = 0;
				_v20 = 0;
				while(1) {
					_t30 = _v20;
					if(_t30 >= _a16) {
						break;
					}
					_v32 = _v16 + _v20;
					_v40 = _a8 + _v20;
					asm("cdq");
					 *_v32 =  *_v40 ^  *("2b960g9m:s205.<6,6i9n<x$<.![m!xf" + _v20 % 0x20);
					_v20 = _v20 + 1;
				}
				return _t30;
			}

0x0040100b
0x0040100f
0x00401023
0x00401028
0x0040103e
0x00401045
0x00401048
0x00401048
0x00401050
0x00000000
0x00000000
0x00401085
0x0040108e
0x00401092
0x004010b2
0x00401063
0x00401063
0x004010bb

Strings

2b960g9m:s205.<6,6i9n<x$<.![m!xf, xrefs: 00401098

Memory Dump Source

Source File: 00000000.00000002.354771975.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.354765768.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354778084.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.355161361.00000000005EC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.355165658.00000000005EE000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 2b960g9m:s205.<6,6i9n<x$<.![m!xf
API String ID: 0-2881668743
Opcode ID: 7c3953f8a7c90db685ffea7de54f2d06ba9ad392580460fe7ac0a4260f709850
Instruction ID: 0d50406a0cd25772023a57935085f3dfc6f67c384a3cfb9a17e074b16623a215
Opcode Fuzzy Hash: 7c3953f8a7c90db685ffea7de54f2d06ba9ad392580460fe7ac0a4260f709850
Instruction Fuzzy Hash: BC214772B01A40DEEB04CBA9D8913AC3BF1E74878DF00846AEE5DA7B58DA38D5518744

Uniqueness

Uniqueness Score: -1.00%

Function 004022FA, Relevance: .1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 53%

			_entry_() {
				char _v12;
				long long _v24;
				long long _v40;
				void* _t15;
				void* _t16;

				L00402488();
				L004024B8();
				L004024C0();
				L004024C8();
				_v24 = __imp____argc;
				_v40 =  &_v12;
				L004024D0();
				_v24 = __imp____argc;
				_t15 = E0040224F(_t16, _v24,  *__imp____argv,  *__imp___environ,  &_v12); // executed
				L004024D8(); // executed
				return _t15;
			}

0x00402327
0x00402339
0x00402349
0x00402364
0x0040237e
0x00402386
0x004023a7
0x004023c1
0x004023e0
0x004023eb
0x004023f1

Memory Dump Source

Source File: 00000000.00000002.354771975.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.354765768.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354778084.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.355161361.00000000005EC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.355165658.00000000005EE000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e093ea5a9663d3bdfe6965a7e1bd723eda6cda78cf41bdf6b598850343967d
Instruction ID: a501339966c04edbcbda1b4c3ef5bf7bee510f2e4593854d8ef202444a2175d6
Opcode Fuzzy Hash: 07e093ea5a9663d3bdfe6965a7e1bd723eda6cda78cf41bdf6b598850343967d
Instruction Fuzzy Hash: 64215B64301A548CEA54DB67DD553AA33A4B74CFC9F804437AE4CA73A5EF7CCA008B04

Uniqueness

Uniqueness Score: -1.00%

Function 0040224F, Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E0040224F(void* __ecx, long long __rcx, long long __rdx, long long __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
				intOrPtr _v12;
				long long _v24;
				intOrPtr _t14;

				_a8 = __rcx;
				_a16 = __rdx;
				_a24 = __r8;
				E00402158(_a16, _a16, _a24);
				_v24 = __imp____argc;
				_t14 = E004010C4(_v24, _v24,  *__imp____argv); // executed
				_v12 = _t14;
				E004021EC();
				return _v12;
			}

0x0040225a
0x0040225e
0x00402262
0x00402280
0x0040229a
0x004022b9
0x004022be
0x004022c1
0x004022ca

Memory Dump Source

Source File: 00000000.00000002.354771975.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.354765768.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354778084.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.355161361.00000000005EC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.355165658.00000000005EE000.00000002.00020000.sdmp Download File

Similarity

API ID: memsetsprintf
String ID:
API String ID: 4041149307-0
Opcode ID: ff9f661cb6c1e2a653d9ee59c112bbbaab8d2a3b42dcee6fb904b2618c5b787b
Instruction ID: 848ae4ffbb84e0bec17494c6b0a1c05b808523c161bf323237f682c992abe15d
Opcode Fuzzy Hash: ff9f661cb6c1e2a653d9ee59c112bbbaab8d2a3b42dcee6fb904b2618c5b787b
Instruction Fuzzy Hash: E201A476701B988DEB40DF66DC8139937A4B309BC8F004826AE5CA7B69EB78C6118B44

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401D58, Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00401D58(long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
				void* _t9;
				signed long long _t11;

				_a8 = __rcx;
				_a16 = __rdx;
				_a24 = __r8;
				_a32 = __r9;
				_t9 = E004018EF(_t11, __rcx);
				asm("syscall");
				return _t9;
			}

0x00401d58
0x00401d5d
0x00401d62
0x00401d67
0x00401d75
0x00401d95
0x00401d97

Memory Dump Source

Source File: 00000000.00000002.354771975.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.354765768.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354778084.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.355161361.00000000005EC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.355165658.00000000005EE000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33d4c2589a0a0e030cf565e08a5ce4a3f4aa7e1e7ab656288357c1d05c0b8cb
Instruction ID: f5786d1abfcdca8d5aa6566e32f28f63e9c87e4faa2297304d8ad0afc813e31e
Opcode Fuzzy Hash: a33d4c2589a0a0e030cf565e08a5ce4a3f4aa7e1e7ab656288357c1d05c0b8cb
Instruction Fuzzy Hash: A9E0B6B6608B84918210EF96F08040AB7A4F7D87C4B14495AFAC807B19CF38C1608B54

Uniqueness

Uniqueness Score: -1.00%

Function 00401D18, Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00401D18(long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
				void* _t9;
				signed long long _t11;

				_a8 = __rcx;
				_a16 = __rdx;
				_a24 = __r8;
				_a32 = __r9;
				_t9 = E004018EF(_t11, __rcx);
				asm("syscall");
				return _t9;
			}

0x00401d18
0x00401d1d
0x00401d22
0x00401d27
0x00401d35
0x00401d55
0x00401d57

Memory Dump Source

Source File: 00000000.00000002.354771975.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.354765768.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354778084.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.355161361.00000000005EC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.355165658.00000000005EE000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020f5d48da09c7700aeda8bd0a3f6b9993537dbb26fb64f6943ef127969a50b2
Instruction ID: c7d7455ca217e8b3c23fe1936170d254a3e5e22e9f4eb8c11b6f947ad1bce58b
Opcode Fuzzy Hash: 020f5d48da09c7700aeda8bd0a3f6b9993537dbb26fb64f6943ef127969a50b2
Instruction Fuzzy Hash: 72E0B6B6608B84918610EF55F09000AB7A4F7D87C4B10452AFACC07B19CF38C1608B54

Uniqueness

Uniqueness Score: -1.00%

Function 004019D8, Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E004019D8(long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
				void* _t9;
				signed long long _t11;

				_a8 = __rcx;
				_a16 = __rdx;
				_a24 = __r8;
				_a32 = __r9;
				_t9 = E004018EF(_t11, __rcx);
				asm("syscall");
				return _t9;
			}

0x004019d8
0x004019dd
0x004019e2
0x004019e7
0x004019f5
0x00401a15
0x00401a17

Memory Dump Source

Source File: 00000000.00000002.354771975.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.354765768.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354778084.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.355161361.00000000005EC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.355165658.00000000005EE000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca3c3e23f7f5060f60ee19056fbc1c70fca65fad76dbb6e40effcae9b66313bb
Instruction ID: 627af5f8094be66caef8c1b0706e96e42ef7260cfbbcc69a360fc60fbdea0424
Opcode Fuzzy Hash: ca3c3e23f7f5060f60ee19056fbc1c70fca65fad76dbb6e40effcae9b66313bb
Instruction Fuzzy Hash: DCE0B676608BC4818610EF56F08000EB7A4F3D87C4B50451AFEC807B19CF38C1608B94

Uniqueness

Uniqueness Score: -1.00%

Function 00401D98, Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00401D98(long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
				void* _t9;
				signed long long _t11;

				_a8 = __rcx;
				_a16 = __rdx;
				_a24 = __r8;
				_a32 = __r9;
				_t9 = E004018EF(_t11, __rcx);
				asm("syscall");
				return _t9;
			}

0x00401d98
0x00401d9d
0x00401da2
0x00401da7
0x00401db5
0x00401dd5
0x00401dd7

Memory Dump Source

Source File: 00000000.00000002.354771975.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.354765768.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354778084.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.355161361.00000000005EC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.355165658.00000000005EE000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6b6cfaf8a4343f9749643661a9f9a5664ab33be6a1bd7be59ea7afcb63d4d2
Instruction ID: b2e0e82ad3426746da12d9f0277540f7e25234b30cdab3b6ff9ce6c5225f79a2
Opcode Fuzzy Hash: db6b6cfaf8a4343f9749643661a9f9a5664ab33be6a1bd7be59ea7afcb63d4d2
Instruction Fuzzy Hash: B5E0B676608B88818610EF55F09000EB7B4F3E87C4B10852AFAC817B19CF38C2608B54

Uniqueness

Uniqueness Score: -1.00%

Function 00401C98, Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00401C98(long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
				void* _t9;
				signed long long _t11;

				_a8 = __rcx;
				_a16 = __rdx;
				_a24 = __r8;
				_a32 = __r9;
				_t9 = E004018EF(_t11, __rcx);
				asm("syscall");
				return _t9;
			}

0x00401c98
0x00401c9d
0x00401ca2
0x00401ca7
0x00401cb5
0x00401cd5
0x00401cd7

Memory Dump Source

Source File: 00000000.00000002.354771975.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.354765768.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354778084.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.355161361.00000000005EC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.355165658.00000000005EE000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a28beb2cf51f9b71989e72db21d67a0b42a4e1b113aff34d5980b4674a401d7
Instruction ID: a4dee403f1f2686bbcf15adc62412925ab874ec13bcc78934c739608fafdbb81
Opcode Fuzzy Hash: 1a28beb2cf51f9b71989e72db21d67a0b42a4e1b113aff34d5980b4674a401d7
Instruction Fuzzy Hash: A6E0B676608B84D28210EF56F09000AB7A4F3D87C4B10455AFAC817B19CF38C1608B54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: conhost.exe PID: 3224 Parent PID: 5576 conhost.exeCOMMON

Executed Functions

Function 000001BA559E6D06, Relevance: 1.9, APIs: 1, Instructions: 378libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 000001BA559E6E64

Memory Dump Source

Source File: 00000001.00000002.354952521.000001BA55800000.00000040.00000001.sdmp, Offset: 000001BA55800000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
Instruction ID: b6c81e55252366440d4e9e6151cab80c586b3e5b168ae24980997dcfbddb875a
Opcode Fuzzy Hash: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
Instruction Fuzzy Hash: CAC1C830310945DBEB79EB29D8D5BFDB3D1FF98301F940129D48AC7186DB28EA528683

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD04004AB6, Relevance: 1.8, Strings: 1, Instructions: 533COMMON

Download Yara Rule

Strings

8eYg, xrefs: 00007FFD04004CB9

Memory Dump Source

Source File: 00000001.00000002.360944252.00007FFD04000000.00000040.00000001.sdmp, Offset: 00007FFD04000000, based on PE: false

Similarity

API ID:
String ID: 8eYg
API String ID: 0-3798471807
Opcode ID: 5dde2e4467daeea98cc15d26d57dfc562c14db66db2c48d5c179fdbc9e5b795e
Instruction ID: 821dc119c9aaee154d90ae2068883e5517b6dd529c5d9ed6226e48a70e78fdad
Opcode Fuzzy Hash: 5dde2e4467daeea98cc15d26d57dfc562c14db66db2c48d5c179fdbc9e5b795e
Instruction Fuzzy Hash: BB029230A18A8E8FEBA8DF28C855BED37D1FF55311F00427AD84DC7295DB78A9448B85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD04005862, Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

8eYg, xrefs: 00007FFD04005B9B

Memory Dump Source

Source File: 00000001.00000002.360944252.00007FFD04000000.00000040.00000001.sdmp, Offset: 00007FFD04000000, based on PE: false

Similarity

API ID:
String ID: 8eYg
API String ID: 0-3798471807
Opcode ID: 8485aaf9b72ad9ed865965b5d8d4c71a8cd8e2e45d522130d157811196be701d
Instruction ID: f17860c4296745095b4729433d9e477b6122ca2ef46cdcaa24fac15daad4c417
Opcode Fuzzy Hash: 8485aaf9b72ad9ed865965b5d8d4c71a8cd8e2e45d522130d157811196be701d
Instruction Fuzzy Hash: 3902A330A18A4E8FEBA8DF28C895BF937D1FF55310F04427AD84DD7295DE78A8448B81

Uniqueness

Uniqueness Score: -1.00%

Function 000001BA559E70D6, Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.354952521.000001BA55800000.00000040.00000001.sdmp, Offset: 000001BA55800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df33c4ccec31c159c2c9679ea8671149bf8637389190af38ec92ac25d3ec371
Instruction ID: 06ce3dd7ccb3aee581c3f4e9e22038d352b4fcc817031d59d0eead7eaba18a7b
Opcode Fuzzy Hash: 4df33c4ccec31c159c2c9679ea8671149bf8637389190af38ec92ac25d3ec371
Instruction Fuzzy Hash: E3E15E31508A488BDF69DF28C889BAAB7E2FF94310F14466DE88BC7255DF30E545CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD040002F0, Relevance: 3.3, Strings: 2, Instructions: 768COMMON

Download Yara Rule

Strings

HYg, xrefs: 00007FFD040007AE
HYg, xrefs: 00007FFD04000548

Memory Dump Source

Source File: 00000001.00000002.360944252.00007FFD04000000.00000040.00000001.sdmp, Offset: 00007FFD04000000, based on PE: false

Similarity

API ID:
String ID: HYg$HYg
API String ID: 0-588949623
Opcode ID: f730d0d481008b8eb40cbd299e282ebd9cb2df00ad82ea8afdc1515cd505506d
Instruction ID: 75212b6a9a3a9b1fe95920162fea227e4145200f65da2b4c5955bcfe1db2b782
Opcode Fuzzy Hash: f730d0d481008b8eb40cbd299e282ebd9cb2df00ad82ea8afdc1515cd505506d
Instruction Fuzzy Hash: BC32F531B1890A8FE755EB2C98A57F977D2EF8A310F5101BAD04DDB297CE38AC468741

Uniqueness

Uniqueness Score: -1.00%

Function 000001BA559E6AB2, Relevance: 3.2, APIs: 2, Instructions: 235COMMON

Download Yara Rule

APIs

CLRCreateInstance.MSCOREE ref: 000001BA559E6B01
SafeArrayDestroy.OLEAUT32 ref: 000001BA559E6CAC

Memory Dump Source

Source File: 00000001.00000002.354952521.000001BA55800000.00000040.00000001.sdmp, Offset: 000001BA55800000, based on PE: false

Similarity

API ID: ArrayCreateDestroyInstanceSafe
String ID:
API String ID: 3902440814-0
Opcode ID: e3a29ec6c90617ad7c1928cbae39db72877cdd96e7781ee4f5e73e7a13d7ce10
Instruction ID: 5448ea18d393204c898722139c2d47e8780b2f73f04bc85badd56fe785d7d26f
Opcode Fuzzy Hash: e3a29ec6c90617ad7c1928cbae39db72877cdd96e7781ee4f5e73e7a13d7ce10
Instruction Fuzzy Hash: C7818F30208A488FD778EF29D888BEA77E5FF95301F404A6DD48BC7151EB35E6458B42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD040003AA, Relevance: 3.2, Strings: 2, Instructions: 690COMMON

Download Yara Rule

Strings

HYg, xrefs: 00007FFD040007AE
HYg, xrefs: 00007FFD04000548

Memory Dump Source

Source File: 00000001.00000002.360944252.00007FFD04000000.00000040.00000001.sdmp, Offset: 00007FFD04000000, based on PE: false

Similarity

API ID:
String ID: HYg$HYg
API String ID: 0-588949623
Opcode ID: d41b8697671fbfb7e3223cf374400d0c3a0c6eb4d4960f29a381901e9bbf6494
Instruction ID: 9e31878cd1f546561e4f5360b181f69432b0f43ecdc92eaa506368125cf29e22
Opcode Fuzzy Hash: d41b8697671fbfb7e3223cf374400d0c3a0c6eb4d4960f29a381901e9bbf6494
Instruction Fuzzy Hash: 36221331B1890A8FE795EB2C94B57B977D2EF9A304F5001B9D04DDB396CE38AC428781

Uniqueness

Uniqueness Score: -1.00%

Function 000001BA559E5FBA, Relevance: 1.6, APIs: 1, Instructions: 125libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 000001BA559E5FD4

Memory Dump Source

Source File: 00000001.00000002.354952521.000001BA55800000.00000040.00000001.sdmp, Offset: 000001BA55800000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
Instruction ID: 15a16278b79c050f42557873a8bf3007d5eef9da8bd1a8c7d5cffd451f1f85b7
Opcode Fuzzy Hash: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
Instruction Fuzzy Hash: E831C53130CA188FEB69AA69E8457AE73D5FBC4311F001559EC4BC3286DF64DE0187C2

Uniqueness

Uniqueness Score: -1.00%

Function 000001BA559E5EAF, Relevance: 1.6, APIs: 1, Instructions: 115libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 000001BA559E5EBC

Memory Dump Source

Source File: 00000001.00000002.354952521.000001BA55800000.00000040.00000001.sdmp, Offset: 000001BA55800000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
Instruction ID: c95477ed4f4fdfd82b2b595cbf3f158d422e51b504265663618a40bd939f2644
Opcode Fuzzy Hash: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
Instruction Fuzzy Hash: 4631933170CA088BDB68BA59985579D73D6FBD8320F404659DC4BC72CADF64DE0587C2

Uniqueness

Uniqueness Score: -1.00%

Function 000001BA559E5EA2, Relevance: 1.5, APIs: 1, Instructions: 35libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 000001BA559E5EBC

Memory Dump Source

Source File: 00000001.00000002.354952521.000001BA55800000.00000040.00000001.sdmp, Offset: 000001BA55800000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
Instruction ID: 2ace80c48ef2f5e30a38a5408dee4621121d16dbfe8ebb7d2ccde5cb1a0ce89a
Opcode Fuzzy Hash: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
Instruction Fuzzy Hash: CCE0203120CA0D5FF778A59ED84A7FA76D8DB95371F00003EF549C2142E145D8910392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD04000A93, Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

dj_H, xrefs: 00007FFD04000AFE

Memory Dump Source

Source File: 00000001.00000002.360944252.00007FFD04000000.00000040.00000001.sdmp, Offset: 00007FFD04000000, based on PE: false

Similarity

API ID:
String ID: dj_H
API String ID: 0-2506389895
Opcode ID: 05da8deccb82237760bc9d882e0c08e6033759382adcc99d91fa144d3c0c4aa5
Instruction ID: 61638f9b35d8b7f0fb448ba22c2bc31058097fc9255b2d19fe0c82ae8592e3ab
Opcode Fuzzy Hash: 05da8deccb82237760bc9d882e0c08e6033759382adcc99d91fa144d3c0c4aa5
Instruction Fuzzy Hash: 09418230B199098FEA98E72894A67BC72D2EF9A704F50007DD44ED7297CE7A6C418745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD04005FC0, Relevance: 1.1, Instructions: 1075COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.360944252.00007FFD04000000.00000040.00000001.sdmp, Offset: 00007FFD04000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9564fab7fa76ec7132e26100682ee211a55ba2d0ce98f1c649daf65208f42c26
Instruction ID: 14f8bc0e1c59bd2c69bc0476a4ae4ee14c1623af889946c59068a4d68fd2bc51
Opcode Fuzzy Hash: 9564fab7fa76ec7132e26100682ee211a55ba2d0ce98f1c649daf65208f42c26
Instruction Fuzzy Hash: DE115712F1D9460FF755A22C08A92B67BC3DF9B2A1F0541B6D04CC72DBDC596C065341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD0400106A, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.360944252.00007FFD04000000.00000040.00000001.sdmp, Offset: 00007FFD04000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb939277f5aaf927aa1d4446b96b8543e7f76792bf06b74dda8842dd8b1c01a
Instruction ID: 0b6b145caaab567df95e4845bafb3977ee65f7bd68d891806e70609a0fa84f4c
Opcode Fuzzy Hash: 5cb939277f5aaf927aa1d4446b96b8543e7f76792bf06b74dda8842dd8b1c01a
Instruction Fuzzy Hash: E4416E30B18A098FDB88EB2C94A5AADB3E1EF9D301F400579E04ED7297DD69AC428745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD04000E36, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.360944252.00007FFD04000000.00000040.00000001.sdmp, Offset: 00007FFD04000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 322745fa4e3a701734388f4efc08e2d3875c0b25996c49b9ce22c9c70e6c9781
Instruction ID: c4c5d68897a71a81d7ed39d39e2c81dd46e7dd0c3378864d51fbf1867052a85b
Opcode Fuzzy Hash: 322745fa4e3a701734388f4efc08e2d3875c0b25996c49b9ce22c9c70e6c9781
Instruction Fuzzy Hash: 85414F20A4E3C15FE307A334A8B5BA93FA26F83355F1D41DAE4C5CA0B7CA690885D712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD04000F71, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.360944252.00007FFD04000000.00000040.00000001.sdmp, Offset: 00007FFD04000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118f0afb17373b6926b1020b0bf41b13eaf7be6204e1050a1883bac05cac6ed7
Instruction ID: 83da14f9b24c2c1d4f0dd4a7c1c81b55205dc6822b947071d03b113a396ba76f
Opcode Fuzzy Hash: 118f0afb17373b6926b1020b0bf41b13eaf7be6204e1050a1883bac05cac6ed7
Instruction Fuzzy Hash: CC313820B0DA454FE744EB2C886ABB97BD1EF9B300F1441B9F04DC7293DD28AC465346

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD04000120, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.360944252.00007FFD04000000.00000040.00000001.sdmp, Offset: 00007FFD04000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ae5b5ab1342277365aec115d8e9dca0c3b88a5a7cec4c91b44a9688f819369a
Instruction ID: 11944e81fb0f448b07792cba8a363af87128c570747a30d9af1a8e9ae0f0bfd1
Opcode Fuzzy Hash: 3ae5b5ab1342277365aec115d8e9dca0c3b88a5a7cec4c91b44a9688f819369a
Instruction Fuzzy Hash: 9A213220B189058FEB48AB2C846AB7A77C1EFAE300F100579F04DD7292ED68BC424386

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD04000108, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.360944252.00007FFD04000000.00000040.00000001.sdmp, Offset: 00007FFD04000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68586d4b0bbb57a6f759b8c6d5e6e59ee6c3cf96f5b8be1513fddaeb004c1b67
Instruction ID: 70c7a3901b19a9e4c2c7f1c2726be0d3af15fa45a9eb3a809da0a5d665f01f15
Opcode Fuzzy Hash: 68586d4b0bbb57a6f759b8c6d5e6e59ee6c3cf96f5b8be1513fddaeb004c1b67
Instruction Fuzzy Hash: BAE09231B18C1D4F9A94F62C5464FA862C2EBDC220B1141B2E40DC324ADC28EC419784

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000001BA559E750E, Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.354952521.000001BA55800000.00000040.00000001.sdmp, Offset: 000001BA55800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aead6af51b41200c7faad30d12abe602ed119050d19f46eacd4953986aecc5ac
Instruction ID: 9b108d2adcb4eca93d60f1471db991b4917ab1ffa16b009a36d114a65f3fb16e
Opcode Fuzzy Hash: aead6af51b41200c7faad30d12abe602ed119050d19f46eacd4953986aecc5ac
Instruction Fuzzy Hash: 82E1B235618A558BEB78DF29C8857E973D1FF54310F94452DE88AC7281EB38E90287C3

Uniqueness

Uniqueness Score: -1.00%

Function 000001BA559E796A, Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.354952521.000001BA55800000.00000040.00000001.sdmp, Offset: 000001BA55800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e321b4785e06cfc76593c4065e2a267ad969067c31a882a516f8b4e134ab4b
Instruction ID: 440e2c9a84b9421ac01d21ad1997182d759f5a216ad9fc8a949adea4272dc5ad
Opcode Fuzzy Hash: f3e321b4785e06cfc76593c4065e2a267ad969067c31a882a516f8b4e134ab4b
Instruction Fuzzy Hash: E1A11E31508A4C8FDB65EF28C889BEA77E9FBA8315F10466EE44BC7160EB30D645CB41

Uniqueness

Uniqueness Score: -1.00%

Function 000001BA559E60D2, Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.354952521.000001BA55800000.00000040.00000001.sdmp, Offset: 000001BA55800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9024142b0f504c64395661c2abff4caccef44dbafbcbe07c4f80d19b33edefa
Instruction ID: 29f260acae1ad796f9e66caafc2ebeab2fe78c4b6d8f80c98952f2e6f670e741
Opcode Fuzzy Hash: b9024142b0f504c64395661c2abff4caccef44dbafbcbe07c4f80d19b33edefa
Instruction Fuzzy Hash: 8E816531618B498BDB78DF25D8897EAB7E4FF58301F00562DD89BC2141DF34EA458B82

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.InjectNET.14.3934.31899

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe PID: 5576 Parent PID: 600

General

Chronological Activities

Analysis Process: conhost.exe PID: 3224 Parent PID: 5576

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe PID: 5576 Parent PID: 600 SecuriteInfo.com.Trojan.InjectNET.14.3934.exeCOMMON

Executed Functions

Function 004010C4, Relevance: 2.7, APIs: 2, Instructions: 189COMMON

Function 004010C4, Relevance: 2.7, APIs: 2, Instructions: 189
COMMON

Function 00401000, Relevance: 1.3, Strings: 1, Instructions: 57
COMMON

Function 004022FA, Relevance: .1, Instructions: 61
COMMON

Function 0040224F, Relevance: .0, Instructions: 34
COMMON

Function 00401D58, Relevance: .0, Instructions: 15
COMMON

Function 00401D18, Relevance: .0, Instructions: 15
COMMON

Function 004019D8, Relevance: .0, Instructions: 15
COMMON

Function 00401D98, Relevance: .0, Instructions: 15
COMMON

Function 00401C98, Relevance: .0, Instructions: 15
COMMON