Windows Analysis Report
SecuriteInfo.com.Variant.Jaik.84784.3654.20731

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Jaik.84784.3654.20731 (renamed file extension from 20731 to exe)
Analysis ID: 662065
MD5: 74cd3c3d32dcf5029d1bc66347f44af7
SHA1: d7ec9719a6e5ea0b386ef590b1b74c317e597ff8
SHA256: cb943da125fde19e41c965a9f260caf79a6fca98c89b83bde609b843be0da377
Tags: exe

Detection

Dridex Dropper
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus detection for dropped file
Dridex dropper found
Machine Learning detection for sample
Uses 32bit PE files
PE file contains strange resources
Drops PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
PE / OLE file has an invalid certificate
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage

Classification

AV Detection

Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Virustotal: Detection: 58%
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe ReversingLabs: Detection: 69%
Source: C:\Users\user\AppVerif\DllHelper.exe Avira: detection malicious, Label: TR/Dropper.Gen7
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\pik vevaye\Wapawini\gal\Yim.pdb source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr String found in binary or memory: http://s.symcd.com06
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0.

E-Banking Fraud

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00B886DE InterlockedIncrement,__itow_s,__invoke_watson_if_error,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,__strftime_l,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,_wcscpy_s,__invoke_watson_if_error,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,__snwprintf_s,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,__cftoe,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,_strlen,WriteFile,OutputDebugStringA,__itow_s,__invoke_watson_if_error, 0_2_00B886DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00B88F12 InterlockedIncrement,__itow_s,__invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,_wcscpy_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,__snwprintf_s,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,GetFileType,_wcslen,WriteConsoleW,GetLastError,__invoke_watson_if_oneof,_wcslen,WriteFile,WriteFile,OutputDebugStringW,__itow_s,__invoke_watson_if_error,___crtMessageWindowW, 0_2_00B88F12
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DllHelper.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DllHelper.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DllHelper.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00B8BAF0 0_2_00B8BAF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00B82460 0_2_00B82460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00B8AD10 0_2_00B8AD10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: String function: 00B81290 appears 31 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: String function: 00B809F0 appears 106 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: String function: 00B7D760 appears 144 times
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: invalid certificate
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Process Stats: CPU usage > 98%
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DllHelper.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00B78A10 __wcstoui64,__wdupenv_s,SetThreadPriority,FindVolumeClose,GetCommConfig,LoadLibraryW,GetThreadPriority,GetCommandLineW,SetLastError,GenerateConsoleCtrlEvent,MoveFileWithProgressA,GetProcessHeaps,GetLastError,GetModuleHandleW,GetLastError,InitializeSListHead,DebugSetProcessKillOnExit,EnumSystemGeoID,GetProcessHeap,HeapFree,GetProcAddress,VirtualProtect,LoadResource,GetACP,FreeResource,__atodbl_l,SetConsoleCtrlHandler,SetConsoleCursorPosition,GetCalendarInfoW,VirtualProtect, 0_2_00B78A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe File created: C:\Users\user\AppVerif
Source: classification engine Classification label: mal68.bank.winEXE@1/2@0/0
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static file information: File size 1870760 > 1048576
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x19f800
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00B98235 push edi; retf 0_2_00B98236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00D0F460 push ebp; iretd 0_2_00D0F461
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00B7962F pushfd ; ret 0_2_00B79630
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: section name: .tenio
Source: DllHelper.exe.0.dr Static PE information: section name: .tenio
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00B901F0 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer, 0_2_00B901F0
Source: initial sample Static PE information: section name: .text entropy: 7.816031131002002
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe File created: C:\Users\user\AppVerif\DllHelper.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Dropped PE file which has not been started: C:\Users\user\AppVerif\DllHelper.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe API coverage: 9.0 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00B80A60 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00B80A60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00B7D060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B7D060
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00B805D0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00B805D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00B85760 SetUnhandledExceptionFilter, 0_2_00B85760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: GetLocaleInfoA, 0_2_00B94180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00B85780 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00B85780
No contacted IP infos