Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe
Analysis ID: 756119
MD5: c852376dda1de89231d5f558255775e0
SHA1: 2377355189c59e6f0d4c8792aa959425585dbc61
SHA256: 2c9d6d1a184ed20ff0667797fe4d182170716fb1b179488979bc33f79a901208
Tags: exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to read the clipboard data
Found large amount of non-executed APIs
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe ReversingLabs: Detection: 17%
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001B5293 FindFirstFileExW, 0_2_001B5293
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001B5347 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_001B5347
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001AB830 GetKeyboardState, 0_2_001AB830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001AACA0 OpenClipboard,GetClipboardData,GlobalLock,GlobalSize,VkKeyScanW,MapVirtualKeyW,GlobalUnlock,CloseClipboard, 0_2_001AACA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001AAA00 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalReAlloc,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_001AAA00
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 464
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001A18D0 0_2_001A18D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001BA9AA 0_2_001BA9AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001AC4C0 0_2_001AC4C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001A34E0 0_2_001A34E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001A8E70 0_2_001A8E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: String function: 001AD900 appears 32 times
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe ReversingLabs: Detection: 17%
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 464
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Command line argument: --headless 0_2_001A18D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Command line argument: --unix 0_2_001A18D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Command line argument: --width 0_2_001A18D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Command line argument: --height 0_2_001A18D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Command line argument: --signal 0_2_001A18D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Command line argument: --server 0_2_001A18D0
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE76B.tmp
Source: classification engine Classification label: mal52.winEXE@2/4@0/1
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001B5A15 push ecx; ret 0_2_001B5A28
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Static PE information: section name: .00cfg
Source: SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Static PE information: section name: .voltbl
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe API coverage: 2.2 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001B5293 FindFirstFileExW, 0_2_001B5293
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001B5347 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_001B5347
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001AD72C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_001AD72C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001B009E mov ecx, dword ptr fs:[00000030h] 0_2_001B009E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001B418D mov eax, dword ptr fs:[00000030h] 0_2_001B418D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001B258B GetProcessHeap, 0_2_001B258B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001AD720 SetUnhandledExceptionFilter, 0_2_001AD720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001ADC2D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_001ADC2D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001AD72C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_001AD72C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001B37DA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_001B37DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001AD945 cpuid 0_2_001AD945
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16188.7094.exe Code function: 0_2_001AD5D2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_001AD5D2