Windows Analysis Report
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe
Analysis ID:	800793
MD5:	bd13975abc6ac3e5a97706a45f48f7df
SHA1:	154e70c5150815308e17bbb74cae4ee79948e438
SHA256:	7bda9944d4b4a62a86088d56ad964c0a4b98516c93f6467cd89a8f8f655a0029
Tags:	exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

PE file does not import any functions

One or more processes crash

PE file contains an invalid checksum

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

ReversingLabs: Detection: 12%

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	String found in binary or memory: http://www.clamav.net

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

PE file does not import any functions

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Static PE information: No import functions for PE file found

One or more processes crash

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_00412098	0_2_00412098
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_0040D0A4	0_2_0040D0A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_00420B22	0_2_00420B22
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_0040DBDA	0_2_0040DBDA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_00412D62	0_2_00412D62
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_00414691	0_2_00414691
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_0041BF83	0_2_0041BF83

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

ReversingLabs: Detection: 12%

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER79AB.tmp

Jump to behavior

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: mal56.winEXE@3/10@0/0

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5948

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

PE file contains an invalid checksum

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Static PE information: real checksum: 0x32ef3 should be: 0x38ad4

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Code function: 0_2_00418A50 push eax; ret

0_2_00418A7E

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Code function: 0_2_0041CA40 LdrInitializeThunk,

0_2_0041CA40

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.3.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	800793
Product:	CloudBasic
Start time:	19:58:56
Start date:	07.02.2023
Sample:	SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	bd13975abc6ac3e5a97706a45f48f7df
SHA1:	154e70c5150815308e17bbb74cae4ee79948e438
SHA256:	7bda9944d4b4a62a86088d56ad964c0a4b98516c93f6467cd89a8f8f655a0029
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_63a32cbc58eca2f445502337681ea96cbf1e38a6_5c1322d7_17cc865d\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	9E6F5F83756A722153DE06DB0296E447	938128D2C7E77AD36D0FDE60E0E156BD5ABDDB75	49810D9D418FACA0C29426E9D0D040328CCD0145CE8EB0C30BF3BADF70139C90
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_f8b2f5d487f13ef078ee9e48b4dedc7a1e0c36a_5c1322d7_16d906f7\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	53685A419CF7EC9EEB8E8B262B84AB14	664EB1A851BEE5C23313419260831F03DDEFD44A	16706EECDC267A278870AEA6F43800D7FFBCAAAF1AADE5B3411689A9F186B983
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E6.tmp.dmp	Mini DuMP crash report, 14 streams, Wed Feb 8 04:00:32 2023, 0x1205a4 type	2F9CBFAF66514F6F949E2DA828278CF1	4ED77862C2ED12163C281022D7BF71CDD4861424	2C2259EFDA83A91C63F67A22DBB273E23FA0196CF8CEC79886A16EA6D2B31759
C:\ProgramData\Microsoft\Windows\WER\Temp\WER284.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	C216304369B0861C406CD0E8BF90B9C9	F4D169D2A08B632CA02F68D4F495DBAC9C6ED0B4	FB31C1BECD68341E91C0CA0F6D920106E7766B84B69913C88B8C3EA9A1027A12
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E2.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	B91254BEBC2CB3BBCC3C2FD371C19BCD	0AF037B5BACAC11F3A80D9806B508BAE5A3BD476	4E143D383879AB8AF86555DDB5A14E556CE8B072DA21F021BD03AFABDE3A1185
C:\ProgramData\Microsoft\Windows\WER\Temp\WER79AB.tmp.dmp	Mini DuMP crash report, 14 streams, Wed Feb 8 03:59:57 2023, 0x1205a4 type	D863407F220D9FCD294967B7B3A22500	9D89BA50795E74E905744C983121466734A9476E	E9873D794BA3AB454452DBE67EB39D5438A29AD201AE1C2828C3CABA4B851205
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7AA6.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	64BECBF4071943E2B8CD287D5DCEBA86	B886DA8B4862216F5F1BA7D3E8910506AD91DA1C	052FBCEC73916EFFE070CEC471F8408E2F0A3006EC9A7F305C492B29631387A2
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B15.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	CDEA9895AE45FAA2B9145C5C8277D26B	09D422C225D41E09692A2934E47959B7AC92E608	9BB95FD6833B02A12E68F8CF95AB581F45CD1D404768FB9AEA4BAC64E3A09DF1
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	8F475F956A1FDD12DB994C03ED7E6F23	0E3C19098B8C41C4AD1DCD78DB9FB80F0366081A	F3C1A9728423119F5C89F7B63A644156E106D0A509B030FBC58D1D936AF6C2BA
C:\Windows\appcompat\Programs\Amcache.hve.LOG1	MS Windows registry file, NT/2000 or above	CA4E9267CF91757F5744DD8FF9324565	C24424A4F80676739C5ACFFED25A9E9583633320	4726BCB33D0EDE6651D680A10581DA4DC78300259B0CABD83298C0DA94B1B141

Windows Analysis Report
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Windows Analysis Report SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe