Windows
Analysis Report
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe
Overview
General Information
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Process Tree
- System is w10x64
- SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe (PID: 5948, cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe, MD5: BD13975ABC6AC3E5A97706A45F48F7DF)
  - WerFault.exe (PID: 6040, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220, MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  - WerFault.exe (PID: 5772, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220, MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- cleanup

Both WerFault.exe instances name the sample (-p 5948) as the faulting process, and the dropped files listed further down are two AppCrash Report.wer bundles: the sample crashed twice rather than running to completion, which matches the 0.1% execution coverage in the execution graph. The behavioural findings in this report therefore rest almost entirely on static evidence.
Signature evidence. The signature names and the matched values are not present in this copy of the report; only the evidence type of each hit survives, listed here in the original order and grouping.

- AV Detection: Avira; ReversingLabs
- Static PE information
- String found in binary or memory (2 hits)
- Static PE information
- Static PE information
- Process created
- Code function (7 hits): 0_2_00412098, 0_2_0040D0A4, 0_2_00420B22, 0_2_0040DBDA, 0_2_00412D62, 0_2_00414691, 0_2_0041BF83
- ReversingLabs
- File created
- Static PE information
- Key opened
- Classification label
- Process created (3 hits)
- Mutant created
- File read (4 hits)
- Static PE information
- Code function: 0_2_00418A7E
- Process information set (40 hits)
- Binary or memory string (17 hits)
- Process queried
- Code function: 0_2_0041CA40
- Binary or memory string
ATT&CK techniques matched by the report. The number is the count of matching signatures; the unnumbered techniques of the original matrix are template entries of every Joe Sandbox report, not findings for this sample.

Tactic | Technique | Matching signatures
---|---|---
Privilege Escalation | Process Injection | 1
Defense Evasion | Process Injection | 1
Defense Evasion | Virtualization/Sandbox Evasion | 1
Defense Evasion | Obfuscated Files or Information | 1
Discovery | Security Software Discovery | 21
Discovery | Virtualization/Sandbox Evasion | 1
Discovery | System Information Discovery | 1
Discovery | Remote System Discovery | 1
Collection | Archive Collected Data | 1
Command and Control | Encrypted Channel | 1
Source | Detection | Scanner | Label
---|---|---|---
| 13% | ReversingLabs |
| 100% | Avira | TR/Crypt.XPACK.Gen

Source | Detection | Scanner | Label
---|---|---|---
| 100% | Avira | TR/Crypt.XPACK.Gen
| 100% | Avira | TR/Crypt.XPACK.Gen

The only named detection is a generic crypter/packer signature (the .Gen suffix) with no family attribution; the static section below shows the file describing itself as created by ClamAV for internal use.
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 800793 |
Start date and time: | 2023-02-07 19:58:56 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 37s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Run with higher sleep bypass |
Number of new started processes analysed: | 16 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe |
Detection: | MAL |
Classification: | mal56.winEXE@3/10@0/0 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.42.73.29, 13.89.179.12
- Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com
- Not all processes were analysed; the report is missing behaviour information
- VT rate limit hit for: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_63a32cbc58eca2f445502337681ea96cbf1e38a6_5c1322d7_17cc865d\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.6785938513999892 |
Encrypted: | false |
SSDEEP: | 192:eqj19H2YGwHBUZMXUKOjE/u7shS274It6LG:DR9H2YGYBUZMXUKOjE/u7shX4It6LG |
MD5: | 9E6F5F83756A722153DE06DB0296E447 |
SHA1: | 938128D2C7E77AD36D0FDE60E0E156BD5ABDDB75 |
SHA-256: | 49810D9D418FACA0C29426E9D0D040328CCD0145CE8EB0C30BF3BADF70139C90 |
SHA-512: | 7ADAD777C04BDA5F89CC9895CA634870FD38B40BBC0C2D795B9541DB8460688A7013BA878A13C16151D7E87F040EB1D4170A14C2020C38347B76E12E6FC855BA |
Malicious: | false |
Reputation: | low |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_f8b2f5d487f13ef078ee9e48b4dedc7a1e0c36a_5c1322d7_16d906f7\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.6890775397208573 |
Encrypted: | false |
SSDEEP: | 192:8zj19H2YlyOHK5S5KOjE/u7sGS274It6LG:QR9H2YlyGK5S5KOjE/u7sGX4It6LG |
MD5: | 53685A419CF7EC9EEB8E8B262B84AB14 |
SHA1: | 664EB1A851BEE5C23313419260831F03DDEFD44A |
SHA-256: | 16706EECDC267A278870AEA6F43800D7FFBCAAAF1AADE5B3411689A9F186B983 |
SHA-512: | 5F79E1FA7C6538F3D0CDF2607FFD7F73107BA54998AEB247ECDCA23E347649C19116420CF603DC6E3367794412610DEC3E3114DBC3583641C11AB3E90E1F6BB9 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 18004 |
Entropy (8bit): | 2.184282510089021 |
Encrypted: | false |
SSDEEP: | 96:548i5X8Q/ZtaLyR9ii7kw4QTnHS44XbX5v9FtZSXJgI9WInWIXQIwLQ0+JSa:Ji5bZtyk9iOQd5vlZMJgvLv+JSa |
MD5: | 2F9CBFAF66514F6F949E2DA828278CF1 |
SHA1: | 4ED77862C2ED12163C281022D7BF71CDD4861424 |
SHA-256: | 2C2259EFDA83A91C63F67A22DBB273E23FA0196CF8CEC79886A16EA6D2B31759 |
SHA-512: | 2D16BF8D36FFD0E6BB3409CECF443E1BCD0E2867313D04E81541168F79E18E1DB9834A743023A757886DC8AB291C3B9DE56AAD6B3C65AEA477975F9B5DF01D4B |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 8584 |
Entropy (8bit): | 3.7190717986753423 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNipmla6Q36YAPSUoYfpgmf9VYXS7CpDR89b+Rwsfcqm:RrlsNipmI6Q36YYSUVxgmf9mXSV+1fA |
MD5: | C216304369B0861C406CD0E8BF90B9C9 |
SHA1: | F4D169D2A08B632CA02F68D4F495DBAC9C6ED0B4 |
SHA-256: | FB31C1BECD68341E91C0CA0F6D920106E7766B84B69913C88B8C3EA9A1027A12 |
SHA-512: | 8E2E0F499E638C4B39D302BBA012FC804370E7A147E6489E83F24670BA6E251E61EC098CB7029205DD8FFFD8F6C66D94A42F41AC6388BA69160153877808588B |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 4925 |
Entropy (8bit): | 4.666777965909841 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsbJgtWI9lxWgc8sqYjN8fm8M4JK+PFs6+q81PqntU1+xcd:uITf1eggrsqYuJVTtU1+xcd |
MD5: | B91254BEBC2CB3BBCC3C2FD371C19BCD |
SHA1: | 0AF037B5BACAC11F3A80D9806B508BAE5A3BD476 |
SHA-256: | 4E143D383879AB8AF86555DDB5A14E556CE8B072DA21F021BD03AFABDE3A1185 |
SHA-512: | F1532FBCFEB9CB14037B9724395DB886EBF29F8FB6527BE9F3589D666AB044721482160C35852CA933B43F7A302B84544D2C461C353FB680E6C32B6B49709860 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 18136 |
Entropy (8bit): | 2.2063334751789574 |
Encrypted: | false |
SSDEEP: | 96:5F8igX8Q/vyRCp+ii7kHX/uSOz7244XbXtv9NtZSXWI9WInWIXQI4bCSGq1r4:8igbvkY+iOYGgtvNZMWXbCG1r4 |
MD5: | D863407F220D9FCD294967B7B3A22500 |
SHA1: | 9D89BA50795E74E905744C983121466734A9476E |
SHA-256: | E9873D794BA3AB454452DBE67EB39D5438A29AD201AE1C2828C3CABA4B851205 |
SHA-512: | 12449996E5505F14AD65EC7EFEB172835D2C471EA584B981A76EC08B47BA361089611ABB0856A28D0D5876E25BF86FD7ADB42B089EF10AE2F2A2AE24A8857536 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 8482 |
Entropy (8bit): | 3.7119871307963144 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNipmlN6ii6YAKSUdhgmf9VXSiCprN89beRwsfZqm:RrlsNipmP6ii6YdSUdhgmf9VSwe1f1 |
MD5: | 64BECBF4071943E2B8CD287D5DCEBA86 |
SHA1: | B886DA8B4862216F5F1BA7D3E8910506AD91DA1C |
SHA-256: | 052FBCEC73916EFFE070CEC471F8408E2F0A3006EC9A7F305C492B29631387A2 |
SHA-512: | B997E14E220F537522D947456A77C0D1535310C729F340F4D1BC53A3459423ACC7B7721199D5EEE2B2B57B09CE61612F62D0900F556C04625F4E401086DC29CF |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 4827 |
Entropy (8bit): | 4.614432447858704 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zs6tJgtWI9lxWgc8sqYjz8fm8M4JKvZFaXA+q8+fQntU1+xcd:uITf6HeggrsqYUJQ+Qb+tU1+xcd |
MD5: | CDEA9895AE45FAA2B9145C5C8277D26B |
SHA1: | 09D422C225D41E09692A2934E47959B7AC92E608 |
SHA-256: | 9BB95FD6833B02A12E68F8CF95AB581F45CD1D404768FB9AEA4BAC64E3A09DF1 |
SHA-512: | 6DE03DE585C08C738A8CA1EAAB0DF952D708B02DF995DAEF14BA35396C824BAE1969805BF8B0D6B69A751A817DECBDB47B812DACDE11F0EA1E3A6F257F60F9E5 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 1572864 |
Entropy (8bit): | 4.289519862686535 |
Encrypted: | false |
SSDEEP: | 12288:+JgdyhLVs1tqONcKyQL0gGJiBpoIbM6yvUVD1quejGjL+GEkyP:k2yhLVs1tqONcKMBUo6 |
MD5: | 8F475F956A1FDD12DB994C03ED7E6F23 |
SHA1: | 0E3C19098B8C41C4AD1DCD78DB9FB80F0366081A |
SHA-256: | F3C1A9728423119F5C89F7B63A644156E106D0A509B030FBC58D1D936AF6C2BA |
SHA-512: | 02026AE0107171BFF194BE972531CB3F71C24DED5FEEDE8085A841AD4416C6ABB587C22024635ADC28380A6304049AA25F3760E5696EA13AC31FAB9E3B2D1096 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 24576 |
Entropy (8bit): | 3.0177781802530625 |
Encrypted: | false |
SSDEEP: | 384:2q85SnX9SaPySp9sJImYwSxrZK/MFsJImYwSD:7KStSaPBpWzYwSNZK/dzYwS |
MD5: | CA4E9267CF91757F5744DD8FF9324565 |
SHA1: | C24424A4F80676739C5ACFFED25A9E9583633320 |
SHA-256: | 4726BCB33D0EDE6651D680A10581DA4DC78300259B0CABD83298C0DA94B1B141 |
SHA-512: | 757E694FB09A82E16990AFCB3A52EE2549505AE88E4741591168B4B5A75B0BDE8C2C659D10178249427E7254873395FF7C6BC7EC00767BBB367F5F5B5A7675A5 |
Malicious: | false |
Entropy (8bit): | 5.8855949580269264 |
File name: | SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe |
File size: | 188416 |
MD5: | bd13975abc6ac3e5a97706a45f48f7df |
SHA1: | 154e70c5150815308e17bbb74cae4ee79948e438 |
SHA256: | 7bda9944d4b4a62a86088d56ad964c0a4b98516c93f6467cd89a8f8f655a0029 |
SHA512: | 9fee403e82536f4c3c42225762e2ebd1c66496fb94ca1b97ccdc11ced2e56211e60159d6b183667a8fdf270faec42d31888ef60be0f1e401f5d12fb976732178 |
SSDEEP: | 3072:jCY64XFREi9URWKznfMvJ/zl6HvK2KkAtZodTzHHNaTrOT:tTORmLyJdvH4TrOT |
TLSH: | EB046C316842A495F0E3E8F3C9EBD47DBB0977A0030224F761CC065AA7625FA763E553 |
File Content Preview: | MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM................. ..........k...... |
Icon Hash: | 00828e8e8686b000 |
Entrypoint: | 0x41856b |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]. The four stamp bytes are the ASCII string "CLAM" (visible as "PE..L...CLAM" in the content preview above), matching the "created by ClamAV for internal use" text in the same preview, so the January 2011 date is a tag rather than a build time. |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: |
Entry point disassembly (0x41856b, in .text). The code is the stock MSVC CRT start-up prologue rather than sample-specific logic (identified from the code pattern; the report does not resolve the import names): it registers an SEH frame through fs:[0] with the handler at 0x41CA40 (the function listed in the execution graph below), the first indirect call followed by the `mov dl, ah` / `and ecx, 000000FFh` / `shr eax, 10h` sequence splits a GetVersion-style result into the CRT's minor, major, combined and platform version globals at 0x42C508, 0x42C504, 0x42C500 and 0x42C4FC, and the `lea eax, dword ptr [ebp-5Ch]` / `test byte ptr [ebp-30h], 00000001h` pair fills a STARTUPINFO structure and tests its dwFlags for STARTF_USESHOWWINDOW. The program's own behaviour lives in the signature-flagged functions (0x40D0A4, 0x412098, 0x412D62, 0x420B22 and the others in the execution graph), not here.

Instruction |
---|
push ebp |
mov ebp, esp |
push FFFFFFFFh |
push 004234E8h |
push 0041CA40h |
mov eax, dword ptr fs:[00000000h] |
push eax |
mov dword ptr fs:[00000000h], esp |
sub esp, 58h |
push ebx |
push esi |
push edi |
mov dword ptr [ebp-18h], esp |
call dword ptr [004230CCh] |
xor edx, edx |
mov dl, ah |
mov dword ptr [0042C508h], edx |
mov ecx, eax |
and ecx, 000000FFh |
mov dword ptr [0042C504h], ecx |
shl ecx, 08h |
add ecx, edx |
mov dword ptr [0042C500h], ecx |
shr eax, 10h |
mov dword ptr [0042C4FCh], eax |
push 00000001h |
call 00007F3F2A4A3236h |
pop ecx |
test eax, eax |
jne 00007F3F58A4312Ah |
push 0000001Ch |
call 00007F3EED1A3236h |
pop ecx |
call 00007F3FD0723236h |
test eax, eax |
jne 00007F3F58A4312Ah |
push 00000010h |
call 00007F3EED1A3236h |
pop ecx |
xor esi, esi |
mov dword ptr [ebp-04h], esi |
call 00007F3F1EF73236h |
call dword ptr [004230C8h] |
mov dword ptr [0042CB34h], eax |
call 00007F3F9E713236h |
mov dword ptr [0042C560h], eax |
call 00007F3F516E3236h |
call 00007F3F986E3236h |
call 00007F3EDFF43236h |
mov dword ptr [ebp-30h], esi |
lea eax, dword ptr [ebp-5Ch] |
push eax |
call dword ptr [00423088h] |
call 00007F3F406D3236h |
mov dword ptr [ebp-64h], eax |
test byte ptr [ebp-30h], 00000001h |
je 00007F3F58A43128h |
movzx eax, word ptr [ebp+00h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x23f88 | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x23000 | 0x1a8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x22000 | 0x22000 | False | 0.4499942555147059 | data | 6.458075836010223 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x23000 | 0x2000 | 0x2000 | False | 0.2213134765625 | data | 2.8987922797855528 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x25000 | 0x9000 | 0x9000 | False | 0.20203993055555555 | data | 3.054353288110077 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
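The entry point, time stamp, file characteristics and per-section entropy above come from the report's static PE parser. The script below is an added example, not part of this report or of Joe Sandbox, showing how to recover the same fields from a PE32 image with the Python standard library alone. It builds a small synthetic image (constructed test data, not the analysed sample's bytes) that reuses the header values from this report (time stamp 0x4D414C43, entry point RVA 0x1856b, image base 0x400000, the three section headers and characteristics 0x010F), decodes the time stamp both as a UTC date and as the ASCII it spells, locates the section that contains the entry point, expands the COFF characteristics and computes 8-bit Shannon entropy per section. Section bodies are filler chosen to give distinct entropy values, so those figures intentionally differ from the report's; the function names are the example's own.

```python
"""Static PE32 triage: time stamp, entry point section, characteristics, entropy."""
import math
import struct
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE, PE32_MAGIC = 0x5A4D, 0x00004550, 0x10B
FILE_CHARACTERISTICS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
                        0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}

def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 for empty or constant data, 8.0 max)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def timestamp_info(tstamp: int) -> dict:
    """COFF TimeDateStamp as a UTC date and, when all four bytes are printable,
    as the ASCII it spells: linkers may store a tag or a hash here, not a build time."""
    raw = struct.pack("<I", tstamp)
    printable = all(0x20 <= b < 0x7F for b in raw)
    utc = datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return {"value": tstamp, "utc": utc, "ascii": raw.decode("ascii") if printable else None}

def parse_pe(image: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsec, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)   # AddressOfEntryPoint
    (image_base,) = struct.unpack_from("<I", image, opt + 28)  # ImageBase
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size, "characteristics": sc,
                         "entropy": shannon_entropy(image[raw_ptr:raw_ptr + raw_size])})
    return {"timestamp": tstamp, "entry_rva": entry_rva, "image_base": image_base,
            "characteristics": chars, "sections": sections}

def section_for_rva(sections: list, rva: int):
    """Name of the section whose virtual range covers rva, or None if it is in no section."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None

def triage(image: bytes) -> dict:
    pe = parse_pe(image)
    flags = [n for bit, n in FILE_CHARACTERISTICS.items() if pe["characteristics"] & bit]
    return {"entry_va": pe["image_base"] + pe["entry_rva"],
            "entry_section": section_for_rva(pe["sections"], pe["entry_rva"]),
            "timestamp": timestamp_info(pe["timestamp"]),
            "characteristics": flags,
            # RELOCS_STRIPPED: the loader cannot rebase the image, so ASLR does not
            # apply and the absolute addresses seen in the disassembly are stable.
            "rebasable": "RELOCS_STRIPPED" not in flags,
            "section_entropy": {s["name"]: round(s["entropy"], 3) for s in pe["sections"]}}

def build_sample_pe() -> bytes:
    """Constructed test image (not the analysed sample's bytes) that reuses the report's
    header values; section bodies are filler chosen to give distinct entropy values."""
    e_lfanew, file_align = 0x80, 0x200
    hdr = bytearray(e_lfanew)
    struct.pack_into("<H", hdr, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    bodies = [(b".text", 0x1000, 0x22000, 0x60000020, bytes(range(256)) * 2),   # max entropy
              (b".rdata", 0x23000, 0x2000, 0x40000040, b"\0" * 0x200),          # zero entropy
              (b".data", 0x25000, 0x9000, 0xC0000040, b"AB" * 0x100)]           # 1 bit/byte
    hdr += struct.pack("<I", IMAGE_NT_SIGNATURE)
    hdr += struct.pack("<HHIIIHH", 0x14C, len(bodies), 0x4D414C43, 0, 0, 0xE0, 0x010F)
    hdr += struct.pack("<HBBIIIIIII", PE32_MAGIC, 6, 0, 0x22000, 0xB000, 0,
                       0x1856B, 0x1000, 0x23000, 0x400000).ljust(0xE0, b"\0")
    raw, raw_ptr = b"", file_align
    for name, va, vsize, sc, body in bodies:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(body), raw_ptr, 0, 0, 0, 0, sc)
        raw += body
        raw_ptr += len(body)
    return bytes(hdr).ljust(file_align, b"\0") + raw

if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run against a real file with `triage(open(path, "rb").read())`. The ASCII check on the time stamp is the point of the example: a stamp that decodes to printable text (here "CLAM") should not be used as a compile date in a timeline, and a stripped relocation table means the absolute addresses in the report's disassembly can be used as-is when writing detection content.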
Target ID: | 0 |
Start time: | 19:59:56 |
Start date: | 07/02/2023 |
Path: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 188416 bytes |
MD5 hash: | BD13975ABC6AC3E5A97706A45F48F7DF |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Target ID: | 3 |
Start time: | 19:59:56 |
Start date: | 07/02/2023 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x80000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 12 |
Start time: | 20:00:32 |
Start date: | 07/02/2023 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x80000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Execution Graph
Execution Coverage: | 0.1% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 60% |
Total number of Nodes: | 5 |
Total number of Limit Nodes: | 0 |
Functions (from the execution graph; the per-function control-flow graph, API, string, memory dump, IDA plugin and similarity panels are not present in this copy of the report)

Function | Relevance | Strings | APIs | Instructions | Tags
---|---|---|---|---|---
0041CA40 | 1.6 | | 1 | 73 | library, COMMON
0041856B (entry point) | 1.6 | | 1 | 81 | library, COMMON
00420B22 | 26.7 | 21 | | 417 | COMMON
00412D62 | 19.8 | 15 | | 1086 | COMMON
0040D0A4 | 7.9 | 6 | | 373 | COMMON
00412098 | 7.8 | 6 | | 273 | COMMON
00414691 | 1.5 | 1 | | 221 | COMMON
0041BF83 | 0.3 | | | 259 | COMMON, Crypto (C-Code, quality 100%)
0040DBDA | 0.2 | | | 159 | COMMON

Uniqueness score: -1.00% for every listed function.