Windows
Analysis Report
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Process tree:
- System is w10x64
  - SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe (PID: 7388, cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe, MD5: 2D49D0D6906103A3F6C171D354FAA0AF)
    - WerFault.exe (PID: 7452, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7388 -s 216, MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe was launched with -p 7388, the sample's own PID: Windows Error Reporting was handling an unhandled exception in the sample, which therefore crashed one second after start (compare the process start times below). The behavioural signatures in this report should be read with that in mind, and the six dropped files listed later were written by WerFault.exe, not by the sample.
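Added example, not code from the sandbox report: a small Python helper that turns the WerFault observation into a check an analyst can run over any process tree. Windows Error Reporting starts WerFault.exe as `WerFault.exe -u -p <pid> -s <handle>`, where -p names the process that raised the unhandled exception; matching that PID against the rest of the tree identifies the crashed process (here PID 7388, the sample). The process lines are constructed to mirror this report's tree, and the orphan case (a -p target that was not captured) is handled explicitly.

```python
"""Attribute WerFault.exe launches to the process that faulted.

Added example; not code from the Joe Sandbox report. The -p switch of WerFault.exe
names the faulting process; -s carries a handle WER passes to WerFault, not a PID.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input shaped like the report's process tree: (PID, command line).
PROCESS_TREE: List[Tuple[int, str]] = [
    (7388, r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe"),
    (7452, r"C:\Windows\SysWOW64\WerFault.exe -u -p 7388 -s 216"),
]

# "-p <pid>" as a standalone switch followed by digits; "-s <n>" is deliberately ignored.
_FAULTING_PID = re.compile(r"(?i)(?:^|\s)-p\s+(\d+)(?=\s|$)")


def _image_name(cmdline: str) -> str:
    """Lower-cased basename of the first command-line token, honouring a quoted image path.

    An unquoted image path containing spaces is ambiguous on Windows as well; it is not
    special-cased here.
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        token = s[1:end] if end != -1 else s[1:]
    else:
        token = s.split(None, 1)[0] if s else ""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def werfault_target(cmdline: str) -> Optional[int]:
    """PID named by WerFault's -p switch, or None if this is not a WerFault launch."""
    if _image_name(cmdline) != "werfault.exe":
        return None
    m = _FAULTING_PID.search(cmdline)
    return int(m.group(1)) if m else None


def crashed_processes(tree: List[Tuple[int, str]]) -> Dict[int, Tuple[int, Optional[str]]]:
    """Map each WerFault PID to (faulting PID, its command line, or None if not captured)."""
    by_pid = dict(tree)
    crashes: Dict[int, Tuple[int, Optional[str]]] = {}
    for pid, cmdline in tree:
        target = werfault_target(cmdline)
        if target is not None:
            crashes[pid] = (target, by_pid.get(target))
    return crashes


def sample_crashed(tree: List[Tuple[int, str]], sample_pid: int) -> bool:
    """True when some WerFault instance in the tree was reporting on sample_pid."""
    return any(target == sample_pid for target, _ in crashed_processes(tree).values())


if __name__ == "__main__":
    for wer_pid, (target, cmdline) in crashed_processes(PROCESS_TREE).items():
        print(f"WerFault PID {wer_pid} reported a fault in PID {target}: {cmdline or '<not captured>'}")
```

The image-name check is done on the first command-line token rather than with a substring search, so a process that merely mentions WerFault.exe in its arguments (or is named WerFault.exe.bat) is not mistaken for the reporter.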
Signature categories:
- AV Detection
- Compliance
- Networking
- Key, Mouse, Clipboard, Microphone and Screen Capturing
- System Summary
- Data Obfuscation
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- Lowering of HIPS / PFW / Operating System Security Settings
Signatures (the per-signature descriptions did not survive extraction; only the source type of each matching signature remains, listed in report order with repeat counts)

Source type | Matches |
---|---|
AV Detection: Avira, ReversingLabs, Virustotal, Joe Sandbox ML | 4 |
Static PE information | 1 |
String found in binary or memory | 2 |
Binary or memory string | 1 |
Static PE information | 2 |
Process created | 1 |
Code function | 1 |
ReversingLabs, Virustotal | 2 |
File created | 1 |
Key opened | 1 |
Classification label | 1 |
Process created | 2 |
Mutant created | 1 |
File read | 2 |
Static file information | 1 |
Static PE information | 1 |
Code function | 26 |
Process information set | 20 |
Binary or memory string | 17 |
Process queried | 1 |
Code function | 1 |
Binary or memory string | 3 |
MITRE ATT&CK techniques with at least one matching signature (count in the last column; the unmatched template cells of the matrix are omitted)

Tactic | Technique | Matching signatures |
---|---|---|
Privilege Escalation | Process Injection | 1 |
Defense Evasion | Process Injection | 1 |
Defense Evasion | Virtualization/Sandbox Evasion | 1 |
Defense Evasion | Obfuscated Files or Information | 1 |
Credential Access | Input Capture | 1 |
Discovery | Security Software Discovery | 21 |
Discovery | Virtualization/Sandbox Evasion | 1 |
Discovery | System Information Discovery | 1 |
Discovery | Remote System Discovery | 1 |
Collection | Input Capture | 1 |
Collection | Archive Collected Data | 1 |
Command and Control | Encrypted Channel | 1 |
Detection | Scanner | Label |
---|---|---|
32% | ReversingLabs | |
28% | Virustotal | |
100% | Avira | TR/Crypt.XPACK.Gen |
100% | Joe Sandbox ML | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(name not captured) | | false | | high |
(name not captured) | | false | | high |
Contacted IPs with domain, country and ASN attribution: none recorded.

Other contacted IPs:
IP |
---|
192.168.2.1 (RFC 1918 private address) |
Joe Sandbox Version: | 38.0.0 Beryl |
Analysis ID: | 1277760 |
Start date and time: | 2023-07-22 11:40:27 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 1s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Run with higher sleep bypass |
Number of newly started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe |
Detection: | MAL |
Classification: | mal60.winEXE@2/6@0/1 |
EGA Information: | |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Excluded processes from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.168.117.173
- Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com
- Not all processes were analysed; the report is missing behaviour information
Dropped files (all six were written by C:\Windows\SysWOW64\WerFault.exe, i.e. they are Windows Error Reporting output for the crashed sample, not files created by the sample itself):

Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.6790339392113841 |
Encrypted: | false |
SSDEEP: | 192:qMxBR+hfHBUZMXL30jE/u7srS274It6OgPI:dxBR+hfBUZMXL30jE/u7srX4It6OgPI |
MD5: | EEC5A651477B43D76750B4AB116A646C |
SHA1: | 0106BE3143E7869AFB1ED9558E1C5549A2777AAD |
SHA-256: | 0A232FD1869EFB0AAEFD617A7D9D253027FAEADBE6249506A2D65A3BFB722DFB |
SHA-512: | 9A5883CF320C92C9A867860E4EBF7C62B9E63DB5EFAC036E87CC3E1AC9619DDA9C860F38B7288FA8BB60F04875EA06A36E2BD3A45625109F814EA7D330E66D60 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 18060 |
Entropy (8bit): | 2.2014095982110486 |
Encrypted: | false |
SSDEEP: | 96:5l8i48D/ERPAKzft2i7k3Ey1dSVmm1P9zmCulRMeSWInWIX4I4fynq1l:gi/WAKjUOydSVmm1wRfbfqq1 |
MD5: | FD79B8E5738601C44A85C0DD4C7905AD |
SHA1: | 7E6B17F11B425F4E9DD357D5EF0BE5D214734AE4 |
SHA-256: | 9AE7BA31EC5EB655CAEC36A78E6FEFCE843FB966C9458DC34C0E4E00BB52C90C |
SHA-512: | 075E9595C3884BB9297878E6D5B11891675A8FCD4F68D6ABA99A3778BB611388A4083EEBEA9D0EA0633AAB421ECF30558D4E34BE858E176F4BE5C4956D5D6C07 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8488 |
Entropy (8bit): | 3.7118128131876573 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNioj56Iq6YqfSU5gmf9DMSkCprp89brxsfCZm:RrlsNio9636YySU5gmf9oSqrqf1 |
MD5: | 94EFBBBA13234E53BB4F468843F10BE2 |
SHA1: | F68404199B35F632BE001C6B7D727D5CCF927F52 |
SHA-256: | 5C8372DE372CB5BB3882031EC6148374DB534231663182656525F0BE70AD6A90 |
SHA-512: | EE04D6F3A85F6C58D7D2AE4C3A92BE6C058C8E26F2E9B035295B7663DCC1C1309D31B8ADEF7DB42ECFBE29661EABFE8B139D4561742135A1EAC9C4B4819119C2 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4823 |
Entropy (8bit): | 4.601856115849031 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsAJgtWI9UyWgc8sqYjlu8fm8M4JqwtwT2ZFHk+q8BwPmSl048w0+Sw0p:uITfGPTgrsqY5LJ7yKwLuSl0I0+T07d |
MD5: | 1CBCD6846B7F518BDAA144CE5B55B7EB |
SHA1: | 2AF9AFE4D90720C5AC916247E0FA00B946014868 |
SHA-256: | F1C5D43E2ECCB7741F1B40BAFEE7ABB8ED8EC61ECDB6E9B92C243FE9F96CD6B9 |
SHA-512: | D2B1AE977102422D788B7814B66F0F4DA41A4244CFD94F30829CD64F4E6DA3552FFE66079DED9D37F9A77AF3ED851DD7A5ABC59D7680264CF24A48B1D6BA4BE5 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1572864 |
Entropy (8bit): | 4.294500264710577 |
Encrypted: | false |
SSDEEP: | 12288:yaGwROAydfbcnGnwd6Lp6d40g3ANPIX2zN7NawVDrFOWIwhVZd0M1uB:MwROAydfbcnGnwin7 |
MD5: | 989590E03485A40C52EA3ECB67693036 |
SHA1: | 39C4702DAB3D9FA912062D1CDB8268B0425E9727 |
SHA-256: | 1E7D9AE74EED738E3A39BB57913102D691BFC561E524B0E60FE17992A0EEC2EE |
SHA-512: | 253B2089C14739882163EBA1DEC402EC3DE89975C302BEEB077377AA745214F661734CF531C061D99E73B7B3C2D8420CD46772FF9C948B5731E1CA00EE4CC174 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 28672 |
Entropy (8bit): | 3.8217116156174575 |
Encrypted: | false |
SSDEEP: | 768:TgrRftx1MJ4JDHNAJfGqpGBlkqICSC9OrMYPQo0:+WqRlb |
MD5: | AA16146A041269C0EA9BEB9ABB0E694F |
SHA1: | A4A763A049D01E4E96F1E89C25CA0D8B7D37E35C |
SHA-256: | FD028F74175E64DF93D0E7C8458A4DDE54708F0A45CE947EED0770C75087E09D |
SHA-512: | 62728855AFEEFA3B17C096DCE3C3738D82A296A9CF0646EE3EF9B41D224B1B44660BDE6B4C419B08811214A53589E76E9F2603F7AA389CFC4F67E5E095ADB910 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.210509338559239 |
TrID: |
|
File name: | SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe |
File size: | 3'444'736 bytes |
MD5: | 2d49d0d6906103a3f6c171d354faa0af |
SHA1: | 1132e7c79711ca7358ef712f917ada28f7df0d1e |
SHA256: | ce3dab7e124372ea19e7e9e9b5c61a482951c72156d82196e9045cc2055d189c |
SHA512: | 056d55cc21eacbb4727536ef760edf556c26e0a3ef2b40d9e4195cf6d1b8225e070f0439a9cd34cccbb9bbb1800d03e6c8edc1b1ff07292274612523892f3dc5 |
SSDEEP: | 49152:Bq1vUXJXXcPMmtQk7AMS9CYS5DRzOmpinVI+kFLgDi9Ufbrr:Q+XJHcdTYS5lzOmpimtEDT |
TLSH: | 77F5E18742C10776C773B9384D5973BB4A19AA1359247CEAFD926B4C2B35E02FB20736 |
File Content Preview: | MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM.................X....'.....4g..... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x4c6734 |
Entrypoint Section: | CODE |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | |
Time Stamp: | 0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]; the little-endian bytes of this value read "CLAM", the marker ClamAV's PE rebuilder writes into TimeDateStamp (matching the ClamAV DOS-stub text in the File Content Preview), so the decoded date is not a build time, and the file is ClamAV's rebuilt dump of an unpacked executable rather than the original packed sample |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFF0h |
mov eax, 004C645Ch |
call 00007F164D29A230h |
push 00000036h |
call 00007F168533A230h |
push 00000036h |
call 00007F168533A230h |
push 00000036h |
call 00007F168533A230h |
push 00000036h |
call 00007F168533A230h |
push 00000036h |
call 00007F168533A230h |
mov dword ptr [004CAD3Ch], 00000001h |
push 00000036h |
call 00007F168533A230h |
inc dword ptr [004CAD3Ch] |
cmp dword ptr [004CAD3Ch], 06B3C41Dh |
jne 00007F16B0D4A1F9h |
mov eax, dword ptr [004C9808h] |
mov eax, dword ptr [eax] |
call 00007F17019AA830h |
mov ecx, dword ptr [004C9AB8h] |
mov eax, dword ptr [004C9808h] |
mov eax, dword ptr [eax] |
mov edx, dword ptr [004C5C40h] |
call 00007F17199AA830h |
mov eax, dword ptr [004C9808h] |
mov eax, dword ptr [eax] |
call 00007F16999AA830h |
call 00007F163104A230h |
nop |
add byte ptr [eax], al (repeated 30 times: 00 00 padding bytes after the entry routine, not code) |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcb000 | 0x27ea | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xdf000 | 0x269e00 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd0000 | 0xefe4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xcf000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
CODE | 0x1000 | 0xc6000 | 0xc6000 | False | 0.44383655894886365 | data | 6.564348905944287 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
DATA | 0xc7000 | 0x3000 | 0x3000 | False | 0.3990885416666667 | data | 4.52569659394763 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
BSS | 0xca000 | 0x1000 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xcb000 | 0x3000 | 0x3000 | False | 0.07210286458333333 | data | 1.1147063293278243 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0xce000 | 0x1000 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xcf000 | 0x1000 | 0x1000 | False | 0.010498046875 | data | 0.03316609302002148 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.reloc | 0xd0000 | 0xf000 | 0xf000 | False | 0.0013346354166666667 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.rsrc | 0xdf000 | 0x26a000 | 0x26a000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
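Added example, not the report's or Joe Sandbox's code: a self-contained Python PE header parser that checks the two ClamAV rebuild markers visible in the static information above (the DOS-stub text shown in the File Content Preview, and a TimeDateStamp of 0x4D414C43, whose little-endian bytes are "CLAM") and computes the per-section Shannon entropy that the section table reports. build_sample_pe() constructs a two-section PE32 test image carrying both markers so the script runs offline; that image, and the 7.0 entropy threshold used to flag packed or encrypted sections, are the example's own choices.

```python
"""Minimal PE triage: ClamAV rebuild markers and per-section Shannon entropy.

Added example; not code from the sandbox report. ClamAV's PE rebuilder writes the text
"This file was created by ClamAV for internal use and should not be run" into the DOS
stub and the bytes "CLAM" into TimeDateStamp; both are checked below.
"""
import math
import struct
from collections import Counter
from typing import Dict, List, NamedTuple

CLAM_STAMP = 0x4D414C43                      # on disk: 43 4C 41 4D == b"CLAM"
CLAM_STUB_TEXT = b"This file was created by ClamAV for internal use"
IMAGE_SCN_MEM_EXECUTE = 0x20000000


class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant data) to 8.0 (uniform byte distribution)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> Dict[str, object]:
    """Parse the DOS header, COFF file header, PE32/PE32+ optional header and section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, pe_off + 4)
    opt_off = pe_off + 24
    (magic,) = struct.unpack_from("<H", blob, opt_off)
    (entry_rva,) = struct.unpack_from("<I", blob, opt_off + 16)
    if magic == 0x10B:                                   # PE32: ImageBase is a DWORD at +28
        (image_base,) = struct.unpack_from("<I", blob, opt_off + 28)
    elif magic == 0x20B:                                 # PE32+: ImageBase is a QWORD at +24
        (image_base,) = struct.unpack_from("<Q", blob, opt_off + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections: List[Section] = []
    sect_off = opt_off + opt_size
    for i in range(nsect):
        # IMAGE_SECTION_HEADER is 40 bytes: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        name, vsize, va, rsize, roff, _, _, _, _, sch = struct.unpack_from("<8sIIIIIIHHI", blob, sect_off + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"), va, vsize, rsize, sch,
                                shannon_entropy(blob[roff:roff + rsize])))
    return {
        "machine": machine,
        "characteristics": chars,
        "timestamp": stamp,
        "entrypoint": image_base + entry_rva,
        # Either marker alone identifies a ClamAV-rebuilt image.
        "clamav_rebuilt": stamp == CLAM_STAMP or CLAM_STUB_TEXT in blob[:pe_off],
        "sections": sections,
    }


def high_entropy_sections(info: Dict[str, object], threshold: float = 7.0) -> List[str]:
    """Names of sections whose content looks packed or encrypted (entropy >= threshold)."""
    return [s.name for s in info["sections"] if s.entropy >= threshold]  # type: ignore[union-attr]


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image carrying both ClamAV markers (test input only)."""
    pe_off = 0xC0
    dos = bytearray(b"MZ") + b"\0" * 0x3A + struct.pack("<I", pe_off)   # e_lfanew at 0x3C
    dos += CLAM_STUB_TEXT + b" and should not be run."
    dos += b"\0" * (pe_off - len(dos))
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, CLAM_STAMP, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x6734)              # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    code = bytes((i * 131 + 17) & 0xFF for i in range(0x200))   # each byte value exactly twice: entropy 8.0
    rsrc = b"\0" * 0x200                                          # constant: entropy 0.0
    sect_hdrs = struct.pack("<8sIIIIIIHHI", b"CODE", 0x1000, 0x1000, len(code), 0x400, 0, 0, 0, 0,
                            0x40000020 | IMAGE_SCN_MEM_EXECUTE)
    sect_hdrs += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x1000, 0x2000, len(rsrc), 0x600, 0, 0, 0, 0, 0x40000040)
    image = bytearray(dos + file_hdr + opt + sect_hdrs)
    image += b"\0" * (0x400 - len(image))                # headers end well before the first raw offset
    return bytes(image + code + rsrc)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("ClamAV-rebuilt:", info["clamav_rebuilt"], "timestamp bytes:", info["timestamp"].to_bytes(4, "little"))
    for s in info["sections"]:
        print(f"{s.name:8s} VA=0x{s.virtual_address:x} raw={s.raw_size} entropy={s.entropy:.2f}")
    print("high-entropy sections:", high_entropy_sections(info))
```

Run against a real file with `parse_pe(open(path, "rb").read())`; sections whose raw data lies beyond the end of the file simply yield a truncated slice and a correspondingly low entropy, so a packed image that lies about SizeOfRawData does not raise.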
Target ID: | 0 |
Start time: | 11:41:22 |
Start date: | 22/07/2023 |
Path: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 3'444'736 bytes |
MD5 hash: | 2D49D0D6906103A3F6C171D354FAA0AF |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language (sandbox heuristic; the CODE/DATA/BSS section names in the section table are the Borland/Delphi linker's convention) |
Reputation: | low |
Target ID: | 3 |
Start time: | 11:41:23 |
Start date: | 22/07/2023 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xbe0000 |
File size: | 434'592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |