Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe
Analysis ID: 1345561
MD5: b794418cce0beacb8eab531605e194b7
SHA1: 859a978d7252563cffd21140a6869f0f685f8f6d
SHA256: a94ed8371035cbc5f21d14be02444b5d85cf2d4feeba9a869ec3a446222721df
Tags: exe

Detection

NSISDropper
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected NSISDropper
Machine Learning detection for sample
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
One or more processes crash
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Found large amount of non-executed APIs
Contains functionality which may be used to detect a debugger (GetProcessHeap)

Classification

AV Detection

Source: SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe ReversingLabs: Detection: 26%
Source: SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Virustotal: Detection: 33%
Source: SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6536 -s 228
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_0041286A 0_2_0041286A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_00422032 0_2_00422032
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_004200E8 0_2_004200E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_0042188A 0_2_0042188A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_004130B7 0_2_004130B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_00412376 0_2_00412376
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_00421318 0_2_00421318
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_0040EB33 0_2_0040EB33
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_004164C0 0_2_004164C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_004134EC 0_2_004134EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_00412C82 0_2_00412C82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_00417C9B 0_2_00417C9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_004174B0 0_2_004174B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_0040ED86 0_2_0040ED86
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_00420DA6 0_2_00420DA6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_0042364C 0_2_0042364C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_00416727 0_2_00416727
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_005708B7 0_2_005708B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_00570B61 0_2_00570B61
Source: SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6536 -s 228
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6536
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Command line argument: pRB 0_2_00401190
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\93699842-8f8b-4701-b591-80b24c5333aa
Source: classification engine Classification label: mal60.troj.winEXE@2/5@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_0041540A push ecx; ret 0_2_0041541D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_00417495 push ecx; ret 0_2_004174A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_00416727 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00416727
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe API coverage: 6.5 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_005707DA GetSystemInfo, 0_2_005707DA
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_0041A0B2 IsDebuggerPresent, 0_2_0041A0B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_0057005F mov eax, dword ptr fs:[00000030h] 0_2_0057005F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_0057017B mov eax, dword ptr fs:[00000030h] 0_2_0057017B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_00570109 mov eax, dword ptr fs:[00000030h] 0_2_00570109
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_0057013E mov eax, dword ptr fs:[00000030h] 0_2_0057013E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_0041EC7F EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_0041EC7F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_004177BD GetProcessHeap, 0_2_004177BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_004169E3 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004169E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_004169B2 SetUnhandledExceptionFilter, 0_2_004169B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_0041F826
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 0_2_0041F8A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 0_2_0041FA9E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0041FBC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_0041FC75
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_0041CCD1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 0_2_0041FCDF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 0_2_0041F4F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: EnumSystemLocalesW, 0_2_00416D50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: GetLocaleInfoW, 0_2_00416D8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: EnumSystemLocalesW, 0_2_0041F769
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_0041F7A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16770.26321.exe Code function: 0_2_00419F1D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00419F1D
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.1674381918.0000000000570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1674331641.000000000042E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.1674381918.0000000000570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1674331641.000000000042E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
No contacted IP infos