
Windows Analysis Report
SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe
Analysis ID: 1367881
MD5: e26159f3d33e0a7e087881e92b9959af
SHA1: 33c2dd43cc789069948a19237cc7708ac5586524
SHA256: 4aa9e283503100fe94c6516eca4ee0e3f7293a82f782412dfaca3409959d15d9
Tags: exe
Infos:
Errors:
  • Corrupt sample or wrongly selected analyzer. Details: The %1 application cannot be run in Win32 mode.

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Contains functionality to call native functions
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious)
  • System is w10x64
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | Avira: detected
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | ReversingLabs: Detection: 16%
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | Virustotal: Detection: 19%
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: time.windows.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | Code function: 0_2_0001048C EntryPoint,ZwOpenKey,RtlInitUnicodeString,ZwSetValueKey,0_2_0001048C
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | Binary or memory string: OriginalFilenameArSwp.EXE vs SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | Binary string: \Device\DosDevicesU
Source: classification engine | Classification label: mal64.evad.winEXE@1/0@1/0
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | ReversingLabs: Detection: 16%
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | Virustotal: Detection: 19%
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | Static PE information: real checksum: 0x468c should be: 0x60b98

Hooking and other Techniques for Hiding and Protection

Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | Binary or memory string: KeServiceDescriptorTable

MITRE ATT&CK Matrix (a number in parentheses is the count of signatures matched for that technique; techniques without a count were not matched)
  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: Path Interception; Boot or Logon Initialization Scripts
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
  • Defense Evasion: Direct Volume Access; Rootkit
  • Credential Access: Credential API Hooking (1); LSASS Memory
  • Discovery: System Service Discovery; Application Window Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Credential API Hooking (1); Data from Removable Media
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Command and Control: Non-Application Layer Protocol (1); Application Layer Protocol (1)
  • Network Effects: Exploit SS7 to Redirect Phone Calls/SMS; SIM Card Swap
  • Remote Service Effects: Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  • Impact: Abuse Accessibility Features; Network Denial of Service
  • Resource Development: Acquire Infrastructure; Domains
  • Reconnaissance: Gather Victim Identity Information; Credentials
Behavior Graph (ID: 1367881; Sample: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe; Startdate: 29/12/2023; Architecture: WINDOWS; Score: 64)
  • Process started: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe
  • DNS/IP info: time.windows.com
  • Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; May modify the system service descriptor table (often done to hook functions)
Legend (graph icon key): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet
Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | 16% | ReversingLabs | Win32.Trojan.Generic
SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | 19% | Virustotal |
SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | 100% | Avira | TR/Dropper.Gen
SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe | 100% | Joe Sandbox ML |
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
time.windows.com | unknown | unknown | false | | high
    No contacted IP infos
    Joe Sandbox version: 38.0.0 Ammolite
    Analysis ID: 1367881
    Start date and time: 2023-12-29 01:12:05 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 1m 54s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed: 10
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe
    Detection: MAL
    Classification: mal64.evad.winEXE@1/0@1/0
    EGA Information: Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 1
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Unable to launch sample, stop analysis
    • Corrupt sample or wrongly selected analyzer. Details: The %1 application cannot be run in Win32 mode.
    • Exclude process from analysis (whitelisted): dllhost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 40.119.6.228
    • Excluded domains from analysis (whitelisted): twc.trafficmanager.net
    • Execution Graph export aborted for target SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe, PID 5944 because there are no executed functions
    No simulations
    No context
    No created / dropped files found
    File type: PE32 executable (native) Intel 80386, for MS Windows
    Entropy (8bit): 7.218058874585358
    TrID:
    • Win32 Device Driver (generic) (12004/3) 66.44%
    • Clipper DOS Executable (2020/12) 11.18%
    • Generic Win/DOS Executable (2004/3) 11.09%
    • DOS Executable Generic (2002/1) 11.08%
    • VXD Driver (31/22) 0.17%
    File name: SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe
    File size: 354'664 bytes
    MD5: e26159f3d33e0a7e087881e92b9959af
    SHA1: 33c2dd43cc789069948a19237cc7708ac5586524
    SHA256: 4aa9e283503100fe94c6516eca4ee0e3f7293a82f782412dfaca3409959d15d9
    SHA512: 4a19cf8282461d491e1ebdeff4f554dcfefaecd47e08c3c78022ffa6399b5e4491c0142611e6a6687d739a8e685346aee8bb67e1c3052a26a837581626ff187d
    SSDEEP: 6144:qwjZBZHzhRvCCM5wBvbuV523wq6txm1XtCBofHBy4LzYfw1UF:hjZ7vLMKVZwHK1XQCfHByo+weF
    TLSH: 6774D1E273F4D405F050CBB4948A4F122F79B97113A8E64EE9405B4EE973A92A321F5F
    File Content Preview: MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$......................................................................................................................................
    Icon Hash: 00928e8e8686b000
    Entrypoint: 0x1048c
    Entrypoint Section: INIT
    Digitally signed: false
    Imagebase: 0x10000
    Subsystem: native
    Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    DLL Characteristics: NO_SEH
    Time Stamp: 0x45B458CE [Mon Jan 22 06:25:18 2007 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major: 5
    OS Version Minor: 0
    File Version Major: 5
    File Version Minor: 0
    Subsystem Version Major: 5
    Subsystem Version Minor: 0
    Import Hash: eedca3cd4d5f133b3c1ec5535d19ee00
    Instruction
    push ebp
    mov ebp, esp
    sub esp, 24h
    mov eax, dword ptr [ebp+0Ch]
    and dword ptr [ebp-20h], 00000000h
    and dword ptr [ebp-14h], 00000000h
    and dword ptr [ebp-10h], 00000000h
    mov dword ptr [ebp-1Ch], eax
    lea eax, dword ptr [ebp-24h]
    push eax
    push 000F003Fh
    lea eax, dword ptr [ebp+0Ch]
    push eax
    mov dword ptr [ebp-04h], 00000004h
    mov dword ptr [ebp-24h], 00000018h
    mov dword ptr [ebp-18h], 00000040h
    call dword ptr [00010404h]
    test eax, eax
    jl 00007F99011F44E8h
    push 00010480h
    lea eax, dword ptr [ebp-0Ch]
    push eax
    call dword ptr [00010400h]
    push 00000004h
    lea eax, dword ptr [ebp-04h]
    push eax
    push 00000004h
    push 00000000h
    lea eax, dword ptr [ebp-0Ch]
    push eax
    push dword ptr [ebp+0Ch]
    call dword ptr [00010408h]
    xor eax, eax
    leave
    retn 0008h
    and al, 05h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    push 00000005h
    add al, 00h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ebp+eax+00h], al
    add byte ptr [ebp+eax+00h], bl
    add byte ptr [00000000h+eax], dh
    add byte ptr [eax], al
    imul eax, dword ptr [edx+ebx*2], 77h
    push ebx
    je 00007F99011F4519h
    popad
    insb
    jne 00007F99011F4527h
    dec ebx
    jns 00007F99011F44C3h
    add dx, word ptr [edx+74h]
    insb
    dec ecx
    outsb
    imul esi, dword ptr [ebp+edx*2+6Eh], 646F6369h
    Data directories
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4fc | 0x28 | INIT
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x580 | 0x10 | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x410 | 0x1c | .rdata
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x400 | 0x10 | .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

    Sections
    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .rdata | 0x400 | 0x6d | 0x80 | False | 0.4453125 | data | 2.2580921893730874 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
    INIT | 0x480 | 0xf6 | 0x100 | False | 0.78515625 | data | 4.643726141333676 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .reloc | 0x580 | 0x18 | 0x80 | False | 0.203125 | GLS_BINARY_LSB_FIRST | 0.5274741106746463 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

    Imports
    DLL | Import
    ntoskrnl.exe | RtlInitUnicodeString, ZwOpenKey, ZwSetValueKey


    UDP packets
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Dec 29, 2023 01:13:05.953843117 CET | 57035 | 53 | 192.168.2.7 | 1.1.1.1

    DNS queries
    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
    Dec 29, 2023 01:13:05.953843117 CET | 192.168.2.7 | 1.1.1.1 | 0x7d07 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false

    DNS answers
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Dec 29, 2023 01:13:06.075613022 CET | 1.1.1.1 | 192.168.2.7 | 0x7d07 | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
    Target ID: 0
    Start time: 01:12:59
    Start date: 29/12/2023
    Path: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe
    Wow64 process (32bit): false
    Commandline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe
    Imagebase: 0x10000
    File size: 354'664 bytes
    MD5 hash: E26159F3D33E0A7E087881E92B9959AF
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: low
    Has exited: true

    Non-executed Functions

    APIs
    • ZwOpenKey.NTOSKRNL.EXE(?,000F003F,?), ref: 000104C6
    • RtlInitUnicodeString.NTOSKRNL.EXE(?,Start), ref: 000104D9
    • ZwSetValueKey.NTOSKRNL.EXE(?,?,00000000,00000004,00000004,00000004), ref: 000104F0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1257327227.0000000000010000.00000080.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_SecuriteInfo.jbxd
    Similarity
    • API ID: Key.$InitOpenString.UnicodeValue
    • String ID: @$Start
    • API String ID: 2997323011-3720372401
    • Opcode ID: 38dba06937b8f3f742bf14534eb9bcc898be011ef6f7131621eae653b66d1740
    • Instruction ID: ce41d662631763182704d6583f6a8b28c0c9f0474f597d1ea171edb8188ad3f1
    • Opcode Fuzzy Hash: 38dba06937b8f3f742bf14534eb9bcc898be011ef6f7131621eae653b66d1740
    • Instruction Fuzzy Hash: AF01B6F191020DAFEB00DF90C989BEEB7BCAB08715F508015F751FA191D7B89A48CBA5
    Uniqueness

    Uniqueness Score: -1.00%