Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe
Analysis ID:	1381672
MD5:	6cb9581e342b238db72842250c54ca93
SHA1:	7ebd2c14eeda75f8105cb8c552ce727678ae2e9e
SHA256:	1cb2c29c3d84ad7ca883067bf95fe8060252662a77609eaf0f34e158ed8bd7cf
Tags:	exe
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe (PID: 7532 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe MD5: 6CB9581E342B238DB72842250C54CA93)

tmp5E09.tmp.exe (PID: 7660 cmdline: "C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe" MD5: 3652E37BD7858716F902B7E6F69C7C71)

tmp6926.tmp.exe (PID: 7716 cmdline: "C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe" MD5: 339C419FED9E4C7D02BD9548F7F97A61)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Virustotal: Detection: 32%

Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: tmp5E09.tmp.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: tmp5E09.tmp.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: tmp5E09.tmp.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: tmp5E09.tmp.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: tmp5E09.tmp.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: tmp5E09.tmp.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: tmp5E09.tmp.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: tmp5E09.tmp.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0$
Source: tmp5E09.tmp.exe.0.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: tmp5E09.tmp.exe.0.dr	String found in binary or memory: http://s.symcd.com06
Source: tmp6926.tmp.exe, 00000003.00000002.2619290771.0000000002861000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tmp5E09.tmp.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: tmp5E09.tmp.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: tmp5E09.tmp.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: tmp5E09.tmp.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: tmp5E09.tmp.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: tmp5E09.tmp.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: tmp5E09.tmp.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Code function: 0_2_00007FFB4B1404A0	0_2_00007FFB4B1404A0
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Code function: 2_2_00007FFB4B1452DD	2_2_00007FFB4B1452DD
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Code function: 3_2_00007FFB4B150845	3_2_00007FFB4B150845
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Code function: 3_2_00007FFB4B157C4D	3_2_00007FFB4B157C4D
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Code function: 3_2_00007FFB4B15877D	3_2_00007FFB4B15877D
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Code function: 3_2_00007FFB4B155E57	3_2_00007FFB4B155E57
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Code function: 3_2_00007FFB4B151886	3_2_00007FFB4B151886
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Code function: 3_2_00007FFB4B15567A	3_2_00007FFB4B15567A
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Code function: 3_2_00007FFB4B1564CC	3_2_00007FFB4B1564CC
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Code function: 3_2_00007FFB4B156B05	3_2_00007FFB4B156B05

Source: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe, 00000000.00000000.1365927005.00000000001D8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDroper.exe@ vs SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe
Source: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe, 00000000.00000002.1410815421.0000000012596000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJNaNURIK.exe2 vs SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe
Source: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Binary or memory string: OriginalFilenameDroper.exe@ vs SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Source: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal72.evad.winEXE@5/4@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp

Jump to behavior

Source: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Virustotal: Detection: 32%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe "C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe "C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe "C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe "C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Static file information: File size 1269760 > 1048576

Source: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x117600

Source: tmp5E09.tmp.exe.0.dr

Static PE information: 0x9C523AC4 [Sat Feb 8 13:38:12 2053 UTC]

Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Code function: 2_2_00007FFB4B143E8D pushad ; retf	2_2_00007FFB4B143ED9
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Code function: 2_2_00007FFB4B143ED3 pushad ; retf	2_2_00007FFB4B143ED9
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Code function: 2_2_00007FFB4B1416F2 push FFFFFFE8h; ret	2_2_00007FFB4B1416F9
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Code function: 2_2_00007FFB4B147569 push ebx; iretd	2_2_00007FFB4B14756A
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Code function: 2_2_00007FFB4B147969 push ebx; retf	2_2_00007FFB4B14796A
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Code function: 3_2_00007FFB4B1542C9 pushad ; retf	3_2_00007FFB4B1542CA
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Code function: 3_2_00007FFB4B1542D9 pushad ; retf	3_2_00007FFB4B1542DA
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Code function: 3_2_00007FFB4B15C145 pushad ; ret	3_2_00007FFB4B15C15D

Source: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Static PE information: section name: .text entropy: 7.979108213857573
Source: tmp6926.tmp.exe.0.dr	Static PE information: section name: .text entropy: 7.259852083636164

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	File created: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	File created: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe			Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe TID: 7596	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe TID: 7684	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: tmp5E09.tmp.exe, 00000002.00000000.1397307385.0000000000912000.00000002.00000001.01000000.00000008.sdmp, tmp5E09.tmp.exe.0.dr	Binary or memory string: GiHGfsBdHdlnqpuSioQh
Source: tmp5E09.tmp.exe.0.dr	Binary or memory string: FuDsCJcrUVERVJVVmCIACWJUlLWv

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe "C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe"			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe "C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe"			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	211 Windows Management Instrumentation	Path Interception	11 Process Injection	1 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	131 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	113 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	32%	Virustotal		Browse
SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	100%	Avira	TR/Dropper.MSIL.Gen
SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	URL Reputation	safe
http://ocsp.sectigo.com0$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	tmp5E09.tmp.exe.0.dr	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	tmp5E09.tmp.exe.0.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	tmp5E09.tmp.exe.0.dr	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	tmp5E09.tmp.exe.0.dr	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	tmp5E09.tmp.exe.0.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	tmp6926.tmp.exe, 00000003.00000002.2619290771.0000000002861000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	tmp5E09.tmp.exe.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.com0$	tmp5E09.tmp.exe.0.dr	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	39.0.0 Ruby
Analysis ID:	1381672
Start date and time:	2024-01-26 14:58:41 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe
Detection:	MAL
Classification:	mal72.evad.winEXE@5/4@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe, PID 7532 because it is empty
Execution Graph export aborted for target tmp5E09.tmp.exe, PID 7660 because there are no executed function
Execution Graph export aborted for target tmp6926.tmp.exe, PID 7716 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	434
Entropy (8bit):	5.383282394444275
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp151KDLI4MN5I/k1Bv:ML9E4KQ71qE4GIsD
MD5:	00930768B2E044245AC5529BC4F2FFDF
SHA1:	DF262F47F31653AAE570477B12B90B2E385A8D50
SHA-256:	E0A23AC0FD66AC2AD5922D20187B374A1B7B148FF47CABB69441EB2F699008C8
SHA-512:	76F371B3D2FCE707DA45DCA1755DE56BA7AC8827E5F18F900E52AEF35AEF3D42B39F656CC08A10372872BA601AFD9E6F3D930A98F92A3F9A885E9B6CBAF38ADA
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\tmp5E09.tmp.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	443
Entropy (8bit):	5.347274615985407
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1WzAbDLI4MNepQZav:ML9E4KQMsXE4Npv
MD5:	F73EF0CF34F9748349B7DC26D23369A1
SHA1:	9F1AA6A1896EE82B13E910AFF27CB179ECAA77B5
SHA-256:	6B8272C1059743AA45FBEB2E303FEFB6F591D3D374FB78252432881E38E21EFD
SHA-512:	C848DEE56D1BB8ABED56C0424879344F852BFA5147D529183A66C98BC303C225DCF5D7ADCF6B25B4946D0ED14023E0B5DB7D2A2C2789727949478DE64A4BAA13
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1307208
Entropy (8bit):	5.873922043769103
Encrypted:	false
SSDEEP:	12288:NumZYmx6T2d1UgMRaXOpuwhOWlUozEq2VTR56gyrTZgIehcGffufbt0cwBW21nRD:aMzvohfm9qWt41TZgLLffCkh+A
MD5:	3652E37BD7858716F902B7E6F69C7C71
SHA1:	63D2EADA5C57AF0393D42471E0A60528624EAA4B
SHA-256:	118A1E62E28F26EB550BE941928FB7B7A0C3F411792D3921C1445BA4787EC6FF
SHA-512:	A2340C187ACD2825158D82CF760B286EF8807476F8A4E99C16EE18F488AFF8F52A8B0BE94DE365A7A894060163141802B6730137CB62AC144D79C39722A511E4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:R..........."...0.................. ... ....@.. ....................... ............@.................................P...K.... ..................H$........................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................H........r..\........:...m...............................................W......H3.......W......3.......".(3:...".(4:...".(6:...".(7:...".(8:...".(9:...".(::...".(;:...".(<:...".(=:...".(>:...".(?:...".(@:...".(A:...".(B:...".(C:...".(D:...".(E:...".(F:...".(G:...".(H:...".(I:...".(J:...".(K:...".(L:...".(M:...".(N:...".(O:...".(P:...".(Q:...".(R:...".(S:...".(T:...".(U:...".(V:...".(W:...".(X:...".(Y:...".(Z:...".([:...".(\:...*".(]:..

C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	89088
Entropy (8bit):	7.344085021793248
Encrypted:	false
SSDEEP:	1536:ycbH4lVS+TqPZbyGiR+rjZbyGiR+rcAwoz8xQuuXwZbyGiR+rD:+vqRbydWFbydWcf6ObydWD
MD5:	339C419FED9E4C7D02BD9548F7F97A61
SHA1:	F19BD7624C1243E5D3274DA152CB552080449595
SHA-256:	8FDC4DF321D8DDB0A47DE22949C9C2DEDDC35301BBC24EB904F7B5619D38D28E
SHA-512:	29A4219C51D73CEA40D7BDE01FE03E736A40EB39640005C1E3CB6F8F33BC0D86F61C6246F64E21E19891AD1A2D3BB44ED69CF262B4FF1092970EEB03EA36D25B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o..e.....................@.......8... ........@.. ......................................................................\|8..O....@...>........................................................................... ............... ..H............text........ ...................... ..`.rsrc....>...@...>..................@..@.reloc...............Z..............@..B.................8......H.......L...0"...........................................................0.......... ...... ....\Z ....Y...b328.... ...... ....^ .. .....bZa_.@....~b.....X8.... .....@....... ....X....A....X8....... ..b._f ...._ ....@.... [D.... .... .'....`Z ....Y....bef;N...8............. .....XY._.;/... .... ....a8^... v... ...b~........Z.be_.@...... .:..;....+........X ..}..... ..........].... ....;....+........ ..z_..@^Zf...Z...ZXY .%..;.... ...... [D.. [D..;A...8.......89.......~......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.892464198615006
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe
File size:	1'269'760 bytes
MD5:	6cb9581e342b238db72842250c54ca93
SHA1:	7ebd2c14eeda75f8105cb8c552ce727678ae2e9e
SHA256:	1cb2c29c3d84ad7ca883067bf95fe8060252662a77609eaf0f34e158ed8bd7cf
SHA512:	84cc5a71ea962196ca25f4b430cc05d860944358e85139e1a44732f5412bbd1da832b869753a7e8b1e95473e8e51922bfebe81bef84f341eb1c8a8bc9c6e67b1
SSDEEP:	24576:Yc7YSTBHBa8O/bia+7aTIPcR8ZcVDnTUbGEPBRgP9ZCQdlwVXKlDGIez0l6lll:+STBHBaFDiJ7Gb+cVDnTUbGEp2P9gSl+
TLSH:	114512C02C44E6D7E52B6E3822706E3579BB6FFEBD5EF5854E9470223A33E851821493
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.................v............... ........@.. .....................................................................

File Icon


Icon Hash:	0f316ce46c71338f

Static PE Info

General

Entrypoint:	0x51940e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x65B38FB3 [Fri Jan 26 10:55:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1193b4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11a000	0x1e600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x117414	0x117600	f7bcf8ebed2128433cb0176af748fe63	False	0.98574961549217	data	7.979108213857573	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x11a000	0x1e600	0x1e600	55640ee3b6a3e5c8d40a05460d9829e1	False	0.4140625	data	5.403816544578362	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x13a000	0xc	0x200	6c66d6cbc0c77221a7d15298bd19d490	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x11a100	0x1de88	Device independent bitmap graphic, 172 x 344 x 32, image size 118336, resolution 3779 x 3779 px/m	0.4137007771174819
RT_GROUP_ICON	0x137f98	0x14	data	1.15
RT_VERSION	0x137fbc	0x37a	data	0.45393258426966293
RT_MANIFEST	0x138348	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe
• tmp5E09.tmp.exe
• tmp6926.tmp.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe
• tmp5E09.tmp.exe
• tmp6926.tmp.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe
• tmp5E09.tmp.exe
• tmp6926.tmp.exe

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exePID: 7532, Parent PID: 4084

Function Logs

General

Target ID:	0
Start time:	14:59:31
Start date:	26/01/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe
Imagebase:	0xa0000
File size:	1'269'760 bytes
MD5 hash:	6CB9581E342B238DB72842250C54CA93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Value Enumerated

Key Enumerated

Show Windows behavior

COM Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Created

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: tmp5E09.tmp.exePID: 7660, Parent PID: 7532

Function Logs

General

Target ID:	2
Start time:	14:59:34
Start date:	26/01/2024
Path:	C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe"
Imagebase:	0x910000
File size:	1'307'208 bytes
MD5 hash:	3652E37BD7858716F902B7E6F69C7C71
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Value Queried

Key Value Enumerated

Key Enumerated

Show Windows behavior

COM Activities

WMI Operations

COM Object Queried

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: tmp6926.tmp.exePID: 7716, Parent PID: 7532

Function Logs

General

Target ID:	3
Start time:	14:59:34
Start date:	26/01/2024
Path:	C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe"
Imagebase:	0x6b0000
File size:	89'088 bytes
MD5 hash:	339C419FED9E4C7D02BD9548F7F97A61
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

File Activities

File Opened

File Created

File Read

File Attributes Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exePID: 7532, Parent PID: 4084COMMON

Executed Functions

Function 00007FFB4B1404A0 Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414209827.00007FFB4B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b140000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bcce9cd30c157956e95f24a83a5955517e4eb2a01088ce5941cd6c179e5d7fd
Instruction ID: 01d25b7d2b940b6697ac6601b9010f01ff2fd5a48843eae7448db01ad1c6d1e3
Opcode Fuzzy Hash: 1bcce9cd30c157956e95f24a83a5955517e4eb2a01088ce5941cd6c179e5d7fd
Instruction Fuzzy Hash: ED2268B1A2CA664FE36CEF2CD8561B57BD1EB95310F50403ED48BC36D6DE3868168B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B141B0E Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414209827.00007FFB4B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b140000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9bbb510175c52f5b6fd0c705b4e1db6d93c9b97f00643d0f121b42e25769de3
Instruction ID: bc0c91a8a4590309de0a2469af48af87ad7b1ef5421f9a043f3c48b4739c97d6
Opcode Fuzzy Hash: f9bbb510175c52f5b6fd0c705b4e1db6d93c9b97f00643d0f121b42e25769de3
Instruction Fuzzy Hash: 83110A50A1D6E50FE36AAB3CD5546703FE1DF45711B1980F9C18DCB1B3D8449C55C782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B140E79 Relevance: .5, Instructions: 541COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414209827.00007FFB4B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b140000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b944927e46594012cb7d0920c2f448baa8954cd283d4e10c6af3ec829128addf
Instruction ID: 76331ad54e39608d03fb8ab72086231b89b3f0b1207e104ee432b43c4b1c195c
Opcode Fuzzy Hash: b944927e46594012cb7d0920c2f448baa8954cd283d4e10c6af3ec829128addf
Instruction Fuzzy Hash: BA41C3A1B2C8670BF35DAA3CC95667866C2EBD4308F288179D54EC77E7DD2CA8124B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B140650 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414209827.00007FFB4B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b140000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17187203ae9001d597b731c009c4fe17f682841c38e78bfb054c913fea046e7b
Instruction ID: d6f0faff906eaa308476f53288e5493fff35137a9192d0612cb028c6be3c0cac
Opcode Fuzzy Hash: 17187203ae9001d597b731c009c4fe17f682841c38e78bfb054c913fea046e7b
Instruction Fuzzy Hash: 9801F55291DAD10FE75ABA75596D2683FA1DF42214B0840FAD189C71E3CC4C4C80C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B140AAD Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414209827.00007FFB4B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b140000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ba37ec2f7bbf1ceca949c7af58b781d2ff897fa64ff8762ff7b4e32b3a66d0
Instruction ID: 3f232c3fcf7d82c5bf4756004c7e8f69bcc939c4cbc087e8553f3d2b7b43be01
Opcode Fuzzy Hash: e7ba37ec2f7bbf1ceca949c7af58b781d2ff897fa64ff8762ff7b4e32b3a66d0
Instruction Fuzzy Hash: 6B41E37572894D4FDB88EF3DC899A6873D2EB9831171981B9A44ECB2A3DD24DC428740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B140AC0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414209827.00007FFB4B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b140000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86c7c7494326afa435b62f279fe7af7ede85270f19254778d2e03b372629054
Instruction ID: 26cb5acaaa8f3443848e0cdc4ac117b8a5e67776fbfed69151567350cc8baf3d
Opcode Fuzzy Hash: f86c7c7494326afa435b62f279fe7af7ede85270f19254778d2e03b372629054
Instruction Fuzzy Hash: 5841D17572880D4FDB88EE3DC899A6973D2EB9D321B1981B9A44EC73A2DD34DC428740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1404A8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414209827.00007FFB4B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b140000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc1224ff109a18fc95eabd6676d727f1ecb88f0fa66b4ff277c89a2ec982d3c1
Instruction ID: 689e3554af49da4d0a09ffc4948852ebc4c75412528a4661384d9682150481f9
Opcode Fuzzy Hash: fc1224ff109a18fc95eabd6676d727f1ecb88f0fa66b4ff277c89a2ec982d3c1
Instruction Fuzzy Hash: F5410261B2C8274BF35DAB38C455A7966C2FBC4308F288179D50EC73E6DD2CA8138B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B140990 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414209827.00007FFB4B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b140000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ada742751d99b5dac8c47ffb30dc3249b10917beabfd63b5d4e0f9bfb683e2
Instruction ID: badc832f75698a0e5fc93e9d7cde3f8b2741bba09727decbcc34a01f0196c8af
Opcode Fuzzy Hash: a9ada742751d99b5dac8c47ffb30dc3249b10917beabfd63b5d4e0f9bfb683e2
Instruction Fuzzy Hash: 7621D5B5B1C8154BF75CE63DD96A27862C2EB94308F548479E50ECB3E7DD68AC42C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B140C22 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414209827.00007FFB4B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b140000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc2a06a3b7a88bd8c777ac86fd2ff604628caaf810e036e95434f5fa3de3b6c
Instruction ID: ab9c0946792b676d554f57c98258d4f117e247c398684da5cf0ea7cbde8f46a4
Opcode Fuzzy Hash: abc2a06a3b7a88bd8c777ac86fd2ff604628caaf810e036e95434f5fa3de3b6c
Instruction Fuzzy Hash: 931127A161DA9A0FE79AEB3D84582796BD1EF89155B0840FBD14CC72A3DD089C028751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1408D9 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414209827.00007FFB4B140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b140000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61eab33495157c16a32569c32b4bab28934a71b56c580b2b0e94256624f1598
Instruction ID: 7014869776b69efb598fe9e48299adc4f3e92b9b13089dc99c03d22640bb73d0
Opcode Fuzzy Hash: f61eab33495157c16a32569c32b4bab28934a71b56c580b2b0e94256624f1598
Instruction Fuzzy Hash: 29113861A1C6854FE788EB3CC8966603BD1EF49308F1840FAD14DCB2E3D919EC42CB41

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tmp6926.tmp.exePID: 7716, Parent PID: 7532COMMON

Executed Functions

Function 00007FFB4B1564CC Relevance: 7.1, Strings: 3, Instructions: 3377COMMON

Download Yara Rule

Strings

{\R, xrefs: 00007FFB4B157978
9Td,, xrefs: 00007FFB4B157504
AQ_H, xrefs: 00007FFB4B158E74

Memory Dump Source

Source File: 00000003.00000002.2620885752.00007FFB4B150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b150000_tmp6926.jbxd

Similarity

API ID:
String ID: 9Td,$AQ_H${\R
API String ID: 0-2656259752
Opcode ID: f86a1a56340fc8fddb0948c6f096e528fc327671c579c7f95e2d349b5ed01e3a
Instruction ID: 690add7a41363a0995ae7af2ba01c255662aca5b2147b3ef06ab24f5ea6b1c91
Opcode Fuzzy Hash: f86a1a56340fc8fddb0948c6f096e528fc327671c579c7f95e2d349b5ed01e3a
Instruction Fuzzy Hash: 4C536FB0A1891A8FDB94DF1CC994BA9B3F1FB98345F1485B6D00DD72A5DA34AD81CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B156B05 Relevance: 6.3, Strings: 3, Instructions: 2573COMMON

Download Yara Rule

Strings

{\R, xrefs: 00007FFB4B157978
9Td,, xrefs: 00007FFB4B157504
AQ_H, xrefs: 00007FFB4B158E74

Memory Dump Source

Source File: 00000003.00000002.2620885752.00007FFB4B150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b150000_tmp6926.jbxd

Similarity

API ID:
String ID: 9Td,$AQ_H${\R
API String ID: 0-2656259752
Opcode ID: f49c12c4e35d7c56e85857259aa0a70fb4a988688545d98eb383ea881e1e4975
Instruction ID: 8d69f72aead70ff34e95cd36add1c74046b46b2bd42a0be106a019ea43b80d2c
Opcode Fuzzy Hash: f49c12c4e35d7c56e85857259aa0a70fb4a988688545d98eb383ea881e1e4975
Instruction Fuzzy Hash: 15139671A1891E8FD798EF1CC894BA973E1FB98345F1485B9D00DC72A5DA34AD82CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B157C4D Relevance: 5.0, Strings: 2, Instructions: 2545COMMON

Download Yara Rule

Strings

Ny1,, xrefs: 00007FFB4B158758
AQ_H, xrefs: 00007FFB4B158E74

Memory Dump Source

Source File: 00000003.00000002.2620885752.00007FFB4B150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b150000_tmp6926.jbxd

Similarity

API ID:
String ID: AQ_H$Ny1,
API String ID: 0-1624604585
Opcode ID: 6413943898e08f2a11fdb0ecd7629a01230bebd638c4048942ec18d5f1d47c6b
Instruction ID: 3f910a8619cd4f9f14187808c1ce250fd57305157d4a7d8d52e409e3afc48665
Opcode Fuzzy Hash: 6413943898e08f2a11fdb0ecd7629a01230bebd638c4048942ec18d5f1d47c6b
Instruction Fuzzy Hash: 741396B1A1891D8FD798EF1CC994BA973E1FB98345F1485B9D00DC72A5DA34AD82CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B150845 Relevance: 4.8, Strings: 1, Instructions: 3549COMMON

Download Yara Rule

Strings

Z-j+, xrefs: 00007FFB4B15343D

Memory Dump Source

Source File: 00000003.00000002.2620885752.00007FFB4B150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b150000_tmp6926.jbxd

Similarity

API ID:
String ID: Z-j+
API String ID: 0-2261753604
Opcode ID: b73339a79c74795eb68d9f28d8e9451a633882b53b3f7f799fc199b2b96cba07
Instruction ID: bb2eeb9d301f4eb352196ea2fe0f1dd11a2a6fe2e224532f7d4dfd52d4cf2a52
Opcode Fuzzy Hash: b73339a79c74795eb68d9f28d8e9451a633882b53b3f7f799fc199b2b96cba07
Instruction Fuzzy Hash: A573D774E1851D8FDB98EF18C894BA9B7B1FB98304F1481E9D40EE7295DA35AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B15877D Relevance: 3.5, Strings: 1, Instructions: 2241COMMON

Download Yara Rule

Strings

AQ_H, xrefs: 00007FFB4B158E74

Memory Dump Source

Source File: 00000003.00000002.2620885752.00007FFB4B150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b150000_tmp6926.jbxd

Similarity

API ID:
String ID: AQ_H
API String ID: 0-716582138
Opcode ID: 62352cb0c2d68aed77e87d05efca1b4b5003b907bad576f000fb5007a526eafd
Instruction ID: b8476720bd43ff4ad992596ec184ec53b83c4ba0f685a712fb03a32e599fd263
Opcode Fuzzy Hash: 62352cb0c2d68aed77e87d05efca1b4b5003b907bad576f000fb5007a526eafd
Instruction Fuzzy Hash: FDF2F971A1CA494FE798EF2CC494BA977E1FB98305F1485BAD04DC72A6DE34AC42CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B155E57 Relevance: 3.5, Strings: 1, Instructions: 2212COMMON

Download Yara Rule

Strings

AQ_H, xrefs: 00007FFB4B158E74

Memory Dump Source

Source File: 00000003.00000002.2620885752.00007FFB4B150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b150000_tmp6926.jbxd

Similarity

API ID:
String ID: AQ_H
API String ID: 0-716582138
Opcode ID: e3211454ec88b04e6672d2e2618246b4937cc01cac42e56c18ba0fc4f2f08abe
Instruction ID: 4eeb1e18fe97a7c046929e0c26ffadd28452e37dcae68a8ce50442a4989757c5
Opcode Fuzzy Hash: e3211454ec88b04e6672d2e2618246b4937cc01cac42e56c18ba0fc4f2f08abe
Instruction Fuzzy Hash: 20F2FAB1A1C50A8FE798EF2CC595BB973E1FB98344F148579D04DC72A6DE34AC428B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B151886 Relevance: 2.8, Strings: 1, Instructions: 1532COMMON

Download Yara Rule

Strings

Z-j+, xrefs: 00007FFB4B15343D

Memory Dump Source

Source File: 00000003.00000002.2620885752.00007FFB4B150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b150000_tmp6926.jbxd

Similarity

API ID:
String ID: Z-j+
API String ID: 0-2261753604
Opcode ID: 898a931fadba1d45328937de0726311a590ea1c9e7015a97b52490d82c160ae1
Instruction ID: 3534f67eada96d6901fc3b7834284679a4c62c3077c313600abe35b418b58a7e
Opcode Fuzzy Hash: 898a931fadba1d45328937de0726311a590ea1c9e7015a97b52490d82c160ae1
Instruction Fuzzy Hash: FCE2B474A0891D8FDB95EF18C894BA9B7B2FF98304F1085EAD40DE7255DB35AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1564A4 Relevance: 3.0, Strings: 1, Instructions: 1770COMMON

Download Yara Rule

Strings

AQ_H, xrefs: 00007FFB4B158E74

Memory Dump Source

Source File: 00000003.00000002.2620885752.00007FFB4B150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b150000_tmp6926.jbxd

Similarity

API ID:
String ID: AQ_H
API String ID: 0-716582138
Opcode ID: a3b83f598e77e7e86b5fa989b1a502e84f9a4e9d958ef680cbc4695a0dc462d4
Instruction ID: e50abde29ee74fbd3d1c00c5bdcecbe23b244d8ff0d1c9d85d77996efdaff5db
Opcode Fuzzy Hash: a3b83f598e77e7e86b5fa989b1a502e84f9a4e9d958ef680cbc4695a0dc462d4
Instruction Fuzzy Hash: 90B2F6B171CA494FE398EE2CD495BB973D1EBA8345F04857AD04EC72A2DD35AC438B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B15AD28 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2620885752.00007FFB4B150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b150000_tmp6926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bcc14be218e7d1f2b03ecc8ff7c3bc4042df210088c5ca40f7f2f9b7e36b986
Instruction ID: 6025ef27ee1dc84f367a3811fc8b85feac40c34253fabc6225df4a62f72f4940
Opcode Fuzzy Hash: 1bcc14be218e7d1f2b03ecc8ff7c3bc4042df210088c5ca40f7f2f9b7e36b986
Instruction Fuzzy Hash: D302C87062C7858FD369DF28C495AA977E1FF89304F54847ED18EC72A2DA34AC42CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B15C405 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2620885752.00007FFB4B150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b150000_tmp6926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186110cae909de85085f1b4aeed064b5c72153c7c1b80e3d13ac96eefbfb3be2
Instruction ID: b4be37696928f607753b25f7f96700c34058da51fe100436d5b458dd872e2b85
Opcode Fuzzy Hash: 186110cae909de85085f1b4aeed064b5c72153c7c1b80e3d13ac96eefbfb3be2
Instruction Fuzzy Hash: 11B10771A1C5894FE354EF28C994AB977D2FF95308F54807AE50EC72E2DE29AC42CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B15AA5D Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2620885752.00007FFB4B150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b150000_tmp6926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d689781b0265d56a457599601e28ee3689651051c071aaa30fc17054b2cd69
Instruction ID: 86d0dac7d8a6f286a59a3aa352cdeb24cf2f824b6a5a7b1c26a87ee110d9d314
Opcode Fuzzy Hash: 82d689781b0265d56a457599601e28ee3689651051c071aaa30fc17054b2cd69
Instruction Fuzzy Hash: 6A816AB192D6858FE35AEF24C855E643BE0EF46304F2481FEC18DC71A2DA28AC47C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B15B25F Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2620885752.00007FFB4B150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b150000_tmp6926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c843b2d4d95240dd570719c0d37b47a02fbd559e27f0f1e98a024c7f7243c7
Instruction ID: 58d1ee4da07b06585fffc3598efa6b0788e063a664d8b9c0d7133b364c64cf5e
Opcode Fuzzy Hash: 01c843b2d4d95240dd570719c0d37b47a02fbd559e27f0f1e98a024c7f7243c7
Instruction Fuzzy Hash: 8F31E4A191D6C58FE347AB38D8649787FE1EF43214B1980EBC089CB0A7DA296847C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B153B98 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2620885752.00007FFB4B150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b150000_tmp6926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f72372f5f9c8c79551fdcf70974f49b97b05a3906f49c269b54494f3b6790d
Instruction ID: 2e342b94de4cf95c256d14a5eb653db23aef9e40a75d8723986321ba66887be5
Opcode Fuzzy Hash: 31f72372f5f9c8c79551fdcf70974f49b97b05a3906f49c269b54494f3b6790d
Instruction Fuzzy Hash: EBD0234191CC180BA7A4BDFC21551FC9480CB54010B8004BDC20CD1291DC8D1CC10386

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\tmp5E09.tmp.exe.log

C:\Users\user\AppData\Local\Temp\tmp5E09.tmp.exe

C:\Users\user\AppData\Local\Temp\tmp6926.tmp.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exePID: 7532, Parent PID: 4084

General

File Activities

Windows Analysis Report
SecuriteInfo.com.Trojan.TR.Dropper.MSIL.Gen.4896.2923.exe