Windows Analysis Report
SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe
Analysis ID: 1446237
MD5: 64f3e14650cfa8ad34d2bf90cd41e082
SHA1: 0d82a34f554342d30bea3fa21ebd7ec8e1fc395c
SHA256: 12f0f76abdf6223e604587f961c1aa9a5d423c38f2f807bc42b148861414c691
Tags: exe

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Creates a process in suspended mode (likely to inject code)
Drops PE files
Entry point lies outside standard sections
Found evasive API chain (may stop execution after checking a module file name)
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Sigma detected: Use Short Name Path in Command Line
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files

AV Detection

Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Avira: detection malicious, Label: TR/Bublik.vdmcq
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe ReversingLabs: Detection: 73%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: Z:\Projects\Loader\Release\Loader.pdb source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe, SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe, 00000000.00000002.1292308298.0000000001630000.00000040.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe, 00000000.00000002.1292336763.000000000165E000.00000004.00000020.00020000.00000000.sdmp, hcbnaf.exe, hcbnaf.exe, 0000000A.00000002.1351512511.000000000097E000.00000004.00000020.00020000.00000000.sdmp, hcbnaf.exe, 0000000A.00000002.1351710808.0000000000A80000.00000040.00001000.00020000.00000000.sdmp

Networking

Source: Traffic Snort IDS: 2826825 ETPRO TROJAN DNS Query for known malicious URL thisaintpc .com 192.168.2.7:63921 -> 1.1.1.1:53
Source: unknown DNS traffic detected: query: thisaintpc.com replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Code function: 0_2_01631000 EntryPoint,GetModuleHandleW,ExitProcess,HeapCreate,HeapAlloc,HeapAlloc,HeapAlloc,GetModuleFileNameW,GetTempPathW,wsprintfW,CreateFileW,GetFileSize,lstrlenW,lstrlenW,RtlAllocateHeap,ReadFile,lstrcmpW,lstrlenW,CreateFileW,lstrlenW,WriteFile,CloseHandle,FindCloseChangeNotification,CloseHandle,GetTempPathW,ShellExecuteW,CloseHandle,DeleteFileW,InternetOpenW,InternetConnectW,HttpOpenRequestW,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,HttpQueryInfoW,HeapAlloc,InternetReadFile,CreateFileW,WriteFile,CloseHandle,GetCurrentDirectoryW,wsprintfW, 0_2_01631000
Source: global traffic DNS traffic detected: DNS query: thisaintpc.com
Source: hcbnaf.exe, 0000000A.00000002.1351512511.00000000009C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://thisaintpc.com/
Source: hcbnaf.exe, 0000000A.00000002.1351512511.00000000009C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://thisaintpc.com/Y
Source: hcbnaf.exe, 0000000A.00000002.1351512511.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://thisaintpc.com/downloads/tehb.exe
Source: hcbnaf.exe, 0000000A.00000002.1351512511.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://thisaintpc.com/downloads/tehb.exew
Source: hcbnaf.exe, 0000000A.00000002.1351512511.00000000009C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://thisaintpc.com/o

System Summary

Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Static PE information: section name: .k+g
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Static PE information: section name: .IQ"
Source: hcbnaf.exe.0.dr Static PE information: section name: .k+g
Source: hcbnaf.exe.0.dr Static PE information: section name: .IQ"
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Static PE information: Number of sections : 11 > 10
Source: hcbnaf.exe.0.dr Static PE information: Number of sections : 11 > 10
Source: classification engine Classification label: mal92.winEXE@3/1@1/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe File created: C:\Users\user~1\AppData\Local\Temp\hcbnaf.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Process created: C:\Users\user\AppData\Local\Temp\hcbnaf.exe "C:\Users\user~1\AppData\Local\Temp\hcbnaf.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Static file information: File size 6920232 > 1048576
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Static PE information: Raw size of .K0f is bigger than: 0x100000 < 0x695200
Source: initial sample Static PE information: section where entry point is pointing to: .K0f
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Static PE information: real checksum: 0x6a504a should be: 0x6a46b4
Source: hcbnaf.exe.0.dr Static PE information: real checksum: 0x6a504a should be: 0x6a635f
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Static PE information: section name: .k+g
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Static PE information: section name: .4kl
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Static PE information: section name: .htext
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Static PE information: section name: .jhn
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Static PE information: section name: .IQ"
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Static PE information: section name: .K0f
Source: hcbnaf.exe.0.dr Static PE information: section name: .k+g
Source: hcbnaf.exe.0.dr Static PE information: section name: .4kl
Source: hcbnaf.exe.0.dr Static PE information: section name: .htext
Source: hcbnaf.exe.0.dr Static PE information: section name: .jhn
Source: hcbnaf.exe.0.dr Static PE information: section name: .IQ"
Source: hcbnaf.exe.0.dr Static PE information: section name: .K0f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe File created: C:\Users\user\AppData\Local\Temp\hcbnaf.exe (dropped file)

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Memory written: PID: 2408 base: FE0005 value: E9 8B 2F 78 76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Memory written: PID: 2408 base: 77762F90 value: E9 7A D0 87 89
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Memory written: PID: 2408 base: FF0005 value: E9 2B BA 73 76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Memory written: PID: 2408 base: 7772BA30 value: E9 DA 45 8C 89
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Memory written: PID: 2408 base: 1450008 value: E9 8B 8E 32 76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Memory written: PID: 2408 base: 77778E90 value: E9 80 71 CD 89
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Memory written: PID: 2408 base: 1470005 value: E9 8B 4D 5C 74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Memory written: PID: 2408 base: 75A34D90 value: E9 7A B2 A3 8B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Memory written: PID: 2408 base: 1480005 value: E9 EB EB 5C 74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Memory written: PID: 2408 base: 75A4EBF0 value: E9 1A 14 A3 8B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Memory written: PID: 2408 base: 1490005 value: E9 8B 8A 14 75
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Memory written: PID: 2408 base: 765D8A90 value: E9 7A 75 EB 8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Memory written: PID: 2408 base: 14A0005 value: E9 2B 02 16 75
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Memory written: PID: 2408 base: 76600230 value: E9 DA FD E9 8A
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Memory written: PID: 7224 base: 8D0005 value: E9 8B 2F E9 76
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Memory written: PID: 7224 base: 77762F90 value: E9 7A D0 16 89
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Memory written: PID: 7224 base: 8E0005 value: E9 2B BA E4 76
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Memory written: PID: 7224 base: 7772BA30 value: E9 DA 45 1B 89
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Memory written: PID: 7224 base: 8F0008 value: E9 8B 8E E8 76
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Memory written: PID: 7224 base: 77778E90 value: E9 80 71 17 89
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Memory written: PID: 7224 base: 910005 value: E9 8B 4D 12 75
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Memory written: PID: 7224 base: 75A34D90 value: E9 7A B2 ED 8A
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Memory written: PID: 7224 base: 920005 value: E9 EB EB 12 75
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Memory written: PID: 7224 base: 75A4EBF0 value: E9 1A 14 ED 8A
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Memory written: PID: 7224 base: 930005 value: E9 8B 8A CA 75
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Memory written: PID: 7224 base: 765D8A90 value: E9 7A 75 35 8A
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Memory written: PID: 7224 base: 940005 value: E9 2B 02 CC 75
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Memory written: PID: 7224 base: 76600230 value: E9 DA FD 33 8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe, 00000000.00000002.1292336763.0000000001687000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*{
Source: hcbnaf.exe, 0000000A.00000002.1351512511.000000000097E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe, 00000000.00000002.1292336763.0000000001687000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe Process information queried: ProcessInformation
No contacted IP information