Windows Analysis Report
SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe

Overview

General Information

Sample name: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe
Analysis ID: 1447452
MD5: ae09f3510f52dfc175d014de7d3aa667
SHA1: 7c9f7581d246cb08a5f7f0fdd5af8974f9f9faf8
SHA256: 4f948480805fd39934d7f27be3bb892961595687094da5dd863722d508e04314
Tags: exe
Infos:

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\gegen\Desktop\rip\insonew\x64\Debug\insonew.pdb source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe
Source: Binary string: C:\Users\gegen\Desktop\rip\insonew\x64\Debug\insonew.pdb%% source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe String found in binary or memory: https://dash.insolence.online/
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Code function: 0_2_00007FF715BD53F0 0_2_00007FF715BD53F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Code function: 0_2_00007FF715BD136B 0_2_00007FF715BD136B
Source: classification engine Classification label: clean3.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2852:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe "C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Section loaded: msvcp140d.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Section loaded: vcruntime140_1d.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Section loaded: vcruntime140d.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Section loaded: ucrtbased.dll Jump to behavior
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\gegen\Desktop\rip\insonew\x64\Debug\insonew.pdb source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe
Source: Binary string: C:\Users\gegen\Desktop\rip\insonew\x64\Debug\insonew.pdb%% source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe
PE file contains sections with non-standard names
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Static PE information: section name: .textbss
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Static PE information: section name: .msvcjmc
Source: SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Static PE information: section name: .00cfg
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Code function: 0_2_00007FF715BD1370 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF715BD1370
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Code function: 0_2_00007FF715BD58A0 VirtualQuery,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_00007FF715BD58A0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Code function: 0_2_00007FF715BD3870 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF715BD3870
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Code function: 0_2_00007FF715BD1285 SetUnhandledExceptionFilter, 0_2_00007FF715BD1285
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Code function: 0_2_00007FF715BD1370 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF715BD1370
Source: C:\Users\user\Desktop\SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe Code function: 0_2_00007FF715BD45E0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF715BD45E0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1447452 Sample: SecuriteInfo.com.PossibleTh... Startdate: 25/05/2024 Architecture: WINDOWS Score: 3 5 SecuriteInfo.com.PossibleThreat.PALLASNET.H.31417.27596.exe 1 2->5         started        process3 7 conhost.exe 5->7         started       
No contacted IP infos