Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe
Analysis ID:	1448258
MD5:	8226ddacb0b8f6acd1a90a6daf74dc14
SHA1:	60b581349c8d3bc9da9cc4320ba27f5a58ce5204
SHA256:	a568482e1742719c74fb203ca0d3230629e6bd5c37e6a40a4a568c2d6406dcc5
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

One or more processes crash

PE file does not import any functions

Uses 32bit PE files

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe" MD5: 8226DDACB0B8F6ACD1A90A6DAF74DC14)

WerFault.exe (PID: 6428 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6600 -s 232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.9% probability

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe	String found in binary or memory: http://www.clamav.net

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe	Code function: 0_2_0040190E		0_2_0040190E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe	Code function: 0_2_004015E7		0_2_004015E7

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6600 -s 232

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe

Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal52.winEXE@2/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6600

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4ff1c373-43fd-4f13-8c6d-3c84a0594832

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6600 -s 232

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe

Section loaded: apphelp.dll

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe

Code function: 0_2_00401E72 EntryPoint,LdrInitializeThunk,

0_2_00401E72

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe	18%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.clamav.net	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.clamav.net	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.3.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1448258
Start date and time:	2024-05-28 06:36:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe
Detection:	MAL
Classification:	mal52.winEXE@2/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe

Simulations

Behavior and APIs

Time	Type	Description
00:37:19	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_41c6a414123ddcc8329c1b2cdc5ca2d6c7dc1ea_32c75163_aecd7862-2cd3-4077-bb0a-d6b971afafdb\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6838409274543426
Encrypted:	false
SSDEEP:	96:hLFSM3d3E+zTEV+eEyjs2E9hMyoI7JfdQXIDcQvc6QcEVcw3cE/DE/Ez+HbHg6Z1:tImdvq9j90BU/wjEzuiF5Z24IO8L
MD5:	C483DA02AD53A141640884A4947712EF
SHA1:	0086D45C9D2F68956302658834871B3E4D85AB76
SHA-256:	9ED3430CAE01BF13DDBD568A32669C2F6774F5F355C6CB0EAE7738DE8529E4D2
SHA-512:	A21638E14963852044D41358C7A393C8B5B36C6F3AC7486D1C10477049963FC766CB6126A56407470D4435943E119727AE9BDB2303B871C00CC25906A4CBEF0D
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.3.4.4.6.2.6.7.2.5.2.1.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.3.4.4.6.2.7.1.0.0.2.0.6.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.e.c.d.7.8.6.2.-.2.c.d.3.-.4.0.7.7.-.b.b.0.a.-.d.6.b.9.7.1.a.f.a.f.d.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.b.1.4.8.d.3.a.-.7.f.0.0.-.4.a.6.7.-.b.9.2.c.-.4.f.7.1.2.0.0.9.e.5.3.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.3.2...X.p.a.c.k...E...g.e.n...E.l.d.o.r.a.d.o...2.3.6.8.2...9.6.7.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.c.8.-.0.0.0.1.-.0.0.1.4.-.3.e.f.a.-.a.1.b.1.b.8.b.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.f.5.1.d.e.3.1.3.5.f.3.3.7.8.8.c.b.c.4.a.1.e.9.0.0.1.b.f.2.1.b.0.0.0.0.f.f.f.f.!.0.0.0.0.6.0.b.5.8.1.3.4.9.c.8.d.3.b.c.9.d.a.9.c.c.4.3.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC673.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue May 28 04:37:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18600
Entropy (8bit):	1.9600357385619431
Encrypted:	false
SSDEEP:	96:578sXaH1v1/qqjOIXMcEoi7nEjKGGeRTHJn9BeX6kP4JWINWIOcIQPHf7lOT:a9C8OEeGGO7d7eKkPoPHf7lOT
MD5:	C259D2602E8D1EDB00794B2232BB6F8B
SHA1:	54C732FA038BB6ABD1086F2EB86152B562E9AD74
SHA-256:	ED3AF460AABE4B7054F3E6DE908E46B1E233800211CD280036B8196D766F29C1
SHA-512:	E5F1F36C683B894FA6169023A70BEA21D8CF67C9197D14DD03EC907E842CE7176B5CE8FE538E9865D6991796856CDF656B270E94A921C9BD021581D5A214EE21
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......r_Uf............4...............<.......d...............T.......8...........T................?......................................................................................................eJ......L.......GenuineIntel............T...........r_Uf.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6C2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8490
Entropy (8bit):	3.707575920503669
Encrypted:	false
SSDEEP:	192:R6l7wVeJPy6PdFx6YEICSU9aggmfyCxfprr89b/Dsf06n1m:R6lXJa6PdD6YENSU9aggmffo/ofS
MD5:	D45E33A0195B712FE472601998C6021C
SHA1:	B90F43A7A9A26C2FF16D7F0CC9CCB49733107158
SHA-256:	0BD5CC1F6E4812BF8636C8507E7C6E802A25235F9225E7AE7020F105B3319363
SHA-512:	254E4008F71222AA6AE70209FBA7AC7431CA72CE70A56FF9DD36AF03E0E7D2BC06B0001D2837AAE1BEDF554ACF5A7CBBFF8158671FC745ECE6A352672B7F6428
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC702.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4829
Entropy (8bit):	4.582634434001029
Encrypted:	false
SSDEEP:	48:cvIwWl8zs9Jg77aI9vcWpW8VYqYm8M4JSgFzG+q8ZD3Te/3f+5Xd:uIjfXI7hV7V2J9G63Cff+5Xd
MD5:	6B0CF7E4EA6CD39A5CBD1E8380F44487
SHA1:	E2612381D3A802F971F2FB2CA7C6AD8BB45EA8A5
SHA-256:	96B8B7DD96C0BC5A96189B2886079292C340F2480120AE85FAAFE45174800AB8
SHA-512:	FB764EF97BD99062FA145D72350521FBBD98CE04A80D17A2D91DA11997F244A1D20C5844308AD2FE25BFC810C3E58E0D70CFFA8E31115E4C421E1004BBEE8130
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="342459" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4217680133774895
Encrypted:	false
SSDEEP:	6144:CSvfpi6ceLP/9skLmb0OT5WSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:RvloT5W+EZMM6DFyk03w
MD5:	D14BC5EC8073E76F72C1E5017455AE94
SHA1:	BF0ED85614CF78F00868702B86D27CFB698E8677
SHA-256:	2EAE7D81A196591E2628EC7E338A70D8E52C5529E63EA25AECE598CBB00FA1F0
SHA-512:	5499E248DB3FBD922323E5C2E0A5D5E8F1123CA2C2E3BD8CB8AC8596265D8DB7FFDD019FDFF6E5DD1B73877C071ECDAEB1640230D2E60B29AD0B626440470BB0
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.W..................................................................................................................................................................................................................................................................................................................................................-.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.158713102167987
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe
File size:	200'704 bytes
MD5:	8226ddacb0b8f6acd1a90a6daf74dc14
SHA1:	60b581349c8d3bc9da9cc4320ba27f5a58ce5204
SHA256:	a568482e1742719c74fb203ca0d3230629e6bd5c37e6a40a4a568c2d6406dcc5
SHA512:	acfcb8575999d504c85dc271fcc6960daabc60f20aa498d27666061b7008de81fe242ecaba93c8fd44cc9da2c0e327733543d3efe0e60cf2a3173a9e293ece23
SSDEEP:	3072:QDm/7RgVClKQAnvIH9I5zSK324ZfNTwI0:gmTRgVClNAnvIH9IRBfBw
TLSH:	E3147D6EC112C5ECD1E28634314667305869E7F99161B28AC7AFA4BD382D4AF23D0FD7
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM.................P..........r......

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x401e72
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push 00000000h
call 00007F2BB29B0FAAh
mov dword ptr [00408ECFh], eax
push 0000006Ah
push eax
call 00007F2BEE9C0FAAh
mov dword ptr [00408EE7h], eax
xor eax, eax
mov ax, 0065h
push 00000000h
push 00401EADh
push 00000000h
push eax
push dword ptr [00408ECFh]
call 00007F2BBE9C0FAAh
push 00000000h
call 00007F2BAC9B0FAAh
push ebp
mov ebp, esp
add esp, FFFFFF68h
push ebx
push esi
push edi
push ebp
xor eax, eax
mov ax, word ptr [ebp+0Ch]
cmp ax, 0002h
jne 00007F2BB4880FA9h
jmp 00007F2B8A990FAAh
jmp 00007F2BB4881005h
cmp ax, 0010h
jne 00007F2BB4880FA9h
jmp 00007F2B8A990FAAh
jmp 00007F2BB4880FF8h
cmp ax, 00000111h
jne 00007F2BB4880FA9h
jmp 00007F2BAE990FAAh
jmp 00007F2BB4880FEBh
cmp ax, 00000110h
jne 00007F2BB4880FA9h
jmp 00007F2BCF9A0FAAh
jmp 00007F2BB4880FDEh
cmp ax, 000Fh
jne 00007F2BB4880FA9h
jmp 00007F2BF6990FAAh
jmp 00007F2BB4880FD1h
cmp ax, 00000138h
jne 00007F2BB4880FA6h
jmp 00007F2BB4880FD3h
jmp 00007F2BB4880FC7h
cmp ax, 00000136h
jne 00007F2BB4880FA9h
jmp 00007F2B48970FAAh
jmp 00007F2BB4880FBAh
cmp ax, 00000133h
jne 00007F2BB4880FA9h
jmp 00007F2B7A970FAAh
jmp 00007F2BB4880FADh
cmp ax, 002Bh
jne 00007F2BB4880FA7h
jmp 00007F2BB9980FAAh
xor eax, eax
pop ebp
pop edi
pop esi
pop ebx
leave
retn 0010h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6d80	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9000	0x27858	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6000	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5000	0x5000	6314f8061d4b324367f24969fef3c2f0	False	0.494482421875	data	6.113811895386132	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6000	0x2000	0x2000	083e4cd81f7f9ee5c57488434856b5f7	False	0.245849609375	data	2.528557545569208	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x8000	0x1000	0x1000	fa8272a007a97e2fbc2613135a69f1a9	False	0.35546875	data	4.097524704616555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x9000	0x28000	0x28000	ced2fbc0556a8f21f80ba76dafecbaa6	False	0.39296875	data	5.004028779434402	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exePID: 6600, Parent PID: 1028

General

Target ID:	0
Start time:	00:37:06
Start date:	28/05/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe"
Imagebase:	0x400000
File size:	200'704 bytes
MD5 hash:	8226DDACB0B8F6ACD1A90A6DAF74DC14
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6428, Parent PID: 6600

General

Target ID:	3
Start time:	00:37:06
Start date:	28/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6600 -s 232
Imagebase:	0x7d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exePID: 6600, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	2
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401E72 Relevance: 1.6, APIs: 1, Instructions: 87
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 00401E74

Memory Dump Source

Source File: 00000000.00000002.2184084560.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2184055781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184110335.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184125673.0000000000408000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184140802.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184140802.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1ccf180ae0e661584f6c1444838e9439597a9049cf3b063110e3033873a064b8
Instruction ID: 899ca4c68f11c272d544ad445f210b07d30d1d4ccd3a4efe2e107a9aa2aaa709
Opcode Fuzzy Hash: 1ccf180ae0e661584f6c1444838e9439597a9049cf3b063110e3033873a064b8
Instruction Fuzzy Hash: 8621D335A28206A5DF30AB79DD01BAF3651E750B71F404B33E970F01F4DBB9499285AE

Non-executed Functions

Function 004015E7 Relevance: 2.7, Strings: 2, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3333, xrefs: 004017D6
3333, xrefs: 00401625

Memory Dump Source

Source File: 00000000.00000002.2184084560.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2184055781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184110335.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184125673.0000000000408000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184140802.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184140802.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 3333$3333
API String ID: 0-1524365199
Opcode ID: 700d2dd0150ac8d540287fca2a18572666203227f89e6b88d1a990bca23eb7f6
Instruction ID: 5130a048f01f4abbc55f211897e241e366b9e71e688df7df1181825fcf70b19f
Opcode Fuzzy Hash: 700d2dd0150ac8d540287fca2a18572666203227f89e6b88d1a990bca23eb7f6
Instruction Fuzzy Hash: EC515E33B615240BE74CCE6E9C4111663D3ABC836031FC639DE5AEB295E9B4ED2396C4

Function 0040190E Relevance: .2, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2184084560.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2184055781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184110335.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184125673.0000000000408000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184140802.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184140802.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01eddaa6512a551407d988d8b2230ba911bc53bb30c3b00d91c541813f87162b
Instruction ID: 066a13f26bf6f3b5ebc720046df87bcef7594361944eb841f1117ff8a7e22bbd
Opcode Fuzzy Hash: 01eddaa6512a551407d988d8b2230ba911bc53bb30c3b00d91c541813f87162b
Instruction Fuzzy Hash: 3851E7B2D00259ABCB10DFA9CC85DEF7BB8AF45320F050A6BE964A72D1D6349945C7D0

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_41c6a414123ddcc8329c1b2cdc5ca2d6c7dc1ea_32c75163_aecd7862-2cd3-4077-bb0a-d6b971afafdb\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC673.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6C2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC702.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exePID: 6600, Parent PID: 1028

General

Chronological Activities

Analysis Process: WerFault.exePID: 6428, Parent PID: 6600

General

Chronological Activities

Disassembly

Windows Analysis Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.23682.9672.exe

Function 00401E72 Relevance: 1.6, APIs: 1, Instructions: 87
libraryCOMMON

Function 004015E7 Relevance: 2.7, Strings: 2, Instructions: 208
COMMON

Function 0040190E Relevance: .2, Instructions: 169
COMMON