Windows Analysis Report
SecuriteInfo.com.Riskware.Application.32484.16969.exe

Overview

General Information

Sample name: SecuriteInfo.com.Riskware.Application.32484.16969.exe
Analysis ID: 1467926
MD5: 0c4ff697bf8bee358d876a64d19ab643
SHA1: d99a8bf2aaa11c7a89dd40bd485f5b2f570af1d4
SHA256: eaef7bca8697e9832e378f4afedf3504b1c72826514602a1d43eb4bfd0871532
Tags: exe

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect debuggers (CloseHandle check)
Tries to evade analysis by executing a special instruction (VM detection)
Checks if the current process is being debugged
Creates files inside the system directory
Entry point lies outside standard sections
PE file contains sections with non-standard names
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe ReversingLabs: Detection: 29%
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe Virustotal: Detection: 21%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

System Summary

Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe Static PE information: section name: .ro#
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe Static PE information: section name: .<G^
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe Static PE information: section name: .[wS
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe File created: C:\Windows\license.id
Source: classification engine Classification label: mal84.evad.winEXE@2/2@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe "C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Section loaded: cryptbase.dll
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe Static file information: File size 18314240 > 1048576
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe Static PE information: Raw size of .[wS (0x113e600) is bigger than 0x100000
Source: initial sample Static PE information: section where entry point is pointing to: .[wS
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe Static PE information: section name: _RDATA
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe Static PE information: section name: .ro#
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe Static PE information: section name: .<G^
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe Static PE information: section name: .[wS
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Code function: 0_3_0000019DE5714567 push es; iretd 0_3_0000019DE5714602
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Code function: 0_3_0000019DE5712001 push es; ret 0_3_0000019DE5712080

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Memory written: PID: 5640 base: 7FF8C8A50008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Memory written: PID: 5640 base: 7FF8C88ED9F0 value: E9 20 26 16 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Memory written: PID: 5640 base: 7FF8C8A6000D value: E9 BB CB EB FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Memory written: PID: 5640 base: 7FF8C891CBC0 value: E9 5A 34 14 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Memory written: PID: 5640 base: 7FF8C8A70005 value: E9 CB 05 E5 FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Memory written: PID: 5640 base: 7FF8C88C05D0 value: E9 3A FA 1A 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Memory written: PID: 5640 base: 7FF8C8A80005 value: E9 9B 07 DF FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Memory written: PID: 5640 base: 7FF8C88707A0 value: E9 6A F8 20 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Memory written: PID: 5640 base: 7FF8C6F40007 value: E9 AB 11 E0 FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Memory written: PID: 5640 base: 7FF8C6D411B0 value: E9 5E EE 1F 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Memory written: PID: 5640 base: 7FF8C7010006 value: E9 BB 7F D0 FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Memory written: PID: 5640 base: 7FF8C6D17FC0 value: E9 4C 80 2F 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Memory written: PID: 5640 base: 7FF8C6560007 value: E9 CB E3 E3 FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Memory written: PID: 5640 base: 7FF8C639E3D0 value: E9 3E 1C 1C 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Memory written: PID: 5640 base: 7FF8C6570006 value: E9 AB 4D D3 FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Memory written: PID: 5640 base: 7FF8C62A4DB0 value: E9 5C B2 2C 00
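The sixteen 5-byte writes above are all E9 xx xx xx xx, i.e. x86-64 "jmp rel32" patches, and they come in pairs: one jump overwrites a function prologue in a loaded module and diverts into a fresh page, the other sits near the start of that page and jumps back a few bytes past the patched prologue. The script below is an added example (it is not part of the Joe Sandbox report and not the sample's own code) that decodes each rel32 displacement and re-pairs the hook with its return jump, so a triager can confirm the inline-hook-plus-trampoline reading from the report alone. The input is a constructed copy of the records above; the pairing rule assumes, as inferred from these records and not stated by the sandbox, that the stolen prologue bytes are copied to the start of the detour page.

```python
import re
import struct

# Constructed input: the sixteen "Memory written" records from the Hooking
# section of this report (PID 5640), copied verbatim. Each write is a 5-byte
# E9 xx xx xx xx patch, i.e. an x86-64 "jmp rel32".
MEMORY_WRITES = """\
Memory written: PID: 5640 base: 7FF8C8A50008 value: E9 EB D9 E9 FF
Memory written: PID: 5640 base: 7FF8C88ED9F0 value: E9 20 26 16 00
Memory written: PID: 5640 base: 7FF8C8A6000D value: E9 BB CB EB FF
Memory written: PID: 5640 base: 7FF8C891CBC0 value: E9 5A 34 14 00
Memory written: PID: 5640 base: 7FF8C8A70005 value: E9 CB 05 E5 FF
Memory written: PID: 5640 base: 7FF8C88C05D0 value: E9 3A FA 1A 00
Memory written: PID: 5640 base: 7FF8C8A80005 value: E9 9B 07 DF FF
Memory written: PID: 5640 base: 7FF8C88707A0 value: E9 6A F8 20 00
Memory written: PID: 5640 base: 7FF8C6F40007 value: E9 AB 11 E0 FF
Memory written: PID: 5640 base: 7FF8C6D411B0 value: E9 5E EE 1F 00
Memory written: PID: 5640 base: 7FF8C7010006 value: E9 BB 7F D0 FF
Memory written: PID: 5640 base: 7FF8C6D17FC0 value: E9 4C 80 2F 00
Memory written: PID: 5640 base: 7FF8C6560007 value: E9 CB E3 E3 FF
Memory written: PID: 5640 base: 7FF8C639E3D0 value: E9 3E 1C 1C 00
Memory written: PID: 5640 base: 7FF8C6570006 value: E9 AB 4D D3 FF
Memory written: PID: 5640 base: 7FF8C62A4DB0 value: E9 5C B2 2C 00
"""

WRITE_RE = re.compile(r"base:\s*([0-9A-Fa-f]+)\s+value:\s*((?:[0-9A-Fa-f]{2}\s*)+)")
PAGE = 0x1000  # x86-64 Windows page size


def parse_writes(text):
    """Return [(address, patch_bytes)] for every 'Memory written' record."""
    writes = []
    for line in text.splitlines():
        m = WRITE_RE.search(line)
        if m:
            writes.append((int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", ""))))
    return writes


def jmp_target(address, patch):
    """Decode a 5-byte 'jmp rel32' (opcode E9) written at `address`.
    rel32 is a signed 32-bit displacement from the end of the instruction."""
    if len(patch) != 5 or patch[0] != 0xE9:
        raise ValueError("not a jmp rel32: %s" % patch.hex())
    rel = struct.unpack("<i", patch[1:])[0]
    return (address + 5 + rel) & 0xFFFFFFFFFFFFFFFF


def pair_hooks(writes):
    """Match each patched prologue (hook) with the jump that returns from its
    trampoline. A hook H jumps into a detour page; the return jump B sits on
    that page and lands N bytes past H, where N is the stolen prologue length.
    Assumption (holds for every pair in this report, not stated by the sandbox):
    the stolen bytes are copied to the start of the detour page, so B lies at
    page+N and resumes at H+N; that equality is what orients each pair."""
    decoded = [(base, jmp_target(base, patch)) for base, patch in writes]
    pairs = []
    for h_base, h_target in decoded:
        for b_base, b_target in decoded:
            if b_base == h_base or b_base // PAGE != h_target // PAGE:
                continue
            stolen = b_target - h_base
            if stolen > 0 and stolen == b_base % PAGE:
                pairs.append({
                    "hooked": h_base,        # patched function entry (jmp out)
                    "trampoline": h_target,  # where the hook diverts to
                    "return_jmp": b_base,    # jmp back on the detour page
                    "resume": b_target,      # hooked + stolen prologue length
                    "stolen_bytes": stolen,
                })
    return pairs


if __name__ == "__main__":
    for p in pair_hooks(parse_writes(MEMORY_WRITES)):
        print("hook %X -> %X ; back-jmp at %X resumes %X (%d stolen bytes)" % (
            p["hooked"], p["trampoline"], p["return_jmp"], p["resume"], p["stolen_bytes"]))
```

Run stand-alone it prints eight pairs, e.g. hook 7FF8C88ED9F0 diverting to 7FF8C8A50015 with the return jump at 7FF8C8A50008 resuming at 7FF8C88ED9F8 (8 stolen bytes). The stolen lengths (5 to 13 bytes) are exactly what a length-disassembler-based detour library produces when it copies whole instructions until at least 5 bytes are covered; the report does not name the hooked exports, so mapping each 7FF8C8... address to a DLL export requires the module list from the same run.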

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Special instruction interceptor: first address 7FF7A6934E4B, instruction rdtsc, caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Special instruction interceptor: first address 7FF7A6934E59, instruction rdtsc, caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Handle closed: DEADC0DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtSetInformationThread: Direct from: 0x7FF7A5FB97A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtQuerySystemInformation: Direct from: 0x7FF7A690BBE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtQueryInformationProcess: Direct from: 0x7FF7A692AA7F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtProtectVirtualMemory: Direct from: 0x7FF7A5D6517B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtMapViewOfSection: Direct from: 0x7FF7A5FF7A12
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtSetInformationProcess: Direct from: 0x7FF7A5F90AF3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtProtectVirtualMemory: Direct from: 0x7FF7A5D9EAC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtProtectVirtualMemory: Direct from: 0x7FF7A5D5102A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtProtectVirtualMemory: Direct from: 0x7FF7A5D37729
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtProtectVirtualMemory: Indirect: 0x7FF7A5D1926B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtProtectVirtualMemory: Direct from: 0x7FF7A691E611
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtProtectVirtualMemory: Direct from: 0x7FF7A5D69012
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtQueryInformationProcess: Direct from: 0x7FF7A5D688A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtProtectVirtualMemory: Direct from: 0x7FF7A6000E99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtQuerySystemInformation: Direct from: 0x7FF7A5FA5352
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtQueryInformationProcess: Direct from: 0x7FF7A5D4D59D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtProtectVirtualMemory: Direct from: 0x7FF7A5FAD723
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtQuerySystemInformation: Direct from: 0x7FF7A5E0FBE7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe NtProtectVirtualMemory: Direct from: 0x7FF7A5D71273

No contacted IP information