Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Analysis ID: 1475143
MD5: 8aae495569f2eba4371a7666c6066c2e
SHA1: bdb285e457e68fe05974e62671754277a3c22d5d
SHA256: 6664c76fa812ee8c12dfd4d5763a29d10b66b7f3beff780ff13e67dd667e575d
Tags: exe

Detection

DarkTortilla, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name: XWorm
Description: Malware with wide range of capabilities ranging from RAT to ransomware.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection

Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Avira: detected
Source: 00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["nnx.linkworldlogiticservices.online"], "Port": "9196", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.0"}
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe ReversingLabs: Detection: 60%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Joe Sandbox ML: detected
Source: 3.2.InstallUtil.exe.430000.0.unpack String decryptor: nnx.linkworldlogiticservices.online
Source: 3.2.InstallUtil.exe.430000.0.unpack String decryptor: 9196
Source: 3.2.InstallUtil.exe.430000.0.unpack String decryptor: <123456789>
Source: 3.2.InstallUtil.exe.430000.0.unpack String decryptor: <Xwormmm>
Source: 3.2.InstallUtil.exe.430000.0.unpack String decryptor: XWorm V5.0
Source: 3.2.InstallUtil.exe.430000.0.unpack String decryptor: USB.exe
Source: 3.2.InstallUtil.exe.430000.0.unpack String decryptor: %AppData%
Source: 3.2.InstallUtil.exe.430000.0.unpack String decryptor: diagaudio.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: diagaudio.exe.4.dr
Source: Binary string: InstallUtil.pdb source: diagaudio.exe.4.dr

Networking

Source: Traffic Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.6:49723 -> 168.119.55.248:9196
Source: Traffic Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 168.119.55.248:9196 -> 192.168.2.6:49723
Source: Traffic Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.6:49723 -> 168.119.55.248:9196
Source: Traffic Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 168.119.55.248:9196 -> 192.168.2.6:49723
Source: Traffic Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.6:49723 -> 168.119.55.248:9196
Source: Malware configuration extractor URLs: nnx.linkworldlogiticservices.online
Source: global traffic TCP traffic: 192.168.2.6:49723 -> 168.119.55.248:9196
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: nnx.linkworldlogiticservices.online
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2473142144.00000000013E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.mic
Source: InstallUtil.exe, 00000004.00000002.4559451531.0000000002911000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, XLogger.cs .Net Code: KeyboardLayout

System Summary

Source: 3.2.InstallUtil.exe.430000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.2145809299.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2473856137.000000000320E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Code function: 0_2_079D98A8 CreateProcessAsUserW, 0_2_079D98A8
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2484247029.00000000057C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMiPro.dll, vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2482269120.0000000004188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMiPro.dll, vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2482269120.0000000004061000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMiPro.dll, vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNew_XClient.exe4 vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2473856137.00000000032A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNew_XClient.exe4 vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000000.2094219575.00000000008D2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedxdiag.exeH vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2486523986.0000000007800000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRP8SH.dll, vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2473142144.00000000013AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Binary or memory string: OriginalFilenamedxdiag.exeH vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Source: 3.2.InstallUtil.exe.430000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.2145809299.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2473856137.000000000320E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/4@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\amFkCzzuyT6seqQS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: linkinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntshrui.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cscapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: avicap32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msvfw32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: diagaudio.lnk.4.dr LNK file: ..\..\..\..\..\diagaudio.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation

Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.57c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.4138790.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.57c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.41887b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.4138790.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.4110770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.41887b0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2482269120.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2484247029.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2482269120.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe PID: 5044, type: MEMORYSTR
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, Messages.cs .Net Code: Memory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Code function: 0_2_07F1EC48 push eax; ret 0_2_07F1F651
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Code function: 0_2_0831071B push eax; retf 0_2_08310721
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Code function: 0_2_08320252 push 00000059h; ret 0_2_08320256
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Code function: 0_2_08329FC6 pushad ; ret 0_2_0832A003
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Static PE information: section name: .text entropy: 7.0677126968600845
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, Wp54Ek.cs High entropy of concatenated method names: 'y5JPn8', 'a5H6Bt', 'f3C7Eb', 'g8XWa9', 'i7Y1Lk', 't7DNy8', 'Wa03As', 'q5LYf2', 'i3A4Cp', 'Xf32Bs'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\diagaudio.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\diagaudio.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe File opened: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe PID: 5044, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory allocated: 1340000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory allocated: 2FE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory allocated: 4FE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory allocated: 8370000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory allocated: 9370000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory allocated: 9540000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory allocated: A540000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory allocated: A8D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory allocated: B8D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory allocated: C8D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2650000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2910000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 6984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2851
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe TID: 6464 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe TID: 5920 Thread sleep time: -62000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe TID: 4988 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2832 Thread sleep count: 34 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2832 Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5564 Thread sleep count: 6984 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5564 Thread sleep count: 2851 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File Volume queried: C:\ FullSizeInformation
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2485723159.000000000635A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "Vmcirb8bimipc/Y^
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2484247029.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2482269120.0000000004188000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2482269120.0000000004061000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTray
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2482269120.0000000004061000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: InstallUtil.exe, 00000004.00000002.4554035801.0000000000A43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 430000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 430000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 430000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 432000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 22A008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40C000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40E000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 6E3008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: InstallUtil.exe, 00000004.00000002.4554035801.00000000009FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 3.2.InstallUtil.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2145809299.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2473856137.000000000320E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4559451531.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe PID: 5044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 2976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3136, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 3.2.InstallUtil.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2145809299.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2473856137.000000000320E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4559451531.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe PID: 5044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 2976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3136, type: MEMORYSTR