Edit tour
Windows
Analysis Report
SecuriteInfo.com.Trojan.Win64.Krypt.29681.4103.exe
Overview
General Information
| Sample name: | SecuriteInfo.com.Trojan.Win64.Krypt.29681.4103.exe |
| Analysis ID: | 1494655 |
| MD5: | 0a22ee2a7354dbfd4a802bd68c7c67fc |
| SHA1: | 829ef593707684e4e90ba96c273151995e0a1472 |
| SHA256: | 1ccb286c02b131eb643ce5456905582a836b9af1bcb12db6b0636d3f94532ed6 |
| Tags: | exe |
 | |
Errors
| |
Detection
| Score: | 1 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Classification
- System is w10x64
SecuriteInfo.com.Trojan.Win64.Krypt.29681.4103.exe (PID: 6980 cmdline: "C:\Users\ user\Deskt op\Securit eInfo.com. Trojan.Win 64.Krypt.2 9681.4103. exe" MD5: 0A22EE2A7354DBFD4A802BD68C7C67FC)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
- • Compliance
- • Networking
- • System Summary
- • Data Obfuscation
- • Malware Analysis System Evasion
- • Anti Debugging
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary string: | ||
| Source: | Classification label: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
⊘No Mitre Att&ck techniques found
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1494655 |
| Start date and time: | 2024-08-19 00:29:08 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 1m 31s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 2 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | SecuriteInfo.com.Trojan.Win64.Krypt.29681.4103.exe |
| Detection: | UNKNOWN |
| Classification: | unknown1.winEXE@1/0@0/0 |
| EGA Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Corrupt sample or wrongly sele
cted analyzer. Details: The %1 application cannot be run in Win32 mode.
- Exclude process from analysis
(whitelisted): dllhost.exe - VT rate limit hit for: Securi
teInfo.com.Trojan.Win64.Krypt. 29681.4103.exe
⊘No simulations
⊘No context
⊘No context
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 5.943975678042477 |
| TrID: |
|
| File name: | SecuriteInfo.com.Trojan.Win64.Krypt.29681.4103.exe |
| File size: | 65'968 bytes |
| MD5: | 0a22ee2a7354dbfd4a802bd68c7c67fc |
| SHA1: | 829ef593707684e4e90ba96c273151995e0a1472 |
| SHA256: | 1ccb286c02b131eb643ce5456905582a836b9af1bcb12db6b0636d3f94532ed6 |
| SHA512: | f73cfc969b1ce2d7f46a34c86936f580db08173afaa951e0e07399db5d11d1e31c9d305da9a4e2c45d78b755c1e0ed9a0ccbb8f7ac673445c41a25cac8f40598 |
| SSDEEP: | 1536:mSmJTQSwZ9umiu/6SqCa4xsCxKRK2Ozs:fmJTQSaMm5/6Ca4eCZ2Ozs |
| TLSH: | 4A534A8373981465F6B756FC86B64615ABB17E640B31A3CF2290413C0FA37E46E3BB52 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G...................$...uy......uy......uy..............uy......Rich....................PE..d......R.........."......P....\.... |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x5e2200 |
| Entrypoint Section: | INIT |
| Digitally signed: | true |
| Imagebase: | 0x10000 |
| Subsystem: | native |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | |
| Time Stamp: | 0x5284EAC3 [Thu Nov 14 15:22:43 2013 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 2 |
| File Version Major: | 5 |
| File Version Minor: | 2 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 2 |
| Import Hash: | 55db306bc2be3ff71a6b91fd9db051b8 |
| Signature Valid: | |
| Signature Issuer: | |
| Signature Validation Error: | |
| Error Number: | |
| Not Before, Not After | |
| Subject Chain | |
| Version: | |
| Thumbprint MD5: | |
| Thumbprint SHA-1: | |
| Thumbprint SHA-256: | |
| Serial: |
| Instruction |
|---|
| dec eax |
| mov eax, dword ptr [FFA34F01h] |
| dec ecx |
| mov ecx, 2DDFA232h |
| cdq |
| sub eax, dword ptr [eax] |
| add byte ptr [eax-7Bh], cl |
| sal byte ptr [ebp+eax+49h], 0000003Bh |
| sal dword ptr [ebp+2Fh], 4Ch |
| lea eax, dword ptr [FFA34EE6h] |
| dec eax |
| mov eax, 00000320h |
| xor bh, FFFFFFFFh |
| dec dword ptr [eax-75h] |
| add byte ptr [ecx+33h], cl |
| ror byte ptr [ecx-48h], FFFFFFFFh |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5d22dc | 0x3c | INIT |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d3000 | 0x3f8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5d1000 | 0x408 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x6800 | 0x1f08 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6150 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0x148 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x4615 | 0x4800 | 658045c4f01ff520bd915f6ae780bb32 | False | 0.4717339409722222 | Matlab v4 mat-file (little endian) \3540H\213\331H\215, numeric, rows 0, columns 0 | 6.227045063215454 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x6000 | 0x7c0 | 0x800 | a9fd28c26d39a69935129379ffde5f25 | False | 0.5068359375 | data | 4.656629330107381 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ |
| .data | 0x7000 | 0x5c9ec0 | 0x200 | ebd8a922cbe8ab7f614843e8706ed006 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x5d1000 | 0x408 | 0x600 | b5ae8bd78edef2804ed9d0406fcd650a | False | 0.353515625 | PEX Binary Archive | 3.1422739943466262 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ |
| INIT | 0x5d2000 | 0x7a8 | 0x800 | 6f6894644224d7239def2e984925e864 | False | 0.59326171875 | Matlab v4 mat-file (little endian) \203\354hH\211X\030H\213\331L\215\005\253\002, numeric, rows 0, columns 0 | 5.68000953149949 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x5d3000 | 0x3f8 | 0x400 | e503be0ddf75f99b22763e68a65972c7 | False | 0.455078125 | data | 3.4033291780766843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x5d3060 | 0x394 | OpenPGP Secret Key | English | United States | 0.4650655021834061 |
| DLL | Import |
|---|---|
| ntoskrnl.exe | IoCreateSymbolicLink, IoCreateDevice, IofCompleteRequest, ExAllocatePoolWithTag, ExFreePoolWithTag, MmGetPhysicalAddress, DbgPrint, strncpy, vsprintf, IoFreeMdl, MmMapLockedPagesSpecifyCache, MmBuildMdlForNonPagedPool, IoAllocateMdl, MmUnmapIoSpace, MmUnmapLockedPages, MmAllocateContiguousMemory, MmFreeContiguousMemory, RtlInitUnicodeString, ObfDereferenceObject, KeWaitForSingleObject, IofCallDriver, IoBuildSynchronousFsdRequest, KeInitializeEvent, ZwClose, RtlFreeAnsiString, strstr, RtlUnicodeStringToAnsiString, ZwEnumerateValueKey, ZwOpenKey, wcsncpy, IoGetDeviceObjectPointer, IoGetDeviceInterfaces, ObReferenceObjectByPointer, KeBugCheckEx, IoDeleteSymbolicLink, MmMapIoSpace, IoDeleteDevice |
| HAL.dll | KeStallExecutionProcessor, KeQueryPerformanceCounter |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
| Target ID: | 0 |
| Start time: | 18:29:58 |
| Start date: | 18/08/2024 |
| Path: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Krypt.29681.4103.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x10000 |
| File size: | 65'968 bytes |
| MD5 hash: | 0A22EE2A7354DBFD4A802BD68C7C67FC |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
⊘No disassembly
