Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe
Analysis ID:	1508669
MD5:	85877d16342cea80354627b1e26bd1a5
SHA1:	0db5402908665862107f36edf4cda9daa913ba61
SHA256:	309d16af0620da1d4811bdbffac56cbe4cfbbb2b1a190073571e7efe0b3f6b2a
Tags:	exe
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

AV process strings found (often used to terminate AV products)

Contains capabilities to detect virtual machines

Detected TCP or UDP traffic on non-standard ports

Entry point lies outside standard sections

IP address seen in connection with other malware

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe (PID: 744 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe" MD5: 85877D16342CEA80354627B1E26BD1A5)

WerFault.exe (PID: 6716 cmdline: C:\Windows\system32\WerFault.exe -u -p 744 -s 616 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

ReversingLabs: Detection: 79%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Joe Sandbox ML: detected

Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000002.2215670015.0000000140D4F000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: loader.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000003.2060451798.00000000004D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000002.2215530451.00000001400F9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000002.2215670015.0000000140D4F000.00000040.00000001.01000000.00000003.sdmp

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 51.38.37.194:3333

Source: Joe Sandbox View	IP Address: 51.222.31.217 51.222.31.217
Source: Joe Sandbox View	IP Address: 103.251.113.36 103.251.113.36
Source: Joe Sandbox View	IP Address: 51.38.37.194 51.38.37.194

Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194
Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194
Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194
Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194
Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194
Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194
Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194
Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194
Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194

Source: Amcache.hve.4.dr

String found in binary or memory: http://upx.sf.net

System Summary

PE file contains section with special chars

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 744 -s 616

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Static PE information: Number of sections : 13 > 10

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: Section: ZLIB complexity 0.9994698397737983
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: Section: .reloc ZLIB complexity 1.5

Source: classification engine

Classification label: mal88.evad.winEXE@2/5@0/5

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess744

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a3464d11-e4a6-43d3-932e-f0f9376c2feb

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 744 -s 616

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: hid.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Static file information: File size 14287888 > 1048576

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Static PE information: Raw size of .boot is bigger than: 0x100000 < 0xced800

Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000002.2215670015.0000000140D4F000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: loader.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000003.2060451798.00000000004D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000002.2215530451.00000001400F9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000002.2215670015.0000000140D4F000.00000040.00000001.01000000.00000003.sdmp

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name: .boot

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Static PE information: section name: entropy: 7.986056231058502

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Window searched: window name: RegmonClass	Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000002.2215068694.000000000056C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllot #
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

NtQuerySystemInformation: Indirect: 0x140E4F307

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	421 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	2 Software Packing	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Abuse Elevation Control Mechanism	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	79%	ReversingLabs	Win64.Infostealer.Tinba
SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	100%	Avira	BDS/Agent.rlulr
SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
51.222.31.217	unknown	France	16276	OVHFR	false
103.230.14.225	unknown	Hong Kong	55953	XIM-HKRoom704ChinaChenLeightonPlazaHK	false
77.105.172.225	unknown	Russian Federation	43176	ICOMF-ASRU	false
103.251.113.36	unknown	Hong Kong	133380	LAYER-ASLayerstackLimitedHK	false
51.38.37.194	unknown	France	16276	OVHFR	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1508669
Start date and time:	2024-09-10 15:25:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe
Detection:	MAL
Classification:	mal88.evad.winEXE@2/5@0/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Simulations

Behavior and APIs

Time	Type	Description
09:26:18	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
51.222.31.217	0Ig0ovoll2k6.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_212.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_212.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse
	uF57zn1zFCF77zYR.exe	Get hash	malicious	Unknown	Browse
	uF57zn1zFCF77zYR.exe	Get hash	malicious	Unknown	Browse
103.230.14.225	0Ig0ovoll2k6.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse
77.105.172.225	0Ig0ovoll2k6.exe	Get hash	malicious	Unknown	Browse
103.251.113.36	0Ig0ovoll2k6.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_212.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_212.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse
	uF57zn1zFCF77zYR.exe	Get hash	malicious	Unknown	Browse
	uF57zn1zFCF77zYR.exe	Get hash	malicious	Unknown	Browse
51.38.37.194	0Ig0ovoll2k6.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_212.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_212.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse
	uF57zn1zFCF77zYR.exe	Get hash	malicious	Unknown	Browse
	uF57zn1zFCF77zYR.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
XIM-HKRoom704ChinaChenLeightonPlazaHK	0Ig0ovoll2k6.exe	Get hash	malicious	Unknown	Browse	103.230.14.225
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse	103.230.14.225
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse	103.230.14.225
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse	103.230.14.225
OVHFR	https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bva%C2%ADnd%C2%ADat%C2%ADco%E2%80%8B.%C2%ADv%C2%ADn/.dev/ChZuQF9L/bHlubi5wYXJzb25zQGltYWdvLmNvbW11bml0eQ===$%E3%80%82	Get hash	malicious	HTMLPhisher	Browse	51.178.195.217
	https://kby.oqp.mybluehost.me/wp-admin/20191952407230/account/amendes2024org	Get hash	malicious	Unknown	Browse	91.134.109.31
	https://kby.oqp.mybluehost.me/wp-admin/20191952407230/account/amendes2024org/infospage.php	Get hash	malicious	Unknown	Browse	91.134.109.31
	https://kby.oqp.mybluehost.me/wp-admin/20191952407230/account/amendes2024org/3dsec.php	Get hash	malicious	Unknown	Browse	137.74.125.233
	https://kby.oqp.mybluehost.me/wp-admin/20191952407230/account/amendes2024org/3dsece.php	Get hash	malicious	Unknown	Browse	137.74.125.233
	https://kby.oqp.mybluehost.me/wp-admin/20191952407230/account/amendes2024org/paiement.php	Get hash	malicious	Unknown	Browse	91.134.109.31
	https://emailmarketing.locaweb.com.br/accounts/193978/messages/3/clicks/1078/3?envelope_id=3	Get hash	malicious	Unknown	Browse	91.134.109.31
	https://sucursal-virtual123.w3spaces.com/	Get hash	malicious	Unknown	Browse	51.77.64.70
	https://holidayvisuals.com/Payment_receipt.html	Get hash	malicious	WinSearchAbuse	Browse	51.89.199.99
	Chrome.exe	Get hash	malicious	Xmrig	Browse	54.37.232.103
ICOMF-ASRU	gobEmOm5sr.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig	Browse	77.105.164.24
	FileApp.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig, zgRAT	Browse	77.105.164.24
	file.exe	Get hash	malicious	Unknown	Browse	77.105.164.24
	kqS23MOytx.exe	Get hash	malicious	Socks5Systemz, Stealc, Vidar, XWorm, Xmrig	Browse	77.105.164.24
	file.exe	Get hash	malicious	Unknown	Browse	77.105.164.24
	0Ig0ovoll2k6.exe	Get hash	malicious	Unknown	Browse	77.105.172.225
	ozA28PDMTu.exe	Get hash	malicious	Unknown	Browse	77.105.164.24
	file.exe	Get hash	malicious	Unknown	Browse	77.105.164.24
	66b9e7f54cf7b_pro.exe	Get hash	malicious	Unknown	Browse	77.105.164.24
	SecuriteInfo.com.Trojan.MulDrop28.3097.13525.30211.exe	Get hash	malicious	Unknown	Browse	77.105.164.24
LAYER-ASLayerstackLimitedHK	SecuriteInfo.com.Trojan.GenericKD.73873010.20504.26058.exe	Get hash	malicious	Unknown	Browse	43.228.126.4
	SecuriteInfo.com.Trojan.GenericKD.73873010.20504.26058.exe	Get hash	malicious	Unknown	Browse	43.228.126.4
	0Ig0ovoll2k6.exe	Get hash	malicious	Unknown	Browse	103.251.113.36
	LisectAVT_2403002A_212.exe	Get hash	malicious	Unknown	Browse	103.251.113.36
	LisectAVT_2403002A_212.exe	Get hash	malicious	Unknown	Browse	103.251.113.36
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse	103.251.113.36
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse	103.251.113.36
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse	103.251.113.36
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse	103.251.113.36
	xfO72LuQ7K.elf	Get hash	malicious	Unknown	Browse	103.254.214.105

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_232cd476b1733e4f7c6ba7b9cba6ba5ab4ffab_4fb347c0_7759c989-d008-400a-bb5a-aadd61201c5f\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9329136481575825
Encrypted:	false
SSDEEP:	96:RcFXcl17sIhqFi7qIf4QXIDcQyc6ycEncw3SH+HbHg/HgoXO+ZuUXqOE8OQ5oEEm:Ws170fY0s29njufFRzuiFvZ24lO8L
MD5:	BE71C9C9389C9E19F18206E9FE0E5B90
SHA1:	57881BC96301D8C4D5082CF30D462A05D6DD401B
SHA-256:	FC956BC8D3ED2F7E18CFA2F848766E974250AABC0102FAD1E83A81237DA5AE22
SHA-512:	847C5F2CF86B47D8C828A9A6E91ED1C5AABD394620C5C29FC24706736047589A226F12B1A44DDBBD88CFC71D62C3FB22BF91ED44057E256350E60EF5217DFEEB
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.0.4.4.8.3.6.5.9.0.5.6.2.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.0.4.4.8.3.6.6.2.4.9.3.6.9.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.7.5.9.c.9.8.9.-.d.0.0.8.-.4.0.0.a.-.b.b.5.a.-.a.a.d.d.6.1.2.0.1.c.5.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.d.e.0.7.e.f.-.6.5.f.d.-.4.e.f.8.-.b.a.2.0.-.f.6.4.b.3.3.d.9.0.3.2.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.6.4...M.a.l.w.a.r.e.X.-.g.e.n...2.1.4.4.2...4.0.7.6...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.e.8.-.0.0.0.1.-.0.0.1.4.-.f.f.4.3.-.8.d.f.b.8.4.0.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.b.1.5.9.8.b.3.a.7.d.7.0.1.b.a.c.e.d.f.c.c.b.c.0.9.c.6.a.9.4.4.0.0.0.0.f.f.f.f.!.0.0.0.0.0.d.b.5.4.0.2.9.0.8.6.6.5.8.6.2.1.0.7.f.3.6.e.d.f.4.c.d.a.9.d.a.a.9.1.3.b.a.6.1.!.S.e.c.u.r.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7EEE.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Sep 10 13:26:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	111814
Entropy (8bit):	1.4792592215399694
Encrypted:	false
SSDEEP:	192:6Sw6yIXbO+wboIM5slg0qUYIumE+7n0T6+aMavz+nS5:e6yx+wKU6mE+7niAMJ0
MD5:	92890B0D4DB9C128012A654D9961AC83
SHA1:	103C727F4F573ECBD32360504B0EB18FCD49BD5F
SHA-256:	CE9B6766ABFDF105F8190DA92C096F4F1BB2B5A4B7518E7C31ABC5B90F051B81
SHA-512:	81A38E2EF79B164E5CEBECE42A9FF93EA0B17A939BAE870DDD86846DD979E22B0E41EC77DBEEF8E7D74DA60C7E895A5101ACAE9CEA541F64C8EA60032A34516B
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........H.f............T...........P...\.......4....G..........T.......8...........T.......................................................................................................................eJ......0.......Lw......................T............H.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7FBA.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8952
Entropy (8bit):	3.7056766813507864
Encrypted:	false
SSDEEP:	192:R6l7wVeJDDJw6YEI9JscgmfzqEcpDa89b2+sfFym:R6lXJH+6YESJscgmfzs2dfB
MD5:	3B53D688CC9553628CDEC417EE93DFA5
SHA1:	903D8D310A12CA38E55A69B179D87137F9D9DC13
SHA-256:	60B32928B01F04E0CF910C1E29BA23F7EF2488CD51FCBDE4433C1D8633458850
SHA-512:	0F2158C15965991A0E433061AC2FFC0DB954D95617ECDA3DBE5C20AB0B403EB359EE57C9633404D483154222C8BACFCF707842A55C12DE62DFBC556B3BE2AFFA
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.4.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7FDA.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4894
Entropy (8bit):	4.550498246267619
Encrypted:	false
SSDEEP:	48:cvIwWl8zshMJg771I9Z2WpW8VYjYm8M4J5Unm8n5FDO9yq85dFb7NPt4Unrs8sTd:uIjfhKI7uX7V/JDkt4mgVTd
MD5:	D155B345BE011FB0EEFCBBF15BE1D771
SHA1:	02926499BDAF379B0F750B76AC3CED57353639F1
SHA-256:	07150A05FF9A4BA632C2805238448478A4B3F2EAFDFFF6D84C064F8A1F55648B
SHA-512:	EEC1644EC024298F3708E1410C7AA822479BD099CDD1F8BC228DF7B64FAD6CE9D1B2B33F3E22CF8A1673AFBF58004B9FD3A1E78BC29571E7D3B075B0E9E3CE47
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="494188" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421895733111292
Encrypted:	false
SSDEEP:	6144:MSvfpi6ceLP/9skLmb0OTjWSPHaJG8nAgeMZMMhA2fX4WABlEnN+0uhiTw:3vloTjW+EZMM6DFyg03w
MD5:	AFB7A4D026668705B0AA5549638B0DDC
SHA1:	5BFC649E246EDEDBFF92083E9CAA8B71F4B74C02
SHA-256:	0E90C9E0DB440A48E2E09D20C74CC9CF44FCCB94BE34D6EE0D35B4487E1CD93E
SHA-512:	F21620532FC190C0E6122A5025EF113014FDE17336E0D80CA62324F5365220CFB5F13447074C8ECD0748B8D67EF193C68446D9057796CAA9A0B5AB7D1055B8F6
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.rP...................................................................................................................................................................................................................................................................................................................................................G.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.9555117307343535
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe
File size:	14'287'888 bytes
MD5:	85877d16342cea80354627b1e26bd1a5
SHA1:	0db5402908665862107f36edf4cda9daa913ba61
SHA256:	309d16af0620da1d4811bdbffac56cbe4cfbbb2b1a190073571e7efe0b3f6b2a
SHA512:	2d2c73592d6cd956c4bf837aac163ae4bd3819b6305bb2937848b6b5699d9ecb38efa99e15aaa1c5e1f6db74ceb7df97afb46d5458fae4b20096bb1408e8640e
SSDEEP:	196608:DIqlYtZt1fGNcD/qf4YxIWD3rpR3Y3oi2/qxmLcrZ72k640Ka3k422pb+K8BMzj:DhKtFfGaDyAlonBtOmLLkX0S4Fl+K8aX
TLSH:	5AE6334BB3C48FA5EB8CE3F09D2855A2E61592F7A8593278750F582A3F5EC015F37A40
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........J..m...m...m...n...m...h.~.m...i...m...h...m...n...m.".....m..7i...m...i...m...j...m...l...m...l...m..7n...m..7d...m..7....m

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1414eb058
Entrypoint Section:	.boot
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, TERMINAL_SERVER_AWARE
Time Stamp:	0x66BB9FAD [Tue Aug 13 18:02:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	22402abe221b6efa466ca4190864858f

Entrypoint Preview

Instruction
call 00007F07D4B05907h
inc ecx
push edx
dec ecx
mov edx, esp
inc ecx
push edx
dec ecx
mov esi, dword ptr [edx+10h]
dec ecx
mov edi, dword ptr [edx+20h]
cld
mov dl, 80h
mov al, byte ptr [esi]
dec eax
inc esi
mov byte ptr [edi], al
dec eax
inc edi
mov ebx, 00000002h
add dl, dl
jne 00007F07D4B05789h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F07D4B05766h
add dl, dl
jne 00007F07D4B05789h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F07D4B057E0h
xor eax, eax
add dl, dl
jne 00007F07D4B05789h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F07D4B05888h
add dl, dl
jne 00007F07D4B05789h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F07D4B05789h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F07D4B05789h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F07D4B05789h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
je 00007F07D4B0578Bh
push edi
mov eax, eax
dec eax
sub edi, eax
mov al, byte ptr [edi]
pop edi
mov byte ptr [edi], al
dec eax
inc edi
mov ebx, 00000002h
jmp 00007F07D4B0570Ah
mov eax, 00000001h
add dl, dl
jne 00007F07D4B05789h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F07D4B05789h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jc 00007F07D4B05768h
sub eax, ebx
mov ebx, 00000001h
jne 00007F07D4B057B0h
mov ecx, 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x160183	0x1f0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x162000	0x1e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x14c70c8	0x136bc
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x21d9000	0x10	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x161018	0x28	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0xf7330	0x84a00	fc4efca6798147d176d1c9394e2cb3e2	False	0.9994698397737983	data	7.986056231058502	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0xf9000	0x4e7fc	0x26200	7d8ec58b2e3a2e0a346a7f2bb330351d	False	0.9857581967213115	data	7.973579534804117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x148000	0xa49c	0xa00	fb51965c6ea1612373c43861164f2ee7	False	0.961328125	data	7.73764349978694	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x153000	0x975c	0x5c00	6fa6b912427cc4e349d11c7caff224c1	False	0.9390285326086957	data	7.661341495375132	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x15d000	0x15c	0x200	f919a0492ef13d21ff89eab5fc879069	False	0.40625	data	3.3057524302120944	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x15e000	0x1e8	0x200	2c8f2eff25c1fd909a1e16c4489a15ca	False	0.587890625	data	4.770300300856275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x15f000	0xe38	0x800	80398426ce6cb383b52d1b32fed44367	False	0.931640625	data	7.672017416382715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x160000	0x1000	0x400	70004a422ac32050917d726c77409539	False	0.3935546875	data	3.2999306991246558	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x161000	0x1000	0x200	c79dc6026e9279d7106bb722ff03079e	False	0.0625	data	0.28456851570206254	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x162000	0x1000	0x200	1b6a67de27f1688f2391ce4c0b9544a5	False	0.53515625	data	4.758721582235538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x163000	0x1388000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot	0x14eb000	0xced800	0xced800	5cdf2be9ae8ec287bffea6b9e372afe2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x21d9000	0x1000	0x10	6e6996b1c92025b8fdb50642647770f9	False	1.5	GLS_BINARY_LSB_FIRST	2.349601752714581	IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x162058	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
kernel32.dll	GetModuleHandleA
CFGMGR32.dll	CM_Locate_DevNodeW
IPHLPAPI.DLL	GetTcpTable
d3d9.dll	Direct3DCreate9
ADVAPI32.dll	AdjustTokenPrivileges
SHELL32.dll	SHGetSpecialFolderPathW
ole32.dll	StringFromGUID2
WS2_32.dll	connect
HID.DLL	HidD_GetManufacturerString
SETUPAPI.dll	SetupDiGetClassDevsW
ntdll.dll	RtlPcToFileHeader
SHLWAPI.dll	StrStrIW
NETAPI32.dll	NetUserEnum

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 10, 2024 15:26:05.181232929 CEST	49704	3333	192.168.2.5	51.38.37.194
Sep 10, 2024 15:26:05.186218023 CEST	3333	49704	51.38.37.194	192.168.2.5
Sep 10, 2024 15:26:05.186343908 CEST	49704	3333	192.168.2.5	51.38.37.194
Sep 10, 2024 15:26:05.188692093 CEST	49704	3333	192.168.2.5	51.38.37.194
Sep 10, 2024 15:26:05.193496943 CEST	3333	49704	51.38.37.194	192.168.2.5
Sep 10, 2024 15:26:05.804034948 CEST	3333	49704	51.38.37.194	192.168.2.5
Sep 10, 2024 15:26:05.804719925 CEST	3333	49704	51.38.37.194	192.168.2.5
Sep 10, 2024 15:26:05.804807901 CEST	49704	3333	192.168.2.5	51.38.37.194
Sep 10, 2024 15:26:05.805548906 CEST	49704	3333	192.168.2.5	51.38.37.194
Sep 10, 2024 15:26:05.811229944 CEST	3333	49704	51.38.37.194	192.168.2.5
Sep 10, 2024 15:26:05.811316013 CEST	49704	3333	192.168.2.5	51.38.37.194
Sep 10, 2024 15:26:05.817338943 CEST	3333	49704	51.38.37.194	192.168.2.5
Sep 10, 2024 15:26:06.053126097 CEST	3333	49704	51.38.37.194	192.168.2.5
Sep 10, 2024 15:26:06.057400942 CEST	49704	3333	192.168.2.5	51.38.37.194
Sep 10, 2024 15:26:06.064188004 CEST	3333	49704	51.38.37.194	192.168.2.5
Sep 10, 2024 15:26:06.191847086 CEST	3333	49704	51.38.37.194	192.168.2.5
Sep 10, 2024 15:26:06.231854916 CEST	3333	49704	51.38.37.194	192.168.2.5
Sep 10, 2024 15:26:06.232038021 CEST	49704	3333	192.168.2.5	51.38.37.194
Sep 10, 2024 15:26:19.884217024 CEST	49704	3333	192.168.2.5	51.38.37.194

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Type
Sep 10, 2024 15:26:04.173990965 CEST	192.168.2.5	51.222.31.217	b353	Echo
Sep 10, 2024 15:26:04.267126083 CEST	51.222.31.217	192.168.2.5	bb53	Echo Reply
Sep 10, 2024 15:26:04.268938065 CEST	192.168.2.5	103.230.14.225	b352	Echo
Sep 10, 2024 15:26:04.536592007 CEST	103.230.14.225	192.168.2.5	bb52	Echo Reply
Sep 10, 2024 15:26:04.537520885 CEST	192.168.2.5	77.105.172.225	b351	Echo
Sep 10, 2024 15:26:04.588488102 CEST	77.105.172.225	192.168.2.5	bb51	Echo Reply
Sep 10, 2024 15:26:04.589452982 CEST	192.168.2.5	51.38.37.194	b350	Echo
Sep 10, 2024 15:26:04.604238033 CEST	51.38.37.194	192.168.2.5	bb50	Echo Reply
Sep 10, 2024 15:26:04.604911089 CEST	192.168.2.5	103.251.113.36	b34f	Echo

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exePID: 744, Parent PID: 1028

General

Target ID:	0
Start time:	09:26:02
Start date:	10/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe"
Imagebase:	0x140000000
File size:	14'287'888 bytes
MD5 hash:	85877D16342CEA80354627B1E26BD1A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6716, Parent PID: 744

General

Target ID:	4
Start time:	09:26:05
Start date:	10/09/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 744 -s 616
Imagebase:	0x7ff6af830000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_232cd476b1733e4f7c6ba7b9cba6ba5ab4ffab_4fb347c0_7759c989-d008-400a-bb5a-aadd61201c5f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7EEE.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7FBA.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7FDA.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

ICMP Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe