Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe
Analysis ID:	1508669
MD5:	85877d16342cea80354627b1e26bd1a5
SHA1:	0db5402908665862107f36edf4cda9daa913ba61
SHA256:	309d16af0620da1d4811bdbffac56cbe4cfbbb2b1a190073571e7efe0b3f6b2a
Tags:	exe
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

AV process strings found (often used to terminate AV products)

Contains capabilities to detect virtual machines

Detected TCP or UDP traffic on non-standard ports

Entry point lies outside standard sections

IP address seen in connection with other malware

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe (PID: 3356 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe" MD5: 85877D16342CEA80354627B1E26BD1A5)

WerFault.exe (PID: 1964 cmdline: C:\Windows\system32\WerFault.exe -u -p 3356 -s 748 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Joe Sandbox ML: detected

Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000002.2509708020.0000000140D4F000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: loader.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000002.2509601739.00000001400F9000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000003.2022087817.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000002.2509708020.0000000140D4F000.00000040.00000001.01000000.00000003.sdmp

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 51.38.37.194:3333

Source: Joe Sandbox View	IP Address: 51.222.31.217 51.222.31.217
Source: Joe Sandbox View	IP Address: 103.251.113.36 103.251.113.36
Source: Joe Sandbox View	IP Address: 51.38.37.194 51.38.37.194

Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194
Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194
Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194
Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194
Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194
Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194
Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194
Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194
Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194
Source: unknown	TCP traffic detected without corresponding DNS query: 51.38.37.194

Source: Amcache.hve.4.dr

String found in binary or memory: http://upx.sf.net

System Summary

PE file contains section with special chars

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3356 -s 748

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Static PE information: Number of sections : 13 > 10

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: Section: ZLIB complexity 0.9994698397737983
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: Section: .reloc ZLIB complexity 1.5

Source: classification engine

Classification label: mal88.evad.winEXE@2/5@0/5

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3356

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\79675d6e-a57b-4969-93b9-2c3a49c08c15

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3356 -s 748

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: hid.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Static file information: File size 14287888 > 1048576

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Static PE information: Raw size of .boot is bigger than: 0x100000 < 0xced800

Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000002.2509708020.0000000140D4F000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: loader.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000002.2509601739.00000001400F9000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000003.2022087817.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000002.2509708020.0000000140D4F000.00000040.00000001.01000000.00000003.sdmp

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Static PE information: section name: .boot

Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Static PE information: section name: entropy: 7.986056231058502

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Window searched: window name: RegmonClass	Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe, 00000000.00000002.2509261439.00000000004C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

NtQuerySystemInformation: Indirect: 0x140E4F307

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	421 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	2 Software Packing	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Abuse Elevation Control Mechanism	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	63%	ReversingLabs	Win64.Trojan.Malgent
SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	100%	Avira	BDS/Agent.rlulr
SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
51.222.31.217	unknown	France	16276	OVHFR	false
103.230.14.225	unknown	Hong Kong	55953	XIM-HKRoom704ChinaChenLeightonPlazaHK	false
77.105.172.225	unknown	Russian Federation	43176	ICOMF-ASRU	false
103.251.113.36	unknown	Hong Kong	133380	LAYER-ASLayerstackLimitedHK	false
51.38.37.194	unknown	France	16276	OVHFR	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1508669
Start date and time:	2024-09-10 15:29:59 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe
Detection:	MAL
Classification:	mal88.evad.winEXE@2/5@0/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
51.222.31.217	0Ig0ovoll2k6.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_212.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_212.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse
	uF57zn1zFCF77zYR.exe	Get hash	malicious	Unknown	Browse
	uF57zn1zFCF77zYR.exe	Get hash	malicious	Unknown	Browse
103.230.14.225	0Ig0ovoll2k6.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse
77.105.172.225	0Ig0ovoll2k6.exe	Get hash	malicious	Unknown	Browse
103.251.113.36	0Ig0ovoll2k6.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_212.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_212.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse
	uF57zn1zFCF77zYR.exe	Get hash	malicious	Unknown	Browse
	uF57zn1zFCF77zYR.exe	Get hash	malicious	Unknown	Browse
51.38.37.194	0Ig0ovoll2k6.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_212.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_212.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse
	uF57zn1zFCF77zYR.exe	Get hash	malicious	Unknown	Browse
	uF57zn1zFCF77zYR.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
XIM-HKRoom704ChinaChenLeightonPlazaHK	0Ig0ovoll2k6.exe	Get hash	malicious	Unknown	Browse	103.230.14.225
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse	103.230.14.225
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse	103.230.14.225
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse	103.230.14.225
OVHFR	Voicemail Transcription.(387.KB).html	Get hash	malicious	HTMLPhisher	Browse	149.202.238.104
	https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bva%C2%ADnd%C2%ADat%C2%ADco%E2%80%8B.%C2%ADv%C2%ADn/.dev/ChZuQF9L/bHlubi5wYXJzb25zQGltYWdvLmNvbW11bml0eQ===$%E3%80%82	Get hash	malicious	HTMLPhisher	Browse	51.178.195.217
	https://kby.oqp.mybluehost.me/wp-admin/20191952407230/account/amendes2024org	Get hash	malicious	Unknown	Browse	91.134.109.31
	https://kby.oqp.mybluehost.me/wp-admin/20191952407230/account/amendes2024org/infospage.php	Get hash	malicious	Unknown	Browse	91.134.109.31
	https://kby.oqp.mybluehost.me/wp-admin/20191952407230/account/amendes2024org/3dsec.php	Get hash	malicious	Unknown	Browse	137.74.125.233
	https://kby.oqp.mybluehost.me/wp-admin/20191952407230/account/amendes2024org/3dsece.php	Get hash	malicious	Unknown	Browse	137.74.125.233
	https://kby.oqp.mybluehost.me/wp-admin/20191952407230/account/amendes2024org/paiement.php	Get hash	malicious	Unknown	Browse	91.134.109.31
	https://emailmarketing.locaweb.com.br/accounts/193978/messages/3/clicks/1078/3?envelope_id=3	Get hash	malicious	Unknown	Browse	91.134.109.31
	https://sucursal-virtual123.w3spaces.com/	Get hash	malicious	Unknown	Browse	51.77.64.70
ICOMF-ASRU	gobEmOm5sr.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig	Browse	77.105.164.24
	FileApp.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig, zgRAT	Browse	77.105.164.24
	file.exe	Get hash	malicious	Unknown	Browse	77.105.164.24
	kqS23MOytx.exe	Get hash	malicious	Socks5Systemz, Stealc, Vidar, XWorm, Xmrig	Browse	77.105.164.24
	file.exe	Get hash	malicious	Unknown	Browse	77.105.164.24
	0Ig0ovoll2k6.exe	Get hash	malicious	Unknown	Browse	77.105.172.225
	ozA28PDMTu.exe	Get hash	malicious	Unknown	Browse	77.105.164.24
	file.exe	Get hash	malicious	Unknown	Browse	77.105.164.24
	66b9e7f54cf7b_pro.exe	Get hash	malicious	Unknown	Browse	77.105.164.24
LAYER-ASLayerstackLimitedHK	SecuriteInfo.com.Trojan.GenericKD.73873010.20504.26058.exe	Get hash	malicious	Unknown	Browse	43.228.126.4
	SecuriteInfo.com.Trojan.GenericKD.73873010.20504.26058.exe	Get hash	malicious	Unknown	Browse	43.228.126.4
	0Ig0ovoll2k6.exe	Get hash	malicious	Unknown	Browse	103.251.113.36
	LisectAVT_2403002A_212.exe	Get hash	malicious	Unknown	Browse	103.251.113.36
	LisectAVT_2403002A_212.exe	Get hash	malicious	Unknown	Browse	103.251.113.36
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse	103.251.113.36
	LisectAVT_2403002A_234.exe	Get hash	malicious	Unknown	Browse	103.251.113.36
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse	103.251.113.36
	SecuriteInfo.com.Win64.Evo-gen.8630.20101.exe	Get hash	malicious	Unknown	Browse	103.251.113.36

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_232cd476b1733e4f7c6ba7b9cba6ba5ab4ffab_4fb347c0_c342a195-fac7-4d8e-b243-653721b6bb0b\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9330712543223453
Encrypted:	false
SSDEEP:	96:YKlFwOR1FsIhqFi7qIf4QXIDcQyc6ycEncw3SH+HbHg/HgoXO+ZuUXqOE8OQr5TY:3ZR1F0fY0s29njufFRzuiFqZ24lO8L
MD5:	5F22F5D4CB287943A3935FEA8A4E57BC
SHA1:	4DD67682E639D6CD949B31AACCB57DCB822ADEAC
SHA-256:	A36A4A95550CD2A4C48A7070BA536B41317914BAEB1E14EBF7661B66F2D9D7D8
SHA-512:	F99C83C19ED80E463E648A999952B6791B17F2F122EE55A4BDF9547D2FF13D79F5BA164639719C2C87626E03EFE672C3BA72CAD53EDA4E3E901A74082DE93E59
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.0.4.4.8.6.5.1.2.4.0.3.8.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.0.4.4.8.6.5.1.7.8.7.2.5.2.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.4.2.a.1.9.5.-.f.a.c.7.-.4.d.8.e.-.b.2.4.3.-.6.5.3.7.2.1.b.6.b.b.0.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.e.5.9.c.4.f.f.-.b.c.3.6.-.4.8.d.3.-.8.9.d.a.-.6.6.0.b.e.d.a.1.4.8.4.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.6.4...M.a.l.w.a.r.e.X.-.g.e.n...2.1.4.4.2...4.0.7.6...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.1.c.-.0.0.0.1.-.0.0.1.4.-.e.7.8.6.-.a.c.a.4.8.5.0.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.b.1.5.9.8.b.3.a.7.d.7.0.1.b.a.c.e.d.f.c.c.b.c.0.9.c.6.a.9.4.4.0.0.0.0.f.f.f.f.!.0.0.0.0.0.d.b.5.4.0.2.9.0.8.6.6.5.8.6.2.1.0.7.f.3.6.e.d.f.4.c.d.a.9.d.a.a.9.1.3.b.a.6.1.!.S.e.c.u.r.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER63A.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Sep 10 13:30:51 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	111596
Entropy (8bit):	1.4728660846541286
Encrypted:	false
SSDEEP:	192:RT06yIdjXanFO+g0Uesg0jUYgumE+7c2DOlRT2B/LgdwsN6zK:N06yIgo+gplUymE+7cIm2BTvQaK
MD5:	8159E68B1F95BA5EFE3D13F848F1D62F
SHA1:	29A8F5697F523C437EDAFA46ED1C6AF80D24C45D
SHA-256:	B73D3459AD7C66C1A1C3A2C41C8A4047F7559681653A37099F4B04CE7B975755
SHA-512:	C2EC3B79AB51BC404F2D9B51C3779333BCD1599BFE2ABDE4769D767E69997CCF6D23A8ED0FE905384EBF0959FCB4D4C8C6A4B299792D080E6787AF1760FF2389
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........J.f............T...........P...\.......$....G..........T.......8...........T...........X...........................................................................................................eJ......0.......Lw......................T............J.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER793.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8958
Entropy (8bit):	3.7059593745933825
Encrypted:	false
SSDEEP:	192:R6l7wVeJvF206YEI1DOlivagmfzTpDM89bDYjkfwBm:R6lXJNd6YE6DOlivagmfzPDYAfb
MD5:	C736A0026D37BE55789F53D40A2CE6DE
SHA1:	12751B2A936F2512A30000C57DD84BA0A09194FD
SHA-256:	9DC91D7898F99CB6180D7AD5EABCCD62F35FFE690EE9CCEFE349CF34C23B67F8
SHA-512:	36C398B01E4A3A7F3369378917EDC4542087964E4CDA0FB81052FA0EBDAFB1FFB4C5DE2847894E1B0E7D1299155FD4FEBCAB9EF59710E0ED6E80FD1B97AF7A6C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.3.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D3.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4894
Entropy (8bit):	4.549128410175167
Encrypted:	false
SSDEEP:	48:cvIwWl8zshUJg771I9y1WpW8VYgvYm8M4J5Unm8n5F+tyq85dFb7Nws4Unrs8s3d:uIjfhSI7tE7VvyJTtps4mgV3d
MD5:	FE3DB807F3DA0DB8DCCF293296C6B3CA
SHA1:	65D25D5DCBCB8B74B6495F7FCB0D5E5CD522F2AC
SHA-256:	4134E1A5F4F3204F28C06E68EAB183503F7CE8911ABB9579BD82F9CB788DAEED
SHA-512:	029B3BDDC8A2215DA025C938866778CE4607273EBCEF60615490F16EE2A1747009A1A3D72B6CE342294251267EA90D47C1B82ED38259DBBCFB9181AC671683EF
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="494193" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421881925638682
Encrypted:	false
SSDEEP:	6144:2Svfpi6ceLP/9skLmb0OT/WSPHaJG8nAgeMZMMhA2fX4WABlEnN+0uhiTw:VvloT/W+EZMM6DFyg03w
MD5:	FBA122879154E7AB80B6693D3D8064E6
SHA1:	D43885A7FAA94B98B6C88D405E0B5CF4598EAA57
SHA-256:	E04A256BA3FF9C1136ABC048A37A2906F2DD8BC87EA7DB7395D5FDD476115F3E
SHA-512:	8E18CA30C6838EEDDB98B45628789EF71EE9784D284A532F7244CB618655C0F2A39C37DD4E868DD3EB3D0C196F99A16E9408BFAF30B13BAF2946FCCFE1FB16B7
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.va...................................................................................................................................................................................................................................................................................................................................................v.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.9555117307343535
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe
File size:	14'287'888 bytes
MD5:	85877d16342cea80354627b1e26bd1a5
SHA1:	0db5402908665862107f36edf4cda9daa913ba61
SHA256:	309d16af0620da1d4811bdbffac56cbe4cfbbb2b1a190073571e7efe0b3f6b2a
SHA512:	2d2c73592d6cd956c4bf837aac163ae4bd3819b6305bb2937848b6b5699d9ecb38efa99e15aaa1c5e1f6db74ceb7df97afb46d5458fae4b20096bb1408e8640e
SSDEEP:	196608:DIqlYtZt1fGNcD/qf4YxIWD3rpR3Y3oi2/qxmLcrZ72k640Ka3k422pb+K8BMzj:DhKtFfGaDyAlonBtOmLLkX0S4Fl+K8aX
TLSH:	5AE6334BB3C48FA5EB8CE3F09D2855A2E61592F7A8593278750F582A3F5EC015F37A40
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........J..m...m...m...n...m...h.~.m...i...m...h...m...n...m.".....m..7i...m...i...m...j...m...l...m...l...m..7n...m..7d...m..7....m

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1414eb058
Entrypoint Section:	.boot
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, TERMINAL_SERVER_AWARE
Time Stamp:	0x66BB9FAD [Tue Aug 13 18:02:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	22402abe221b6efa466ca4190864858f

Entrypoint Preview

Instruction
call 00007F31ECEF4677h
inc ecx
push edx
dec ecx
mov edx, esp
inc ecx
push edx
dec ecx
mov esi, dword ptr [edx+10h]
dec ecx
mov edi, dword ptr [edx+20h]
cld
mov dl, 80h
mov al, byte ptr [esi]
dec eax
inc esi
mov byte ptr [edi], al
dec eax
inc edi
mov ebx, 00000002h
add dl, dl
jne 00007F31ECEF44F9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F31ECEF44D6h
add dl, dl
jne 00007F31ECEF44F9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F31ECEF4550h
xor eax, eax
add dl, dl
jne 00007F31ECEF44F9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F31ECEF45F8h
add dl, dl
jne 00007F31ECEF44F9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F31ECEF44F9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F31ECEF44F9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F31ECEF44F9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
je 00007F31ECEF44FBh
push edi
mov eax, eax
dec eax
sub edi, eax
mov al, byte ptr [edi]
pop edi
mov byte ptr [edi], al
dec eax
inc edi
mov ebx, 00000002h
jmp 00007F31ECEF447Ah
mov eax, 00000001h
add dl, dl
jne 00007F31ECEF44F9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F31ECEF44F9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jc 00007F31ECEF44D8h
sub eax, ebx
mov ebx, 00000001h
jne 00007F31ECEF4520h
mov ecx, 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x160183	0x1f0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x162000	0x1e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x14c70c8	0x136bc
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x21d9000	0x10	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x161018	0x28	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0xf7330	0x84a00	fc4efca6798147d176d1c9394e2cb3e2	False	0.9994698397737983	data	7.986056231058502	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0xf9000	0x4e7fc	0x26200	7d8ec58b2e3a2e0a346a7f2bb330351d	False	0.9857581967213115	data	7.973579534804117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x148000	0xa49c	0xa00	fb51965c6ea1612373c43861164f2ee7	False	0.961328125	data	7.73764349978694	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x153000	0x975c	0x5c00	6fa6b912427cc4e349d11c7caff224c1	False	0.9390285326086957	data	7.661341495375132	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x15d000	0x15c	0x200	f919a0492ef13d21ff89eab5fc879069	False	0.40625	data	3.3057524302120944	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x15e000	0x1e8	0x200	2c8f2eff25c1fd909a1e16c4489a15ca	False	0.587890625	data	4.770300300856275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x15f000	0xe38	0x800	80398426ce6cb383b52d1b32fed44367	False	0.931640625	data	7.672017416382715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x160000	0x1000	0x400	70004a422ac32050917d726c77409539	False	0.3935546875	data	3.2999306991246558	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x161000	0x1000	0x200	c79dc6026e9279d7106bb722ff03079e	False	0.0625	data	0.28456851570206254	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x162000	0x1000	0x200	1b6a67de27f1688f2391ce4c0b9544a5	False	0.53515625	data	4.758721582235538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x163000	0x1388000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot	0x14eb000	0xced800	0xced800	5cdf2be9ae8ec287bffea6b9e372afe2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x21d9000	0x1000	0x10	6e6996b1c92025b8fdb50642647770f9	False	1.5	GLS_BINARY_LSB_FIRST	2.349601752714581	IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x162058	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
kernel32.dll	GetModuleHandleA
CFGMGR32.dll	CM_Locate_DevNodeW
IPHLPAPI.DLL	GetTcpTable
d3d9.dll	Direct3DCreate9
ADVAPI32.dll	AdjustTokenPrivileges
SHELL32.dll	SHGetSpecialFolderPathW
ole32.dll	StringFromGUID2
WS2_32.dll	connect
HID.DLL	HidD_GetManufacturerString
SETUPAPI.dll	SetupDiGetClassDevsW
ntdll.dll	RtlPcToFileHeader
SHLWAPI.dll	StrStrIW
NETAPI32.dll	NetUserEnum

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 10, 2024 15:30:49.996400118 CEST	49705	3333	192.168.2.5	51.38.37.194
Sep 10, 2024 15:30:50.003834009 CEST	3333	49705	51.38.37.194	192.168.2.5
Sep 10, 2024 15:30:50.004070997 CEST	49705	3333	192.168.2.5	51.38.37.194
Sep 10, 2024 15:30:50.007292986 CEST	49705	3333	192.168.2.5	51.38.37.194
Sep 10, 2024 15:30:50.012264013 CEST	3333	49705	51.38.37.194	192.168.2.5
Sep 10, 2024 15:30:51.896313906 CEST	3333	49705	51.38.37.194	192.168.2.5
Sep 10, 2024 15:30:51.897830963 CEST	3333	49705	51.38.37.194	192.168.2.5
Sep 10, 2024 15:30:51.897923946 CEST	49705	3333	192.168.2.5	51.38.37.194
Sep 10, 2024 15:30:51.899058104 CEST	49705	3333	192.168.2.5	51.38.37.194
Sep 10, 2024 15:30:51.905867100 CEST	3333	49705	51.38.37.194	192.168.2.5
Sep 10, 2024 15:30:51.905944109 CEST	49705	3333	192.168.2.5	51.38.37.194
Sep 10, 2024 15:30:51.912806034 CEST	3333	49705	51.38.37.194	192.168.2.5
Sep 10, 2024 15:30:52.145843983 CEST	3333	49705	51.38.37.194	192.168.2.5
Sep 10, 2024 15:30:52.150804996 CEST	49705	3333	192.168.2.5	51.38.37.194
Sep 10, 2024 15:30:52.156008959 CEST	3333	49705	51.38.37.194	192.168.2.5
Sep 10, 2024 15:30:52.266144991 CEST	3333	49705	51.38.37.194	192.168.2.5
Sep 10, 2024 15:30:52.320388079 CEST	49705	3333	192.168.2.5	51.38.37.194
Sep 10, 2024 15:30:52.324129105 CEST	3333	49705	51.38.37.194	192.168.2.5
Sep 10, 2024 15:30:52.324208975 CEST	49705	3333	192.168.2.5	51.38.37.194
Sep 10, 2024 15:31:37.565689087 CEST	49705	3333	192.168.2.5	51.38.37.194

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 10, 2024 15:31:03.834302902 CEST	53	58835	1.1.1.1	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Type
Sep 10, 2024 15:30:48.653258085 CEST	192.168.2.5	51.222.31.217	b353	Echo
Sep 10, 2024 15:30:48.746535063 CEST	51.222.31.217	192.168.2.5	bb53	Echo Reply
Sep 10, 2024 15:30:48.749216080 CEST	192.168.2.5	103.230.14.225	b352	Echo
Sep 10, 2024 15:30:49.017677069 CEST	103.230.14.225	192.168.2.5	bb52	Echo Reply
Sep 10, 2024 15:30:49.018536091 CEST	192.168.2.5	77.105.172.225	b351	Echo
Sep 10, 2024 15:30:49.069610119 CEST	77.105.172.225	192.168.2.5	bb51	Echo Reply
Sep 10, 2024 15:30:49.070405960 CEST	192.168.2.5	51.38.37.194	b350	Echo
Sep 10, 2024 15:30:49.087001085 CEST	51.38.37.194	192.168.2.5	bb50	Echo Reply
Sep 10, 2024 15:30:49.087527990 CEST	192.168.2.5	103.251.113.36	b34f	Echo

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exePID: 3356, Parent PID: 1028

General

Target ID:	0
Start time:	09:30:46
Start date:	10/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe"
Imagebase:	0x140000000
File size:	14'287'888 bytes
MD5 hash:	85877D16342CEA80354627B1E26BD1A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 1964, Parent PID: 3356

General

Target ID:	4
Start time:	09:30:51
Start date:	10/09/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3356 -s 748
Imagebase:	0x7ff6b8460000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_232cd476b1733e4f7c6ba7b9cba6ba5ab4ffab_4fb347c0_c342a195-fac7-4d8e-b243-653721b6bb0b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER63A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER793.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D3.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

Statistics

CPU Usage

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe