Windows Analysis Report
SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe
Analysis ID: 1511537
MD5: a0cfa7a65a035edfafa607d060719e97
SHA1: fe7d97371cc38870233bd5a6471dc53b18f34776
SHA256: f0d0614de591fb0659acd31e0569f8b68caabe80912b5546d47661d620b36b8d
Tags: exe

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected potential unwanted application
Sigma detected: Tasks Folder Evasion
AV process strings found (often used to terminate AV products)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Copy From or To System Directory
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Classification legend: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (score scale: clean, suspicious, malicious)

AV Detection

Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe ReversingLabs: Detection: 63%
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Virustotal: Detection: 62%
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Code function: 0_2_004378FB FindFirstFileW, 0_2_004378FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Code function: 0_2_004376E6 FindFirstFileW, 0_2_004376E6
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe String found in binary or memory: http://forum.ru-board.com/topic.cgi?forum=2&topic=5734#1
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe String found in binary or memory: http://forum.ru-board.com/topic.cgi?forum=2&topic=5734#1BelizeBasqueNorwegianNot
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe String found in binary or memory: http://www.solidfiles.com/folder/bd7165a0d4/
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe String found in binary or memory: http://www.solidfiles.com/folder/bd7165a0d4/HKEY_LOCAL_MACHINE

System Summary

Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe PE Signature Subject Chain: CN=WZTeam
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Code function: 0_2_0042AB10 0_2_0042AB10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Code function: String function: 0044C0F0 appears 78 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Code function: String function: 00410962 appears 54 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Code function: String function: 00410008 appears 90 times
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Static PE information: invalid certificate
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe, 00000000.00000002.3183336743.000000000049F000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: LatinArgentinaratiboruskmstoolsruboard01062019PrivateBuildChineseKazakSerbianSpanishset filesystem = CreateObject("scripting.Filesystemobject")NetUserAddUruguayGreekafgedProcess32NextService PackMalayalamInternalNameSeShutdownPrivilegeHong Kong SAR, PRCSlovenianGuatemalaGetProcessImageFileNameWcscript.exe" "%1"NetLocalGroupGetMembers<em:.iniOriginalFilename4.0.0.0Colombia# vs SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe, 00000000.00000001.1932293575.000000000049F000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: LatinArgentinaratiboruskmstoolsruboard01062019PrivateBuildChineseKazakSerbianSpanishset filesystem = CreateObject("scripting.Filesystemobject")NetUserAddUruguayGreekafgedProcess32NextService PackMalayalamInternalNameSeShutdownPrivilegeHong Kong SAR, PRCSlovenianGuatemalaGetProcessImageFileNameWcscript.exe" "%1"NetLocalGroupGetMembers<em:.iniOriginalFilename4.0.0.0Colombia# vs SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Binary or memory string: LatinArgentinaratiboruskmstoolsruboard01062019PrivateBuildChineseKazakSerbianSpanishset filesystem = CreateObject("scripting.Filesystemobject")NetUserAddUruguayGreekafgedProcess32NextService PackMalayalamInternalNameSeShutdownPrivilegeHong Kong SAR, PRCSlovenianGuatemalaGetProcessImageFileNameWcscript.exe" "%1"NetLocalGroupGetMembers<em:.iniOriginalFilename4.0.0.0Colombia# vs SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Binary or memory string: OriginalFilename7za.exe, vs SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal56.winEXE@4/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe ReversingLabs: Detection: 63%
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Virustotal: Detection: 62%
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe String found in binary or memory: <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe String found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd>
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe String found in binary or memory: -help
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe String found in binary or memory: Check charset encoding and -scs switch.Cannot find listfilebsobbbtbdba-helph?asut012sea0-pstlsdelsncsnrsnssnisnlsnhspfspespdsasscsswsltsccscsslpsosiscrcsemlsfxstmrvuanaxaiiwstxtaoadybspbseUnsupported switch postfix -stmUnsupported switch postfix -bbDuplicate archive path:Incorrect Number of benmchmark iterationsOnly one archive can be created with rename commandstdout mode and email mode cannot be combined-ai switch is not supported for this commandCannot use absolute pathnames for this commandArchive name cannot by emptyCannot find archive nameUnsupported -spf:2Unsupported command:The command must be spcifiedThere is no second file name for rename pair:Unsupported rename command:-rIncorrect wildcard type markerToo short switchUnsupported Map data sizeMap data errorUnsupported Map dataMapViewOfFile errorCan not open mappingIncorrect volume size:incorrect update switch commandUnsupported charset:Can not delete output folderCan not delete output fileCan not rename existing fileCan not create file with auto nameSeSecurityPrivilege
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe String found in binary or memory: */adDoyf
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\user\AppData\Local\Temp\KMSTools.tmp" /Y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\user\AppData\Local\Temp\KMSTools.tmp" /Y
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: icmp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Window detected: Number of UI elements: 91
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Static file information: File size 52034288 > 1048576
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x30e5200
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Static PE information: section name: .code
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Code function: 0_2_00410B30 push eax; ret 0_2_00410B5E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Code function: 0_2_00408F91 push eax; mov dword ptr [esp], 00000000h 0_2_00408F95
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Window / User API: threadDelayed 9994
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Window / User API: foregroundWindowGot 1775
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe TID: 6560 Thread sleep time: -49970s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Thread sleep count: Count: 9994 delay: -5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Code function: 0_2_004378FB FindFirstFileW, 0_2_004378FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Code function: 0_2_004376E6 FindFirstFileW, 0_2_004376E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\user\AppData\Local\Temp\KMSTools.tmp" /Y
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Binary or memory string: ! Microsoft Sans SerifKMSTools.binHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpynetIrelandTeluguWNetAddConnection2Aroot\cimv2SlovakHKEY_LOCAL_MACHINE\SOFTWARE\Novell\NetWareWorkstation\CurrentVersionLibyaCatalanArmenianGetComputerNameExAKMSTools.tmpProgram in the folder: vHKEY_CLASSES_ROOT\.deleteprogram.vbs\7zaxxx.exe has joined the domain \\fver.exeConfigurationsababccdabcdefgePathfgFlag Library not initialisedShell_TrayWndhttp://forum.ru-board.com/topic.cgi?forum=2&topic=5734#1BelizeBasqueNorwegianNot joined to any domain or group
Source: SecuriteInfo.com.Win32.Malware-gen.15916.11672.exe Binary or memory string: \Program Files\Windows Defender\MsMpEng.exe
No contacted IP information