Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Overview

General Information

Sample name: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe
Analysis ID: 1539813
MD5: b352a969814c63eb03f8771d0b61c763
SHA1: fcd849e29f057f46766738c8cd4ce91a4c7e537e
SHA256: 1c4f4363a89bb180c36067da145fbc4086217bb5c55312dfa8605b127b3ac35a
Tags: exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Contains functionality for execution timing, often used to detect debuggers
Detected potential crypto function
PE file contains sections with non-standard names

Classification

AV Detection

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Virustotal: Detection: 12%
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe, 00000000.00000002.2085346990.00007FF6C2F69000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_4c651ae1-8
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: crypto\encode_decode\decoder_meth.cossl_decoder_newossl_decoder_from_algorithminner_ossl_decoder_fetch<null>%s, Name (%s : %d), Properties (%s)OSSL_DECODER_get0_providerOSSL_DECODER_get0_propertiesossl_decoder_parsed_propertiesOSSL_DECODER_CTX_newOSSL_DECODER_from_biocrypto\encode_decode\decoder_lib.cNo decoders were found. For standard decoders you need at least one of the default or base providers available. Did you forget to load them?Input type: Input structure: No supported data to decode. %s%s%s%s%s%sOSSL_DECODER_from_dataOSSL_DECODER_CTX_set_selectionOSSL_DECODER_CTX_set_input_typeOSSL_DECODER_CTX_set_input_structureossl_decoder_instance_newthere are no property definitions with decoder %sinputthe mandatory 'input' property is missing for decoder %s (properties: %s)structureossl_decoder_ctx_add_decoder_instOSSL_DECODER_CTX_add_extraOSSL_DECODER_CTX_set_constructOSSL_DECODER_CTX_set_construct_dataOSSL_DECODER_CTX_set_cleanupdata-typedata-structuredecoder_processcrypto\encode_decode\decoder_pkey.creference1.2.840.10045.2.1ossl_decoder_ctx_setup_for_pkeyOSSL_DECODER_CTX_new_for_pkeycompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificE:\NGULibraries\openssl-3.0.11\build\sslE:\NGULibraries\openssl-3.0.11\build\static_lib\x64\Release\lib\ossl-modules.dllCPUINFO: crypto\bio\bio_sock.cBIO_sock_initcalling wsastartup()BIO_socket_ioctlcalling ioctlsocket()@@@@@@@@@hHHHH@@@@@@@@@@@@@@@@@@( source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe
Source: Binary string: crypto\stack\stack.cOPENSSL_sk_dupOPENSSL_sk_deep_copysk_reserveOPENSSL_sk_new_reserveOPENSSL_sk_reserveOPENSSL_sk_insertOPENSSL_sk_seti=%dcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed May 15 23:28:32 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "E:\NGULibraries\openssl-3.0.11\build\ssl"ENGINESDIR: "E:\NGULibraries\openssl-3.0.11\build\static_lib\x64\Release\lib\engines-3"MODULESDIR: "E:\NGULibraries\openssl-3.0.11\build\static_lib\x64\Release\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_putsBIO_getsBIO_ctrlBIO_callback_ctrlBIO_find_type source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe
Source: Binary string: E:\X\x64\Release\ActiveState.pdb source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe, 00000000.00000002.2085008638.0000019EDF9AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.53.160.19/ActiveState/
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe String found in binary or memory: https://curl.se/docs/hsts.html
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Code function: 0_2_00007FF6C2CB1500 0_2_00007FF6C2CB1500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Code function: 0_2_00007FF6C2CCAF40 0_2_00007FF6C2CCAF40
Source: classification engine Classification label: mal52.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe File created: C:\Users\user\Desktop\log.bin
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Virustotal: Detection: 12%
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %d
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe String found in binary or memory: id-cmc-addExtensions
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe String found in binary or memory: set-addPolicy
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Section loaded: kernel.appcore.dll
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static file information: File size 3981312 > 1048576
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2b8000
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Static PE information: section name: .msvcjmc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Code function: 0_2_00007FF6C2CB1020 rdtsc 0_2_00007FF6C2CB1020
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe, 00000000.00000003.2084368550.0000019EDF9D5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe, 00000000.00000003.2084459984.0000019EDF9DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Code function: 0_2_00007FF6C2CB13B0 0_2_00007FF6C2CB13B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Code function: 0_2_00007FF6C2CB1350 0_2_00007FF6C2CB1350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Code function: 0_2_00007FF6C2CB1020 rdtsc 0_2_00007FF6C2CB1020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Code function: 0_2_00007FF6C2DEA854 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF6C2DEA854
No contacted IP infos