Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe

Overview

General Information

Sample name: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe
Analysis ID: 1541499
MD5: 4213b2aa13a965e52e3e2f4b2ca37211
SHA1: 85a14551d90665015cbd74f0e7d902edc0b77e00
SHA256: 3795ba40a0fbf045785bf0670aa127cbc5d60e2bbd2ba8859ef414daf54215ce
Tags: exe

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection

Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe ReversingLabs: Detection: 34%
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe, 00000000.00000000.2078993616.0000000000EB9000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_1335de3a-d
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 172.67.68.136:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /455474F642F2D352/93243153651/53446B44EFA2F130/72980820451?33FCE66818B56E8D1729808204 HTTP/1.1 Host: gamesfileapp.com User-Agent: NSIS_InetLoad (Mozilla) Accept: */*
Source: global traffic DNS traffic detected: DNS query: gamesfileapp.com
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe String found in binary or memory: https://curl.se/docs/hsts.html
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe, 00000000.00000002.2101416372.000000000148E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gamesfileapp.com/455474F642F2D352/93243153651/53446B44EFA2F130/72980820451?33FCE66818B56E8D1
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe, 00000000.00000002.2101279089.0000000000F1F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSincereMotion.exeD vs SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe, 00000000.00000002.2101416372.00000000014F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D10Warp.dl vs SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Binary or memory string: OriginalFilenameSincereMotion.exeD vs SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe
Source: classification engine Classification label: mal48.winEXE@1/0@1/2
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExW\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s %u %s %s %u "%d%02d%02d %02d:%02d:%02d" %u %d
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: d2d1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CACAF262-9370-4615-A13B-9F5539DA4C0A}\InProcServer32
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static file information: File size 12867416 > 1048576
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0xbb7600
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Process information set: NOOPENFILEERRORBOX
Source: SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe, 00000000.00000003.2091101428.00000000014A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.618554.7337.5785.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation