Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe
Analysis ID:	1543316
MD5:	d9ca1551c8b85b251d570bc6b9161d23
SHA1:	b2300be703a2cb95aceac0ef571a67b6956d8929
SHA256:	9ae76169ae9738a3d47661633a8cd768cd2a6fc07f2dc8a6f6b4925a754c301c
Tags:	exe
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Detected potential crypto function

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe (PID: 5972 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe" MD5: D9CA1551C8B85B251D570BC6B9161D23)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

ReversingLabs: Detection: 18%

Source: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: E:\source\repos\TestQPP\obj\Debug\TestQPP.pdb source: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Source: unknown

DNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Code function: 0_2_00CEDC54

0_2_00CEDC54

Source: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe, 00000000.00000002.2829795626.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe
Source: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe, 00000000.00000002.2829386277.00000000005F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe
Source: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe, 00000000.00000000.1552654495.0000000000462000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTestQPP.exe0 vs SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe
Source: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Binary or memory string: OriginalFilenameTestQPP.exe0 vs SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Source: classification engine

Classification label: mal48.winEXE@1/0@1/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Mutant created: NULL

Source: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Section loaded: wintypes.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: E:\source\repos\TestQPP\obj\Debug\TestQPP.pdb source: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Source: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Static PE information: 0xC4CF46E2 [Sun Aug 19 15:33:54 2074 UTC]

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Code function: 0_2_00CEEF70 push eax; iretd

0_2_00CEEF71

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Memory allocated: CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Memory allocated: 28A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Memory allocated: 48A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Timestomp	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe	18%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
15.164.165.52.in-addr.arpa	unknown	unknown	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543316
Start date and time:	2024-10-27 16:56:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe
Detection:	MAL
Classification:	mal48.winEXE@1/0@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 19 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.5632936002667535
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe
File size:	11'776 bytes
MD5:	d9ca1551c8b85b251d570bc6b9161d23
SHA1:	b2300be703a2cb95aceac0ef571a67b6956d8929
SHA256:	9ae76169ae9738a3d47661633a8cd768cd2a6fc07f2dc8a6f6b4925a754c301c
SHA512:	2096a3604ec58e099cf81badd074b279060c5a315e1b1d2108725b9330981ff30765153c200a6a26e7aeb2d28fa3c00a22e512dc648251092091d18ab9216596
SSDEEP:	192:7Z3asD853sWj3V5kIfmQd16vkYcV6oMU2lAFEs2F:Zr83sWTV55fn1YkYcV6oMUqAFn+
TLSH:	F3320A2182D58176C631AA3378666B057BB7C2BF3E5B966E348C151FBFB3110C2237A5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F............"...0..............3... ...@....@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4033da
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC4CF46E2 [Sun Aug 19 15:33:54 2074 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3386	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x15d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3308	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x13e0	0x1400	be302228ef9272725fbe5f6f6d6781e4	False	0.5220703125	data	5.466978504145806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x15d0	0x1600	73d3a90fe9e3f5457f3afe64e96117ca	False	0.3984375	data	5.483723703180803	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6000	0xc	0x200	05710589d3104bd546b4c2b9a69279fb	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x4090	0x30c	data			0.4230769230769231
RT_MANIFEST	0x43ac	0x121d	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.4019840414060815

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 16:58:06.728677988 CET	53	54164	162.159.36.2	192.168.2.8
Oct 27, 2024 16:58:07.348208904 CET	57636	53	192.168.2.8	1.1.1.1
Oct 27, 2024 16:58:07.356566906 CET	53	57636	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 27, 2024 16:58:07.348208904 CET	192.168.2.8	1.1.1.1	0x34b4	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 16:58:07.356566906 CET	1.1.1.1	192.168.2.8	0x34b4	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exePID: 5972, Parent PID: 4084

General

Target ID:	0
Start time:	11:57:35
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe"
Imagebase:	0x460000
File size:	11'776 bytes
MD5 hash:	D9CA1551C8B85B251D570BC6B9161D23
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exePID: 5972, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	167
Total number of Limit Nodes:	14

Executed Functions

Function 00CED088 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CED116
GetCurrentThread.KERNEL32 ref: 00CED153
GetCurrentProcess.KERNEL32 ref: 00CED190
GetCurrentThreadId.KERNEL32 ref: 00CED1E9

Strings

0/0, xrefs: 00CED0B4

Memory Dump Source

Source File: 00000000.00000002.2830156620.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 0/0
API String ID: 2063062207-1915817121
Opcode ID: 0ce8bd8c83036361bd5296696e9de7e9b4a77485b0aa4ce729d596689b62eeb7
Instruction ID: da0288fff721d3cc9c5e28100dcea6f1bddfd9e814cfafb26eb586a3559ce763
Opcode Fuzzy Hash: 0ce8bd8c83036361bd5296696e9de7e9b4a77485b0aa4ce729d596689b62eeb7
Instruction Fuzzy Hash: 7F5178B09003898FDB14DFAAD948BDEBBF1BF88314F208059E419A73A0DB745945CF26

Function 00CED098 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CED116
GetCurrentThread.KERNEL32 ref: 00CED153
GetCurrentProcess.KERNEL32 ref: 00CED190
GetCurrentThreadId.KERNEL32 ref: 00CED1E9

Strings

0/0, xrefs: 00CED0B4

Memory Dump Source

Source File: 00000000.00000002.2830156620.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 0/0
API String ID: 2063062207-1915817121
Opcode ID: b413a22b1b5dbf609ddc6c1caaf1f47256d1741ec99082b89c6c612e953064d1
Instruction ID: 2613c1258eac082a9a2c1ff60730398c632045e47a3e9d3f9da0785b8c7df7fa
Opcode Fuzzy Hash: b413a22b1b5dbf609ddc6c1caaf1f47256d1741ec99082b89c6c612e953064d1
Instruction Fuzzy Hash: 845158B09003498FDB14DFAAD948B9EBBF1BF88314F208459E419A73A0DB745945CF66

Function 00CEAE10 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CEB066

Strings

0/0, xrefs: 00CEB01F

Memory Dump Source

Source File: 00000000.00000002.2830156620.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID: 0/0
API String ID: 4139908857-1915817121
Opcode ID: f6214a97d8cb8af3208420f6cb015d543328358d28db002e686bd46754df0272
Instruction ID: dccc7d5d5c9fb7b807622b93d04d27b9198b30938373bfad349cf5b45a813532
Opcode Fuzzy Hash: f6214a97d8cb8af3208420f6cb015d543328358d28db002e686bd46754df0272
Instruction Fuzzy Hash: EC7133B0A00B858FDB24DF6AD44175ABBF1BF88300F00892DE49AD7A50DB75E959CB91

Function 00CE4248 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00CE59C9

Strings

0/0, xrefs: 00CE594C

Memory Dump Source

Source File: 00000000.00000002.2830156620.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID: 0/0
API String ID: 2289755597-1915817121
Opcode ID: d100c37eaeb3db43c3fbf9071faa4245dc38ad760259802a778ad2beaafd07af
Instruction ID: 853751d924e066f865cf7f6a10ea3bb7168549cb2224cd232fbe9e29e4720257
Opcode Fuzzy Hash: d100c37eaeb3db43c3fbf9071faa4245dc38ad760259802a778ad2beaafd07af
Instruction Fuzzy Hash: A141E2B1C0075DCFDB24DFAAC884B9EBBB1BF88704F20816AD408AB251DB755945CF91

Function 00CE590C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00CE59C9

Strings

0/0, xrefs: 00CE594C

Memory Dump Source

Source File: 00000000.00000002.2830156620.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID: 0/0
API String ID: 2289755597-1915817121
Opcode ID: cb9d314c4f2da53165a82d04fb1a88644404e9612a46b3f4d20e4e6b3e85a353
Instruction ID: b1184c8c132445c5e01e4a081700d7e7161b5b339a34876e32cca01dfe0376f1
Opcode Fuzzy Hash: cb9d314c4f2da53165a82d04fb1a88644404e9612a46b3f4d20e4e6b3e85a353
Instruction Fuzzy Hash: DC4101B1D0075DCFDB24DFAAC88479DBBB1BF88704F20816AD018AB291DB755946CF51

Function 04E68730 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,04E6871D,?,?), ref: 04E687CF

Strings

0/0, xrefs: 04E6875D

Memory Dump Source

Source File: 00000000.00000002.2830800072.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e60000_SecuriteInfo.jbxd

Similarity

API ID: DrawText
String ID: 0/0
API String ID: 2175133113-1915817121
Opcode ID: 90bbe0847ce067601ad5976e53054ed9ac634c5b43da8b12a674d8446b1fe79e
Instruction ID: 07c30a261797cab76a5a55e37e45f089caf1b8e11ad3392282522747bc9cbfb1
Opcode Fuzzy Hash: 90bbe0847ce067601ad5976e53054ed9ac634c5b43da8b12a674d8446b1fe79e
Instruction Fuzzy Hash: F331FDB5D012099FDB10DF9AD884ADEBBF5FF48324F24842AE819A7210D775A901CFA1

Function 04E670F4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,04E6871D,?,?), ref: 04E687CF

Strings

0/0, xrefs: 04E6875D

Memory Dump Source

Source File: 00000000.00000002.2830800072.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e60000_SecuriteInfo.jbxd

Similarity

API ID: DrawText
String ID: 0/0
API String ID: 2175133113-1915817121
Opcode ID: 3261621b934eb1bfcda8c2a19a33ab1e0661aa505a2741e7bb080f3f3c32f052
Instruction ID: e2146b7a4278b0fe7b968edb23f81370a8f3355ff4840ea7bbebc1ca9b08adc9
Opcode Fuzzy Hash: 3261621b934eb1bfcda8c2a19a33ab1e0661aa505a2741e7bb080f3f3c32f052
Instruction Fuzzy Hash: A931E0B59013099FDB10DF9AD884AAEFBF5FF58364F14842EE919A7210D774A940CFA0

Function 04E6CE00 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 04E6CE7F

Strings

0/0, xrefs: 04E6CE17

Memory Dump Source

Source File: 00000000.00000002.2830800072.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e60000_SecuriteInfo.jbxd

Similarity

API ID: FromMonitorPoint
String ID: 0/0
API String ID: 1566494148-1915817121
Opcode ID: f5e6c1ac129ed5662ecdcfad2811fcb0e6b146198a8ee708d885112a868fb237
Instruction ID: 7118a480bd5e646d0fe3fcde086d4b4e12d677fc53c98d5548bf5f5362ebcbe1
Opcode Fuzzy Hash: f5e6c1ac129ed5662ecdcfad2811fcb0e6b146198a8ee708d885112a868fb237
Instruction Fuzzy Hash: F4216A75A043489FDB10DF9AD505BEEFBF5EB48714F10801AE956AB380CB78A905CFA1

Function 00CED2D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CED367

Strings

0/0, xrefs: 00CED2FF

Memory Dump Source

Source File: 00000000.00000002.2830156620.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID: 0/0
API String ID: 3793708945-1915817121
Opcode ID: 23a5873f3451c0dbb3027130f839750ba2ed037de8a504cad8121488799efbfa
Instruction ID: a17e1b5b8c83987726a9078b87e8c03b0f6c5c8ee9a777b8d496970684b1cc24
Opcode Fuzzy Hash: 23a5873f3451c0dbb3027130f839750ba2ed037de8a504cad8121488799efbfa
Instruction Fuzzy Hash: F821E2B5900249DFDB10CFAAD484ADEBBF5FB48320F14801AE958A3250C778A955CFA5

Function 00CED2E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CED367

Strings

0/0, xrefs: 00CED2FF

Memory Dump Source

Source File: 00000000.00000002.2830156620.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID: 0/0
API String ID: 3793708945-1915817121
Opcode ID: d3cab41dfae82ea37dded72ade2e4b2f35775b96d68573f8ab904fc735c57cce
Instruction ID: 73b2f18c27e1cc306a5801d92f486f63dac3f16c9b5ae96b0ba0f3051cf2f65f
Opcode Fuzzy Hash: d3cab41dfae82ea37dded72ade2e4b2f35775b96d68573f8ab904fc735c57cce
Instruction Fuzzy Hash: 9421C4B59003499FDB10CFAAD884ADEBBF9FB48720F14841AE914A3350D379A954CFA5

Function 04E6CDFF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 04E6CE7F

Strings

0/0, xrefs: 04E6CE17

Memory Dump Source

Source File: 00000000.00000002.2830800072.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e60000_SecuriteInfo.jbxd

Similarity

API ID: FromMonitorPoint
String ID: 0/0
API String ID: 1566494148-1915817121
Opcode ID: ce189acfdf5fd4571e9e97f1289d04275b5d87de9452f3e3d8470b399961ebd8
Instruction ID: afe037b124051a2a75a1098f228dd73730dd0bd16d4c53ba5852547d26b32d75
Opcode Fuzzy Hash: ce189acfdf5fd4571e9e97f1289d04275b5d87de9452f3e3d8470b399961ebd8
Instruction Fuzzy Hash: 842158B59043489FDB10DF9AD445BEEBBF4EB48714F10801AE959AB340C778A945CFA1

Function 00CEB000 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CEB066

Strings

0/0, xrefs: 00CEB01F

Memory Dump Source

Source File: 00000000.00000002.2830156620.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID: 0/0
API String ID: 4139908857-1915817121
Opcode ID: 76778a3accc1e2ac77cc2905ffb74b621e106300223d42487da388abcf236e75
Instruction ID: a7028aea3cb1c0d3d3a47e4cfcb86398c69c5bb561044855fbe6ede8f005dc3a
Opcode Fuzzy Hash: 76778a3accc1e2ac77cc2905ffb74b621e106300223d42487da388abcf236e75
Instruction Fuzzy Hash: FF11DFB6C003498FDB20DF9AC444A9FFBF4AB88724F10841AD529A7610C379A945CFA5

Function 04E6A488 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000003,00000000,00000000,?,?,?,00000000), ref: 04E6A506

Memory Dump Source

Source File: 00000000.00000002.2830800072.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e60000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 2c622540610fb1b1107af3bf299d05d94f12da72afbc117f0228b63b5d67ee7b
Instruction ID: 6f15a23eb630b1b340e963704a59da5baa510b4b079f330172e98cb11558d271
Opcode Fuzzy Hash: 2c622540610fb1b1107af3bf299d05d94f12da72afbc117f0228b63b5d67ee7b
Instruction Fuzzy Hash: D521D732F405109FEB14EB59DC01BA9B766EFC5329F0481B8E50A97755C770E811DB90

Function 00A6D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2829638275.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554fa2c8070074bae9bf0a767cab6536d0ad73d506069537973ba1b05ca71c54
Instruction ID: 1352bd317b9c7fae05d2e2e684e88c44e8e81254314cece24392144ebd6a5757
Opcode Fuzzy Hash: 554fa2c8070074bae9bf0a767cab6536d0ad73d506069537973ba1b05ca71c54
Instruction Fuzzy Hash: 8A21F171A04340DFDB05DF14D9C4B26BF75FB88768F24C569E80A0A656C336D856CAA2

Function 00A7D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2829721277.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd45386cc28a99f2042a727a51caf688e38bd26227dc9822f64ad03bac704f2c
Instruction ID: b7954807a55c2c9a0ec5308ae0221915f67a59f491879d579a109953b7be7bf3
Opcode Fuzzy Hash: bd45386cc28a99f2042a727a51caf688e38bd26227dc9822f64ad03bac704f2c
Instruction Fuzzy Hash: 3521D0B5604304AFDB05DF10D984B26BBB5FF84314F24C6ADE84D4B292C336D847CAA1

Function 00A7D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2829721277.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761d4e692d20bdbe80988fa0a070307c0dceae8c8a33e23edceed784f66e7454
Instruction ID: 4abec3046035527370acfc0d11c28bd43f7e37961c2172190bd36a436ea5b598
Opcode Fuzzy Hash: 761d4e692d20bdbe80988fa0a070307c0dceae8c8a33e23edceed784f66e7454
Instruction Fuzzy Hash: B521CC75604304AFDB14DF24D984B26BBB5FB88324F24C569E84E4B286C33AD847CA62

Function 00A6D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2829638275.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 913a2db35cac40e86f8cd6f1284f8673898310edd46b9cfc77babee4abdddda5
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 9D11E676A04280CFCB16CF14D5C4B16BF72FB94324F24C6A9D84A0F656C33AD856CBA1

Function 00A7D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2829721277.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: 9373df9e5524212f89daa19a2160d4423e5a8be32ddfad3a6ea87971f6e4b06a
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: F1118E75504284DFCB15CF14D9C4B15BB72FB44314F24C6A9D84E4B656C33AD85BCB61

Function 00A7D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2829721277.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: 24116aef6b25eb926f653d99472c94e3111540228489bffd38de65844d737e04
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: DC11A975604280DFCB01CF10C9C0B15BBB2FB84324F28C6A9D8494B296C33AD80ACBA1

Non-executed Functions

Function 00CEDC54 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2830156620.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23ba9ff6c4ef6e5c6c465228c5b38fe0af8f844eabea45087786db800a23d27
Instruction ID: f68dc4a05c1f7e637a0f2a762f1f2bc69a95edd4e2d27c422bc05ae1885923cc
Opcode Fuzzy Hash: c23ba9ff6c4ef6e5c6c465228c5b38fe0af8f844eabea45087786db800a23d27
Instruction Fuzzy Hash: FAA18F32E002598FCF05DFB6C9405DEB7B2FF84300B25857AE916AB265DB71EA16DB40

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exePID: 5972, Parent PID: 4084

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exePID: 5972, Parent PID: 4084COMMON

Execution Graph

Graph

Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.74343103.31007.21862.exe

Function 00CED088 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 131
threadCOMMON

Function 00CED098 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Function 00CEAE10 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 193
COMMON

Function 00CE4248 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Function 00CE590C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95
COMMON

Function 04E68730 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73
COMMON

Function 04E670F4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
COMMON

Function 04E6CE00 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Function 00CED2D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Function 00CED2E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Function 04E6CDFF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
COMMON

Function 00CEB000 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON