Windows
Analysis Report
SecuriteInfo.com.Program.Unwanted.5533.30107.22661.exe
Overview
General Information
Detection
Field | Value |
---|---|
Score | 32 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 40% |
Signatures
Yara detected AntiVM3
May drop file containing decryption instructions (likely related to ransomware)
Monitors registry run keys for changes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected potential crypto function
Drops PE files
Enables security privileges
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Use Short Name Path in Command Line
Steals Internet Explorer cookies
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- SecuriteInfo.com.Program.Unwanted.5533.30107.22661.exe (PID: 3800 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5533.30107.22661.exe" MD5: 17563CFBA0842038F0A8BD7F15C89E2E)
- SecuriteInfo.com.Program.Unwanted.5533.30107.22661.tmp (PID: 2080 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-O0UIQ.tmp\SecuriteInfo.com.Program.Unwanted.5533.30107.22661.tmp" /SL5="$2044E,5851923,832512,C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5533.30107.22661.exe" MD5: 023C73AD61BF1C58697C2C09C09E521F)
- SPONotifications.exe (PID: 7476 cmdline: "C:\Program Files (x86)\Smart PC Solutions\Smart PC Optimizer\SPONotifications.exe" MD5: ADBB7F96A4A14023CE27D2F8D6710736)
- SmartPCOptimizer.exe (PID: 7528 cmdline: "C:\Program Files (x86)\Smart PC Solutions\Smart PC Optimizer\SmartPCOptimizer" /START MD5: 89943B083FEE6DA392A6668D6EE260BB)
- SPONotifications.exe (PID: 8068 cmdline: "C:\Program Files (x86)\Smart PC Solutions\Smart PC Optimizer\SPONotifications.exe" MD5: ADBB7F96A4A14023CE27D2F8D6710736)
- cleanup

No configs have been found.
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |

Sigma rule author: frack113, Nasreddine Bencherchali
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-01T17:29:25.352359+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.7 | 49730 | TCP |
2024-11-01T17:30:05.474200+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.7 | 49947 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-01T17:29:16.753695+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49703 | 116.203.251.147 | 443 | TCP |
2024-11-01T17:29:18.566135+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49705 | 178.63.52.39 | 443 | TCP |
2024-11-01T17:29:19.899521+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49711 | 178.63.52.39 | 443 | TCP |