Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe
Analysis ID:	1501343
MD5:	90b5da7657536a226fde8da73a417746
SHA1:	80fdc6cabb8e170241df17a5852e52a098782aa4
SHA256:	8b4daf990bbf15c272273df92ed829b3283199f593ffc239133fb1e3605e8ab7
Tags:	exe

Errors Corrupt sample or wrongly selected analyzer. Details: The %1 application cannot be run in Win32 mode.

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

PE / OLE file has an invalid certificate

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe (PID: 940 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe" MD5: 90B5DA7657536A226FDE8DA73A417746)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe

ReversingLabs: Detection: 50%

Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF

Source:	Binary string: E:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Driver Valorant\payson-ioctl-cheat-driver-main\build\driver\driver.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe
Source:	Binary string: !E:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Driver Valorant\payson-ioctl-cheat-driver-main\build\driver\driver.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe

Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	String found in binary or memory: http://certs.apple.com/wwdrg3.der01
Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	String found in binary or memory: http://crl.apple.com/root.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	String found in binary or memory: http://ocsp.apple.com/ocsp03-applerootca0.
Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	String found in binary or memory: http://ocsp.apple.com/ocsp03-wwdrg3010
Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	String found in binary or memory: https://www.apple.com/certificateauthority/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe

Code function: 0_2_00007FF7F2631094 ExFreePoolWithTag,ExAllocatePool,ZwQuerySystemInformation,ExFreePoolWithTag,

0_2_00007FF7F2631094

Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe

Static PE information: invalid certificate

Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe

Binary string: \Device\OHGFsL490

Source: classification engine

Classification label: mal48.winEXE@1/0@0/0

Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe

ReversingLabs: Detection: 50%

Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF

Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Driver Valorant\payson-ioctl-cheat-driver-main\build\driver\driver.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe
Source:	Binary string: !E:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Driver Valorant\payson-ioctl-cheat-driver-main\build\driver\driver.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	Binary or memory string: \Device\OHGFsL490
Source: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	Binary or memory string: \DosDevices\OHGFsL490

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe

Code function: 0_2_00007FF7F2631700 cpuid

0_2_00007FF7F2631700

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe

Code function: 0_2_00007FF7F263128C RtlGetVersion,

0_2_00007FF7F263128C

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	11 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	50%	ReversingLabs	Win64.Trojan.Generic

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501343
Start date and time:	2024-08-29 19:23:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe
Detection:	MAL
Classification:	mal48.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe Unable to launch sample, stop analysis

Errors

Corrupt sample or wrongly selected analyzer. Details: The %1 application cannot be run in Win32 mode.

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ocsp.edge.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net
Execution Graph export aborted for target SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe, PID 940 because there are no executed function
VT rate limit hit for: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	http://idtyvfyfmst.weebly.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://getquckbulck.top	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://passtcnet.homeunix.com/amj/2.mp4	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://sgsconsulting.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://idtyvfyfmst.weebly.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://www.water-filter.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://econltractors.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://premium.davidabostic.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://elc-path.com/pdfglobal2/docs89q9eqwwe/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://gocloud.co.ke/ShareDocu.php/?email=cmFjaGVsakBjb21wbHl3b3Jrcy5jb20=	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	192.229.221.95

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (native) x86-64, for MS Windows
Entropy (8bit):	6.46362536517447
TrID:	Win64 Device Driver (generic) (12004/3) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe
File size:	17'704 bytes
MD5:	90b5da7657536a226fde8da73a417746
SHA1:	80fdc6cabb8e170241df17a5852e52a098782aa4
SHA256:	8b4daf990bbf15c272273df92ed829b3283199f593ffc239133fb1e3605e8ab7
SHA512:	d7838aad609b4c2cf1d932d72fab5f6cab221d9d7923e568a921164cd39718bb12bdf227fa093fdb31f943b28b189c2156892cc30e344555f8d4900f45a3b615
SSDEEP:	384:k+OkJ6DIX5/DQeNymPH8E9VF3AM+oMMFp99:6CDBcENAMxMg
TLSH:	14828DF556153C96EF1B687861C9A43AFD75B3872762C5DB4194C2240F42BC23E3D2E8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y..W...W...W...W...V....`..T...W...F....`..Q....`..R...8...V...8...V...RichW...........PE..d...5..f.........."....&...........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140001000
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	native
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Time Stamp:	0x66C2F035 [Mon Aug 19 07:11:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	48aab8b485505e39221c6ac40909a9cb

Authenticode Signature

Signature Valid:	false
Signature Issuer:	C=US, O=Apple Inc., OU=G3, CN=Apple Worldwide Developer Relations Certification Authority
Signature Validation Error:	A certificate chain could not be built to a trusted root authority
Error Number:	-2146762486
Not Before, Not After	18/04/2023 05:42:38 17/04/2026 05:42:37
Subject Chain	C=CN, O="TVMining Media Technology Co., Ltd.", OU=B7ASWPLEQP, CN="iPhone Distribution: TVMining Media Technology Co., Ltd.", OID.0.9.2342.19200300.100.1.1=B7ASWPLEQP
Version:	3
Thumbprint MD5:	A11CDBFD10E3DABAEC835AB4C1246EB8
Thumbprint SHA-1:	695A55F12BBE1C4DDAAB5BA0D39CCA80B25BCE9E
Thumbprint SHA-256:	63782209D25E351B5201DA6BB51C4C111EED9F601ECAF3658129E7C62000C9A8
Serial:	433BBD610FB88B195295211CEB94B69E

Entrypoint Preview

Instruction
dec eax
lea edx, dword ptr [000002E9h]
xor ecx, ecx
jmp 00007EFEFCDFBD9Fh
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, edx
xor edx, edx
dec eax
mov ecx, ebx
call dword ptr [0000100Ch]
mov eax, dword ptr [ebx+30h]
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp dword ptr [ecx], 00398769h
dec eax
mov ebx, ecx
jne 00007EFEFCDFB708h
dec eax
arpl word ptr [ecx+04h], ax
test eax, eax
je 00007EFEFCDFB700h
dec eax
and dword ptr [esp+30h], 00000000h
dec eax
lea edx, dword ptr [esp+30h]
dec eax
mov ecx, eax
call dword ptr [0000100Bh]
dec eax
mov ecx, dword ptr [esp+30h]
dec eax
test ecx, ecx
je 00007EFEFCDFB6E2h
call 00007EFEFCDFBD47h
dec eax
test eax, eax
je 00007EFEFCDFB6D8h
dec eax
mov ecx, dword ptr [ebx+08h]
dec eax
mov dword ptr [ecx], eax
dec eax
mov ecx, dword ptr [esp+30h]
call dword ptr [00000FD5h]
xor eax, eax
jmp 00007EFEFCDFB6C7h
mov eax, C0000001h
dec eax
add esp, 20h
pop ebx
ret
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 20h
cmp dword ptr [ecx], 00398769h
dec eax
mov esi, ecx
je 00007EFEFCDFB6CCh
mov eax, C0000001h
jmp 00007EFEFCDFB77Ah
xor ebx, ebx
dec esp
lea ecx, dword ptr [esp+30h]
inc ebp
xor eax, eax
mov dword ptr [esp+30h], ebx
dec eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5000	0x28	INIT
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4000	0xe4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2200	0x2328
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0x24	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2230	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x20f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x90	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xd2c	0xe00	d66a3b2f55aa3e6697453efd94851fc8	False	0.5864955357142857	data	5.891165627330976	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x55c	0x600	f46bcef09365a906c2c3cb099f1217cb	False	0.4166666666666667	COM executable for DOS	3.4492684598402525	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.data	0x3000	0x40	0x200	cbb748dee567c4d5bf81dbe930f4b320	False	0.044921875	Matlab v4 mat-file (little endian) \231+, sparse, rows 0, columns 0	0.14263576814887827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x4000	0xe4	0x200	60b5a33475c6e368a968172c7922a3f4	False	0.3125	PEX Binary Archive	1.8589259487159813	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
INIT	0x5000	0x238	0x400	5ae7b6b5e0712cb96ca9db29ab0a3a7a	False	0.3466796875	data	2.9939354875697997	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x6000	0x24	0x200	1f4efc9ecfe0db769e417c46c3d0da6e	False	0.095703125	data	0.5034383167085339	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ntoskrnl.exe	RtlInitUnicodeString, RtlGetVersion, ExAllocatePool, ExFreePoolWithTag, MmUnmapIoSpace, MmMapIoSpaceEx, IofCompleteRequest, IoCreateDevice, IoCreateSymbolicLink, IoDeleteDevice, IoDeleteSymbolicLink, ObfDereferenceObject, MmCopyMemory, PsLookupProcessByProcessId, IoCreateDriver, PsGetProcessSectionBaseAddress, ZwQuerySystemInformation

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 19:24:22.355266094 CEST	1.1.1.1	192.168.2.5	0x2e2f	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 19:24:22.355266094 CEST	1.1.1.1	192.168.2.5	0x2e2f	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exePID: 940, Parent PID: 1028

General

Target ID:	0
Start time:	13:24:26
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe"
Imagebase:	0x7ff7f2630000
File size:	17'704 bytes
MD5 hash:	90B5DA7657536A226FDE8DA73A417746
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exePID: 940, Parent PID: 1028COMMON

Non-executed Functions

Function 00007FF7F2631094 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68memorynativeCOMMON

Download Yara Rule

APIs

ExFreePoolWithTag.NTOSKRNL.EXE ref: 00007FF7F26310EA
ExAllocatePool.NTOSKRNL.EXE ref: 00007FF7F26310F6
ZwQuerySystemInformation.NTOSKRNL.EXE ref: 00007FF7F2631111
ExFreePoolWithTag.NTOSKRNL.EXE ref: 00007FF7F2631165

Strings

TnoC, xrefs: 00007FF7F263113D

Memory Dump Source

Source File: 00000000.00000002.2189718781.00007FF7F2631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F2630000, based on PE: true

Associated: 00000000.00000002.2189701147.00007FF7F2630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189734788.00007FF7F2632000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189752108.00007FF7F2634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189765938.00007FF7F2635000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f2630000_SecuriteInfo.jbxd

Similarity

API ID: FreePoolTag.With$AllocateInformation.Pool.QuerySystem
String ID: TnoC
API String ID: 270286560-718456449
Opcode ID: e8d4c319ac97a194a64eaf48438c26ea64b723645a3d7a9252985b0fc2af9a19
Instruction ID: 0c916a6c98f0b73ccd5da5a2789b0802916a45e965f2493e66ab34ab794630c4
Opcode Fuzzy Hash: e8d4c319ac97a194a64eaf48438c26ea64b723645a3d7a9252985b0fc2af9a19
Instruction Fuzzy Hash: 0621E975B1C68582EB649B169180679E3A3FB48B84F948075DA6D03FC8CFBDEC81DB50

Function 00007FF7F263128C Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

RtlGetVersion.NTOSKRNL.EXE ref: 00007FF7F26312AA

Memory Dump Source

Source File: 00000000.00000002.2189718781.00007FF7F2631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F2630000, based on PE: true

Associated: 00000000.00000002.2189701147.00007FF7F2630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189734788.00007FF7F2632000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189752108.00007FF7F2634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189765938.00007FF7F2635000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f2630000_SecuriteInfo.jbxd

Similarity

API ID: Version.
String ID:
API String ID: 4117761997-0
Opcode ID: a504fe3e7332e3f595242ad3ee69ec368ad003783d483382a79f66b4f4c13d97
Instruction ID: 0a52d4b7651b41a81d6dd826fb9d56adfdc99dd3ae48a00c9f20cde5b077d57b
Opcode Fuzzy Hash: a504fe3e7332e3f595242ad3ee69ec368ad003783d483382a79f66b4f4c13d97
Instruction Fuzzy Hash: 94F0D426E0C14246F7B06669D0883789152BB95301FD452B1E56DC1BD8CD9CEE84EBA9

Function 00007FF7F2631700 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189718781.00007FF7F2631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F2630000, based on PE: true

Associated: 00000000.00000002.2189701147.00007FF7F2630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189734788.00007FF7F2632000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189752108.00007FF7F2634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189765938.00007FF7F2635000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f2630000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5871cc722dc03c176e77e1eee76a988c3731cc8a4ffdaaf5c98dfd6c20a69ed6
Instruction ID: ac710e02720ff20127b7c01b75094b2f7be2bce63856b6f46843fe0b22d714d3
Opcode Fuzzy Hash: 5871cc722dc03c176e77e1eee76a988c3731cc8a4ffdaaf5c98dfd6c20a69ed6
Instruction Fuzzy Hash: AD01B172B0C2828AF7199E29A082B26BAD2A364310F80D07DD59EC3BC5D57D94909F64

Function 00007FF7F26312F0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTOSKRNL.EXE ref: 00007FF7F2631313
RtlInitUnicodeString.NTOSKRNL.EXE ref: 00007FF7F2631325
IoCreateDevice.NTOSKRNL.EXE ref: 00007FF7F2631355
IoCreateSymbolicLink.NTOSKRNL.EXE ref: 00007FF7F2631369
IoDeleteDevice.NTOSKRNL.EXE ref: 00007FF7F263137D

Strings

\DosDevices\OHGFsL490, xrefs: 00007FF7F2631319
\Device\OHGFsL490, xrefs: 00007FF7F2631305

Memory Dump Source

Source File: 00000000.00000002.2189718781.00007FF7F2631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F2630000, based on PE: true

Associated: 00000000.00000002.2189701147.00007FF7F2630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189734788.00007FF7F2632000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189752108.00007FF7F2634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189765938.00007FF7F2635000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f2630000_SecuriteInfo.jbxd

Similarity

API ID: CreateDevice.InitString.Unicode$DeleteLink.Symbolic
String ID: \Device\OHGFsL490$\DosDevices\OHGFsL490
API String ID: 1055650502-797575210
Opcode ID: e401287dfdd1ea83126ebf4e1eaeb051637359655d44e9bd7b0611466d1b92b9
Instruction ID: 5ef85f1eba5ca22345be94569c320a2fcd2ce4f4d373f46c2445593659bb09d5
Opcode Fuzzy Hash: e401287dfdd1ea83126ebf4e1eaeb051637359655d44e9bd7b0611466d1b92b9
Instruction Fuzzy Hash: A7212B3261CB8292EB109F15F884399B7A5FB84788F804175C79D43BA8DFBCE909D790

Function 00007FF7F2631494 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MmCopyMemory.NTOSKRNL.EXE ref: 00007FF7F263150B
MmCopyMemory.NTOSKRNL.EXE ref: 00007FF7F2631550
MmCopyMemory.NTOSKRNL.EXE ref: 00007FF7F26315A9
MmCopyMemory.NTOSKRNL.EXE ref: 00007FF7F26315EE

Memory Dump Source

Source File: 00000000.00000002.2189718781.00007FF7F2631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F2630000, based on PE: true

Associated: 00000000.00000002.2189701147.00007FF7F2630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189734788.00007FF7F2632000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189752108.00007FF7F2634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189765938.00007FF7F2635000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f2630000_SecuriteInfo.jbxd

Similarity

API ID: CopyMemory.
String ID:
API String ID: 1294038310-0
Opcode ID: 9b30d3826514b3acac7b14ce90094d97fa10d693872eb120fa5c5a0264eefb49
Instruction ID: e042bf644b26a720ff0f0015cdb83bd39b985c1b5c028defda6451f2327dfff4
Opcode Fuzzy Hash: 9b30d3826514b3acac7b14ce90094d97fa10d693872eb120fa5c5a0264eefb49
Instruction Fuzzy Hash: 4141BBA3728B4596EB118F51E8403E867A2FB157ECF505631DE2D07BC8EB79C90AD350

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Errors

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exePID: 940, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exePID: 940, Parent PID: 1028COMMON

Non-executed Functions

Function 00007FF7F2631094 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68memorynativeCOMMON

Function 00007FF7F263128C Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Function 00007FF7F2631700 Relevance: .0, Instructions: 48COMMON

Function 00007FF7F26312F0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMON

Function 00007FF7F2631494 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe