Windows
Analysis Report
SecuriteInfo.com.PUA.VMProtect.7160.22341.exe
Overview
General Information
Detection
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- SecuriteInfo.com.PUA.VMProtect.7160.22341.exe (PID: 7528 cmdline:
"C:\Users\ user\Deskt op\Securit eInfo.com. PUA.VMProt ect.7160.2 2341.exe" MD5: 1394628B42DB25D5960C3AB8027B4FB4) - conhost.exe (PID: 7536 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
System Summary |
---|
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | Process created: | ||
Source: | Process created: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Last function: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
24% | ReversingLabs | |||
100% | Avira | HEUR/AGEN.1315472 | ||
100% | Joe Sandbox ML |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1501344 |
Start date and time: | 2024-08-29 19:23:22 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 46s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 17 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | SecuriteInfo.com.PUA.VMProtect.7160.22341.exe |
Detection: | MAL |
Classification: | mal68.winEXE@2/0@0/0 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe
- Excluded IPs from analysis (whitelisted): 20.73.194.208
- Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, atm-settingsfe-prod-geo2.trafficmanager.net, slscr.update.microsoft.com, settings-prod-weu-2.westeurope.cloudapp.azure.com, tse1.mm.bing.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target SecuriteInfo.com.PUA.VMProtect.7160.22341.exe, PID 7528 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: SecuriteInfo.com.PUA.VMProtect.7160.22341.exe
File type: | |
Entropy (8bit): | 7.923422477443611 |
TrID: |
|
File name: | SecuriteInfo.com.PUA.VMProtect.7160.22341.exe |
File size: | 6'500'352 bytes |
MD5: | 1394628b42db25d5960c3ab8027b4fb4 |
SHA1: | 6778358165002ca54686d85419f35e9575b4e8d5 |
SHA256: | 904d122b8bf322d91a0711a5adbd13e6a100bdec5d735e241409481b40f5a75d |
SHA512: | 7ce23c0f137f7df96d34c000b3e04effd17595950dcb6733ec569d91aebedbc9197f98be7e597d75a220eb588ba6b1dc1f5f58586b1e2dc52b5ce2c1acfacb11 |
SSDEEP: | 98304:Oiwk1y8GFolQ9oZqqgOxgDh/KWbWw+FmJIqKfWNXinAsgZXqvGYMbn:O3k0FoVRgtF+FLWNSLl |
TLSH: | 6A6623FD61543758C41A8C385133ED09B1F6062F0EF98AB978DFBAC07FA38249691B56 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...^..f.........."....&.......................@..........................................`................................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x1409db384 |
Entrypoint Section: | .vmp1 |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x66CF9D5E [Wed Aug 28 21:57:50 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 81631472274658d3947e814d8e376086 |
Instruction |
---|
push 5152E776h |
call 00007F2F847C54A6h |
xor dword ptr [esi+ebp*8], esp |
pop ss |
jo 00007F2F846CE761h |
cmpsb |
inc esi |
push eax |
mov es, ax |
push cs |
push ds |
jnp 00007F2F846CE79Ah |
add bl, byte ptr [ebp+42F6E9E1h] |
test eax, 3A3C4E46h |
xor dword ptr [esi-80h], eax |
popfd |
scasd |
cwde |
push ds |
jo 00007F2F846CE771h |
xor al, CFh |
loope 00007F2F846CE734h |
hlt |
inc ebp |
pop ss |
inc esi |
mov al, byte ptr [1E35F132h] |
mov dword ptr [B9AF988Fh], eax |
jnbe 00007F2F846CE6ECh |
xor eax, ecx |
loope 00007F2F846CE75Dh |
les eax, edi |
mov bl, 46h |
rol byte ptr [edx], FFFFFFF8h |
sbb ebx, dword ptr [esi] |
push esp |
cmp cl, byte ptr [eax+7AA2A1E1h] |
mov esp, 02583246h |
and al, 46h |
and al, 79h |
xchg eax, edi |
lea ebx, dword ptr [esi] |
movsb |
retf |
or al, DAh |
loope 00007F2F846CE7B4h |
dec eax |
jnl 00007F2F846CE764h |
inc esi |
and byte ptr [edx-576568D8h], dl |
jc 00007F2F846CE75Fh |
add al, byte ptr [edi-5FC7B2E1h] |
dec esp |
or cl, byte ptr [ebx] |
push ds |
dec ebp |
int1 |
push ebp |
add al, bh |
xchg eax, edx |
outsd |
jnp 00007F2F846CE7A2h |
insd |
js 00007F2F846CE741h |
movsd |
sahf |
jmp 00007F2F8C500060h |
xchg eax, ebx |
xchg eax, ecx |
dec esi |
inc ebx |
push es |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xa1f968 | 0xc4f | .vmp1 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8fad50 | 0x2bc | .vmp1 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb99000 | 0x1e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xb876c0 | 0xff9c | .vmp1 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb98000 | 0xc8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x9e2510 | 0x30 | .vmp1 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb87580 | 0x140 | .vmp1 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa1c000 | 0x280 | .vmp1 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x130960 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x132000 | 0x4b6fa | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x17e000 | 0x56bc8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x1d5000 | 0xd23c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.vmp0 | 0x1e3000 | 0x3816cd | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.vmp1 | 0x565000 | 0x63265c | 0x632800 | c98d527b18b34ebc9f8201e1064624e0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.reloc | 0xb98000 | 0xc8 | 0x200 | d9e46b46d1b074e1b48eb43f1fff5d1c | False | 0.322265625 | GLS_BINARY_LSB_FIRST | 1.9392435587922985 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0xb99000 | 0x1e0 | 0x200 | e3a6493e0931623162fa18f60309c4f7 | False | 0.5390625 | data | 4.772037401703051 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0xb99058 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143 |
DLL | Import |
---|---|
d3d11.dll | D3D11CreateDeviceAndSwapChain |
D3DCOMPILER_43.dll | D3DCompile |
KERNEL32.dll | ReadFile |
USER32.dll | SetCursor |
ADVAPI32.dll | DeleteService |
MSVCP140.dll | ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ |
dwmapi.dll | DwmExtendFrameIntoClientArea |
WINHTTP.dll | WinHttpSendRequest |
CRYPT32.dll | CertCreateCertificateChainEngine |
IMM32.dll | ImmReleaseContext |
Normaliz.dll | IdnToAscii |
WLDAP32.dll | |
WS2_32.dll | ntohs |
RPCRT4.dll | UuidToStringA |
PSAPI.DLL | GetModuleInformation |
USERENV.dll | UnloadUserProfile |
VCRUNTIME140_1.dll | __CxxFrameHandler4 |
VCRUNTIME140.dll | __current_exception_context |
api-ms-win-crt-runtime-l1-1-0.dll | exit |
api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vsprintf_s |
api-ms-win-crt-heap-l1-1-0.dll | calloc |
api-ms-win-crt-math-l1-1-0.dll | asinf |
api-ms-win-crt-string-l1-1-0.dll | strncmp |
api-ms-win-crt-convert-l1-1-0.dll | atoi |
api-ms-win-crt-utility-l1-1-0.dll | qsort |
api-ms-win-crt-filesystem-l1-1-0.dll | _unlink |
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale |
api-ms-win-crt-time-l1-1-0.dll | _time64 |
SHELL32.dll | ShellExecuteA |
WTSAPI32.dll | WTSSendMessageW |
KERNEL32.dll | GetSystemTimeAsFileTime |
USER32.dll | GetUserObjectInformationW |
KERNEL32.dll | LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress |
USER32.dll | GetProcessWindowStation, GetUserObjectInformationW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Click to jump to process
Click to jump to process
Click to jump to process
Target ID: | 2 |
Start time: | 13:24:33 |
Start date: | 29/08/2024 |
Path: | C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.7160.22341.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff669c00000 |
File size: | 6'500'352 bytes |
MD5 hash: | 1394628B42DB25D5960C3AB8027B4FB4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 3 |
Start time: | 13:24:33 |
Start date: | 29/08/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff66e660000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |