Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
Analysis ID:	1501345
MD5:	88783a57777926114b5c5c95af4c943c
SHA1:	6f57492bd78ebc3c3900919e08e039fbc032268a
SHA256:	94132d9dde2b730f4800ee383ddaa63d2e2f92264f07218295d2c5755a414b6a
Tags:	exe
Infos:

Detection

Score:	42
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to query network adapater information

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe (PID: 5916 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe" MD5: 88783A57777926114B5C5C95AF4C943C)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 84.9% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

Static PE information: certificate valid

Source: global traffic

HTTP traffic detected: GET /pc_game_ly.php?lm=9377ly&rnd=960.9796 HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: client.9377.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: client.9377.com
Source: global traffic	DNS traffic detected: DNS query: www.y2126.com

Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.9377.com/api/ly_client_button.php?
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000058C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bbs.9377.com/forum-277-1.html
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://client.9377.com/pc_game_ly.php
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000058C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2690956172.0000000000191000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B10000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2696024851.00000000043D8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.0000000000612000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796$
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796...terfaced=960.979688.com/pay/recharge?
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000058C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796Zt
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.0000000000612000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796d
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000058C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796ju
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796kcl
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691138467.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=Rhttp://www.9377.com/pay_index.php?game=lyHhttp://bbs.9377.
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691138467.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ly.9377.com/
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	String found in binary or memory: http://w.w3.
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.1188.com/guanwang/ly
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.1188.com/pay/recharge?gid=
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.1188.com/pay/recharge?gid=5
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.1188.com/pay/recharge?gid=5&server=
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	String found in binary or memory: http://www.9377.com/kefu.html
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.0000000000584000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.9377.com/kefu.html)F
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.9377.com/pay_index.php?game=ly
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.y2126.com/
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691138467.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.y2126.com/9377ly.asp?short=1&t=
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.y2126.com/9377ly.asp?short=1&t=17.40229&id=004F0049004D004D0082008F0092005B00590043005C00
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.y2126.com/9377ly.asp?short=1&t=17.40229rt
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.0000000000612000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.y2126.com/ckground_gradient.jpgjqW
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comt

Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

Static PE information: Resource name: IMG type: DOS executable (COM)

Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000000.1439677149.0000000000513000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelh15_ly.exe vs SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691849808.0000000000513000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelh15_ly.exe vs SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Binary or memory string: OriginalFilenamelh15_ly.exe vs SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal42.winEXE@1/10@3/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\http_400_webOC[1]

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DFDBEA2E7E2544A31B.TMP

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: vb6chs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: vb6chs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Section loaded: dhcpcsvc.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

Static PE information: certificate valid

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Code function: 0_2_004015E8 pushad ; retf		0_2_004015E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Code function: 0_2_0046525E pushad ; iretd		0_2_00465266

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Memory allocated: 43B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Memory allocated: 52C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Memory allocated: 5440000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Memory allocated: 54C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Memory allocated: 9840000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,		0_2_004A1840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Code function: GetAdaptersInfo,		0_2_0046AA0C

Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW A
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWE
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691138467.0000000000401000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	11 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	24%	ReversingLabs	Win32.Trojan.LTLogger
SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.y2126.com/9377ly.asp?short=1&t=17.40229&id=004F0049004D004D0082008F0092005B00590043005C00	0%	Avira URL Cloud	safe
http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796...terfaced=960.979688.com/pay/recharge?	0%	Avira URL Cloud	safe
http://www.1188.com/pay/recharge?gid=5&server=	0%	Avira URL Cloud	safe
http://client.9377.com/pc_game_ly.php	0%	Avira URL Cloud	safe
http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796ju	0%	Avira URL Cloud	safe
http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796d	0%	Avira URL Cloud	safe
http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796$	0%	Avira URL Cloud	safe
http://ly.9377.com/	0%	Avira URL Cloud	safe
http://www.y2126.com/ckground_gradient.jpgjqW	0%	Avira URL Cloud	safe
http://bbs.9377.com/forum-277-1.html	0%	Avira URL Cloud	safe
http://client.9377.com/pc_game_ly.php?lm=	0%	Avira URL Cloud	safe
http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796kcl	0%	Avira URL Cloud	safe
http://www.9377.com/pay_index.php?game=ly	0%	Avira URL Cloud	safe
http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.	0%	Avira URL Cloud	safe
http://www.y2126.com/9377ly.asp?short=1&t=	0%	Avira URL Cloud	safe
http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796Zt	0%	Avira URL Cloud	safe
http://www.1188.com/guanwang/ly	0%	Avira URL Cloud	safe
http://app.9377.com/api/ly_client_button.php?	0%	Avira URL Cloud	safe
http://www.9377.com/kefu.html	0%	Avira URL Cloud	safe
http://client.9377.com/pc_game_ly.php?lm=Rhttp://www.9377.com/pay_index.php?game=lyHhttp://bbs.9377.	0%	Avira URL Cloud	safe
http://www.1188.com/pay/recharge?gid=	0%	Avira URL Cloud	safe
http://www.1188.com/pay/recharge?gid=5	0%	Avira URL Cloud	safe
http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796	0%	Avira URL Cloud	safe
http://www.9377.com/kefu.html)F	0%	Avira URL Cloud	safe
http://www.y2126.com/	0%	Avira URL Cloud	safe
http://www.y2126.com/9377ly.asp?short=1&t=17.40229rt	0%	Avira URL Cloud	safe
http://w.w3.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
traefik.sz.ali.pool.9377.com	120.76.203.28	true	false	unknown
www.y2126.com	unknown	unknown	false	unknown
client.9377.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.y2126.com/9377ly.asp?short=1&t=17.40229&id=004F0049004D004D0082008F0092005B00590043005C00	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B9E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ly.9377.com/	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691138467.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796$	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.0000000000612000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796d	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.0000000000612000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796ju	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000058C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.1188.com/pay/recharge?gid=5&server=	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bbs.9377.com/forum-277-1.html	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000058C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://client.9377.com/pc_game_ly.php	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B2D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.y2126.com/ckground_gradient.jpgjqW	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.0000000000612000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796...terfaced=960.979688.com/pay/recharge?	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://client.9377.com/pc_game_ly.php?lm=	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000058C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.1188.com/guanwang/ly	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2690956172.0000000000191000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.9377.com/pay_index.php?game=ly	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796Zt	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000058C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796kcl	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B10000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://app.9377.com/api/ly_client_button.php?	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.y2126.com/9377ly.asp?short=1&t=	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691138467.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://client.9377.com/pc_game_ly.php?lm=Rhttp://www.9377.com/pay_index.php?game=lyHhttp://bbs.9377.	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691138467.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.9377.com/kefu.html	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	false	Avira URL Cloud: safe	unknown
http://www.1188.com/pay/recharge?gid=	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://w.w3.	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe	false	Avira URL Cloud: safe	unknown
http://www.y2126.com/	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.9377.com/kefu.html)F	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.0000000000584000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.y2126.com/9377ly.asp?short=1&t=17.40229rt	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.1188.com/pay/recharge?gid=5	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
120.76.203.28	traefik.sz.ali.pool.9377.com	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501345
Start date and time:	2024-08-29 19:23:22 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
Detection:	MAL
Classification:	mal42.winEXE@1/10@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 6 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

Simulations

Behavior and APIs

Time	Type	Description
13:24:44	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	SecuriteInfo.com.Linux.Siggen.9999.28377.24731.elf	Get hash	malicious	Mirai	Browse	139.246.180.243
	SecuriteInfo.com.Linux.Siggen.9999.6015.2041.elf	Get hash	malicious	Mirai	Browse	39.96.157.233
	SecuriteInfo.com.Linux.Siggen.9999.16227.30183.elf	Get hash	malicious	Mirai	Browse	47.114.199.42
	AyyPZaqgaZ.exe	Get hash	malicious	Unknown	Browse	39.97.203.64
	https://oh3y.ulvantiro.su/82xG/	Get hash	malicious	HTMLPhisher	Browse	203.119.144.7
	factura-630.900.exe	Get hash	malicious	FormBook	Browse	47.104.180.139
	PAGO $630.900.exe	Get hash	malicious	FormBook	Browse	47.104.180.139
	g4oUrF5Xr7.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	60.205.2.78
	HZXkZxgQBR.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	60.205.2.78
	TREvPb2cEy.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	60.205.2.78

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
File Type:	data
Category:	dropped
Size (bytes):	49120
Entropy (8bit):	0.0017331682157558962
Encrypted:	false
SSDEEP:	3:Ztt:T
MD5:	0392ADA071EB68355BED625D8F9695F3
SHA1:	777253141235B6C6AC92E17E297A1482E82252CC
SHA-256:	B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512:	EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\background_gradient[1]

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, components 3
Category:	modified
Size (bytes):	453
Entropy (8bit):	5.019973044227213
Encrypted:	false
SSDEEP:	6:3llVuiPjlXJYhg5suRd8PImMo23C/kHrJ8yA/NIeYoWg78C/vTFvbKLAh3:V/XPYhiPRd8j7+9LoIrobtHTdbKi
MD5:	20F0110ED5E4E0D5384A496E4880139B
SHA1:	51F5FC61D8BF19100DF0F8AADAA57FCD9C086255
SHA-256:	1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
SHA-512:	5F52C117E346111D99D3B642926139178A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86DD7C56C25E44B14EFDC3F13B45EDEDA064DB5A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.....d.d......Ducky.......P......Adobe.d................................................................................................................................................. ...............W..............................................................Qa.................................?......%.....x......s...Z.......j.T.wz.6...X.@... V.3tM...P@.u.%...m..D.25...T...F.........p......A..........BP..qD.(.........ntH.@......h?..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\httpErrorPagesScripts[1]

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
Reputation:	high, very likely benign file
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\http_400_webOC[1]

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	6309
Entropy (8bit):	3.8506703058719767
Encrypted:	false
SSDEEP:	48:upUPinvV4VkBXvLoJyk5N9JXa5TI7kZ3GUsn3GFa7K083GJehBuU1kpd87KxnCQ:ufbpM9N9JcKktZs36a7x05h427Ov
MD5:	05BF9126C766F2136B6FB1CEC93EF98D
SHA1:	FF25A19853A8F675B9A065933DD2503CFA623597
SHA-256:	4F3F545A25EE10E5269615794C9E17B84604A4C6AAE55286189599D4E188A639
SHA-512:	86DC43834FF2382826E1AC17859FA1A62F21AF105D450E9A40C2607A30DFC4DC4291602CB736E915CB47283436FFD4BF9F98C18158B51D1042C29F04A1557600
Malicious:	false
Reputation:	low
Preview:	.<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">....<html>.... <head>.. <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css" >.... <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.... <title>HTTP 400 Bad Request</title>.... <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:initHomepage(); expandCollapse('infoBlockID', true); initGoBack(); initMoreInfo('infoBlockID');">.... <table width="730" cellpadding="0" cellspacing="0" border="0">.... Error title -->.. <tr>.. <td id="infoIconAlign" width="60" align="left" valign="top" rowspan="2">.. <img src="info_48.png" id="infoIcon" alt="Information icon">..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\info_48[1]

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
File Type:	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4113
Entropy (8bit):	7.9370830126943375
Encrypted:	false
SSDEEP:	96:WNTJL8szf79M8FUjE39KJoUUuJPnvmKacs6Uq7qDMj1XPL:WNrzFoQSJPnvzs6rL
MD5:	5565250FCC163AA3A79F0B746416CE69
SHA1:	B97CC66471FCDEE07D0EE36C7FB03F342C231F8F
SHA-256:	51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
SHA-512:	E60EA153B0FECE4D311769391D3B763B14B9A140105A36A13DAD23C2906735EAAB9092236DEB8C68EF078E8864D6E288BEF7EF1731C1E9F1AD9B0170B95AC134
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.../...0.......#.....IDATx^...pUU..{....KB........!....F......jp.Q.......Vg.F..m.Q....{...,m.@.56D...&$d!.<..}....s..K9.....{............[./<..T..I.I..JR)).9.k.N.%.E.W^}....Po..............X..;.=.P......./...+...9./..s.....9..\|........7v.`..V.....-^.$S[[[......K..z......3..3....5 ...0.."/n/.c...&.{.ht..?....A..I{.n.....\|....t......N}..%.v...:.E..i....`....a.k.mg.LX..fcFU.fO-..YEfd.}...~."......}l$....^.re..'^X..}.?.^U.G..... .30...X......f[.l0.P`..KC...[..[..6....~..i..Q.\|;x..T ..........s.5...n+.0..;...H#.2..#.M..m[^3x&E.Ya..\K..{[..M..g...yf0..~....M.]7..ZZZ:..a.O.G64]....9..l[..a....N,,.h......5...f.y...}...BX{.G^...?.c.......s^..P.(..G...t.0.:.X.DCs.....]vf...py).........x..>-..Be.a...G...Y!...z...g.{....d.s.o.....%.x......R.W.....Z.b,....!..6Ub....U.qY(/v..m.a...4.`Qr\.E.G..a)..t..e.j.W........C<.1.....c..l1w....]3%....tR;.,..3..-.NW.5...t..H..h..D..b......M....)B..2J...)..o..m..M.t....wn./....+Wv....xkg....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\down[1]

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
SSDEEP:	12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\errorPageStrings[1]

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4722
Entropy (8bit):	5.16192639844512
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g5O8b7A9I5:JsUOG1yNlX6ZzWpHOo/iP16CbM1k
MD5:	387B4FC78ABB97F378C5299D4D2CE305
SHA1:	6F2995FC620AB520C9EE1CA7244DF57367F983A2
SHA-256:	030209A13E2C84118139ABF0C4F08DBD203B4C802C7B73B74851860D79DF9CB7
SHA-512:	592D5E3FB7C78420F648281D87B0B303773749B8E0D3621A493ACAE257E2C1E77B782F3D6DAA0C2B3D37CBB4865B382617AF744E34F66C0F3E522DBCA7D71AAE
Malicious:	false
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\ErrorPageTemplate[1]

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2168
Entropy (8bit):	5.207912016937144
Encrypted:	false
SSDEEP:	24:5+j5xU5k5N0ndgvoyeP0yyiyQCDr3nowMVworDtX3orKxWxDnCMA0da+hieyuSQK:5Q5K5k5pvFehWrrarrZIrHd3FIQfOS6
MD5:	F4FE1CB77E758E1BA56B8A8EC20417C5
SHA1:	F4EDA06901EDB98633A686B11D02F4925F827BF0
SHA-256:	8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
SHA-512:	62514AB345B6648C5442200A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E5961074BFAC219949102A416C09733F24E8468984B96843DC222B436
Malicious:	false
Preview:	.body..{...font-family: "Segoe UI", "verdana", "arial";...background-image: url(background_gradient.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;...color: #575757;..}....body.securityError..{...font-family: "Segoe UI", "verdana" , "Arial";...background-image: url(background_gradient_red.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;..}....body.tabInfo..{...background-image: none;...background-color: #F4F4F4;..}.. ..a..{...color: rgb(19,112,171);.font-size: 1em;...font-weight: normal;...text-decoration: none;...margin-left: 0px;...vertical-align: top;..}....a:link, a:visited..{...color: rgb(19,112,171);...text-decoration: none;...vertical-align: top;..}....a:hover..{...color: rgb(7,74,229);...text-decoration: underline;..}....p..{...font-size: 0.9em;..}.....h1 /* used for Title */..{...color: #4465A2;...font-size: 1.1em;...font-weight: normal;...vertical-align

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\bullet[1]

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	447
Entropy (8bit):	7.304718288205936
Encrypted:	false
SSDEEP:	12:6v/71Cyt/JNTWxGdr+kZDWO7+4dKIv0b1GKuxu+R:/yBJNTqsSk9BTwE05su+R
MD5:	26F971D87CA00E23BD2D064524AEF838
SHA1:	7440BEFF2F4F8FABC9315608A13BF26CABAD27D9
SHA-256:	1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
SHA-512:	C62EB51BE301BB96C80539D66A73CD17CA2021D5D816233853A37DB72E04050271E581CC99652F3D8469B390003CA6C62DAD2A9D57164C620B7777AE99AA1B15
Malicious:	false
Preview:	.PNG........IHDR...............ex....PLTE...(EkFRp&@e&@e)Af)AgANjBNjDNjDNj2Vv-Xz-Y{3XyC\}E_.2j.3l.8p.7q.;j.;l.Zj.\l.5o.7q.<..aw.<..dz.E...........1..@.7..~.....9..:.....A..B..E..9..:..a..c..b..g.#M.%O.#r.#s.%y.2..4..+..-..?..@..;..p..s...G..H..M.........z`....#tRNS................................../,....mIDATx^..C..`.......S....y'...05...\|..k.X......*`.F.K....JQ..u.<.}.. ..[U..m....'r%.......yn.`.7F..).5..b..rX.T.....IEND.B`.

C:\Users\user\AppData\Local\Temp\~DFDBEA2E7E2544A31B.TMP

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.7822889482332622
Encrypted:	false
SSDEEP:	12:rl3lKFQCb77c4HsUg4YZaS/PZPUE4HsUg4YZaS/PZPUE4HsUg4YZaS/PZPUE4HsU:ru4G4G4G4G4G4
MD5:	24FFAD9ADE1AF846F2CB61BE68E85F36
SHA1:	4FBCC86453BC0FE296A44CA8DD3E1440C97FCF3F
SHA-256:	5D50F2138DCAA6F83F9A7D4880A8DBA514F84AC880EAA2E69D82309206F6AAFD
SHA-512:	B10BFA0D4AEC004CED8714575779AD3411674AB89E570A3965A069797A4850DA365582C3C9CB73357DDBE0CF04E4130C4B87DF9805CAEFBF2FE6517B339F404F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.803666047146493
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
File size:	564'128 bytes
MD5:	88783a57777926114b5c5c95af4c943c
SHA1:	6f57492bd78ebc3c3900919e08e039fbc032268a
SHA256:	94132d9dde2b730f4800ee383ddaa63d2e2f92264f07218295d2c5755a414b6a
SHA512:	167abcc77770101d23fcc5cd1df2b57c4fe66be73ea0d1fde7f7132ab5610c214e0af00e6ff981db46cd78e176401f2626aa04217b4caf54a249811bbf79d9c6
SSDEEP:	12288:7Egn2EkLvTjotXsXsjo3sPnXMRJmV0nzJEdMNZ:7R2EkLvPotX5jo3EQFl
TLSH:	57C4238706751195EF093E33561EC1A20B92B9122D0B7D178CD6DCBB5831EE5EB87F06
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X.J.9...9...9...%...9.......9.......9..Rich.9..................PE..L....T.Q.................`...0.......'.......0....@........

File Icon


Icon Hash:	16155d48d0a12d1f

Static PE Info

General

Entrypoint:	0x5127f0
Entrypoint Section:	UPX1
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x518B5488 [Thu May 9 07:47:20 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5b091649031f38ad86eb9061a77425fb

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	25/02/2013 01:00:00 26/02/2015 00:59:59
Subject Chain	CN=\u5e7f\u5dde\u5fae\u5a31\u7f51\u7edc\u79d1\u6280\u6709\u9650\u516c\u53f8, OU=\u7814\u53d1\u90e8, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=\u5e7f\u5dde\u5fae\u5a31\u7f51\u7edc\u79d1\u6280\u6709\u9650\u516c\u53f8, L=guangzhou, S=guangdong, C=CN
Version:	3
Thumbprint MD5:	91EBBBED78D9B839B41A485341D1FD7E
Thumbprint SHA-1:	C6825C71D84B85A17C886FD4210A7E4F402BCC15
Thumbprint SHA-256:	2EEC19B9AF1E7D6EA23B977BBE42DD807C03B605307BF9AFFA6600F14B427E62
Serial:	59E4E1C94F2114A80E4D13AB5933681A

Entrypoint Preview

Instruction
pushad
mov esi, 0048D000h
lea edi, dword ptr [esi-0008C000h]
push edi
or ebp, FFFFFFFFh
jmp 00007F61DCF8BCB2h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F61DCF8BCA9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F61DCF8BC8Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F61DCF8BCA9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F61DCF8BCADh
jne 00007F61DCF8BCCAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F61DCF8BCC1h
dec eax
add ebx, ebx
jne 00007F61DCF8BCA9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F61DCF8BC76h
add ebx, ebx
jne 00007F61DCF8BCA9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F61DCF8BCF4h
xor ecx, ecx
sub eax, 03h
jc 00007F61DCF8BCB3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F61DCF8BD17h
sar eax, 1
mov ebp, eax
jmp 00007F61DCF8BCADh
add ebx, ebx
jne 00007F61DCF8BCA9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F61DCF8BC6Eh
inc ecx
add ebx, ebx
jne 00007F61DCF8BCA9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F61DCF8BC60h
add ebx, ebx
jne 00007F61DCF8BCA9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F61DCF8BC91h
jne 00007F61DCF8BCABh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F61DCF8BC86h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [eax+eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x115644	0x11c	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x113000	0x2644	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x88600	0x15a0	UPX0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x115760	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x8c000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x8d000	0x86000	0x85a00	577ef821e2e91af8d522159af63ef26d	False	0.9785412038119738	data	7.805781198930377	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x113000	0x3000	0x2800	ec40ca3e777007ce31c4a96751d4d68f	False	0.67939453125	data	5.972962211613611	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
CUSTOM	0xae794	0x33c	data	Chinese	China	1.0132850241545894
CUSTOM	0xaead0	0x33c	data	Chinese	China	1.0132850241545894
IMG	0xaee0c	0x68e	data	Chinese	China	1.0065554231227651
IMG	0xaf49c	0x69e	data	Chinese	China	1.0064935064935066
IMG	0xafb3c	0x649	DOS executable (COM)	Chinese	China	1.006836544437539
IMG	0xb0188	0x2771	OpenPGP Secret Key	Chinese	China	0.9755372883034564
IMG	0xb28fc	0x29fd	data	Chinese	China	0.9739510652153689
IMG	0xb52fc	0x2569	data	Chinese	China	0.9781768821133967
IMG	0xb7868	0x24c4	data	Chinese	China	0.9765193370165746
IMG	0xb9d2c	0x2719	data	Chinese	China	0.980717354381057
IMG	0xbc448	0x2373	data	Chinese	China	0.9791735537190083
IMG	0xbe7bc	0x4ed	data	Chinese	China	1.0087232355273592
IMG	0xbecac	0x554	floppy image data (IBM SaveDskF, old)	Chinese	China	1.0080645161290323
IMG	0xbf200	0x48c	data	Chinese	China	1.0094501718213058
IMG	0xbf68c	0x26e0	data	Chinese	China	0.9769895498392283
IMG	0xc1d6c	0x2931	data	Chinese	China	0.9806543385490754
IMG	0xc46a0	0x24c4	compacted data	Chinese	China	0.9797067573310667
IMG	0xc6b64	0x25db	data	Chinese	China	0.9803941801671654
IMG	0xc9140	0x281f	data	Chinese	China	0.9778015772563529
IMG	0xcb960	0x23f8	data	Chinese	China	0.9794743701129452
IMG	0xcdd58	0x400e4	data	Chinese	China	0.9832642202674066
RT_ICON	0x113798	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 7296	Chinese	China	0.7966194111232279
RT_ICON	0x10fae4	0x130	data			1.0361842105263157
RT_ICON	0x10fc14	0x2e8	data			1.0147849462365592
RT_ICON	0x10fefc	0x128	data			1.037162162162162
RT_GROUP_ICON	0x115444	0x14	data	Chinese	China	1.15
RT_GROUP_ICON	0x110038	0x30	data			1.2291666666666667
RT_VERSION	0x11545c	0x1e8	data	Chinese	China	0.5327868852459017

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess
MSVBVM60.DLL
OLE32.DLL	IsEqualGUID
SHLWAPI.DLL	PathFileExistsW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 19:24:42.417064905 CEST	49707	80	192.168.2.7	120.76.203.28
Aug 29, 2024 19:24:42.421996117 CEST	80	49707	120.76.203.28	192.168.2.7
Aug 29, 2024 19:24:42.422260046 CEST	49707	80	192.168.2.7	120.76.203.28
Aug 29, 2024 19:24:42.422331095 CEST	49707	80	192.168.2.7	120.76.203.28
Aug 29, 2024 19:24:42.427370071 CEST	80	49707	120.76.203.28	192.168.2.7
Aug 29, 2024 19:24:43.589519024 CEST	80	49707	120.76.203.28	192.168.2.7
Aug 29, 2024 19:24:43.589595079 CEST	49707	80	192.168.2.7	120.76.203.28
Aug 29, 2024 19:25:57.046881914 CEST	80	49707	120.76.203.28	192.168.2.7
Aug 29, 2024 19:25:57.046968937 CEST	49707	80	192.168.2.7	120.76.203.28
Aug 29, 2024 19:26:31.261105061 CEST	49707	80	192.168.2.7	120.76.203.28
Aug 29, 2024 19:26:31.266185999 CEST	80	49707	120.76.203.28	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 19:24:41.338567019 CEST	50611	53	192.168.2.7	1.1.1.1
Aug 29, 2024 19:24:42.336724997 CEST	50611	53	192.168.2.7	1.1.1.1
Aug 29, 2024 19:24:42.410022974 CEST	53	50611	1.1.1.1	192.168.2.7
Aug 29, 2024 19:24:42.410065889 CEST	53	50611	1.1.1.1	192.168.2.7
Aug 29, 2024 19:24:44.921996117 CEST	54104	53	192.168.2.7	1.1.1.1
Aug 29, 2024 19:24:44.932130098 CEST	53	54104	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 19:24:41.338567019 CEST	192.168.2.7	1.1.1.1	0x9c08	Standard query (0)	client.9377.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 19:24:42.336724997 CEST	192.168.2.7	1.1.1.1	0x9c08	Standard query (0)	client.9377.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 19:24:44.921996117 CEST	192.168.2.7	1.1.1.1	0x72f3	Standard query (0)	www.y2126.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 19:24:42.410022974 CEST	1.1.1.1	192.168.2.7	0x9c08	No error (0)	client.9377.com	wwww-traefik.9377.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 19:24:42.410022974 CEST	1.1.1.1	192.168.2.7	0x9c08	No error (0)	wwww-traefik.9377.com	traefik.sz.ali.pool.9377.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 19:24:42.410022974 CEST	1.1.1.1	192.168.2.7	0x9c08	No error (0)	traefik.sz.ali.pool.9377.com		120.76.203.28	A (IP address)	IN (0x0001)	false
Aug 29, 2024 19:24:42.410022974 CEST	1.1.1.1	192.168.2.7	0x9c08	No error (0)	traefik.sz.ali.pool.9377.com		120.79.30.240	A (IP address)	IN (0x0001)	false
Aug 29, 2024 19:24:42.410065889 CEST	1.1.1.1	192.168.2.7	0x9c08	No error (0)	client.9377.com	wwww-traefik.9377.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 19:24:42.410065889 CEST	1.1.1.1	192.168.2.7	0x9c08	No error (0)	wwww-traefik.9377.com	traefik.sz.ali.pool.9377.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 19:24:42.410065889 CEST	1.1.1.1	192.168.2.7	0x9c08	No error (0)	traefik.sz.ali.pool.9377.com		120.76.203.28	A (IP address)	IN (0x0001)	false
Aug 29, 2024 19:24:42.410065889 CEST	1.1.1.1	192.168.2.7	0x9c08	No error (0)	traefik.sz.ali.pool.9377.com		120.79.30.240	A (IP address)	IN (0x0001)	false
Aug 29, 2024 19:24:44.932130098 CEST	1.1.1.1	192.168.2.7	0x72f3	Name error (3)	www.y2126.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

client.9377.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49707	120.76.203.28	80	5916	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 19:24:42.422331095 CEST	335	OUT	GET /pc_game_ly.php?lm=9377ly&rnd=960.9796 HTTP/1.1 Accept: / Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: client.9377.com Connection: Keep-Alive
Aug 29, 2024 19:24:43.589519024 CEST	319	IN	HTTP/1.1 400 Bad Request B-Via: proxy_02.pt.e.9377 Content-Length: 166 Content-Type: text/html Date: Thu, 29 Aug 2024 17:24:43 GMT Server: nginx Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body bgcolor="white"><center><h1>400 Bad Request</h1></center><hr><center>nginx</center></body></html>

Target ID:	0
Start time:	13:24:39
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe"
Imagebase:	0x400000
File size:	564'128 bytes
MD5 hash:	88783A57777926114B5C5C95AF4C943C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	28
Total number of Limit Nodes:	2

Executed Functions

Function 004A1840 Relevance: 9.6, Strings: 7, Instructions: 899
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0,@, xrefs: 004A1DEE, 004A1DF1, 004A1E19, 004A1E6E, 004A1E93, 004A1EA4
Index, xrefs: 004A22BA
Silent, xrefs: 004A2027
key, xrefs: 004A2147, 004A237A
Refresh2, xrefs: 004A2524
object, xrefs: 004A2046, 004A2455
@, xrefs: 004A23B1

Memory Dump Source

Source File: 00000000.00000002.2691138467.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2691069732.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691138467.00000000004AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691138467.000000000050F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691138467.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691803135.0000000000512000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691849808.0000000000513000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @$0,@$Index$Refresh2$Silent$key$object
API String ID: 0-528044599
Opcode ID: a52cd6b653e7b89bb05e3509709c6c4bba5637a6b607d8372c9a9ecb7fd7335a
Instruction ID: 75b67a71b11e7b55d79c481be80bc58c9a1d07e27cb75acbe4d56e6921d32b29
Opcode Fuzzy Hash: a52cd6b653e7b89bb05e3509709c6c4bba5637a6b607d8372c9a9ecb7fd7335a
Instruction Fuzzy Hash: 01824BB59002189FDB14DF94CD88BDEBBB9FF48305F1081AAE50AB7260DB745A85CF64

Function 0046AA0C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691138467.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2691069732.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691138467.00000000004AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691138467.000000000050F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691138467.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691803135.0000000000512000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691849808.0000000000513000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb51332f2c5eb9c7a8e4356eb20d59769ff504bc3ca2cb20678b6f158729938
Instruction ID: 61091fbe9d0274de224f56c43ffcf95127211ee1c6fedb410a671d71f2f10d41
Opcode Fuzzy Hash: 9bb51332f2c5eb9c7a8e4356eb20d59769ff504bc3ca2cb20678b6f158729938
Instruction Fuzzy Hash: 05B01260394441BB761086A89D064342580A2423407304C73E041F11E0EB5CDD60CF3F

Function 004961D0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 219
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32(?,00000080,00000001,00000000), ref: 00496334
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 00496347
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 00496432
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 00496445

Strings

F2@, xrefs: 004961F9

Memory Dump Source

Source File: 00000000.00000002.2691138467.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2691069732.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691138467.00000000004AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691138467.000000000050F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691138467.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691803135.0000000000512000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691849808.0000000000513000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: F2@
API String ID: 3850602802-284835201
Opcode ID: 95adf5c32d1919881bd6a170a2009bba05b655b42a89715e21568125e9ec4a85
Instruction ID: 3a03212bac6aa6cd72ab3bf9abd0cae5cdec34751c2d697b6f49718d0a0bd471
Opcode Fuzzy Hash: 95adf5c32d1919881bd6a170a2009bba05b655b42a89715e21568125e9ec4a85
Instruction Fuzzy Hash: 82711D70A40208ABDF10EFA5DD89EDE7BB9FF48B04F10452AF541B7290DBB49845CB69

Function 00495820 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetPropA.USER32(F2@,00000000), ref: 004958FA

Strings

F2@, xrefs: 00495849, 0049584E, 00495887, 004958F4, 0049591E, 0049593D, 00495955, 004959B5, 004959EE
PrevWndProc, xrefs: 00495930
ISubclassEx, xrefs: 004958BF, 00495980
nISubclassExs, xrefs: 0049587A, 004959E1

Memory Dump Source

Source File: 00000000.00000002.2691138467.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2691069732.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691138467.00000000004AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691138467.000000000050F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691138467.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691803135.0000000000512000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691849808.0000000000513000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Prop
String ID: F2@$ISubclassEx$PrevWndProc$nISubclassExs
API String ID: 257714900-3149081379
Opcode ID: f72edf707b5299f31a7e7c88f5a2c8ac25e09bc968dcb1cb5905a22b4dca1560
Instruction ID: 9c7bc86d8f6065fcd95c4fad90366c04000015dc91e38ebbc8494777216d274b
Opcode Fuzzy Hash: f72edf707b5299f31a7e7c88f5a2c8ac25e09bc968dcb1cb5905a22b4dca1560
Instruction Fuzzy Hash: 4D5116B1900209AFDB00AFE4ED89DEE7B7CFF48305B14416AF502F2160EA785A45CB69

Function 05480FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2698360615.0000000005480000.00000010.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: 3f86476654f6a4c03e528a1c6503a1bcd068545598f7b5c4b43d5f07afaca009
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 05480FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2698360615.0000000005480000.00000010.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: 3f86476654f6a4c03e528a1c6503a1bcd068545598f7b5c4b43d5f07afaca009
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Non-executed Functions

Function 004A2650 Relevance: 77.1, APIs: 22, Strings: 22, Instructions: 127COMMON

Download Yara Rule

APIs

6D79253F.MSVBVM60 ref: 004A269C
6D79253F.MSVBVM60(&H3F72), ref: 004A26B0
6D79253F.MSVBVM60(&H4A52), ref: 004A26C7
6D79253F.MSVBVM60(&HA6), ref: 004A26D8
6D79253F.MSVBVM60(&H04), ref: 004A26EE
6D79253F.MSVBVM60(&H7B), ref: 004A26FE
6D79253F.MSVBVM60(&HCB), ref: 004A270E
6D79253F.MSVBVM60(&HF3), ref: 004A271E
6D79253F.MSVBVM60(&H98), ref: 004A272E
6D79253F.MSVBVM60(&H2C), ref: 004A273E
6D79253F.MSVBVM60(&HBB), ref: 004A274E
6D79253F.MSVBVM60(&Hf38bc242), ref: 004A275E
6D79253F.MSVBVM60(&Hb950), ref: 004A2772
6D79253F.MSVBVM60(&H11d1), ref: 004A2783
6D79253F.MSVBVM60(&H89), ref: 004A2794
6D79253F.MSVBVM60(&H18), ref: 004A27A4
6D79253F.MSVBVM60(&H00), ref: 004A27B4
6D79253F.MSVBVM60(&Hc0), ref: 004A27C4
6D79253F.MSVBVM60(&H4f), ref: 004A27D4
6D79253F.MSVBVM60(&Hc2), ref: 004A27E4
6D79253F.MSVBVM60(&Hc8), ref: 004A27F4
6D79253F.MSVBVM60(&H36), ref: 004A2804

Strings

&Hf38bc242, xrefs: 004A2756
&H3F72, xrefs: 004A26A8
&H98, xrefs: 004A2726
&Hb950, xrefs: 004A276A
&H18, xrefs: 004A279C
&H7B, xrefs: 004A26F6
&H04, xrefs: 004A26E6
&HBB, xrefs: 004A2746
&Hc2, xrefs: 004A27DC
&H89, xrefs: 004A278B
&H00, xrefs: 004A27AF
&H4A52, xrefs: 004A26BE
&H11d1, xrefs: 004A277A
&H36, xrefs: 004A27FC
&H2C, xrefs: 004A2736
&HA6, xrefs: 004A26CF
&Hc0, xrefs: 004A27BC
&Hc8, xrefs: 004A27EC
&HCB, xrefs: 004A2706
&HD2BC4C84, xrefs: 004A2690
&H4f, xrefs: 004A27CC
&HF3, xrefs: 004A2716

Memory Dump Source

Source File: 00000000.00000002.2691138467.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2691069732.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691138467.00000000004AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691138467.000000000050F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691138467.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691803135.0000000000512000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2691849808.0000000000513000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: D79253
String ID: &H00$&H04$&H11d1$&H18$&H2C$&H36$&H3F72$&H4A52$&H4f$&H7B$&H89$&H98$&HA6$&HBB$&HCB$&HD2BC4C84$&HF3$&Hb950$&Hc0$&Hc2$&Hc8$&Hf38bc242
API String ID: 2166859834-2898014800
Opcode ID: 6b24086b0239b6e192cb56aaebc61cabd92a84baa51c198244de689ce75abac5
Instruction ID: 710df2ab8c6952c363da4d9daff4dc60b5a990d85f00be6ee45f9197cf806b5c
Opcode Fuzzy Hash: 6b24086b0239b6e192cb56aaebc61cabd92a84baa51c198244de689ce75abac5
Instruction Fuzzy Hash: 25413C345457C5ABC710BBB6DE4EA8E7FE0EF45700B1005AFE492E6671DA78A804CB1E

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\background_gradient[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\httpErrorPagesScripts[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\http_400_webOC[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\info_48[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\down[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\errorPageStrings[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\ErrorPageTemplate[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\bullet[1]

C:\Users\user\AppData\Local\Temp\~DFDBEA2E7E2544A31B.TMP

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

Function 004A1840 Relevance: 9.6, Strings: 7, Instructions: 899
COMMON

Function 004961D0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 219
windowCOMMON

Function 00495820 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 169
COMMON