Windows Analysis Report
SecuriteInfo.com.PUA.VMProtect.28434.4337.exe

Overview

General Information

Sample name: SecuriteInfo.com.PUA.VMProtect.28434.4337.exe
Analysis ID: 1501350
MD5: 27047eb28d9fce65df74eb314965e864
SHA1: 83d69213149561a63fcff59451c74c02c823e6cc
SHA256: 81cc68386ca5d4bebfff9c61ae6d679310925a4b021293e52180898fa2f35b34
Tags: exe
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
AI detected suspicious sample
Detected VMProtect packer
Machine Learning detection for sample
Entry point lies outside standard sections
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Avira: detected
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 92.8% probability
Machine Learning detection for sample
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

System Summary
barindex
Detected VMProtect packer
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Static PE information: .vmp0 and .vmp1 section names
Source: classification engine Classification label: mal60.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6584:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe "C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Section loaded: d3dcompiler_43.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Section loaded: vcruntime140.dll Jump to behavior
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Static file information: File size 6471680 > 1048576
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x62b800
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
PE file contains sections with non-standard names
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Static PE information: section name: .vmp0
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exe Static PE information: section name: .vmp1
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1501350 Sample: SecuriteInfo.com.PUA.VMProt... Startdate: 29/08/2024 Architecture: WINDOWS Score: 60 10 Antivirus / Scanner detection for submitted sample 2->10 12 Detected VMProtect packer 2->12 14 Machine Learning detection for sample 2->14 16 AI detected suspicious sample 2->16 6 SecuriteInfo.com.PUA.VMProtect.28434.4337.exe 1 2->6         started        process3 process4 8 conhost.exe 6->8         started       
No contacted IP infos