Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.PUA.VMProtect.28434.4337.exe

Overview

General Information

Sample name:SecuriteInfo.com.PUA.VMProtect.28434.4337.exe
Analysis ID:1501350
MD5:27047eb28d9fce65df74eb314965e864
SHA1:83d69213149561a63fcff59451c74c02c823e6cc
SHA256:81cc68386ca5d4bebfff9c61ae6d679310925a4b021293e52180898fa2f35b34
Tags:exe
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
AI detected suspicious sample
Detected VMProtect packer
Machine Learning detection for sample
Entry point lies outside standard sections
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

  • System is w10x64
  • SecuriteInfo.com.PUA.VMProtect.28434.4337.exe (PID: 6576 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe" MD5: 27047EB28D9FCE65DF74EB314965E864)
    • conhost.exe (PID: 6584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exeAvira: detected
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 92.8% probability
Machine Learning detection for sample
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exeJoe Sandbox ML: detected
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

System Summary

barindex
Detected VMProtect packer
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exeStatic PE information: .vmp0 and .vmp1 section names
Source: classification engineClassification label: mal60.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6584:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe "C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exeSection loaded: d3dcompiler_43.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exeSection loaded: vcruntime140.dllJump to behavior
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exeStatic file information: File size 6471680 > 1048576
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exeStatic PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x62b800
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: initial sampleStatic PE information: section where entry point is pointing to: .vmp1
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exeStatic PE information: section name: .vmp0
Source: SecuriteInfo.com.PUA.VMProtect.28434.4337.exeStatic PE information: section name: .vmp1
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
Process Injection		1
Process Injection		OS Credential Dumping1
System Information Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
DLL Side-Loading		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
SecuriteInfo.com.PUA.VMProtect.28434.4337.exe100%AviraHEUR/AGEN.1315472
SecuriteInfo.com.PUA.VMProtect.28434.4337.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1501350
Start date and time:2024-08-29 19:24:08 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 32s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:8
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SecuriteInfo.com.PUA.VMProtect.28434.4337.exe
Detection:MAL
Classification:mal60.winEXE@2/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe

Warnings

  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target SecuriteInfo.com.PUA.VMProtect.28434.4337.exe, PID 6576 because there are no executed function
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: SecuriteInfo.com.PUA.VMProtect.28434.4337.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):7.923575098613163
TrID:
  • Win64 Executable Console (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:SecuriteInfo.com.PUA.VMProtect.28434.4337.exe
File size:6'471'680 bytes
MD5:27047eb28d9fce65df74eb314965e864
SHA1:83d69213149561a63fcff59451c74c02c823e6cc
SHA256:81cc68386ca5d4bebfff9c61ae6d679310925a4b021293e52180898fa2f35b34
SHA512:7db1a8db18b17ccbc9358d6859e396405e64a1c6e94a9b1c14aaa78da7727a5ec33226cd7c86a44afa489388e7899ea86380c7ad9edbfec9ad8790bc94cb2d82
SSDEEP:196608:qzzoO2MjOwMkzjJjOaqQ4ZDJC2l67Zo/Nd7oLnT:8k3MjOwMEjJj4JZckHULT
TLSH:255622A96288379CC41FC4B48433FD58B2B6561E0EF594F974DB7AC07BDA821DA42B43
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....&..............j........@..........................................`................................

File Icon

Icon Hash:00928e8e8686b000

Static PE Info

General

Entrypoint:0x1406ad80c
Entrypoint Section:.vmp1
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x66CF9BA3 [Wed Aug 28 21:50:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:fe62e7b8a40c03d561cfb8699c943fa7

Entrypoint Preview

Instruction
push FA1B33D9h
call 00007F5FF0A49548h
inc edx
les eax, edi
sar ah, cl
iretd
aaa

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x732b180xc4f.vmp1
IMAGE_DIRECTORY_ENTRY_IMPORT0x6a88100x2bc.vmp1
IMAGE_DIRECTORY_ENTRY_RESOURCE0xb8b0000x1e0.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0xb797f00xfee8.vmp1
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0xb8a0000xc8.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x57d8700x30.vmp1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xb796b00x140.vmp1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x7360000x280.vmp1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x12d9100x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0x12f0000x4b2a20x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0x17b0000x567600x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata0x1d20000xd1880x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vmp00x1e00000x37d0db0x0d41d8cd98f00b204e9800998ecf8427eunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp10x55e0000x62b6d80x62b8004bd735cbb33a2e11d9f305cf27f34466unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc0xb8a0000xc80x200c8bc9ec15f6bd4272b929aef68e46d82False0.33984375GLS_BINARY_LSB_FIRST2.0257843738150934IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc0xb8b0000x1e00x2000c147024c6d77c1de59362bb792be15aFalse0.5390625data4.772037401703051IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountryZLIB Complexity
RT_MANIFEST0xb8b0580x188XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5892857142857143

Imports

DLLImport
d3d11.dllD3D11CreateDeviceAndSwapChain
D3DCOMPILER_43.dllD3DCompile
KERNEL32.dllReadFile
USER32.dllSetCursor
ADVAPI32.dllDeleteService
MSVCP140.dll?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
dwmapi.dllDwmExtendFrameIntoClientArea
WINHTTP.dllWinHttpSendRequest
CRYPT32.dllCertCreateCertificateChainEngine
IMM32.dllImmReleaseContext
Normaliz.dllIdnToAscii
WLDAP32.dll
WS2_32.dllsendto
RPCRT4.dllUuidToStringA
PSAPI.DLLGetModuleInformation
USERENV.dllUnloadUserProfile
VCRUNTIME140_1.dll__CxxFrameHandler4
VCRUNTIME140.dll__current_exception_context
api-ms-win-crt-runtime-l1-1-0.dllexit
api-ms-win-crt-stdio-l1-1-0.dll__stdio_common_vsprintf_s
api-ms-win-crt-heap-l1-1-0.dllfree
api-ms-win-crt-math-l1-1-0.dllcos
api-ms-win-crt-string-l1-1-0.dllstrncmp
api-ms-win-crt-convert-l1-1-0.dllatof
api-ms-win-crt-utility-l1-1-0.dllqsort
api-ms-win-crt-filesystem-l1-1-0.dll_unlock_file
api-ms-win-crt-locale-l1-1-0.dll_configthreadlocale
api-ms-win-crt-time-l1-1-0.dll_time64
SHELL32.dllShellExecuteA
WTSAPI32.dllWTSSendMessageW
KERNEL32.dllGetSystemTimeAsFileTime
USER32.dllGetUserObjectInformationW
KERNEL32.dllLocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dllGetProcessWindowStation, GetUserObjectInformationW

Possible Origin

Language of compilation systemCountry where language is spokenMap
EnglishUnited States

Network Behavior

UDP Packets

TimestampSource PortDest PortSource IPDest IP
Aug 29, 2024 19:25:27.928740025 CEST53603361.1.1.1192.168.2.12

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:13:25:07
Start date:29/08/2024
Path:C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe"
Imagebase:0x7ff6d8a70000
File size:6'471'680 bytes
MD5 hash:27047EB28D9FCE65DF74EB314965E864
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

General

Target ID:1
Start time:13:25:07
Start date:29/08/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff704000000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Disassembly

No disassembly