Windows
Analysis Report
SecuriteInfo.com.PUA.VMProtect.28434.4337.exe
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- SecuriteInfo.com.PUA.VMProtect.28434.4337.exe (PID: 6576 cmdline:
"C:\Users\ user\Deskt op\Securit eInfo.com. PUA.VMProt ect.28434. 4337.exe" MD5: 27047EB28D9FCE65DF74EB314965E864) - conhost.exe (PID: 6584 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
System Summary |
---|
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | ||
Source: | Process created: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Last function: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | HEUR/AGEN.1315472 | ||
100% | Joe Sandbox ML |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1501350 |
Start date and time: | 2024-08-29 19:24:08 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 32s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | SecuriteInfo.com.PUA.VMProtect.28434.4337.exe |
Detection: | MAL |
Classification: | mal60.winEXE@2/0@0/0 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target SecuriteInfo.com.PUA.VMProtect.28434.4337.exe, PID 6576 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: SecuriteInfo.com.PUA.VMProtect.28434.4337.exe
File type: | |
Entropy (8bit): | 7.923575098613163 |
TrID: |
|
File name: | SecuriteInfo.com.PUA.VMProtect.28434.4337.exe |
File size: | 6'471'680 bytes |
MD5: | 27047eb28d9fce65df74eb314965e864 |
SHA1: | 83d69213149561a63fcff59451c74c02c823e6cc |
SHA256: | 81cc68386ca5d4bebfff9c61ae6d679310925a4b021293e52180898fa2f35b34 |
SHA512: | 7db1a8db18b17ccbc9358d6859e396405e64a1c6e94a9b1c14aaa78da7727a5ec33226cd7c86a44afa489388e7899ea86380c7ad9edbfec9ad8790bc94cb2d82 |
SSDEEP: | 196608:qzzoO2MjOwMkzjJjOaqQ4ZDJC2l67Zo/Nd7oLnT:8k3MjOwMEjJj4JZckHULT |
TLSH: | 255622A96288379CC41FC4B48433FD58B2B6561E0EF594F974DB7AC07BDA821DA42B43 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....&..............j........@..........................................`................................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x1406ad80c |
Entrypoint Section: | .vmp1 |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x66CF9BA3 [Wed Aug 28 21:50:27 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | fe62e7b8a40c03d561cfb8699c943fa7 |
Instruction |
---|
push FA1B33D9h |
call 00007F5FF0A49548h |
inc edx |
les eax, edi |
sar ah, cl |
iretd |
aaa |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x732b18 | 0xc4f | .vmp1 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6a8810 | 0x2bc | .vmp1 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb8b000 | 0x1e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xb797f0 | 0xfee8 | .vmp1 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb8a000 | 0xc8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x57d870 | 0x30 | .vmp1 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb796b0 | 0x140 | .vmp1 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x736000 | 0x280 | .vmp1 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x12d910 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x12f000 | 0x4b2a2 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x17b000 | 0x56760 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x1d2000 | 0xd188 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.vmp0 | 0x1e0000 | 0x37d0db | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.vmp1 | 0x55e000 | 0x62b6d8 | 0x62b800 | 4bd735cbb33a2e11d9f305cf27f34466 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.reloc | 0xb8a000 | 0xc8 | 0x200 | c8bc9ec15f6bd4272b929aef68e46d82 | False | 0.33984375 | GLS_BINARY_LSB_FIRST | 2.0257843738150934 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0xb8b000 | 0x1e0 | 0x200 | 0c147024c6d77c1de59362bb792be15a | False | 0.5390625 | data | 4.772037401703051 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0xb8b058 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143 |
DLL | Import |
---|---|
d3d11.dll | D3D11CreateDeviceAndSwapChain |
D3DCOMPILER_43.dll | D3DCompile |
KERNEL32.dll | ReadFile |
USER32.dll | SetCursor |
ADVAPI32.dll | DeleteService |
MSVCP140.dll | ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ |
dwmapi.dll | DwmExtendFrameIntoClientArea |
WINHTTP.dll | WinHttpSendRequest |
CRYPT32.dll | CertCreateCertificateChainEngine |
IMM32.dll | ImmReleaseContext |
Normaliz.dll | IdnToAscii |
WLDAP32.dll | |
WS2_32.dll | sendto |
RPCRT4.dll | UuidToStringA |
PSAPI.DLL | GetModuleInformation |
USERENV.dll | UnloadUserProfile |
VCRUNTIME140_1.dll | __CxxFrameHandler4 |
VCRUNTIME140.dll | __current_exception_context |
api-ms-win-crt-runtime-l1-1-0.dll | exit |
api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vsprintf_s |
api-ms-win-crt-heap-l1-1-0.dll | free |
api-ms-win-crt-math-l1-1-0.dll | cos |
api-ms-win-crt-string-l1-1-0.dll | strncmp |
api-ms-win-crt-convert-l1-1-0.dll | atof |
api-ms-win-crt-utility-l1-1-0.dll | qsort |
api-ms-win-crt-filesystem-l1-1-0.dll | _unlock_file |
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale |
api-ms-win-crt-time-l1-1-0.dll | _time64 |
SHELL32.dll | ShellExecuteA |
WTSAPI32.dll | WTSSendMessageW |
KERNEL32.dll | GetSystemTimeAsFileTime |
USER32.dll | GetUserObjectInformationW |
KERNEL32.dll | LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress |
USER32.dll | GetProcessWindowStation, GetUserObjectInformationW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 29, 2024 19:25:27.928740025 CEST | 53 | 60336 | 1.1.1.1 | 192.168.2.12 |
Click to jump to process
Click to jump to process
Click to jump to process
Target ID: | 0 |
Start time: | 13:25:07 |
Start date: | 29/08/2024 |
Path: | C:\Users\user\Desktop\SecuriteInfo.com.PUA.VMProtect.28434.4337.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d8a70000 |
File size: | 6'471'680 bytes |
MD5 hash: | 27047EB28D9FCE65DF74EB314965E864 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 13:25:07 |
Start date: | 29/08/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff704000000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |