Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe
Analysis ID:	1520348
MD5:	6d362753dce141d1177ce73b14fa572d
SHA1:	574fc684ce0c09b50ca5e6e603d2dae72d3fa0af
SHA256:	dc4bcfa9aaf97ad72e0360b8e7a4b17392482f8b1f9ae597c3670c9cb3215660
Tags:	exe

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Machine Learning detection for sample

PE file has a writeable .text section

Contains functionality for execution timing, often used to detect debuggers

Detected potential crypto function

Entry point lies outside standard sections

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe (PID: 2564 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe" MD5: 6D362753DCE141D1177CE73B14FA572D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.3% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

System Summary

PE file has a writeable .text section

Source: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_0046714A	0_2_0046714A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_0046712C	0_2_0046712C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_0046713B	0_2_0046713B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_00467D66	0_2_00467D66
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_00467D74	0_2_00467D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_00467D94	0_2_00467D94

Source: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe, 00000000.00000002.2781843631.000000000053A000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameText_CTreeBT_Demo.EXEN vs SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe
Source: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe, 00000000.00000000.1512319311.0000000000539000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameText_CTreeBT_Demo.EXEN vs SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe
Source: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Binary or memory string: OriginalFilenameText_CTreeBT_Demo.EXEN vs SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

Source: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal72.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Section loaded: mfc100.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Section loaded: msvcr100.dll	Jump to behavior

Source: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

Static file information: File size 1076736 > 1048576

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: initial sample

Static PE information: section where entry point is pointing to: .sedata

Source: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Static PE information: section name: .sedata
Source: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Static PE information: section name: .sedata

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_00474844 push dword ptr [esp+04h]; retn 0008h	0_2_004748C6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_00476875 push dword ptr [esp+08h]; retn 000Ch	0_2_004768C9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_00476870 push dword ptr [esp+08h]; retn 000Ch	0_2_004768C9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_0045D000 push ecx; mov dword ptr [esp], ebx	0_2_0045D01B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_0047489C push dword ptr [esp+04h]; retn 0008h	0_2_004748C6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_0047214F push 0000006Ah; retf	0_2_00472228
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_00475158 push dword ptr [esp+08h]; retn 000Ch	0_2_0047520C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_0047B96E push dword ptr [esp+2Ch]; retn 0030h	0_2_0047B945
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_0047B91B push dword ptr [esp+2Ch]; retn 0030h	0_2_0047B945
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_0049C92B pushfd ; mov dword ptr [esp], eax	0_2_0049C48B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_0047B93D push dword ptr [esp+2Ch]; retn 0030h	0_2_0047B945
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_004749C5 push dword ptr [esp+20h]; retn 0024h	0_2_00474A57
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_0046B1C8 push ecx; iretd	0_2_00486190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_004679DC push dword ptr [esp+40h]; retn 0044h	0_2_00467A69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_004841F2 push word ptr [esp+02h]; mov dword ptr [esp], ebp	0_2_004841FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_004721B7 push 0000006Ah; retf	0_2_00472228
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_004721B9 push 0000006Ah; retf	0_2_00472228
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_00468A5A push ebp; mov dword ptr [esp], ecx	0_2_004B2A7E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_00468A5A push ebp; mov dword ptr [esp], ecx	0_2_004B2A7E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_00474A65 push dword ptr [esp+20h]; retn 0024h	0_2_00474A57
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_00484270 push dword ptr [esp+02h]; mov dword ptr [esp], ebp	0_2_0048429F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_0046B20E push ecx; iretd	0_2_00486190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_00467A30 push dword ptr [esp+40h]; retn 0044h	0_2_00467A69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_00476A38 push dword ptr [esp+10h]; retn 0014h	0_2_00476A6D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_0048429A push word ptr [esp+02h]; mov dword ptr [esp], ebp	0_2_0048429F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_00474B0F push dword ptr [esp+18h]; retn 001Ch	0_2_00474B69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_004763EF push dword ptr [esp]; retn 0004h	0_2_0047647B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_00467BFD push edi; mov dword ptr [esp], esi	0_2_00467C1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_00467BFD push edi; mov dword ptr [esp], esi	0_2_00467C1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_0046FC3C pushad ; mov dword ptr [esp], esi	0_2_0046FE6D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Code function: 0_2_0046A4C2 push cs; ret	0_2_0046A4C4

Source: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Static PE information: section name: .text entropy: 7.998737130003935
Source: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	Static PE information: section name: .sedata entropy: 7.6820869028084315

Malware Analysis System Evasion

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

Code function: 0_2_00536C11

0_2_00536C11

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

Code function: 0_2_004CA860 rdtsc

0_2_004CA860

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

Code function: 0_2_004CA860 rdtsc

0_2_004CA860

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Software Packing	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	11 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	42%	ReversingLabs
SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	100%	Avira	HEUR/AGEN.1353483
SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520348
Start date and time:	2024-09-27 08:33:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe
Detection:	MAL
Classification:	mal72.evad.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe, PID 2564 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.74681427100991
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe
File size:	1'076'736 bytes
MD5:	6d362753dce141d1177ce73b14fa572d
SHA1:	574fc684ce0c09b50ca5e6e603d2dae72d3fa0af
SHA256:	dc4bcfa9aaf97ad72e0360b8e7a4b17392482f8b1f9ae597c3670c9cb3215660
SHA512:	8193e76e330e1741b805cfc73dad845f9eba37f43af5486330a90fd7632c4e3654c448ca82ab53237e5b875a470736fd241d5ec791eb0b3e88ec4673f946f3ad
SSDEEP:	24576:vwd4XMf2FyhaG9dNygHwrH7ydifo4asHhfstbNnjbgIx3rLCA/9J:vq4DKNyWwDuifyg6bNnjbLrWA/v
TLSH:	AF3512C9ED642276E17B1570A81765CCE9B80CE11F38C67B43F117A27A711B9A63E2C3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._..._..._...0.r.Y.....v.^...0.p.^...V.}.R..._...b...0.D.K...0.E.T...0.t.^...0.s.^...Rich_...........PE..L...,r.f...........

File Icon


Icon Hash:	71b018dccec77331

Static PE Info

General

Entrypoint:	0x536bf0
Entrypoint Section:	.sedata
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66E7722C [Sun Sep 15 23:47:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0ffacaa5916e809890e37542ad1c481f

Entrypoint Preview

Instruction
call 00007F74D88CD661h
push ebx
popad
outsb
imul ebp, dword ptr [bp+65h], 69685320h
insb
outsb
and byte ptr [esi+32h], dh
xor al, 2Eh
xor byte ptr [esi], ch
xor byte ptr [eax], al
jmp 00007F74D88CD5F7h
call 00007F74D88CD645h
jmp 00007F74D88CE6EAh
and al, 57h
mov esi, 414B2889h
inc esp
push esi
inc ecx
push eax
dec ecx
xor esi, dword ptr [edx]
insb
insb
add cl, al
ficomp word ptr [E8D98766h]
add dword ptr [eax], eax
add byte ptr [eax], al
loop 00007F74D88CD6A8h
mov dword ptr [esp+01h], esi
bts di, si
std
mov al, byte ptr [esp+02h]
jmp 00007F74D88CD66Dh
adc bl, byte ptr [ebp+46A7540Dh]
insb
jnle 00007F74D88CD68Bh
push eax
dec eax
dec esp
push eax
inc ecx
push eax
dec ecx
inc esp
dec esp
dec esp
add byte ptr [eax+0Fh], bl
mov esp, 6646B0CFh
shl edx, 08h
rdtsc
call 00007F74D88CD66Eh
inc esi
int1
jmp far 1C8Dh : 9C5BA20Fh
adc al, 8Ah
clc
mov ch, byte ptr [esp]
jmp 00007F74D88CD61Eh
bswap ebp
mov word ptr [esp], bx
neg dl
mov ch, 0Bh
add esp, 00000000h
or dh, FFFFFFC7h
jmp 00007F74D88CD661h
add eax, 88CEA7B4h
adc al, 24h
jmp 00007F74D88CD627h
setle dh
rdtsc
ror ecx, cl
push dword ptr [esp+05h]
xchg esi, ebp
jmp 00007F74D88CD65Dh
dec ecx

Rich Headers

Programming Language:

[IMP] VS2010 build 30319
[ASM] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13908e	0x104	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13a000	0xc00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c000	0x28c00	0ee8dc40012d34aaccd69215edd8979e	False	1.000341497315951	data	7.998737130003935	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.sedata	0x5d000	0xdc000	0xdbe00	1e3b95ad33628a19815c224179980c8c	False	0.8214306335275725	data	7.6820869028084315	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x139000	0x1000	0x400	3d404bb847c6557ac22050fb62595f96	False	0.3974609375	data	3.6675811869566814	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x13a000	0x1000	0xc00	74dcff3844bcf2e0c90820d790a7507c	False	0.3623046875	data	4.090537608817185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.sedata	0x13b000	0x1000	0x1000	643e5a3ea85f917fe7cdc89f54c64ead	False	0.78173828125	data	7.982685760275232	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x13a160	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Chinese	China	0.33064516129032256
RT_ICON	0x13a448	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Chinese	China	0.4391891891891892
RT_GROUP_ICON	0x13a570	0x22	data	Chinese	China	1.0
RT_VERSION	0x13a594	0x330	data	Chinese	China	0.4632352941176471
RT_MANIFEST	0x13a8c4	0x25f	ASCII text, with very long lines (607), with no line terminators	English	United States	0.43492586490939045

Imports

DLL	Import
MSIMG32.dll	TransparentBlt
MSVCR100.dll	_controlfp_s
mfc100.dll
KERNEL32.dll	FreeLibrary
USER32.dll	GetFocus
GDI32.dll	GetTextExtentPoint32A
SHELL32.dll	SHGetSpecialFolderPathA
MSVCP100.dll	?_Xout_of_range@std@@YAXPBD@Z
MSVCRT.dll	strncpy
IPHLPAPI.DLL	GetInterfaceInfo
PSAPI.DLL	GetMappedFileNameW
ADVAPI32.dll	RegDeleteKeyA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Target ID:	0
Start time:	02:34:19
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe"
Imagebase:	0x400000
File size:	1'076'736 bytes
MD5 hash:	6D362753DCE141D1177CE73B14FA572D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00467D66 Relevance: .6, Instructions: 642COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2781747478.000000000045D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2781704895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781719443.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781747478.0000000000534000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781827963.0000000000539000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781843631.000000000053A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781860168.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c4453e01dc046bfcceaa0656a5068aeaea57ef08022d7ea3b1c1835b3d857f
Instruction ID: 9a972a28613d3762c1e185ebe420523aaf44b438c367b058c90a5f8d69fff675
Opcode Fuzzy Hash: 47c4453e01dc046bfcceaa0656a5068aeaea57ef08022d7ea3b1c1835b3d857f
Instruction Fuzzy Hash: 3C321AB7F507299BCB14CED5DCC05CDB3B2BF98214B1E9165C914F7306E6B8AA068B90

Function 00467D74 Relevance: .6, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2781747478.000000000045D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2781704895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781719443.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781747478.0000000000534000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781827963.0000000000539000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781843631.000000000053A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781860168.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f933a730031b89d025ea583653a8a3e0c86aae27f30676c2f9e3e185c12f5a78
Instruction ID: b57cf159a1b401274b214af74dd10fd94d6112e4d5fe0ca821cb3f95529a84ac
Opcode Fuzzy Hash: f933a730031b89d025ea583653a8a3e0c86aae27f30676c2f9e3e185c12f5a78
Instruction Fuzzy Hash: A3321AB7F507299BCB14CED5DCC05CDB3B2BF98214B1E9165C914F7306E6B8AA068B90

Function 00467D94 Relevance: .6, Instructions: 621COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2781747478.000000000045D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2781704895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781719443.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781747478.0000000000534000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781827963.0000000000539000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781843631.000000000053A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781860168.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58410b746b93751fcc3cf7f8e30105b1e4ae87830f80aaa5f3f5e24011c70c8f
Instruction ID: 92a182c6e6eb3771b82020bcf47ba87234528cf2d9b36f15b41c27232eca5fcf
Opcode Fuzzy Hash: 58410b746b93751fcc3cf7f8e30105b1e4ae87830f80aaa5f3f5e24011c70c8f
Instruction Fuzzy Hash: 07323AB7F507299BCB14CED5DCC05CDB3B2BF98214B1E9165C914F7306E6B8AA068B90

Function 0046712C Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2781747478.000000000045D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2781704895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781719443.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781747478.0000000000534000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781827963.0000000000539000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781843631.000000000053A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781860168.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49cd371982010bdb7b0ddc26a8c3da839a59c2c98051a4016d2dc57fd7bea087
Instruction ID: f078d21c5f17d94e842f70678dc58f46d875d24c1638c7090f05805dca9e1edd
Opcode Fuzzy Hash: 49cd371982010bdb7b0ddc26a8c3da839a59c2c98051a4016d2dc57fd7bea087
Instruction Fuzzy Hash: A5F1A537D106A18FC711CF6DDD80149B7A3AF89201B5FC2A4CA886B356D630BA96CBD4

Function 0046713B Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2781747478.000000000045D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2781704895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781719443.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781747478.0000000000534000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781827963.0000000000539000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781843631.000000000053A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781860168.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf12016a5bfe9199243c3b2cc475600aab08c94b78582c0643877a3e022a767
Instruction ID: b1ddbbc0869ff5f656853ff9cc89849c75444f529965282bbbf10fd30dda967d
Opcode Fuzzy Hash: daf12016a5bfe9199243c3b2cc475600aab08c94b78582c0643877a3e022a767
Instruction Fuzzy Hash: 8CF1A537D106B18FC711CF6DDD80149B7A3AB89201B5FC2A4CA887B356D670BA96CBD4

Function 0046714A Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2781747478.000000000045D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2781704895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781719443.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781747478.0000000000534000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781827963.0000000000539000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781843631.000000000053A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781860168.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6802b04cea7efa3ba05ec64cdc7953619e896bf07f6274bbe57553ad7edcb43
Instruction ID: 8803b8250ab53277bce2db185c8e94158942f4d68e535f063af6e52c68cf15f7
Opcode Fuzzy Hash: e6802b04cea7efa3ba05ec64cdc7953619e896bf07f6274bbe57553ad7edcb43
Instruction Fuzzy Hash: 14F1A437D106B18FD711CF6DDD8014DB7A3AB89201B5FC2A4CA886B356D630BA86CBD4

Function 004CA860 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2781747478.000000000045D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2781704895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781719443.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781747478.0000000000534000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781827963.0000000000539000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781843631.000000000053A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781860168.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b340245e2e606d6d6dafb5eedb27693cec34abf7399a1ebbb3a544d1530240b
Instruction ID: 913e579d1735734849b37f8df69567bcb5da5ef28228a5d9128b36606cc31bc6
Opcode Fuzzy Hash: 0b340245e2e606d6d6dafb5eedb27693cec34abf7399a1ebbb3a544d1530240b
Instruction Fuzzy Hash: CC51B37D90820DDFC7A4DF04C541FA9B7B1AB84308F25491FD59687201E378A936EB9B

Function 00536C11 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2781747478.0000000000534000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2781704895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781719443.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781747478.000000000045D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781827963.0000000000539000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781843631.000000000053A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781860168.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98f4b84411f3aba5081beca86a6dfb62e66ba3ccd5c1e756c4b84cd1b4a3084
Instruction ID: 86e6b59020544a0604cd06e3cf98467e60a43f6271a2d3147e53b3d5056a1941
Opcode Fuzzy Hash: a98f4b84411f3aba5081beca86a6dfb62e66ba3ccd5c1e756c4b84cd1b4a3084
Instruction Fuzzy Hash: B731ED3650C356EACB06AF54D4912EABFB1BF95300F64DD1CE4EA0B212E2758908D793

Function 004EF765 Relevance: 23.8, Strings: 19, Instructions: 76COMMON

Download Yara Rule

Strings

H, xrefs: 004EF7E3
G, xrefs: 004EF7D9
[, xrefs: 004EF80A
G, xrefs: 004EF814
I, xrefs: 004EF840
[, xrefs: 004EF90D
W, xrefs: 004EF856
O, xrefs: 004EF89B
V, xrefs: 004EF7E9
H, xrefs: 004EF85A
N, xrefs: 004EF909
i, xrefs: 004EF8D9
<, xrefs: 004EF753
J, xrefs: 004EF799
Y, xrefs: 004EF801
o, xrefs: 004EF894
C, xrefs: 004EF87B
W, xrefs: 004EF7B7
J, xrefs: 004EF76F

Memory Dump Source

Source File: 00000000.00000002.2781747478.000000000045D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2781704895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781719443.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781747478.0000000000534000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781827963.0000000000539000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781843631.000000000053A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2781860168.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: <$C$G$G$H$H$I$J$J$N$O$V$W$W$Y$[$[$i$o
API String ID: 0-2640510608
Opcode ID: 2a376f5b626aaed9cd45dda005aa91a40c96324d05de4e86b76d2e0d12c4d799
Instruction ID: be3c72eaf39225f9b26b786c8124ae09caeb2506b790e4046f02a7082c8359a0
Opcode Fuzzy Hash: 2a376f5b626aaed9cd45dda005aa91a40c96324d05de4e86b76d2e0d12c4d799
Instruction Fuzzy Hash: F931E858C0C2C5D9DB01D66994053AEBFF05F1230AF1484AAC9DA6B241E37D471ED76B

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exePID: 2564, Parent PID: 4084

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.Win32.Evo-gen.15464.19850.exePID: 2564, Parent PID: 4084COMMON

Non-executed Functions

Function 00467D66 Relevance: .6, Instructions: 642COMMON

Function 00467D74 Relevance: .6, Instructions: 632COMMON

Function 00467D94 Relevance: .6, Instructions: 621COMMON

Function 0046712C Relevance: .4, Instructions: 389COMMON

Function 0046713B Relevance: .4, Instructions: 385COMMON

Function 0046714A Relevance: .4, Instructions: 383COMMON

Function 004CA860 Relevance: .2, Instructions: 163COMMON

Function 00536C11 Relevance: .1, Instructions: 107COMMON

Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.15464.19850.exe