Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe
Analysis ID: 1520349
MD5: c3c547a2f7ba40a8ccc74c64f56f74bf
SHA1: 3499ffe761db6d8a1f3d506e3cc3497e18f0a5ff
SHA256: be1650866941ac704ce9dd90f87276c3b9f008f25040e8ac78f3cc2c62233124
Tags: exe

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Potential key logger detected (key state polling based)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\4549359\....\TemporaryFile (copy) ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe ReversingLabs: Detection: 65%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0046E165 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_0046E165
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0040EA40 FindNextFileA,FindClose,FindFirstFileA,FindClose, 0_2_0040EA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00416E10 FindFirstFileA,FindClose, 0_2_00416E10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00405B20 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA, 0_2_00405B20
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00427270 FindFirstFileA,FindNextFileA,FindClose, 2_2_00427270
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00425BC0 FindFirstFileA,FindClose, 2_2_00425BC0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00494017 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 2_2_00494017
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0041ECD0 FindNextFileA,FindClose,FindFirstFileA,FindClose, 2_2_0041ECD0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00415DC0 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA, 2_2_00415DC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 4x nop then mov eax, dword ptr fs:[00000000h] 0_2_00422152
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 4x nop then push FFFFFFFFh 2_2_00416422
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00422070 ioctlsocket,recvfrom, 0_2_00422070
Source: csrss2.exe.0.dr String found in binary or memory: http://38.147.172.248:8080/apii.php
Source: Amcache.hve.0.dr String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0042B120 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0042B120
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0043A3A0 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard, 2_2_0043A3A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0042B280 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_0042B280
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0047283F GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_0047283F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00470D18 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_00470D18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00416FC0 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_00416FC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_004152A0 IsWindowEnabled,TranslateAcceleratorA,IsChild,GetFocus,PostMessageA,PostMessageA,SendMessageA,IsChild,IsWindow,IsWindowVisible,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA,WinHelpA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,IsWindow, 0_2_004152A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00429980 GetKeyState,GetKeyState,GetKeyState,CopyRect, 0_2_00429980
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_004986A6 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 2_2_004986A6
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_004248D0 IsWindowEnabled,TranslateAcceleratorA,IsChild,GetFocus,PostMessageA,PostMessageA,SendMessageA,IsChild,IsWindow,IsWindowVisible,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA,WinHelpA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,IsWindow, 2_2_004248D0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00496BB0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_00496BB0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00438C00 GetKeyState,GetKeyState,GetKeyState,CopyRect, 2_2_00438C00
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00425D70 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 2_2_00425D70
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_004024A0 NtQueryInformationProcess,CloseHandle, 2_2_004024A0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0040102A NtQuerySystemInformation, 2_2_0040102A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_004580E0 0_2_004580E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_004461B0 0_2_004461B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0043C240 0_2_0043C240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0046A249 0_2_0046A249
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0044A20E 0_2_0044A20E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0045023E 0_2_0045023E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_004202E0 0_2_004202E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_004422A0 0_2_004422A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0045A350 0_2_0045A350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00466326 0_2_00466326
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0045048E 0_2_0045048E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00410540 0_2_00410540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_004425B0 0_2_004425B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0044A640 0_2_0044A640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_004488E0 0_2_004488E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00456950 0_2_00456950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_004429E0 0_2_004429E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0044AB10 0_2_0044AB10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00446C70 0_2_00446C70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0040CCE0 0_2_0040CCE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0044AD40 0_2_0044AD40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00438D20 0_2_00438D20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00450F90 0_2_00450F90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0040F050 0_2_0040F050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00439050 0_2_00439050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00449120 0_2_00449120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_004391E0 0_2_004391E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00419310 0_2_00419310
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00447460 0_2_00447460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0045F420 0_2_0045F420
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00451430 0_2_00451430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0043B493 0_2_0043B493
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0043D650 0_2_0043D650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00449639 0_2_00449639
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00417680 0_2_00417680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0044B780 0_2_0044B780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_004357A0 0_2_004357A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00433840 0_2_00433840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00449AF6 0_2_00449AF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00445C70 0_2_00445C70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00459DD0 0_2_00459DD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00449DE1 0_2_00449DE1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00425D80 0_2_00425D80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00455EB0 0_2_00455EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0045BF20 0_2_0045BF20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00449F94 0_2_00449F94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0046FFB9 0_2_0046FFB9
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_004600D0 2_2_004600D0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00448150 2_2_00448150
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0047E1D0 2_2_0047E1D0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00458240 2_2_00458240
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_004482E0 2_2_004482E0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00428390 2_2_00428390
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00426430 2_2_00426430
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00460570 2_2_00460570
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00456580 2_2_00456580
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0044A593 2_2_0044A593
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0044C750 2_2_0044C750
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00458759 2_2_00458759
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_004207D0 2_2_004207D0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_004847B0 2_2_004847B0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00472890 2_2_00472890
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0047E890 2_2_0047E890
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0045A8A0 2_2_0045A8A0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00444950 2_2_00444950
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00442A20 2_2_00442A20
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00472AC0 2_2_00472AC0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00458C16 2_2_00458C16
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00454D90 2_2_00454D90
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0045EEF0 2_2_0045EEF0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00468EF0 2_2_00468EF0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0046EEF0 2_2_0046EEF0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0041CF70 2_2_0041CF70
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00458F01 2_2_00458F01
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00464FF0 2_2_00464FF0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0046B040 2_2_0046B040
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00435000 2_2_00435000
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_004590B4 2_2_004590B4
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00467200 2_2_00467200
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_004552D0 2_2_004552D0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0041F2E0 2_2_0041F2E0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0044B340 2_2_0044B340
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0045F36E 2_2_0045F36E
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0046F310 2_2_0046F310
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0045932E 2_2_0045932E
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_004513C0 2_2_004513C0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00469470 2_2_00469470
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00411480 2_2_00411480
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0042F570 2_2_0042F570
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0045F5BE 2_2_0045F5BE
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_004516D0 2_2_004516D0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00459760 2_2_00459760
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00457A00 2_2_00457A00
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00465A90 2_2_00465A90
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0048BAB6 2_2_0048BAB6
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0048FB7C 2_2_0048FB7C
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00451B00 2_2_00451B00
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00459C30 2_2_00459C30
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0047DCC0 2_2_0047DCC0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00455D90 2_2_00455D90
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00495E51 2_2_00495E51
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00459E60 2_2_00459E60
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00447E20 2_2_00447E20
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\4549359\....\TemporaryFile (copy) 113528ADBBF5F74519D59A556E232E43F87E067EBE229CE0698BB9CD2A3656B0
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\csrss2.exe 113528ADBBF5F74519D59A556E232E43F87E067EBE229CE0698BB9CD2A3656B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: String function: 004418D0 appears 81 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: String function: 00441A60 appears 39 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: String function: 004600A8 appears 92 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: String function: 00441CE0 appears 77 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: String function: 0046F079 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: String function: 00485D88 appears 91 times
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: String function: 004509F0 appears 73 times
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: String function: 00494F11 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: String function: 00450B80 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: String function: 00450E00 appears 77 times
Source: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal68.winEXE@7/3@0/0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0040297D LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle, 2_2_0040297D
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00403953 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 2_2_00403953
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00410BB0 LoadTypeLib,GetUserDefaultLCID,LHashValOfNameSys,RegisterTypeLib,CoCreateInstance,CoCreateInstance,CoCreateInstance,OleRun,CoCreateInstance, 2_2_00410BB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0046E7ED __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow, 0_2_0046E7ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe File created: C:\Users\user\AppData\Local\Temp\csrss1.exe
Source: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe ReversingLabs: Detection: 65%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Process created: C:\Users\user\AppData\Local\Temp\csrss2.exe C:\Users\user\AppData\Local\Temp\csrss2.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Section loaded: kernel.appcore.dll
Source: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Static file information: File size 1613824 > 1048576
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0040E2D0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_0040E2D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_004600A8 push eax; ret 0_2_004600C6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0045E8F0 push eax; ret 0_2_0045E91E
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0041CA28 push ss; retn 0041h 2_2_0041CA29
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00483C70 push eax; ret 2_2_00483C9E
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00485D88 push eax; ret 2_2_00485DA6
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe File created: C:\Users\user\AppData\Local\Temp\4549359\....\TemporaryFile (copy)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe File created: C:\Users\user\AppData\Local\Temp\csrss2.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00412080 DestroyCursor,IsWindowVisible,IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMenu,DeleteMenu,GetSystemMenu, 0_2_00412080
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00416490 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow, 0_2_00416490
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00412750 IsIconic,IsZoomed, 0_2_00412750
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0040CCE0 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,SetParent,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus, 0_2_0040CCE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0045CF60 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_0045CF60
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_004822DF IsIconic,GetWindowPlacement,GetWindowRect, 2_2_004822DF
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0041CF70 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,SetParent,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus, 2_2_0041CF70
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00425AC0 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow, 2_2_00425AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe API coverage: 2.9 %
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe API coverage: 2.8 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0046E165 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_0046E165
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0040EA40 FindNextFileA,FindClose,FindFirstFileA,FindClose, 0_2_0040EA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00416E10 FindFirstFileA,FindClose, 0_2_00416E10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00405B20 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA, 0_2_00405B20
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00427270 FindFirstFileA,FindNextFileA,FindClose, 2_2_00427270
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00425BC0 FindFirstFileA,FindClose, 2_2_00425BC0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00494017 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 2_2_00494017
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0041ECD0 FindNextFileA,FindClose,FindFirstFileA,FindClose, 2_2_0041ECD0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_00415DC0 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA, 2_2_00415DC0
Source: Amcache.hve.0.dr Binary or memory string: VMware
Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.0.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.0.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.0.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.0.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.0.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.0.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.0.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.0.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.0.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.0.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.0.dr Binary or memory string: vmci.sys
Source: Amcache.hve.0.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.0.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.0.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.0.dr Binary or memory string: VMware20,1
Source: Amcache.hve.0.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.0.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.0.dr Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.0.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.0.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.0.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.0.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.0.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.0.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.0.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0040E2D0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_0040E2D0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0040102A mov edx, dword ptr fs:[00000030h] 2_2_0040102A
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_004012E5 mov eax, dword ptr fs:[00000030h] 2_2_004012E5
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_004013C9 mov ebx, dword ptr fs:[00000030h] 2_2_004013C9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_004346B0 GetProcessHeap,OleInitialize,GetModuleFileNameA,SetCurrentDirectoryA,LoadCursorA,GetStockObject,GetCurrentThreadId, 0_2_004346B0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0046902D SetUnhandledExceptionFilter, 0_2_0046902D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0046903F SetUnhandledExceptionFilter, 0_2_0046903F
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0048EA4D SetUnhandledExceptionFilter, 2_2_0048EA4D
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe Code function: 2_2_0048EA5F SetUnhandledExceptionFilter, 2_2_0048EA5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_0046060A GetLocalTime,GetSystemTime,GetTimeZoneInformation, 0_2_0046060A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe Code function: 0_2_00477D1A GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA, 0_2_00477D1A
Source: Amcache.hve.0.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.0.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.0.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.0.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.0.dr Binary or memory string: MsMpEng.exe
No contacted IP infos