Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe
Overview
General Information
Detection
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe (PID: 7008 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe" MD5: 44263157176D2DCE120E56AE6D3EF234)
- WerFault.exe (PID: 6172 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 488 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
AV Detection
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Code function: | 0_2_0041F0F0 |
Source: | Code function: | 0_2_0041ED60 |
Source: | Code function: | 0_2_00407847 |
Source: | Code function: | 0_2_0041F4D1 |
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing
Source: | Code function: | 0_2_0040CC61 |
Source: | Code function: | 0_2_0040C4BD |
Source: | Code function: | 0_2_0040C4BD |
Source: | Code function: | 0_2_0040C39B |
Source: | Code function: | 0_2_0040DEC4 |
Source: | Code function: | 0_2_0041293F |
Source: | Code function: | 0_2_00423D60 |
Source: | Code function: | 0_2_004242E0 |
Source: | Code function: | 0_2_004216A0 |
Source: | Code function: | 0_2_00422F90 |
Source: | Process created: |
Source: | Binary or memory string: | (3 entries; matched strings not captured in this export) |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_0041273E |
Source: | Code function: | 0_2_0040C6B5 |
Source: | Code function: | 0_2_00413144 |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | File read: |
Source: | Process created: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Code function: | 0_2_004012AD |
Source: | Code function: | 0_2_0042497E |
Source: | Code function: | 0_2_0040BA8D |
Source: | Code function: | 0_2_00412AB1 |
Source: | Process information set: | (56 entries; details not captured in this export) |
Source: | Code function: | 0_2_00414175 |
Source: | Code function: | 0_2_00415536 |
Source: | Code function: | 0_2_00415BE0 |
Source: | API coverage: |
Source: | Code function: | 0_2_0041F0F0 |
Source: | Code function: | 0_2_0041ED60 |
Source: | Code function: | 0_2_00407847 |
Source: | Binary or memory string: | (29 entries; matched strings not captured in this export) |
Source: | API call chain: | graph_0-14781 |
Source: | API call chain: | graph_0-14972 |
Source: | API call chain: | graph_0-14942 |
Source: | API call chain: | graph_0-14769 |
Source: | Process queried: |
Source: | Code function: | 0_2_004012AD |
Source: | Code function: | 0_2_0041D500 |
Source: | Code function: | 0_2_004022EE |
Source: | Code function: | 0_2_0040234C |
Source: | Code function: | 0_2_00420290 |
Source: | Code function: | 0_2_0041D770 |
Source: | Binary or memory string: | (4 entries; matched strings not captured in this export) |
Source: | Code function: | 0_2_00410A09 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Command and Scripting Interpreter | 12 Windows Service | 12 Windows Service | 1 Virtualization/Sandbox Evasion | 11 Input Capture | 31 Security Software Discovery | Remote Services | 11 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 12 Service Execution | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | 1 DLL Side-Loading | 2 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 System Service Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
63% | ReversingLabs | Win32.Trojan.Generic | ||
100% | Avira | TR/Spy.Gen | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1521526 |
Start date and time: | 2024-09-28 22:24:07 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 38s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe |
Detection: | MAL |
Classification: | mal68.spyw.winEXE@2/5@0/0 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.42.73.29
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- VT rate limit hit for: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe
Time | Type | Description |
---|---|---|
16:25:34 | API Interceptor |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_7212a4befdb83f9e6522613afc3cc91592917d_71cefb02_7c5facf3-cc09-463c-9c66-220058371a9e\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8205709485769352 |
Encrypted: | false |
SSDEEP: | 96:bBFYglVWxwCjpFA8YstzkPtRmyf8QXIDcQvc6QcEVcw3cE/6wd+HbHg/8BRTf3ue:l1h2phYN0BU/YjeoqzuiFMZ24IO8i5J |
MD5: | 6995E80BACC69EB4FBFCFE68CD16FF4F |
SHA1: | 74D662CED532760D3B9E3B9A5D3D38D001E5EBC9 |
SHA-256: | 2DE7605F1A8572AEF3381DAAA09E17D7004616F77A7988B586EB92CDFD67D3E0 |
SHA-512: | 9B51DA19C7B70B654030FD7BBAED16E1C5F561F1EFF015CDB6E5C0134DD307909661500FC8CE0A0CE85601E137CA4394D7EE8D5458E26BE0136CADB8078A39A1 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 35888 |
Entropy (8bit): | 1.926733532911623 |
Encrypted: | false |
SSDEEP: | 192:jrmjTsHLOH75PZLqZ0tYoYmjDHWeR16IY:+fH75By0tpDHp |
MD5: | A97A0165CFCA3864453F44DF7B034A2B |
SHA1: | 79203B6F564CBF3F83215EEAD2D73B3CDE6CF650 |
SHA-256: | 55910E1DF732A0ADD06AE9E60A3C38DB7F2063C3120E57B04AA38F014E2AD2E6 |
SHA-512: | 479817AA4B47E11E6554A80D6D0FDE6E25C00DF7355EC6FE8B039D02F1CB3DF052636E08BD8F71C489BA2D8C35A5B50F8DBA23B174AC91017001A1AA327E9EB3 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8512 |
Entropy (8bit): | 3.702465045410482 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJac6ig6Y9YSU9Dh7LgmffGprQ89bT5sfkKxm:R6lXJJ676YiSU9tngmff+TSfc |
MD5: | 7FDE7E13C524DBEEF1F5940659D7BC15 |
SHA1: | 747AC211141FCC2321D8B9B8B4C606B63C3D2220 |
SHA-256: | 75AAD788BD0143A86513D3CAADFBF6F8046B33DE539000DE8AF6A61F7F434747 |
SHA-512: | ACE12BD0CF5B2B4E663A7567DA5A7E9ED06AC30B0CC0140D9B2089453A2F12FD76E7EE7D9D20790A70217A3B9FFECC0D39E250C7E63FE2AE2C73DB2A981DAC8B |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4893 |
Entropy (8bit): | 4.57509558692161 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zswtJg77aI9RCrWpW8VYpjYm8M4JDNmqFrG+q8mMSm/K2vFd:uIjf2I77Ca7Vq2J/GSi2vFd |
MD5: | 612ED854CD244194286F0437441F4CB6 |
SHA1: | 74FA0C4347FC60D67B602BABD79631C750011831 |
SHA-256: | DEE3B36F310169BC4A6B322D1D248F02867C5508E58C1C2DD6D07B424E994BEF |
SHA-512: | 82B4263F876178D93FC0ADF755E80E021B6B59AFAB9DD3A7AED93C011E3FE0A989B5F0FE774344781A3EC28941BC7CE5732EAE625647E387204BB91734719A11 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.465687853453082 |
Encrypted: | false |
SSDEEP: | 6144:kIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNFdwBCswSbZ:ZXD94+WlLZMM6YFHf+Z |
MD5: | CDBA5E40F98AC56ADB58B1DE4B789F28 |
SHA1: | 9324E4C013C11B720863610E1C139C80785B58F4 |
SHA-256: | ED8CBAF24F2CE8B78986B35381541978255CBC5154C6F2CB5EDA8D17CCDAD8F0 |
SHA-512: | BEC7E641D061CADF061DD4D9F577285BBA9DC02F1DB5E3F3F1A131A7578AFF635430C5261F71AF7E06DB587142A4D91E98CEA86F82DF5226E05C406C494A11DD |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.099336289847779 |
TrID: |
|
File name: | SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe |
File size: | 170'496 bytes |
MD5: | 44263157176d2dce120e56ae6d3ef234 |
SHA1: | 56a7650df487782d51c8974fa0e2686f86132c33 |
SHA256: | bc72cde1d16c58b721d38dae2bcaa61b3a9bc7c22eae128e0439329f32ddef05 |
SHA512: | 37aca245d40e01b49c1481a19189bd52cac9fea53b33a1393ccb0be4ec97ffb79d125b89f3e626dd1c9ee93a4730b20c0c65595ba54e4cca9e5458202bf055a7 |
SSDEEP: | 3072:RITI68njNkWEumKMQt5wFiJOVekPiyt5P0d/uR3IgfQ8m6gXe3ul0:RhIumKMQ6i8V5PiykdA3I8EhXe3ul |
TLSH: | 85F3F733A214C8A6D02136B622F20B38EDB447563D789177EFE4DEB1AC61562CF9794C |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*\-.K2~.K2~.K2~.W>~.K2~.W<~.K2~.T6~.K2~.m8~.K2~aT8~.K2~.K3~0K2~JDo~.K2~.m9~.K2~.K2~.K2~aT9~.K2~NM4~.K2~Rich.K2~............... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x401000 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x64C8CD50 [Tue Aug 1 09:16:00 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 1e137beb03917c84d5c479ef47f30e98 |
Instruction |
---|
call 00007F1675073160h |
call 00007F1675072E71h |
xor eax, eax |
ret |
nop |
nop |
nop |
push ebp |
mov ebp, esp |
mov eax, 00000000h |
jmp 00007F1675056E45h |
mov esp, ebp |
pop ebp |
ret |
push ebp |
mov ebp, esp |
sub esp, 0000000Ch |
mov dword ptr [ebp-04h], esp |
xor eax, eax |
call dword ptr [0042509Ch] |
nop |
nop |
cmp dword ptr [ebp-04h], esp |
je 00007F1675056E59h |
push 00000000h |
push 0402FB73h |
push 00000006h |
call 00007F1675072E96h |
add esp, 0Ch |
mov dword ptr [00428345h], 00000000h |
mov dword ptr [00428349h], 00000000h |
push 00000000h |
mov ebx, 000008D4h |
call 00007F167507353Fh |
add esp, 04h |
mov dword ptr [ebp-08h], eax |
cmp dword ptr [ebp-08h], 03h |
mov eax, 00000000h |
setnl al |
mov dword ptr [0042834Dh], eax |
call 00007F1675056E53h |
mov eax, 00000000h |
jmp 00007F1675056E45h |
mov esp, ebp |
pop ebp |
ret |
push ebp |
mov ebp, esp |
mov esp, ebp |
pop ebp |
ret |
test ebx, ebx |
jne 00007F1675056E45h |
xor eax, eax |
ret |
mov ecx, ebx |
test ecx, 00000003h |
je 00007F1675056E51h |
mov al, byte ptr [ecx] |
inc ecx |
test al, al |
je 00007F1675056E7Dh |
test ecx, 00000003h |
jne 00007F1675056E33h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26030 | 0xdc | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3a000 | 0x3e8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x25000 | 0x2c4 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x239d2 | 0x23a00 | 4e4a8c9bf57761c03e9543dcf78c293b | False | 0.3617324561403509 | data | 6.123504050230424 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x25000 | 0x1f72 | 0x2000 | be6f75a0e0ce694046397a15c9458685 | False | 0.3873291015625 | OpenPGP Public Key Version 2 | 5.263097382925648 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x27000 | 0x12e05 | 0x3800 | 809f032558492b22bd7ad0d452ad939c | False | 0.396484375 | data | 4.7946460050679045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x3a000 | 0x3e8 | 0x400 | a3028926dad9a486c5651ddf0f9fdd93 | False | 0.5263671875 | data | 4.420889371032156 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x3a270 | 0x174 | data | 0.5403225806451613 | ||
RT_MANIFEST | 0x3a0a0 | 0x1cb | XML 1.0 document, ASCII text, with CRLF line terminators | 0.6318082788671024 |
DLL | Import |
---|---|
KERNEL32.dll | PeekNamedPipe, ReadFile, GetExitCodeProcess, Sleep, GlobalFree, HeapAlloc, HeapFree, lstrcatA, ReadProcessMemory, ExitProcess, HeapReAlloc, IsBadReadPtr, GetVersionExA, GetModuleFileNameA, GetTickCount, WaitForSingleObject, CreateProcessA, GetStartupInfoA, GetFileSize, FindNextFileA, FindFirstFileA, FindClose, GetCommandLineA, FreeLibrary, LCMapStringA, CreateProcessW, CreatePipe, CopyFileA, GetProcAddress, CreateFileA, SetUnhandledExceptionFilter, OpenEventA, CreateEventA, lstrlenW, GetTempPathW, WideCharToMultiByte, GetProcessHeap, MultiByteToWideChar, IsBadCodePtr, GetCommandLineW, RtlMoveMemory, LocalFree, GetCurrentProcessId, OpenProcess, CloseHandle, CreateToolhelp32Snapshot, Process32Next, SetFileAttributesA, CreateThread, LoadLibraryA, GetCurrentProcess, CreateIoCompletionPort, GetQueuedCompletionStatus, GetLogicalDriveStringsA, GetTempFileNameA, GetWindowsDirectoryA, CreateDirectoryW, LocalAlloc, lstrcpyn, RemoveDirectoryA, DeleteFileA, GetModuleHandleA, Process32First, GlobalUnlock, GlobalLock, GlobalAlloc, GetFileAttributesA, MoveFileA, CreateDirectoryA |
USER32.dll | CloseClipboard, OpenClipboard, GetSystemMetrics, SetClipboardData, EmptyClipboard, PeekMessageA, TranslateMessage, DispatchMessageA, wsprintfA, MessageBoxA, SetWindowPos, SetFocus, CreateWindowExA, IsWindowEnabled, EnableWindow, MapWindowPoints, GetParent, GetWindowRect, MoveWindow, GetWindowTextA, GetWindowTextLengthA, GetInputState, WaitForInputIdle, CallWindowProcA, SetWindowLongA, CallNextHookEx, SetWindowsHookExA, UnhookWindowsHookEx, GetForegroundWindow, GetMessageA |
COMCTL32.dll | |
SHELL32.dll | SHGetPathFromIDListA, CommandLineToArgvW, SHGetSpecialFolderLocation, SHGetSpecialFolderPathW |
ADVAPI32.dll | EnumServicesStatusExA, EnumServicesStatusA, ChangeServiceConfigA, ControlService, StartServiceA, DeleteService, CreateServiceA, GetServiceKeyNameA, GetServiceDisplayNameA, ChangeServiceConfig2A, QueryServiceConfig2A, QueryServiceConfigA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegOpenKeyExA, RegSetValueExA, RegFlushKey, RegQueryValueExA, RegEnumValueA, RegQueryInfoKeyA, RegEnumKeyA, RegOpenKeyA, RegCreateKeyA, CreateProcessWithTokenW, DuplicateTokenEx, OpenServiceA, OpenSCManagerA, CloseServiceHandle, QueryServiceStatus, LookupAccountSidA, GetTokenInformation, OpenProcessToken, RegCloseKey, RegSetValueExW, RegCreateKeyExW, RegOpenKeyExW, EnumDependentServicesA |
WTSAPI32.dll | WTSEnumerateProcessesA, WTSFreeMemory |
SHLWAPI.dll | PathIsDirectoryA, PathFindFileNameA, PathIsDirectoryW |
ole32.dll | CoCreateGuid |
MSVCRT.dll | sprintf, srand, rand, atoi, _ftol, _stricmp, free, malloc, __CxxFrameHandler, strrchr, strchr, modf, realloc, memmove, strncmp, ??3@YAXPAX@Z |
WS2_32.dll | gethostname, WSACleanup, WSAStartup |
Target ID: | 0 |
Start time: | 16:25:20 |
Start date: | 28/09/2024 |
Path: | C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 170'496 bytes |
MD5 hash: | 44263157176D2DCE120E56AE6D3EF234 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 16:25:20 |
Start date: | 28/09/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x310000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 0.4% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 20.1% |
Total number of Nodes: | 822 |
Total number of Limit Nodes: | 7 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
004012AD | 22.0 | 4 | 8 | 1036 | library, file, loader, COMMON |
0041D500 | 7.0 | 3 | 1 | 25 | memory, window, COMMON |
0041DE90 | 6.0 | 4 | | 43 | file, COMMON |
00414175 | 52.4 | 18 | 11 | 1602 | memory, service, COMMON |
00415BE0 | 45.4 | 14 | 11 | 1609 | service, memory, COMMON |
00410A09 | 30.6 | 13 | 4 | 886 | pipe, sleep, process, COMMON |
0040C39B | 15.9 | 8 | 1 | 143 | clipboard, memory, COMMON |
0040C6B5 | 12.7 | 5 | 2 | 433 | process, COMMON |
0041ED60 | 9.1 | 6 | | 123 | file, COMMON |
0041F0F0 | 7.7 | 5 | | 213 | file, COMMON |
00412AB1 | 7.6 | 5 | | 90 | service, COMMON |
0040CC61 | 4.6 | 3 | | 54 | COMMON |
0041D770 | 1.5 | 1 | | 41 | COMMON |
004022EE | 1.5 | 1 | | 29 | COMMON |
0040234C | 1.5 | 1 | | 27 | COMMON |
0041F4D1 | 1.5 | 1 | | 21 | COMMON |
004216A0 | 0.9 | | | 903 | COMMON |
00423D60 | 0.4 | | | 379 | COMMON |
004242E0 | 0.3 | | | 295 | COMMON |
00422F90 | 0.1 | | | 127 | COMMON |
00420290 | 0.0 | | | 23 | COMMON |

Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
0041F960 | 37.2 | 18 | 3 | 426 | window, string, COMMON |
00413C55 | 35.4 | 9 | 11 | 396 | service, memory, COMMON |
0040E413 | 26.5 | 2 | 13 | 287 | registry, COMMON |
00413715 | 17.7 | 9 | 1 | 218 | service, memory, COMMON |
0041FEF0 | 17.6 | 9 | 1 | 136 | library, window, string, COMMON |
0040503F | 15.5 | 10 | | 474 | COMMON |
0041009D | 12.5 | 2 | 5 | 297 | registry, COMMON |
004087C5 | 10.9 | 2 | 5 | 406 | string, COMMON |
0041DCC0 | 10.6 | 5 | 1 | 65 | process, synchronization, COMMON |
0040D8F8 | 8.9 | 4 | 1 | 142 | memory, COMMON |
004125AB | 8.9 | 4 | 1 | 124 | service, COMMON |
00410738 | 8.9 | 3 | 2 | 105 | library, string, loader, COMMON |
0041D3D0 | 8.8 | 3 | 2 | 70 | window, COMMON |
0041D550 | 8.8 | 4 | 1 | 35 | memory, window, COMMON |
0041EEC0 | 7.5 | 5 | | 47 | window, COMMON |
00404590 | 7.4 | 2 | 2 | 411 | library, loader, COMMON |
0041244D | 7.1 | 3 | 1 | 107 | service, COMMON |
0041D4B0 | 7.0 | 3 | 1 | 25 | memory, window, COMMON |
0041BC7C | 6.3 | 4 | | 308 | COMMON |
0041BD59 | 6.3 | 4 | | 308 | COMMON |
0041BE36 | 6.3 | 4 | | 308 | COMMON |
0041BF16 | 6.3 | 4 | | 308 | COMMON |
0041BB9F | 6.3 | 4 | | 308 | COMMON |
004072DC | 6.1 | 4 | | 82 | COMMON |
00420970 | 6.1 | 4 | | 78 | COMMON |
00413040 | 6.1 | 4 | | 73 | service, COMMON |
0040EFCA | 5.5 | 2 | 1 | 257 | registry, COMMON |