Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe
Analysis ID:	1522428
MD5:	69cf2ff495c90c2bdd9182e9d1d83467
SHA1:	32111f59feb39824f1f8b7d1d541f483c120fc69
SHA256:	915bec2968a2cda0014b6fbe20c14f2588059a1d730e8ec44e07c44e19ffe7bc
Tags:	exe
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Contains functionality to inject code into remote processes

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	ReversingLabs: Detection: 47%
Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Virustotal: Detection: 63%			Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\erays\Desktop\Process-Hollowing-main\Source\x64\Release\runpe.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Code function: 0_2_00007FF7DC6D1F50

0_2_00007FF7DC6D1F50

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Code function: String function: 00007FF7DC6D1010 appears 57 times

Source: classification engine

Classification label: mal64.evad.winEXE@2/1@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3208:120:WilError_03

Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	ReversingLabs: Detection: 47%
Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Virustotal: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\erays\Desktop\Process-Hollowing-main\Source\x64\Release\runpe.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

API coverage: 4.8 %

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Code function: 0_2_00007FF7DC6D2CC0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7DC6D2CC0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Code function: 0_2_00007FF7DC6D1F50 printf,CreateFileA,printf,CloseHandle,GetFileSize,printf,CloseHandle,GetProcessHeap,HeapAlloc,printf,CloseHandle,CloseHandle,ReadFile,printf,CloseHandle,CloseHandle,CloseHandle,printf,printf,CreateProcessA,IsWow64Process,memset,Wow64GetThreadContext,ReadProcessMemory,memset,GetThreadContext,ReadProcessMemory,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,GetProcessHeap,printf,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,printf,GetProcessHeap,HeapFree,CloseHandle,TerminateProcess,CloseHandle,printf,GetProcessHeap,HeapFree,printf,

0_2_00007FF7DC6D1F50

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Code function: 0_2_00007FF7DC6D27E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7DC6D27E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Code function: 0_2_00007FF7DC6D2E64 SetUnhandledExceptionFilter,	0_2_00007FF7DC6D2E64
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe	Code function: 0_2_00007FF7DC6D2CC0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7DC6D2CC0

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Code function: 0_2_00007FF7DC6D1580 VirtualAllocEx,printf,printf,WriteProcessMemory,printf,printf,WriteProcessMemory,printf,memset,GetThreadContext,printf,printf,WriteProcessMemory,printf,SetThreadContext,printf,ResumeThread,

0_2_00007FF7DC6D1580

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Code function: 0_2_00007FF7DC6D2BA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7DC6D2BA0

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1522428
Product:	CloudBasic
Start time:	03:23:06
Start date:	30.09.2024
Sample:	SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	69cf2ff495c90c2bdd9182e9d1d83467
SHA1:	32111f59feb39824f1f8b7d1d541f483c120fc69
SHA256:	915bec2968a2cda0014b6fbe20c14f2588059a1d730e8ec44e07c44e19ffe7bc
Filetype:	Win64 Executable Console (202006/5) 92.65%

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

System Summary

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

System Summary

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.32396.3970.exe