Windows Analysis Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe

Overview

General Information

Sample name: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe
Analysis ID: 1523259
MD5: 29122e889d1b60a2b96f6f01c338b31c
SHA1: 8097ba814311ab728403185037003dc554495a8f
SHA256: 039c644a60fb4d6eb6b0b8a2e90a7e9aec0869e7f76002577d15024f9265f8ee
Tags: exe
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
One or more processes crash
PE file contains an invalid checksum
PE file does not import any functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe ReversingLabs: Detection: 13%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Uses 32bit PE files
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe String found in binary or memory: http://www.clamav.net
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_00412038 0_2_00412038
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_00427161 0_2_00427161
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_004212BE 0_2_004212BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_00443391 0_2_00443391
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_0041A46B 0_2_0041A46B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_0041240C 0_2_0041240C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_0041D750 0_2_0041D750
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_004037E0 0_2_004037E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_00427859 0_2_00427859
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_00412818 0_2_00412818
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_0040F890 0_2_0040F890
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_0042397B 0_2_0042397B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_00409A40 0_2_00409A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_0047CBF0 0_2_0047CBF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_00411BA3 0_2_00411BA3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_0044EBBC 0_2_0044EBBC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_00412C38 0_2_00412C38
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_00423EBF 0_2_00423EBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_00424F70 0_2_00424F70
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_0041AF0D 0_2_0041AF0D
One or more processes crash
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 232
PE file does not import any functions
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Static PE information: No import functions for PE file found
Uses 32bit PE files
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: mal52.winEXE@2/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3732
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2486dd6f-ca78-4e90-af2d-fec7f28842e4 Jump to behavior
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe ReversingLabs: Detection: 13%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 232
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Section loaded: apphelp.dll Jump to behavior
PE file contains an invalid checksum
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Static PE information: real checksum: 0xa2135 should be: 0xbf531
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_0041465D push dword ptr [ecx-75h]; iretd 0_2_00414665
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_00416310 LdrInitializeThunk, 0_2_00416310
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe Code function: 0_2_00410D10 cpuid 0_2_00410D10
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1523259 Sample: SecuriteInfo.com.W32.Xpack.... Startdate: 01/10/2024 Architecture: WINDOWS Score: 52 10 Multi AV Scanner detection for submitted file 2->10 12 AI detected suspicious sample 2->12 6 SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe 2->6         started        process3 process4 8 WerFault.exe 21 16 6->8         started       
No contacted IP infos