Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe
Analysis ID:	1523259
MD5:	29122e889d1b60a2b96f6f01c338b31c
SHA1:	8097ba814311ab728403185037003dc554495a8f
SHA256:	039c644a60fb4d6eb6b0b8a2e90a7e9aec0869e7f76002577d15024f9265f8ee
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to query CPU information (cpuid)

Detected potential crypto function

One or more processes crash

PE file contains an invalid checksum

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe (PID: 3732 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe" MD5: 29122E889D1B60A2B96F6F01C338B31C)

WerFault.exe (PID: 5236 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	String found in binary or memory: http://www.clamav.net

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_00412038	0_2_00412038
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_00427161	0_2_00427161
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_004212BE	0_2_004212BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_00443391	0_2_00443391
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_0041A46B	0_2_0041A46B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_0041240C	0_2_0041240C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_0041D750	0_2_0041D750
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_004037E0	0_2_004037E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_00427859	0_2_00427859
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_00412818	0_2_00412818
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_0040F890	0_2_0040F890
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_0042397B	0_2_0042397B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_00409A40	0_2_00409A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_0047CBF0	0_2_0047CBF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_00411BA3	0_2_00411BA3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_0044EBBC	0_2_0044EBBC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_00412C38	0_2_00412C38
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_00423EBF	0_2_00423EBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_00424F70	0_2_00424F70
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_0041AF0D	0_2_0041AF0D

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 232

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe

Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal52.winEXE@2/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3732

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2486dd6f-ca78-4e90-af2d-fec7f28842e4

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 232

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe

Section loaded: apphelp.dll

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe

Static PE information: real checksum: 0xa2135 should be: 0xbf531

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_004171D1 push ecx; ret		0_2_004171E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Code function: 0_2_0041465D push dword ptr [ecx-75h]; iretd		0_2_00414665

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe

Code function: 0_2_00416310 LdrInitializeThunk,

0_2_00416310

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe

Code function: 0_2_00410D10 cpuid

0_2_00410D10

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	13%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.clamav.net	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.clamav.net	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe	false	0%, Virustotal, Browse	unknown
http://upx.sf.net	Amcache.hve.3.dr	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523259
Start date and time:	2024-10-01 11:22:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe
Detection:	MAL
Classification:	mal52.winEXE@2/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
05:23:06	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_d45efbb66f135ac8cdfb63cf29b9eedf1d892ee_1c527afe_b625bdb1-c4ff-4937-90f9-5c486047f251\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6832308809620882
Encrypted:	false
SSDEEP:	96:POFKg72Qhpb+i8Ns2zhMyoI7JfPQXIDcQvc6QcEVcw3cE/H1d+HbHg6ZAX/d5FM6:2sWnDONQ0BU/AjEzuiFhZ24IO8n
MD5:	98FEEAE3E5F48F56A076537CAF96A1E1
SHA1:	E37D346F0AACC23DAF9C5B22A3C00BBF0C921A3B
SHA-256:	F9EAF375594E9573CE2C9B6AA5B414DB3A44BB56F6331EF84E8FAA2B7CDEC2A9
SHA-512:	FE620CAECD4C1A01FF80B287210151AD5A720063CC621320887C812D825DA4074FF8A3FF051FF7B621C258B8F9E99C55EF745D9BEEF5E1D486CBD675B66A29D7
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.2.4.8.1.7.4.1.7.2.9.9.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.2.4.8.1.7.4.4.2.2.9.8.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.6.2.5.b.d.b.1.-.c.4.f.f.-.4.9.3.7.-.9.0.f.9.-.5.c.4.8.6.0.4.7.f.2.5.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.3.f.3.a.f.5.c.-.b.b.2.8.-.4.4.3.b.-.b.f.8.3.-.a.b.0.9.2.b.b.e.1.1.a.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.3.2...X.p.a.c.k...E...g.e.n...E.l.d.o.r.a.d.o...1.7.8.2.9...9.7.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.9.4.-.0.0.0.1.-.0.0.1.4.-.7.7.f.1.-.8.1.7.e.e.3.1.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.9.f.4.a.d.a.2.3.f.a.c.5.e.3.0.d.f.b.a.7.c.c.5.f.c.7.e.0.4.7.d.0.0.0.0.f.f.f.f.!.0.0.0.0.8.0.9.7.b.a.8.1.4.3.1.1.a.b.7.2.8.4.0.3.1.8.5.0.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER339D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 1 09:22:54 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18570
Entropy (8bit):	1.9588507910685005
Encrypted:	false
SSDEEP:	96:5t84DTN36o+kQF2mi7nF5LVpNxzwdrFe2WIkWIYMI4hDLfe+6:8GKqcOHNxzXh/e+6
MD5:	2492B985673E79AF4BA539EFF97DE0EA
SHA1:	9DEB7B97B44CAB0B71C198F454259EBC0AB03C41
SHA-256:	C1B4E166E5037FB3A36F72F95899CCA6297DFA7D36D033D59278DDE5089CEDAE
SHA-512:	CD0B8961A1332CD85DC1B6BE58FA6B9BA0BCF9B06D8E0C90C4C54EBBC5B18BF34541B1404CAB9CCFD2677BA96BC77FC5619E18A3293B351E9A5FED159323920C
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......n..f............4...............<.......T...............T.......8...........T................>......................................................................................................eJ......L.......GenuineIntel............T...........m..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER33DC.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8484
Entropy (8bit):	3.7063083351578863
Encrypted:	false
SSDEEP:	192:R6l7wVeJto696Y9FSU9/JgmfLczprp89bm7sf/ACm:R6lXJC696YfSU9xgmfAImAfM
MD5:	C85854A8C2BCDD592B1ACD859D3353E1
SHA1:	0DC1A6C0F78F807DED9449BA84FBB23EC3EEC937
SHA-256:	47A873EE062F54ACFE37BB8897F6BFAA960A317E7FE075586A90C4805BD0F3BF
SHA-512:	30916163BEF648614316E9C584748D9390C505D5F0F8B8F71E520AF059A2FFCD1004293BEB3B769C49317E12A9112417F211B41FC9BA8F414AF38CF2613C5723
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.7.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER33FC.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4828
Entropy (8bit):	4.582258857052252
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZJg77aI9vEWpW8VY0lYm8M4J4qF6+q8WTlHBVJJ+IhQd:uIjfrI7Bd7VMJs5lH7n+IhQd
MD5:	07652DE4048C3D0C2D35BA36F384C2D3
SHA1:	85455C1939BDD8886E3B9A91719023F8185434A9
SHA-256:	7F8C0023557B49AD8BE74FFEDC0F8648FF8D5E918BA02ECF4068FEAAD44D202D
SHA-512:	F192543FF8492E00126F6B8F6C9C20347D1AFF4776619AB8F3EDFCDBF785CB07E20C3BDDCEB4EF48129F9651F3D52D7A0F330538F8EC692CB0045C0CFC618026
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="524185" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465711930210382
Encrypted:	false
SSDEEP:	6144:UIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNedwBCswSbg:pXD94+WlLZMM6YFHA+g
MD5:	FC3FF5FCF02F0C3C9CF3AB3C3EA1E703
SHA1:	30D8E7C5CA407F0B6811396AB33D3B76CDB6C313
SHA-256:	06D9A53A1C36F1870C470566422AB30E3DBA9474206060385980EB11920AFEAB
SHA-512:	AE485CE25C1B8F84F15AB37F48F0663927AD52E3B2B2D0798E1A601C6E76AA56A19F197AA6B40C472A57E7332267F88044039ACD6C0F411FA3C55DDE4B2CBD58
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm:.~.................................................................................................................................................................................................................................................................................................................................................D.J........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.7278542194973046
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe
File size:	720'896 bytes
MD5:	29122e889d1b60a2b96f6f01c338b31c
SHA1:	8097ba814311ab728403185037003dc554495a8f
SHA256:	039c644a60fb4d6eb6b0b8a2e90a7e9aec0869e7f76002577d15024f9265f8ee
SHA512:	25e3454950e724b930db3608baa6f343cecbdfdd11e9b6b86ba97f03ffeecd0263d4de8cb87a7405ec316ae30a089e449f504cb1cb7d50f42d603617bc9d2947
SSDEEP:	12288:OXBSIiiSBQVKBOtbix6BgVYXGgN+otbBrX:s4JQMU46eVYNRBrX
TLSH:	78E48D41F7C784C6EEE279B1197FE7126F26F418533A44FBA3B41C324A51481AA2D7A3
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM..........#..................c.....

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x416310
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
call 00007F297CEC2FF6h
jmp 00007F29542A2EF6h
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F29C4D92DEAh
cmp edi, eax
jc 00007F29C4D92F8Ah
cmp ecx, 00000100h
jc 00007F29C4D92E01h
cmp dword ptr [004A94E0h], 00000000h
je 00007F29C4D92DF8h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007F29C4D92DEAh
pop esi
pop edi
pop ebp
jmp 00007F298D302EF6h
test edi, 00000003h
jne 00007F29C4D92DF7h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007F29C4D92E0Ch
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007F29C4D92DEEh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007F29C4D92DAEh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8cd3c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x4b58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x840	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x81000	0x81000	704fc008d1efbdf69f06413bba431726	False	0.5054392260174418	data	6.618892666849093	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xe000	0xe000	0c9712a5fc53efa165bfe2bcc8940668	False	0.24051339285714285	data	3.4974150857139263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1b000	0x1b000	d4628e6ef406eeb571dc2a6a71b5aaf0	False	0.040961371527777776	data	0.6400072349742453	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x5000	0x5000	bfb2f4b4503d7826c17f71c665dbcb3f	False	0.109033203125	data	1.763911230516258	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 11:23:16.363075972 CEST	53	62020	1.1.1.1	192.168.2.4
Oct 1, 2024 11:23:41.987570047 CEST	53	49235	162.159.36.2	192.168.2.4
Oct 1, 2024 11:23:43.288120031 CEST	53	63078	1.1.1.1	192.168.2.4

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exePID: 3732, Parent PID: 2580

General

Target ID:	0
Start time:	05:22:53
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe"
Imagebase:	0x400000
File size:	720'896 bytes
MD5 hash:	29122E889D1B60A2B96F6F01C338B31C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5236, Parent PID: 3732

General

Target ID:	3
Start time:	05:22:54
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 232
Imagebase:	0xef0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exePID: 3732, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	1
Total number of Limit Nodes:	0

Executed Functions

Function 00416310 Relevance: 1.5, APIs: 1, Instructions: 2
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00416310

Memory Dump Source

Source File: 00000000.00000002.1786389498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1786377607.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786433721.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786449752.0000000000490000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786464053.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 04d999aae1addd1f87dbd746204af1a3ba66c0c33e9df23231ce7408dfcac47c
Instruction ID: 97f797fd40c3734c3dc0fca83b724349fda1eb26c2cbe1c224d936f202521ea2
Opcode Fuzzy Hash: 04d999aae1addd1f87dbd746204af1a3ba66c0c33e9df23231ce7408dfcac47c
Instruction Fuzzy Hash:

Non-executed Functions

Function 004037E0 Relevance: 5.4, Strings: 4, Instructions: 354COMMON

Download Yara Rule

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 0042B87B
Unterminated string, xrefs: 0042B9BA
_, xrefs: 00403B48
Error opening the file, xrefs: 0042B8AC

Memory Dump Source

Source File: 00000000.00000002.1786389498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1786377607.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786433721.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786449752.0000000000490000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786464053.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
API String ID: 0-188983378
Opcode ID: b1d58798016a8666737698f55678c8f9a562e42af19396b7f46fa38e72443bda
Instruction ID: 4b027f86bd787732040b2c1ea9a3bd0341be4f4b0e40c3467f7560298c483ba0
Opcode Fuzzy Hash: b1d58798016a8666737698f55678c8f9a562e42af19396b7f46fa38e72443bda
Instruction Fuzzy Hash: 2CD1D1B25083419AD710DF28C844AEF77E8AF95324F044F2EE5E5932E1DB74DA48C7A6

Function 00409A40 Relevance: 4.9, Strings: 2, Instructions: 2429COMMON

Download Yara Rule

Strings

0vH, xrefs: 0042E5E9
4RH, xrefs: 0042D5BE

Memory Dump Source

Source File: 00000000.00000002.1786389498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1786377607.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786433721.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786449752.0000000000490000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786464053.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0vH$4RH
API String ID: 0-2085553193
Opcode ID: e75db05d8d8b92a1f7fc08217f079643dbae426abb1b7128aacec507bdd6e793
Instruction ID: bf9e14912e8b20d4543ec6407b425ddbbadcb7513d400c407e63b6ecdf00d3d9
Opcode Fuzzy Hash: e75db05d8d8b92a1f7fc08217f079643dbae426abb1b7128aacec507bdd6e793
Instruction Fuzzy Hash: F4239170A043109FC724CF29D880A1AB7E1BF85320F548B6EE8A59B3E5D735EC45CB96

Function 0044EBBC Relevance: 4.2, Strings: 3, Instructions: 490COMMON

Download Yara Rule

Strings

h, xrefs: 0044F872
ACCEPT, xrefs: 0044EBFE, 0044EC47
^, xrefs: 0044F7CD

Memory Dump Source

Source File: 00000000.00000002.1786389498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1786377607.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786433721.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786449752.0000000000490000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786464053.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ACCEPT$^$h
API String ID: 0-4263704089
Opcode ID: 401bf12fad1252ccb0175980d7c8ce75d8d6af8c3fd385a49c496871d1181cf4
Instruction ID: c76d79826411299f780db426e8fba00b793c07a50d02588be29e136997c312f7
Opcode Fuzzy Hash: 401bf12fad1252ccb0175980d7c8ce75d8d6af8c3fd385a49c496871d1181cf4
Instruction Fuzzy Hash: 7F12B1756083818FE725CF29C48075BBBE2BFC6314F244A6EE8E587390C7799846CB56

Function 0047CBF0 Relevance: 2.9, Strings: 2, Instructions: 418COMMON

Download Yara Rule

Strings

HH, xrefs: 0047CF38
0vH, xrefs: 0047CFD9

Memory Dump Source

Source File: 00000000.00000002.1786389498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1786377607.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786433721.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786449752.0000000000490000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786464053.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0vH$HH
API String ID: 0-728391547
Opcode ID: 934b930a4dba222724e7e52d736ec7cd505d204433e377cc57240eed3fb3bbdf
Instruction ID: a33b33284c683fe2ce034c66ef0c6454d319a89ba7bdf2abf9e5f29f2261ca32
Opcode Fuzzy Hash: 934b930a4dba222724e7e52d736ec7cd505d204433e377cc57240eed3fb3bbdf
Instruction Fuzzy Hash: 4DF18E725083119BC310DF68C880A9FB7E5AFC8724F018B1EF5A99B2D0D775E945CB96

Function 0042397B Relevance: 1.8, Strings: 1, Instructions: 518COMMON

Download Yara Rule

Strings

, xrefs: 00423E17

Memory Dump Source

Source File: 00000000.00000002.1786389498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1786377607.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786433721.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786449752.0000000000490000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786464053.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 16e72d50a6875a36fb12fa0c9d635a732b9b801b7da4bc314e15c7f393f64026
Instruction ID: c32d22c4df8b0aa09672813279a4d1281c855965ef7bd8f839ab6bd445e34500
Opcode Fuzzy Hash: 16e72d50a6875a36fb12fa0c9d635a732b9b801b7da4bc314e15c7f393f64026
Instruction Fuzzy Hash: B002E932B105299BDF04CF69D8403ADB7B2FBD8316F25C67ED916A7290C7786A05CB84

Function 00423EBF Relevance: 1.8, Strings: 1, Instructions: 518COMMON

Download Yara Rule

Strings

, xrefs: 0042435B

Memory Dump Source

Source File: 00000000.00000002.1786389498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1786377607.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786433721.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786449752.0000000000490000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786464053.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d817edb64f117f6e5afa9a8f8f7f5b645681a00cad18b4ceaa0fe1cdb2f17551
Instruction ID: 20222ebbaf31a8cb6c924dce308f176e59f12450783450f4023d9f39e55708e6
Opcode Fuzzy Hash: d817edb64f117f6e5afa9a8f8f7f5b645681a00cad18b4ceaa0fe1cdb2f17551
Instruction Fuzzy Hash: E902E832F105299BDF04CF68E8403ADB3B2FBD8365F65826ADD25A72D0C7746A45CB84

Function 00443391 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

rJ, xrefs: 00443399

Memory Dump Source

Source File: 00000000.00000002.1786389498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1786377607.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786433721.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786449752.0000000000490000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786464053.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: rJ
API String ID: 0-1865492326
Opcode ID: 459b4493d9efb69004f7e680e2b7d07d89454fd89f9db25ade9b1a4ad0add50b
Instruction ID: 91fd5aa8b771d8f6c986f479a179aaa35f817026b5b8c1139de9cb7767a82de4
Opcode Fuzzy Hash: 459b4493d9efb69004f7e680e2b7d07d89454fd89f9db25ade9b1a4ad0add50b
Instruction Fuzzy Hash: 392175336645108BF321CF36CC4165677E3EBE0324B258B69D4B5873D5CA79B9068B98

Function 0040F890 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786389498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1786377607.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786433721.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786449752.0000000000490000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786464053.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6976ed3ee251a270bc4f1cf100ee2296cb20db0440bdad4ff4fd970e688cb5b5
Instruction ID: fc548da5bdd80b7d650d340644b5a8552c20e99f42d4f7711bb17dd86f7fd622
Opcode Fuzzy Hash: 6976ed3ee251a270bc4f1cf100ee2296cb20db0440bdad4ff4fd970e688cb5b5
Instruction Fuzzy Hash: 2412B4B7B983194FDB48CEE5DCC169573E1FB98304F09A43C9A15C7306F6E8AA098790

Function 00411BA3 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786389498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1786377607.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786433721.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786449752.0000000000490000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786464053.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716d80aa8c6d91b70a2bf08cc32f33e3346e33aeaeaba6f2ee022d3921281ed0
Instruction ID: ea89862040b53bbdf4223699cb44cc7d4160ccfcf797db4c000f41121bdd8a22
Opcode Fuzzy Hash: 716d80aa8c6d91b70a2bf08cc32f33e3346e33aeaeaba6f2ee022d3921281ed0
Instruction Fuzzy Hash: 53E15333C49BB24B4B714EF941E05AB6E605E0579131F47EACEC03F3A7C10A9D9A95E4

Function 00412818 Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786389498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1786377607.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786433721.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786449752.0000000000490000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786464053.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a29868a32051cba633a4003de16fd6570556f072c26fad033648912b46de40
Instruction ID: 613b34640b3bca98f879594139a4fbfa94f41acac8213fbf7a44c753edb936fd
Opcode Fuzzy Hash: 74a29868a32051cba633a4003de16fd6570556f072c26fad033648912b46de40
Instruction Fuzzy Hash: 89D1B173D0A9B30A8735852D42581AFEE626FD578031FC3E28CD07F38AD26B5DA186D4

Function 00412C38 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786389498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1786377607.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786433721.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786449752.0000000000490000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786464053.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f21002669519091e2ac2c3443de8f9a2cd6de6df55dd104281d7d0664fa89f9
Instruction ID: acc7d6948229dac1bd14c774d15316c7c4095f9fd4af83d8fb8c163ac72bfaae
Opcode Fuzzy Hash: 4f21002669519091e2ac2c3443de8f9a2cd6de6df55dd104281d7d0664fa89f9
Instruction Fuzzy Hash: BFD18073C0A9B30A8735812D425816FEE626FD578031FC3E28CD47F38E926B5DA195D4

Function 0041240C Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786389498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1786377607.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786433721.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786449752.0000000000490000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786464053.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7c59de1961946bf0f00fae1a7e59b9e6f7868706423ea309761ac9a72c1bb6
Instruction ID: 8dbfb60f639456fe85fae823d3190c83b2a3c40a5e72647f142981fa9e44395d
Opcode Fuzzy Hash: ca7c59de1961946bf0f00fae1a7e59b9e6f7868706423ea309761ac9a72c1bb6
Instruction Fuzzy Hash: 82C18173C0A9B30A8736812D426856FEE626FD578031FC3E28CD47F38A91AB5DA195D4

Function 00412038 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786389498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1786377607.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786433721.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786449752.0000000000490000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786464053.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc1b35ccf90b4e0ab534e30f565e1d6cf3ddd0e07c099306c6352206ecedba5
Instruction ID: b7264c976688b3bd84512f67baeda3f709aa64df9b99904a8c5a0f6ae1cc9e6b
Opcode Fuzzy Hash: 3bc1b35ccf90b4e0ab534e30f565e1d6cf3ddd0e07c099306c6352206ecedba5
Instruction Fuzzy Hash: DFC19F73D0A9B30A8735812D46581AFEE626FD578031EC3E28CE06F38ED26F5DA195D4

Function 00424F70 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786389498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1786377607.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786433721.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786449752.0000000000490000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786464053.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60403d84afd1dd4868a9ea593d1d673cbab0137efb0d2b8641247869cf0c27c3
Instruction ID: d33b3193fbaef1e1c3d9b380a1e2f95b318ccb890ed9ae146fff54a307237ed0
Opcode Fuzzy Hash: 60403d84afd1dd4868a9ea593d1d673cbab0137efb0d2b8641247869cf0c27c3
Instruction Fuzzy Hash: 12619071A016268FCB18CF49D9945AAF7B2FF89310B5AC16EC9096F362D7709D41CBC4

Function 00410D10 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786389498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1786377607.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786433721.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786449752.0000000000490000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786464053.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
Instruction ID: b8cfd58d412160527e66ace840abba843d94ac3f5b06779728c9fe736b8606cc
Opcode Fuzzy Hash: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
Instruction Fuzzy Hash: ECD012F621844146F33144D866C0BD100437344310FB58C276005CEBC1C0DDECD6C229

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_d45efbb66f135ac8cdfb63cf29b9eedf1d892ee_1c527afe_b625bdb1-c4ff-4937-90f9-5c486047f251\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER339D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER33DC.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER33FC.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exePID: 3732, Parent PID: 2580

General

Chronological Activities

Windows Analysis Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.17829.973.exe

Function 00416310 Relevance: 1.5, APIs: 1, Instructions: 2
libraryCOMMON