Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe
Analysis ID:	1528324
MD5:	038aeec194f57b9b270b4c7163d5a6b3
SHA1:	c901cf779694e1d7f5a79f9de088744b17068adb
SHA256:	5cb230932976abcbdc63ecb275ff92d00d37f94b31cb482cb60dfb4400f86568
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Found API chain indicative of debugger detection

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe

ReversingLabs: Detection: 42%

Source: Amcache.hve.4.dr

String found in binary or memory: http://upx.sf.net

One or more processes crash

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7256 -s 208

PE file contains more sections than normal

Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe

Static PE information: Number of sections : 15 > 10

Source: classification engine

Classification label: mal52.evad.winEXE@3/6@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe

Code function: 0_2_00401550 CreateToolhelp32Snapshot,Process32First,printf,CloseHandle,CloseHandle,

0_2_00401550

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe

Code function: 0_2_00401627 OpenSCManagerA,GetLastError,printf,OpenServiceA,GetLastError,printf,CloseHandle,CloseHandle,printf,StartServiceA,GetLastError,printf,CloseHandle,printf,SleepEx,QueryServiceStatusEx,CloseHandle,

0_2_00401627

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7264:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7256

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\bbd6564c-be9c-45e7-af3b-2b09a0637bba

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7256 -s 208

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe

Section loaded: apphelp.dll

Jump to behavior

PE file contains sections with non-standard names

Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe	Static PE information: section name: .xdata
Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe	Static PE information: section name: /4
Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe	Static PE information: section name: /19
Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe	Static PE information: section name: /31
Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe	Static PE information: section name: /45
Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe	Static PE information: section name: /57
Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe	Static PE information: section name: /70

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe

0_2_00401627

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe	Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA,	0_2_00401180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe	Code function: 0_2_00403361 SetUnhandledExceptionFilter,	0_2_00403361
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe	Code function: 0_2_00401ED0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	0_2_00401ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe	Code function: 0_2_00409380 SetUnhandledExceptionFilter,	0_2_00409380

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe

Code function: 0_2_00401DF0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00401DF0

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1528324
Product:	CloudBasic
Start time:	19:26:07
Start date:	07.10.2024
Sample:	SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	038aeec194f57b9b270b4c7163d5a6b3
SHA1:	c901cf779694e1d7f5a79f9de088744b17068adb
SHA256:	5cb230932976abcbdc63ecb275ff92d00d37f94b31cb482cb60dfb4400f86568
Filetype:	Win64 Executable Console (202006/5) 92.64%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_a3d5b28f45f55dfcfad94157e0e1426378f45bdc_27ead845_a6f82c43-7a16-4296-8c91-11f0f1e3d529\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	9FE3D962C83130AACFF00BA6DC797F5E	FCE988598AB073AF7D98D38405703B2C18236C5C	C4705372B104BECA63453121E81DB1360B170ECCBFAF3EA9165FE00EF8D7A29B
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BB9.tmp.dmp	Mini DuMP crash report, 14 streams, Mon Oct 7 17:26:58 2024, 0x1205a4 type	EAB0B76A35353586EA2EA720882E9536	D765F3DA54F49F98C542C89EB21E3D851A7CE1DF	7F748963A1C30A008EAD64506C38C446E239D42AE709D61791EDD1F373453833
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C08.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	1E8D416B2138E64D35B1E298C2B91597	EF066C59F729060F7F4B97ED91C15A99972530CF	A132A6BD2E832D7BF187842AE66EC7BC84D771B2ED57BDBC8F1C012AC32EA0F6
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C28.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	710EEEE5A008549CE6A69AC11224A0E0	BA0448376A8521A86EF0E8D974BF6CBFABBA6332	3A6E53A79EF6CFFCF0D0634B7ADC9C64E9DF3DEF5B69853B8F4862C187220E30
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	411B81574009EFF2E153674E2FA4749E	024E7EFC8F1C8F1140CED915BC2614C54C300722	08111D2FA562F76EBB9424E589330DB2334E2AAB22BEDDC4925F4C2347C7D5A6
\Device\ConDrv	ASCII text, with CRLF line terminators	C63453B1FF219B51D3229D2BE73A81CC	900AF9F57E158D14BE44244593D8BDEEDD20BC6C	F6ACA7AA753B6F15C363C98820C44CC09A7E1D30721BC95DD475784A49C68E04

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Windows Analysis Report SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe