Windows Analysis Report
SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe
Analysis ID:	1528521
MD5:	70ecf035b9701551510fbeae9d957f7e
SHA1:	7a62fcabcc0fc9276eef23160d538c199b711f7b
SHA256:	3459a9a11a2d9e6b530107c8433c2c759d9f495d5f11fe7641180300df188150
Tags:	exe
Infos:

Detection

Score:	22
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

AI detected suspicious sample

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 89.9% probability

Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe

String found in binary or memory: https://windows.php.net/downloads/releases/archives/mallocgc

PE file contains more sections than normal

Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe

Static PE information: Number of sections : 15 > 10

Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Static PE information: Section: /19 ZLIB complexity 1.0001677389705883
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Static PE information: Section: /32 ZLIB complexity 0.9981123428770949
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Static PE information: Section: /65 ZLIB complexity 0.9988079019073569
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Static PE information: Section: /78 ZLIB complexity 0.9925872011840929

Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe

Binary string: bindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartunexpected buffer len=%vinvalid pseudo-header %qframe_headers_prio_shortinvalid request :path %qread_frame_conn_error_%sRequest Entity Too Largehttp: nil Request.Headerexec: Stdout already setfloating point exceptionconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32SnapshotGetUserProfileDirectoryWSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard TimeMontevideo Standard TimeMagallanes Standard TimePacific SA Standard TimeAzerbaijan Standard TimeBangladesh Standard TimeNorth Asia Standard TimeCape Verde Standard Time116415321826934814453125582076609134674072265625flate: maxBits too largeerror decrypting messagecertificate unobtainableidna: disallowed rune %USetConsoleCursorPosition\Device\NamedPipe\cygwininvalid pattern syntax: x509: malformed validityaddress string too shortresource length too longunpacking Question.ClassstreamSafe was not resetGODEBUG sys/cpu: value "", required CPU feature

Source: classification engine

Classification label: sus22.winEXE@6/0@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	File opened: C:\Windows\system32\7c10d8ad9e1362281ee3eddaa0cab049c93af6e547960cb15f257a2d66b74b8dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	File opened: C:\Windows\system32\ddf38300a7ae2239275e8d94af43932ad663dbb028586b701ba39f351b1230daAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	File opened: C:\Windows\system32\14ddd44c9e2a11941f61faf492da01d822eaa4d6270abc04e6af69218ffa003aAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior

Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	String found in binary or memory: C:/Users/Harry/Dev/pvm/commands/install.go

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe" -install
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe" /install
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe" /load
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Section loaded: umpdc.dll	Jump to behavior

Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe

Static file information: File size 7715328 > 1048576

Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x25a400
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x267400

Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains sections with non-standard names

Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Static PE information: section name: .xdata
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Static PE information: section name: /4
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Static PE information: section name: /19
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Static PE information: section name: /32
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Static PE information: section name: /46
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Static PE information: section name: /65
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Static PE information: section name: /78
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Static PE information: section name: /90
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Static PE information: section name: .symtab

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Code function: 3_2_000000015D5FEE32 push ecx; retf	3_2_000000015D5FEE69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Code function: 3_2_000000015D5FD768 push ecx; retf	3_2_000000015D5FD7C9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Code function: 5_2_00000077777FD608 push ecx; retf	5_2_00000077777FD609
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Code function: 5_2_00000077777FECA8 push ecx; retf	5_2_00000077777FECA9

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe, 00000000.00000002.1376606657.0000026C8E834000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe, 00000003.00000002.1398366729.000001A4C7FDF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe, 00000005.00000002.1420803524.00000254E38DF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1528521
Product:	CloudBasic
Start time:	00:40:22
Start date:	08.10.2024
Sample:	SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	70ecf035b9701551510fbeae9d957f7e
SHA1:	7a62fcabcc0fc9276eef23160d538c199b711f7b
SHA256:	3459a9a11a2d9e6b530107c8433c2c759d9f495d5f11fe7641180300df188150
Filetype:	Win64 Executable Console (202006/5) 92.65%

Windows Analysis Report
SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Screenshots

Behavior Graph

Network Map

Windows Analysis Report SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe