Windows Analysis Report
SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe
Analysis ID:	1532505
MD5:	2452e269ee2a615e90c5e19a373b0239
SHA1:	6e02258265d33f5d622997091065953c4730ec10
SHA256:	4c0dbbf022d7dfc0b4eacb34dbb4d41e3fd860c04057362002a5d4a6e0220a55
Tags:	exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Enables debug privileges

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	ReversingLabs: Detection: 52%
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Virustotal: Detection: 54%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Uses 32bit PE files

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 18.166.250.135:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\bin\Release\Bootstrapper.pdb source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /quiving/Solara/raw/branch/main/Files/endpoint HTTP/1.1Host: gitea.comConnection: Keep-Alive

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /quiving/Solara/raw/branch/main/Files/endpoint HTTP/1.1Host: gitea.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: gitea.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 13 Oct 2024 12:27:01 GMTContent-Type: text/plain;charset=utf-8Content-Length: 11Connection: closeCache-Control: max-age=0, private, must-revalidate, no-transformServer: CaddySet-Cookie: i_like_gitea=775661cd8dc0adc0; Path=/; HttpOnly; Secure; SameSite=LaxSet-Cookie: _csrf=6ppViQ1aeWleoIZL9QKPor9alOY6MTcyODgyMjQyMTcxMzI0NzM3MA; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=LaxX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGIN

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gitea.com
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gitea.comd
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: http://james.newtonking.com/projects/json
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://aka.ms/vs/16/release/vc_redist.x64.exe#vc_redist.x64.exeiVisual
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exeiWebView2
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gitea.com
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://gitea.com/quiving/Solara/raw/branch/main/Files/endpoint
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 18.166.250.135:443 -> 192.168.2.4:49730 version: TLS 1.2

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2942925913.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000000.1696542029.000000000068A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Uses 32bit PE files

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.evad.winEXE@2/0@1/1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Mutant created: NULL

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	ReversingLabs: Detection: 52%
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Virustotal: Detection: 54%

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: pv]Error checking WebView2 runtime installation: chttps://go.microsoft.com/fwlink/p/?LinkId=2124703=MicrosoftEdgeWebview2Setup.exe!/silent /installQWebView2 runtime installed successfully.qWebView2 runtime installation failed with exit code {0}.GError installing WebView2 runtime: iSOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: Version3Error checking registry: ]https://aka.ms/vs/16/release/vc_redist.x64.exe#vc_redist.x64.exeiVisual C++ Redistributable installer downloaded to: 5/install /quiet /norestart

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: gpapi.dll	Jump to behavior

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\bin\Release\Bootstrapper.pdb source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Memory allocated: DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Memory allocated: 4990000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe TID: 6848

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2942925913.0000000000E05000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Enables debug privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Memory allocated: page read and write | page guard

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
18.166.250.135	gitea.com	United States		16509	AMAZON-02US	false

Contacted Domains

Name	IP	Active
gitea.com	18.166.250.135	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://gitea.com/quiving/Solara/raw/branch/main/Files/endpoint	false	0%, Virustotal, Browse	unknown

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	ReversingLabs: Detection: 52%
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Virustotal: Detection: 54%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Uses 32bit PE files

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 18.166.250.135:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\bin\Release\Bootstrapper.pdb source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /quiving/Solara/raw/branch/main/Files/endpoint HTTP/1.1Host: gitea.comConnection: Keep-Alive

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /quiving/Solara/raw/branch/main/Files/endpoint HTTP/1.1Host: gitea.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: gitea.com

Source: global traffic

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gitea.com
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gitea.comd
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: http://james.newtonking.com/projects/json
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://aka.ms/vs/16/release/vc_redist.x64.exe#vc_redist.x64.exeiVisual
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exeiWebView2
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gitea.com
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://gitea.com/quiving/Solara/raw/branch/main/Files/endpoint
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 18.166.250.135:443 -> 192.168.2.4:49730 version: TLS 1.2

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2942925913.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000000.1696542029.000000000068A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Uses 32bit PE files

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.evad.winEXE@2/0@1/1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Mutant created: NULL

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	ReversingLabs: Detection: 52%
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Virustotal: Detection: 54%

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: pv]Error checking WebView2 runtime installation: chttps://go.microsoft.com/fwlink/p/?LinkId=2124703=MicrosoftEdgeWebview2Setup.exe!/silent /installQWebView2 runtime installed successfully.qWebView2 runtime installation failed with exit code {0}.GError installing WebView2 runtime: iSOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: Version3Error checking registry: ]https://aka.ms/vs/16/release/vc_redist.x64.exe#vc_redist.x64.exeiVisual C++ Redistributable installer downloaded to: 5/install /quiet /norestart

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: gpapi.dll	Jump to behavior

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\bin\Release\Bootstrapper.pdb source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Memory allocated: DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Memory allocated: 4990000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe TID: 6848

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2942925913.0000000000E05000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Enables debug privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Memory allocated: page read and write | page guard

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	1532505
Product:	CloudBasic
Start time:	14:26:05
Start date:	13.10.2024
Sample:	SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	2452e269ee2a615e90c5e19a373b0239
SHA1:	6e02258265d33f5d622997091065953c4730ec10
SHA256:	4c0dbbf022d7dfc0b4eacb34dbb4d41e3fd860c04057362002a5d4a6e0220a55
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Windows Analysis Report
SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe