Windows
Analysis Report
SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe
Overview
General Information
Sample name: | SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe |
Analysis ID: | 1532613 |
MD5: | 5d0de7f05d673ba4135d698134385416 |
SHA1: | 8f54cb2091ef206bb9b608c5d2e2e8ee53176e51 |
SHA256: | f221046e04812cb9cc27d82d35d6445f70801fb9ed0755d8cdffee45b61ba525 |
Tags: | exe |
Errors
|
Detection
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe (PID: 7528 cmdline:
"C:\Users\ user\Deskt op\Securit eInfo.com. Win64.Malw are-gen.18 63.6431.ex e" MD5: 5D0DE7F05D673BA4135D698134385416)
- cleanup
Click to jump to signature section
AV Detection |
---|
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 2_2_00007FF7F43E2A2C |
Source: | Code function: | 2_2_00007FF7F43E1190 |
Source: | Code function: | 2_2_00007FF7F43E1190 |
Source: | Code function: |
Source: | Binary string: |
Source: | Classification label: |
Source: | Static PE information: |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Static PE information: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 2_2_00007FF7F43E2DD4 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 1 System Information Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
32% | ReversingLabs | Win64.Malware.Generic | ||
37% | Virustotal | Browse |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1532613 |
Start date and time: | 2024-10-13 18:36:10 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 41s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe |
Detection: | MAL |
Classification: | mal48.winEXE@1/0@0/0 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Corrupt sample or wrongly selected analyzer. Details: The %1 application cannot be run in Win32 mode.
- Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, Sgrmuserer.exe, svchost.exe
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net
- Execution Graph export aborted for target SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe, PID 7528 because there are no executed function
File type: | |
Entropy (8bit): | 5.627856281171006 |
TrID: |
|
File name: | SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe |
File size: | 22'448 bytes |
MD5: | 5d0de7f05d673ba4135d698134385416 |
SHA1: | 8f54cb2091ef206bb9b608c5d2e2e8ee53176e51 |
SHA256: | f221046e04812cb9cc27d82d35d6445f70801fb9ed0755d8cdffee45b61ba525 |
SHA512: | ad9844c47a5958df1d24041a9b1e0320c460e685c6a08c0af6b292c30e659182a53a4b57c005357938846fb27268e5b6ccceea1e55da1a2112052183e745c349 |
SSDEEP: | 384:Hi3b+JWPVSsf0Kb+m5FbSBDbzKG+eV8NoFAoHq0vkpG6Bm2mxAhdw:LiVSs0KVnbSRbmNoiC3vkoTxA |
TLSH: | 7DA2199772640149E2B91139E7249A27C371F48143519BEF43E693B95F33BD025BFB82 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................5.......5.......Rich............................PE..d....Z.c.........." |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x1400016b0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | native |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x639F5AE5 [Sun Dec 18 18:24:37 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 10 |
OS Version Minor: | 0 |
File Version Major: | 10 |
File Version Minor: | 0 |
Subsystem Version Major: | 10 |
Subsystem Version Minor: | 0 |
Import Hash: | 74b08518b0767e2e0d22ac4c02c62c8d |
Instruction |
---|
dec eax |
mov dword ptr [esp+08h], ebx |
dec eax |
mov dword ptr [esp+10h], esi |
dec eax |
mov dword ptr [esp+20h], edi |
push ebp |
inc ecx |
push esp |
inc ecx |
push esi |
dec eax |
mov ebp, esp |
dec eax |
sub esp, 70h |
dec eax |
mov eax, 00000014h |
xor bh, FFFFFFFFh |
dec dword ptr [eax-73h] |
or eax, 00004994h |
dec eax |
mov eax, dword ptr [eax] |
mov dword ptr [0000498Bh], eax |
call dword ptr [0000297Dh] |
movups xmm0, dqword ptr [000023CEh] |
mov dword ptr [ebp+30h], eax |
mov esi, 0000000Ch |
mov eax, dword ptr [000023E0h] |
dec eax |
lea ebx, dword ptr [ebp-50h] |
movups xmm1, dqword ptr [000023C5h] |
mov dword ptr [ebp-10h], eax |
inc esp |
mov esi, esi |
mov al, byte ptr [000023CDh] |
xor edi, edi |
mov byte ptr [ebp-0Ch], al |
dec ecx |
mov esp, 8E38E38Fh |
jecxz 00007F8C7C82F30Ah |
mov fs, bx |
movups dqword ptr [ebp-30h], xmm0 |
mov dword ptr [ebp-50h], 39303035h |
movups dqword ptr [ebp-20h], xmm1 |
mov dword ptr [ebp-4Ch], 33394537h |
mov dword ptr [ebp-48h], 41333138h |
inc eax |
cmp byte ptr [ebx], bh |
jne 00007F8C7C82F2F9h |
dec eax |
lea ecx, dword ptr [ebp+30h] |
call dword ptr [00002916h] |
mov ecx, eax |
dec ecx |
mov eax, esp |
dec eax |
mul ecx |
dec eax |
shr edx, 05h |
dec eax |
lea eax, dword ptr [edx+edx*8] |
dec eax |
shl eax, 02h |
dec eax |
sub ecx, eax |
mov al, byte ptr [ebp+ecx-30h] |
mov byte ptr [ebx], al |
dec eax |
inc ebx |
dec ecx |
sub esi, 01h |
jne 00007F8C7C82F29Dh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa000 | 0x28 | INIT |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x9000 | 0x18c | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x40c8 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4000 | 0xc8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2c3f | 0x2e00 | 3f883a25dddecdbbda307aab754c7583 | False | 0.5070482336956522 | data | 6.237136703190457 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x4000 | 0x460 | 0x600 | c5f7dffd49afcb152126e2b46e1e16ef | False | 0.4244791666666667 | data | 3.6210073341664373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ |
.data | 0x5000 | 0x3068 | 0x200 | db529a89da6069506a9071e8daed8c41 | False | 0.041015625 | data | 0.1479605681713509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x9000 | 0x18c | 0x200 | d3a03678d8485dfc63871a8bc639da56 | False | 0.494140625 | data | 3.182843258564883 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ |
INIT | 0xa000 | 0x2e0 | 0x400 | 2d593d8357e9b0ddf02cc53e75e04f14 | False | 0.4404296875 | data | 3.7518190901876096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
DLL | Import |
---|---|
ntoskrnl.exe | wcsstr, RtlInitUnicodeString, DbgPrint, KeInitializeEvent, KeWaitForSingleObject, ExAllocatePoolWithTag, ExFreePoolWithTag, MmMapLockedPages, IoBuildDeviceIoControlRequest, IofCallDriver, IoGetAttachedDeviceReference, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlRandomEx, IoEnumerateDeviceObjectList, ObQueryNameString, swprintf, ObReferenceObjectByName, rand, IoDriverObjectType, tolower, strstr, MmCopyMemory, ZwQuerySystemInformation |
Target ID: | 2 |
Start time: | 12:37:01 |
Start date: | 13/10/2024 |
Path: | C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7f43e0000 |
File size: | 22'448 bytes |
MD5 hash: | 5D0DE7F05D673BA4135D698134385416 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Function 00007FF7F43E1190 Relevance: 89.5, APIs: 29, Strings: 22, Instructions: 291memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7F43E2A2C Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 111memorynativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7F43E2DD4 Relevance: .0, Instructions: 48COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7F43E1CD4 Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 204COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7F43E2438 Relevance: 42.2, APIs: 14, Strings: 10, Instructions: 162memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7F43E16B0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 128COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7F43E10AC Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 50COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7F43E1898 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7F43E2790 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 52COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7F43E1A58 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7F43E2C38 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7F43E2874 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7F43E2130 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7F43E197C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7F43E26DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7F43E1000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7F43E23A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|