Windows Analysis Report
SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe
Analysis ID: 1532614
MD5: c9f34d943343f0b5d62ff8c61de23b5a
SHA1: a44170b3c1a271484ea46257c44ecff7815eb2f5
SHA256: 6feb92743d620750c92fac455db821d1f97361c73b275d97b96294b8a0840217
Tags: exe
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Disables security and backup related services
Found API chain indicative of debugger detection
Contains functionality to launch a program with higher privileges
Creates a process in suspended mode (likely to inject code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses net.exe to stop services

Classification

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 94.9% probability
PE file contains more sections than normal
Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Static PE information: Number of sections : 15 > 10
Source: classification engine Classification label: mal52.evad.winEXE@16/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net stop dps
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net start dps
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net start dps
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net start dps Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net stop dps Jump to behavior
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop dps Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net start dps Jump to behavior
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start dps Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32 Jump to behavior
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Static PE information: section name: .xdata
Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Static PE information: section name: /4
Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Static PE information: section name: /19
Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Static PE information: section name: /31
Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Static PE information: section name: /45
Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Static PE information: section name: /57
Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Static PE information: section name: /70
Uses net.exe to stop services
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe TID: 8024 Thread sleep time: -30000s >= -30000s Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Thread delayed: delay time: 30000 Jump to behavior

Anti Debugging
barindex
Found API chain indicative of debugger detection
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA, 0_2_00401180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Code function: 0_2_00401830 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 0_2_00401830
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Code function: 0_2_00401550 ShellExecuteExW,ShellExecuteExW,WaitForSingleObject,CloseHandle, 0_2_00401550
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net start dps Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net stop dps Jump to behavior
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop dps Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net start dps Jump to behavior
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start dps Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Code function: 0_2_00401750 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00401750

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disables security and backup related services
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1532614 Sample: SecuriteInfo.com.Trojan.Win... Startdate: 13/10/2024 Architecture: WINDOWS Score: 52 29 AI detected suspicious sample 2->29 8 SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe 2 2->8         started        process3 signatures4 31 Found API chain indicative of debugger detection 8->31 33 Disables security and backup related services 8->33 11 cmd.exe 1 8->11         started        13 cmd.exe 1 8->13         started        15 conhost.exe 8->15         started        process5 process6 17 net.exe 1 11->17         started        19 conhost.exe 11->19         started        21 net.exe 1 13->21         started        23 conhost.exe 13->23         started        process7 25 net1.exe 1 17->25         started        27 net1.exe 1 21->27         started       
No contacted IP infos

Contacted Domains

Name IP Active
s-part-0036.t-0009.t-msedge.net 13.107.246.64 true