Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe
Analysis ID:	1532614
MD5:	c9f34d943343f0b5d62ff8c61de23b5a
SHA1:	a44170b3c1a271484ea46257c44ecff7815eb2f5
SHA256:	6feb92743d620750c92fac455db821d1f97361c73b275d97b96294b8a0840217
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Disables security and backup related services

Found API chain indicative of debugger detection

Contains functionality to launch a program with higher privileges

Creates a process in suspended mode (likely to inject code)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses net.exe to stop services

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe (PID: 8020 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe" MD5: C9F34D943343F0B5D62FF8C61DE23B5A)

conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8144 cmdline: "C:\Windows\System32\cmd.exe" /c net stop dps MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 2076 cmdline: net stop dps MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 7220 cmdline: C:\Windows\system32\net1 stop dps MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

cmd.exe (PID: 7288 cmdline: "C:\Windows\System32\cmd.exe" /c net start dps MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 7460 cmdline: net start dps MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 7500 cmdline: C:\Windows\system32\net1 start dps MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

cleanup

Sigma Signatures

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net stop dps, CommandLine: net stop dps, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c net stop dps, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8144, ParentProcessName: cmd.exe, ProcessCommandLine: net stop dps, ProcessId: 2076, ProcessName: net.exe

Sigma detected: Start Windows Service Via Net.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: net start dps, CommandLine: net start dps, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c net start dps, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7288, ParentProcessName: cmd.exe, ProcessCommandLine: net start dps, ProcessId: 7460, ProcessName: net.exe

Sigma detected: Stop Windows Service Via Net.EXE

Source: Process started

Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: net stop dps, CommandLine: net stop dps, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c net stop dps, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8144, ParentProcessName: cmd.exe, ProcessCommandLine: net stop dps, ProcessId: 2076, ProcessName: net.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.9% probability

Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe

Static PE information: Number of sections : 15 > 10

Source: classification engine

Classification label: mal52.evad.winEXE@16/0@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03

Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net stop dps
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net start dps
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start dps
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net start dps	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net stop dps	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop dps	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start dps	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start dps	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Static PE information: section name: .xdata
Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Static PE information: section name: /4
Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Static PE information: section name: /19
Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Static PE information: section name: /31
Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Static PE information: section name: /45
Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Static PE information: section name: /57
Source: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Static PE information: section name: /70

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\net.exe net stop dps

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe TID: 8024

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe

Thread delayed: delay time: 30000

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-630

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA,		0_2_00401180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Code function: 0_2_00401830 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,		0_2_00401830

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe

Code function: 0_2_00401550 ShellExecuteExW,ShellExecuteExW,WaitForSingleObject,CloseHandle,

0_2_00401550

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net start dps	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net stop dps	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop dps	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start dps	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start dps	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe

Code function: 0_2_00401750 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00401750

Lowering of HIPS / PFW / Operating System Security Settings

Disables security and backup related services

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net stop dps	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Service Execution	1 Windows Service	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Windows Service	111 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Process Injection	11 Process Injection	Security Account Manager	111 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	5%	ReversingLabs
SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe	3%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
s-part-0036.t-0009.t-msedge.net	0%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0036.t-0009.t-msedge.net	13.107.246.64	true	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532614
Start date and time:	2024-10-13 18:36:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe
Detection:	MAL
Classification:	mal52.evad.winEXE@16/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:37:12	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0036.t-0009.t-msedge.net	http://dat2.store	Get hash	malicious	Unknown	Browse	13.107.246.64
	http://host.cloudsonicwave.com	Get hash	malicious	Unknown	Browse	13.107.246.64
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.64
	kwVoiAAfGm.exe	Get hash	malicious	LummaC	Browse	13.107.246.64
	ATT4416530006_Swissquote.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.64
	https://clicktime.symantec.com/15tpJCqdM9QTMPCbrFFYy?h=klzqFfVRykrA0KxCmyOSMtGNk2cnn93amKCU2afEZ8c=&u=https://www.tiktok.com/link/v2?aid%3D1988%26lang%3Den%26scene%3Dbio_url%26target%3Dhttps://www.google.ht/url?q%3Dhttps://google%25E3%2580%2582com/amp/s/cli.re/kBNkWr%23a2FyZW4ubWNjcm9ob25AdXJlbmNvLmNvbQ%3D%3D%252F%26opi%3D256371986142%26usg%3DlxfGUQNysmkDx%26source%3Dgmail%26ust%3D2908128326238375%26usg%3DAO2mBxLVnqpOjng75rOWFwZ2mBxLVnqpOqR75	Get hash	malicious	HTMLPhisher	Browse	13.107.246.64
	Quarantined Messages(11).zip	Get hash	malicious	HTMLPhisher	Browse	13.107.246.64
	http://hans.uniformeslaamistad.com/yuop/66e6ea133c92f_crypted.exe#xin	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	13.107.246.64
	bJ7Q5TP1uG.exe	Get hash	malicious	Metasploit	Browse	13.107.246.64
	1f13Cs1ogc.exe	Get hash	malicious	Stealc	Browse	13.107.246.64

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	4.735818731011617
TrID:	Win64 Executable Console (202006/5) 92.64% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% VXD Driver (31/22) 0.01%
File name:	SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe
File size:	58'271 bytes
MD5:	c9f34d943343f0b5d62ff8c61de23b5a
SHA1:	a44170b3c1a271484ea46257c44ecff7815eb2f5
SHA256:	6feb92743d620750c92fac455db821d1f97361c73b275d97b96294b8a0840217
SHA512:	37325dec60091b9cc9e84f91fce6f7ee145fad8b5e024f1d50d1ab23cd8c07f58fb8287081b8174f9d438fc0a61833594c347787d0ddb55aca1e9cb5054ada25
SSDEEP:	768:MHsfsJYg+P2rfEqTIYv4gKNwFPfFBlb7Esk8gbO/+j:M2soP+EqTIm4gKN2PfFBlb7Eskmg
TLSH:	1C4362D53AD88C9AEA14523C41FA9231267DBAE087534B536A30B7320F13BE17DD725E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....mf.n........'...... ...>................@.............................. ......SU........ ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:	0x666DE2C2 [Sat Jun 15 18:51:46 2024 UTC]
TLS Callbacks:	0x401960
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d40077e654b71a9d16abb8886fe24aa3

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00002FE5h]
mov dword ptr [eax], 00000000h
call 00007FAC38E09B9Fh
call 00007FAC38E095CAh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax+00h]
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 28h
call 00007FAC38E0AFACh
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FAC38E09919h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
push edi
dec eax
sub esp, 00000098h
dec eax
lea ebp, dword ptr [esp+00000080h]
dec eax
mov dword ptr [ebp+30h], ecx
dec eax
lea edx, dword ptr [ebp-60h]
mov eax, 00000000h
mov ecx, 0000000Eh
dec eax
mov edi, edx
dec eax
stosd
mov dword ptr [ebp-60h], 00000070h
mov dword ptr [ebp-5Ch], 00000040h
dec eax
lea eax, dword ptr [00002A72h]
dec eax
mov dword ptr [ebp-50h], eax
dec eax
lea eax, dword ptr [00002A73h]
dec eax
mov dword ptr [ebp-48h], eax
dec eax
mov eax, dword ptr [ebp+30h]
dec eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-30h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8000	0x86c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5000	0x288	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x40a0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x822c	0x1c8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1e18	0x2000	096049bb6747aec4c682dffca531406f	False	0.5618896484375	data	5.784054051693567	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3000	0xd0	0x200	cdafbabd2e4c5313ac1773fac9fd79f1	False	0.1328125	data	0.7983628322298817	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x4000	0x560	0x600	48e8151de0c0f03e18d877183d899e1a	False	0.3938802083333333	data	3.6298793403816116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x5000	0x288	0x400	c88bd171e43b9a6d5a6e0bc381e40136	False	0.3623046875	data	2.737050847787977	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x6000	0x20c	0x400	0a79ef6ec59470443827e1e566d9a0b6	False	0.2490234375	data	2.4219552963185955	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x7000	0x980	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x86c	0xa00	68c68cc6576c5bad50b898864acc1382	False	0.321484375	data	3.5871409730139856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x9000	0x68	0x200	8e3a2e06a884908cbfbf32ab6aa0edb0	False	0.0703125	data	0.2655385886073115	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xa000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/4	0xb000	0x50	0x200	4e202c4288169e9e4a7b896d6197a626	False	0.0703125	data	0.2162069074398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0xc000	0x1f08	0x2000	0b7bb40b6b51a29b28edb81995a80166	False	0.45947265625	data	5.821443031684246	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31	0xe000	0x149	0x200	5d291f74219487bffd06356d36f3a0e4	False	0.375	data	3.2872917906726884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45	0xf000	0x222	0x400	9a088ddc03d93c16a278708634e42432	False	0.2890625	data	3.228510811933141	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57	0x10000	0x48	0x200	51f393494473a7b97facf4c6ad2238f0	False	0.119140625	data	0.6931503241542495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70	0x11000	0x9b	0x200	406b70665a5983d1f1682455c669f732	False	0.259765625	data	2.320780444544343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	CloseHandle, DeleteCriticalSection, EnterCriticalSection, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetStartupInfoA, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, QueryPerformanceCounter, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery, WaitForSingleObject
msvcrt.dll	__C_specific_handler, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _fmode, _initterm, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, strlen, strncmp, vfprintf
SHELL32.dll	ShellExecuteExW
USER32.dll	ShowWindow

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 13, 2024 18:37:09.217513084 CEST	1.1.1.1	192.168.2.11	0xdad9	No error (0)	shed.dual-low.s-part-0036.t-0009.t-msedge.net	s-part-0036.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 13, 2024 18:37:09.217513084 CEST	1.1.1.1	192.168.2.11	0xdad9	No error (0)	s-part-0036.t-0009.t-msedge.net		13.107.246.64	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:37:12
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe"
Imagebase:	0x400000
File size:	58'271 bytes
MD5 hash:	C9F34D943343F0B5D62FF8C61DE23B5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:37:12
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:37:12
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c net stop dps
Imagebase:	0x7ff627830000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:37:12
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:37:12
Start date:	13/10/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net stop dps
Imagebase:	0x7ff606c30000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:37:12
Start date:	13/10/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\net1 stop dps
Imagebase:	0x7ff767d70000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:37:12
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c net start dps
Imagebase:	0x7ff627830000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:37:12
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:37:12
Start date:	13/10/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net start dps
Imagebase:	0x7ff606c30000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:37:12
Start date:	13/10/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\net1 start dps
Imagebase:	0x7ff767d70000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.6%
Total number of Nodes:	155
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401180 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 198
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 004011E1
SetUnhandledExceptionFilter.KERNEL32 ref: 00401253
malloc.MSVCRT ref: 00401329
strlen.MSVCRT ref: 00401354
malloc.MSVCRT ref: 00401360
memcpy.MSVCRT ref: 00401378
_cexit.MSVCRT ref: 004013E5
GetStartupInfoA.KERNEL32 ref: 00401473

Strings

py@, xrefs: 004011F1, 00401410
xy@, xrefs: 004011BD
@v@, xrefs: 00401259

Memory Dump Source

Source File: 00000000.00000002.1343283337.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1343247896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343303540.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343322787.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled_cexitmemcpystrlen
String ID: @v@$py@$xy@
API String ID: 1640792405-2148754610
Opcode ID: 34766a99da830c1b3b73a049980ba02f88cdf6b2e7f4ee8de1703b2971f9d531
Instruction ID: f61040157b9ab14210d7bd0fd37eb3bcba0b4eec42d2a3fc5dceeb298ebc88c4
Opcode Fuzzy Hash: 34766a99da830c1b3b73a049980ba02f88cdf6b2e7f4ee8de1703b2971f9d531
Instruction Fuzzy Hash: 5B819CB560564486EB24AF66E99076A33A1B785B88F84843BEF48773F1DF7CD841C309

Function 00401550 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32 ref: 004015BA

Strings

cmd, xrefs: 00401592
runas, xrefs: 00401587

Memory Dump Source

Source File: 00000000.00000002.1343283337.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1343247896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343303540.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343322787.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExecuteShell
String ID: cmd$runas
API String ID: 587946157-60640312
Opcode ID: b01852272fd66988f6c3295ddb34043be3187056cc96adf705a72caf1947378a
Instruction ID: b6d53a8ea57a91f8b02f311b64cfb39c913c077d4837d462ceb35a7cc770c6a3
Opcode Fuzzy Hash: b01852272fd66988f6c3295ddb34043be3187056cc96adf705a72caf1947378a
Instruction Fuzzy Hash: 5E01E276711B949DEB908FA5E84438C33B5B788798F50822ADF5C6BBA8DF38C548C344

Function 004015EC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 0040160B

Part of subcall function 00401550: ShellExecuteExW.SHELL32 ref: 004015BA

SleepEx.KERNELBASE ref: 0040163E

Strings

/c net start dps, xrefs: 00401640
/c net stop dps, xrefs: 00401626

Memory Dump Source

Source File: 00000000.00000002.1343283337.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1343247896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343303540.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343322787.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleExecuteShellSleepWindow
String ID: /c net start dps$/c net stop dps
API String ID: 599060321-2952981288
Opcode ID: e5799b1b03686444d3959dd64eeb0193a4ceff0d1e11a016b23a3da34200e4be
Instruction ID: b4960f33086fe31331f5afd6f8e4b77142d23bda735e606a3014341cbe9ca3c3
Opcode Fuzzy Hash: e5799b1b03686444d3959dd64eeb0193a4ceff0d1e11a016b23a3da34200e4be
Instruction Fuzzy Hash: FBF08CB2610F0099E740AF65FC923993374E794788F04016AEB5D6B7B4EE38C6618388

Non-executed Functions

Function 00401830 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCaptureContext.KERNEL32 ref: 00401844
RtlLookupFunctionEntry.KERNEL32 ref: 0040185B
RtlVirtualUnwind.KERNEL32 ref: 0040189D
SetUnhandledExceptionFilter.KERNEL32 ref: 004018E1
UnhandledExceptionFilter.KERNEL32 ref: 004018EE
GetCurrentProcess.KERNEL32 ref: 004018F4
TerminateProcess.KERNEL32 ref: 00401902
abort.MSVCRT ref: 00401908

Strings

@u@, xrefs: 004018E7

Memory Dump Source

Source File: 00000000.00000002.1343283337.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1343247896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343303540.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343322787.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
String ID: @u@
API String ID: 4278921479-2874120433
Opcode ID: 64dd720258001e6a9add5ec7e82dc8c6e9edb5c3ee09e20689457ae5489c85e8
Instruction ID: b1c151bb61c023455e294b7dd413e4e4c0a0066d6c6bf75f24da43921eb891c8
Opcode Fuzzy Hash: 64dd720258001e6a9add5ec7e82dc8c6e9edb5c3ee09e20689457ae5489c85e8
Instruction Fuzzy Hash: 8A2104B5A16F44D9EB009B65FC8439937B4BB48B84F54412ADB8E677A4EF38C104C308

Function 00401750 Relevance: 7.6, APIs: 5, Instructions: 56
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00401795
GetCurrentProcessId.KERNEL32 ref: 004017A0
GetCurrentThreadId.KERNEL32 ref: 004017A9
GetTickCount.KERNEL32 ref: 004017B1
QueryPerformanceCounter.KERNEL32 ref: 004017BE

Memory Dump Source

Source File: 00000000.00000002.1343283337.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1343247896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343303540.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343322787.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 005e4d6f4335a43e20920343d4b6f2b3dc0a67de5b6495c410f755cf3543f680
Instruction ID: f91319260887b59586992985d8b325d55ca4e91f5fcda6ec9c6ed990604cca4b
Opcode Fuzzy Hash: 005e4d6f4335a43e20920343d4b6f2b3dc0a67de5b6495c410f755cf3543f680
Instruction Fuzzy Hash: 5C119EA6766A1081FB105B25FD04316B3A4B788BB1F0847799F9C537A8EF3CC589C308

Function 00401D50 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 283
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(00407610,00007FFEFE3AADA0,?,?,?,00000001,0040124C), ref: 00401E7D

Strings

`E@, xrefs: 00401DA9
`E@, xrefs: 00401DBA
Unknown pseudo relocation bit size %d., xrefs: 00401FEA
Unknown pseudo relocation protocol version %d., xrefs: 00401FFE

Memory Dump Source

Source File: 00000000.00000002.1343283337.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1343247896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343303540.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343322787.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$`E@$`E@
API String ID: 544645111-2660773367
Opcode ID: 2269dc8aa27a426d268b85a6c817b95a1c1ca146ff00244c5d8c9b458006eddb
Instruction ID: dca5683da72d807886d86375f5707f703bf4d304d08726f4f2fcd40ee53290e8
Opcode Fuzzy Hash: 2269dc8aa27a426d268b85a6c817b95a1c1ca146ff00244c5d8c9b458006eddb
Instruction Fuzzy Hash: C7919871B0064146EB249B6ACA4871F7362BB843A8F54853BDF09777E4DA7DD882C30D

Function 004022A0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

signal.MSVCRT ref: 004022F9
signal.MSVCRT ref: 00402352
signal.MSVCRT ref: 004023AE
signal.MSVCRT ref: 00402463

Strings

CCG , xrefs: 004022B5

Memory Dump Source

Source File: 00000000.00000002.1343283337.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1343247896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343303540.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343322787.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: e92f40cea0a9825c8c759c6b1fc838814e23495f2d567f744961d1a0c5aa1c13
Instruction ID: 24bfa5f7dfcdfcdea129f73ce5d1dd7ae3667d051b1cbb233547e031a2e469f3
Opcode Fuzzy Hash: e92f40cea0a9825c8c759c6b1fc838814e23495f2d567f744961d1a0c5aa1c13
Instruction Fuzzy Hash: 0731402060150186EF38567A475C33B11015B9A338F288A3BAE6DAB3E1DDFC98C5021F

Function 00401B80 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 148
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00401C2B
VirtualProtect.KERNEL32 ref: 00401CD2
GetLastError.KERNEL32 ref: 00401CE0

Strings

VirtualProtect failed with code 0x%x, xrefs: 00401CE6
Address %p has no image-section, xrefs: 00401D3D
VirtualQuery failed for %d bytes at address %p, xrefs: 00401D27

Memory Dump Source

Source File: 00000000.00000002.1343283337.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1343247896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343303540.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343322787.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuery
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 637304234-2123141913
Opcode ID: c0b59577e5cd97fe0715eaae8c30ed78fd31b71169e74243a61e95e4c8da94fb
Instruction ID: 0bd241eedf3dbf15b1e916ea10f7df5b614333080103f6031fda88f349f5300d
Opcode Fuzzy Hash: c0b59577e5cd97fe0715eaae8c30ed78fd31b71169e74243a61e95e4c8da94fb
Instruction Fuzzy Hash: 3B5113B3705A5186EB118F26ED4075A77A0BB99BA4F448126DF4E633E4EB3CD942C308

Function 00401010 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00401070

Strings

0v@, xrefs: 0040107A
`0@, xrefs: 0040108A
@p@, xrefs: 0040103D

Memory Dump Source

Source File: 00000000.00000002.1343283337.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1343247896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343303540.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343322787.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __set_app_type
String ID: 0v@$@p@$`0@
API String ID: 1108511539-3268658271
Opcode ID: 7392dc7e9a0bbf52ed55200be09cb53b61de662a5a4148638275b3825dbad887
Instruction ID: fd9d19e994baf7e2f11b5d28e98c86898c8701afe80eade77481b5ca9ced20ae
Opcode Fuzzy Hash: 7392dc7e9a0bbf52ed55200be09cb53b61de662a5a4148638275b3825dbad887
Instruction Fuzzy Hash: 7C2179B1A0064586E718AF1AE89136A37A1F7C4B44F85C037DB0A67BF1DB7E8885D718

Function 00401A50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00401AC9

Strings

Unknown error, xrefs: 00401B40
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401AB9

Memory Dump Source

Source File: 00000000.00000002.1343283337.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1343247896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343303540.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343322787.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: edf048563546d7573fb3b8e49876c7ac760cce1aa7f9c381c1cdae167f7dd8dc
Instruction ID: 1717d74e9015c440a66cfa6e9fbcd0f8d0c1013e5a7df2e0d80e07d0fbbdb39d
Opcode Fuzzy Hash: edf048563546d7573fb3b8e49876c7ac760cce1aa7f9c381c1cdae167f7dd8dc
Instruction Fuzzy Hash: D70188A2504E88C2D6169F1DD8053DA7374FF99799F145316EF8836260DB39D593C704

Function 00401AF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00401AC9

Strings

Argument singularity (SIGN), xrefs: 00401AF0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401AB9

Memory Dump Source

Source File: 00000000.00000002.1343283337.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1343247896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343303540.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343322787.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 151d3e77c1ddb13c28ece62127f607bf7abaae325ba231e1e244808f3a2dce09
Instruction ID: 36daf1d5667cca1cab3a3dabc4a2107a5d96b249ca579a6d074505834bc63413
Opcode Fuzzy Hash: 151d3e77c1ddb13c28ece62127f607bf7abaae325ba231e1e244808f3a2dce09
Instruction Fuzzy Hash: 61F09662504E4881C2019F1DA8003ABB370FF9D789F185316EF893A564DF38D6838704

Function 00401B00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00401AC9

Strings

Overflow range error (OVERFLOW), xrefs: 00401B00
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401AB9

Memory Dump Source

Source File: 00000000.00000002.1343283337.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1343247896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343303540.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343322787.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 66cac9fea47ed298782a02216b209abc09f3a389415dc09856040a25b4597757
Instruction ID: f6d4facb65d6c38deb25a2634443a4eea8d103c94b9cd778989fc9e2e7ae0962
Opcode Fuzzy Hash: 66cac9fea47ed298782a02216b209abc09f3a389415dc09856040a25b4597757
Instruction Fuzzy Hash: 60F03662504E4881D2019F1DA8043ABB374FF9D799F595716EF893A564DF38D6838704

Function 00401B10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00401AC9

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00401B10
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401AB9

Memory Dump Source

Source File: 00000000.00000002.1343283337.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1343247896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343303540.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343322787.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: e2dfb09408b24940db909e2efd1456621b80fcc864c66ba868ac76ae221c4521
Instruction ID: e1f1debda1e726c58272f207414565285d4e89a7795f1e471707632806906dd2
Opcode Fuzzy Hash: e2dfb09408b24940db909e2efd1456621b80fcc864c66ba868ac76ae221c4521
Instruction Fuzzy Hash: 08F03662504E4881D2019F1DA8043ABB374FF9D799F595716EF893A564DF38D6838704

Function 00401B20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00401AC9

Strings

Total loss of significance (TLOSS), xrefs: 00401B20
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401AB9

Memory Dump Source

Source File: 00000000.00000002.1343283337.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1343247896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343303540.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343322787.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: ba10a8e036e3208dd75491ed570a48e2ab6c9c02d6703965f98c992e82e08590
Instruction ID: 2c4b4c1f6c9eef1b2439ef335247dc8519df53e696df31e12774712fafac3b28
Opcode Fuzzy Hash: ba10a8e036e3208dd75491ed570a48e2ab6c9c02d6703965f98c992e82e08590
Instruction Fuzzy Hash: 31F09662504E4881C2019F2DA8003ABB370FF9D789F195316EF893A564DF38D683C704

Function 00401B30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401AC9

Strings

Partial loss of significance (PLOSS), xrefs: 00401B30
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401AB9

Memory Dump Source

Source File: 00000000.00000002.1343283337.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1343247896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343303540.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343322787.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: bf6baefa6a00c9342a2119fb24cf72473f61a69570fce31df4b659fdb0e749d4
Instruction ID: 79202755b55f08cf2a298ed996ffb4ecfb0f22c6230b9952b1720332fbd345a4
Opcode Fuzzy Hash: bf6baefa6a00c9342a2119fb24cf72473f61a69570fce31df4b659fdb0e749d4
Instruction Fuzzy Hash: 8AF03662504E4881D2019F1DA8043ABB374FF9D799F595716EF893A564DF38D6838704

Function 00401A81 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401AC9

Strings

Argument domain error (DOMAIN), xrefs: 00401A81
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401AB9

Memory Dump Source

Source File: 00000000.00000002.1343283337.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1343247896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343303540.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343322787.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 8b231581f6086cfd70346b105ff5f9f32b0d1a10f1b91497b035981503104c88
Instruction ID: c7a7dfaab92556413fb8eec377ba0ac71315c197c3e0b4ea742a0652beb020c6
Opcode Fuzzy Hash: 8b231581f6086cfd70346b105ff5f9f32b0d1a10f1b91497b035981503104c88
Instruction Fuzzy Hash: DEF09656404F4881C2019F19A80039BB370FF9D789F145316EF893A164DB28D6838704

Function 00402580 Relevance: 5.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 004025A7
free.MSVCRT ref: 004025F8
LeaveCriticalSection.KERNEL32 ref: 00402604

Memory Dump Source

Source File: 00000000.00000002.1343283337.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1343247896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343303540.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343322787.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1343341395.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 8deff2b90dcf990df99764e0c033885e985dc562dd55141c764cf6d1c32405c4
Instruction ID: f689d4ad56698b7a11b7b7c56a7925263ab266b630ebde4a8ba00ed67c8c8438
Opcode Fuzzy Hash: 8deff2b90dcf990df99764e0c033885e985dc562dd55141c764cf6d1c32405c4
Instruction Fuzzy Hash: BD0152B171660496EF48DB55ED9832623A0B794B40F64847ACB0DA73D0EBBCD881D34D

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exePID: 8020, Parent PID: 2592

General

Chronological Activities

Analysis Process: conhost.exePID: 8028, Parent PID: 8020

General

Chronological Activities

Analysis Process: cmd.exePID: 8144, Parent PID: 8020

General

Chronological Activities

Analysis Process: conhost.exePID: 8152, Parent PID: 8144

Windows Analysis Report
SecuriteInfo.com.Trojan.Win64.Inject.4588.21334.exe

Function 00401180 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 198
sleepstringCOMMON

Function 00401550 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37
COMMON

Function 004015EC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26
COMMON

Function 00401830 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 50
COMMON

Function 00401750 Relevance: 7.6, APIs: 5, Instructions: 56
timethreadCOMMON

Function 00401D50 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 283
memoryCOMMON

Function 004022A0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 111
COMMON

Function 00401B80 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 148
memoryCOMMON

Function 00401010 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62
COMMON

Function 00401A50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
COMMON

Function 00401AF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Function 00401B00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Function 00401B10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Function 00401B20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON