Windows Analysis Report
SecuriteInfo.com.Riskware.Application.25773.563.exe

Overview

General Information

Sample name: SecuriteInfo.com.Riskware.Application.25773.563.exe
Analysis ID: 1532744
MD5: 168b53e30b4b064151a7d3b5b8fb64b8
SHA1: 60c94ca95e67a143984da48906760a10344af23a
SHA256: 1bbda33a4a0ee71425e0ef5188383a661c01aa9f430f4cea6bdae78212f9c8e0
Tags: exe

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect debuggers (CloseHandle check)
Tries to evade analysis by executing a special instruction (VM detection)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

AV Detection

Source: SecuriteInfo.com.Riskware.Application.25773.563.exe ReversingLabs: Detection: 21%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.9% probability

System Summary

Source: SecuriteInfo.com.Riskware.Application.25773.563.exe Static PE information: section name: .,[H
Source: classification engine Classification label: mal84.evad.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6228:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe "C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Section loaded: cryptbase.dll
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe Static file information: File size 28346898 > 1048576
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe Static PE information: Raw size of .CX. is bigger than: 0x100000 < 0x17bb600
Source: initial sample Static PE information: section where entry point is pointing to: .CX.
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe Static PE information: section name: .ZRz
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe Static PE information: section name: .,[H
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe Static PE information: section name: .CX.

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Memory written: PID: 6204 base: 7FFE22370008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Memory written: PID: 6204 base: 7FFE2220D9F0 value: E9 20 26 16 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Memory written: PID: 6204 base: 7FFE2238000D value: E9 BB CB EB FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Memory written: PID: 6204 base: 7FFE2223CBC0 value: E9 5A 34 14 00

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Special instruction interceptor: First address: 1424B3C62 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Special instruction interceptor: First address: 1424B3C90 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Window / User API: threadDelayed 3540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Window / User API: threadDelayed 6452
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe TID: 6184 Thread sleep time: -354000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe TID: 6184 Thread sleep time: -645200s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Handle closed: DEADC0DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe System information queried: KernelDebuggerInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtProtectVirtualMemory: Direct from: 0x14231C506
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtSetInformationProcess: Direct from: 0x1414C657D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtQueryInformationProcess: Direct from: 0x1424ACF73
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtSetInformationThread: Direct from: 0x14149A03F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtSetInformationThread: Direct from: 0x1424AF985
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtProtectVirtualMemory: Direct from: 0x1414AEB1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtProtectVirtualMemory: Direct from: 0x1414C44FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtQuerySystemInformation: Direct from: 0x14231C5CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtProtectVirtualMemory: Direct from: 0x1414A8B48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtQuerySystemInformation: Direct from: 0x14131361D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtProtectVirtualMemory: Direct from: 0x14149432C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtQueryInformationProcess: Direct from: 0x14231FC5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtClose: Indirect: 0x1424B3C5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtQuerySystemInformation: Direct from: 0x141412697
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtMapViewOfSection: Direct from: 0x1424A2D46
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtQuerySystemInformation: Direct from: 0x1424AF5F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtProtectVirtualMemory: Indirect: 0x1412C40D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtQuerySystemInformation: Direct from: 0x1422D08E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtUnmapViewOfSection: Direct from: 0x1422C5339
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtProtectVirtualMemory: Direct from: 0x1412FF191
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtClose: Direct from: 0x1414C5ED4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtQueryInformationProcess: Direct from: 0x1424ACBB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtQueryInformationProcess: Direct from: 0x1424B142F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtProtectVirtualMemory: Direct from: 0x1413F3190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtQuerySystemInformation: Direct from: 0x1422D8EBC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe NtProtectVirtualMemory: Direct from: 0x1422BFB31

No contacted IP information