Source: SecuriteInfo.com.Riskware.Application.25773.563.exe |
ReversingLabs: Detection: 21% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 98.9% probability |
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe |
Static PE information: section name: .,[H |
Source: classification engine |
Classification label: mal84.evad.winEXE@2/1@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6228:120:WilError_03 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe "C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe" |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Section loaded: cryptbase.dll |
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe |
Static file information: File size 28346898 > 1048576 |
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe |
Static PE information: Raw size of .CX. is bigger than: 0x100000 < 0x17bb600 |
Source: initial sample |
Static PE information: section where entry point is pointing to: .CX. |
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe |
Static PE information: section name: .ZRz |
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe |
Static PE information: section name: .CX. |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Memory written: PID: 6204 base: 7FFE22370008 value: E9 EB D9 E9 FF |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Memory written: PID: 6204 base: 7FFE2220D9F0 value: E9 20 26 16 00 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Memory written: PID: 6204 base: 7FFE2238000D value: E9 BB CB EB FF |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Memory written: PID: 6204 base: 7FFE2223CBC0 value: E9 5A 34 14 00 |
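The four Memory written entries above all begin with the opcode byte E9, a 5-byte x86-64 near JMP whose signed 32-bit displacement is measured from the end of the instruction, and all land in the 0x7FFE... range where 64-bit Windows maps its system DLLs. Resolving the displacements shows the writes form two mutually referencing pairs, which is the shape of an inline hook plus its return trampoline. The script below is an added example, not part of the report, the sandbox or the sample; it embeds the four report lines as constructed input, and the 0x40-byte pairing window is an assumption chosen to cover the offsets seen here.

```python
import re
import struct
from typing import List, Tuple

# Constructed input: the four 'Memory written' lines copied from the report.
REPORT_LINES = [
    "Memory written: PID: 6204 base: 7FFE22370008 value: E9 EB D9 E9 FF",
    "Memory written: PID: 6204 base: 7FFE2220D9F0 value: E9 20 26 16 00",
    "Memory written: PID: 6204 base: 7FFE2238000D value: E9 BB CB EB FF",
    "Memory written: PID: 6204 base: 7FFE2223CBC0 value: E9 5A 34 14 00",
]

WRITE_RE = re.compile(
    r"Memory written: PID: (\d+) base: ([0-9A-Fa-f]+) value: ((?:[0-9A-Fa-f]{2}\s*)+)"
)

Jump = Tuple[int, int]  # (address the JMP was written to, address it lands on)


def parse_write(line: str) -> Tuple[int, int, bytes]:
    """Split one report line into (pid, write address, written bytes)."""
    m = WRITE_RE.search(line)
    if m is None:
        raise ValueError(f"not a 'Memory written' line: {line!r}")
    return int(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3).replace(" ", ""))


def jmp_rel32_target(addr: int, code: bytes) -> int:
    """Resolve an x86-64 'E9 rel32' near jump located at addr.

    rel32 is a little-endian signed displacement measured from the address
    of the next instruction (addr + 5), so a backwards jump carries a
    high byte of 0xFF, as in 'E9 EB D9 E9 FF' above.
    """
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 jump")
    (rel,) = struct.unpack("<i", code[1:5])
    return (addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF


def decode_jumps(lines: List[str]) -> List[Jump]:
    """Return (site, target) for every write that installs an E9 jump."""
    jumps = []
    for line in lines:
        _pid, site, code = parse_write(line)
        if len(code) >= 5 and code[0] == 0xE9:
            jumps.append((site, jmp_rel32_target(site, code)))
    return jumps


def cross_referencing_pairs(jumps: List[Jump], window: int = 0x40) -> List[Tuple[Jump, Jump]]:
    """Pair jumps that each land within `window` bytes past the other's write site.

    A detour writes a JMP at the hooked function (site A -> handler) and a
    return JMP in its trampoline (site C -> A + stolen bytes), with the
    handler sitting just past C. The relation is symmetric, so the report
    alone does not say which member is the hook and which the trampoline.
    """
    pairs = []
    for i, (a, b) in enumerate(jumps):
        for c, d in jumps[i + 1:]:
            if 0 <= b - c <= window and 0 <= d - a <= window:
                pairs.append(((a, b), (c, d)))
    return pairs


def describe(lines: List[str]) -> List[str]:
    """One human-readable line per cross-referencing pair."""
    out = []
    for (a, b), (c, d) in cross_referencing_pairs(decode_jumps(lines)):
        out.append(
            f"JMP @ {a:#x} -> {b:#x} (= {c:#x}+{b - c:#x}); "
            f"JMP @ {c:#x} -> {d:#x} (= {a:#x}+{d - a:#x})"
        )
    return out


if __name__ == "__main__":
    for site, target in decode_jumps(REPORT_LINES):
        print(f"{site:#x}: jmp {target:#x}")
    for line in describe(REPORT_LINES):
        print(line)
```

Run against the report, the writes pair as 0x7FFE22370008 with 0x7FFE2220D9F0 and 0x7FFE2238000D with 0x7FFE2223CBC0; the return jumps land 0xD and 0x12 bytes past the first write of each pair, which is consistent with that many bytes of the patched function having been relocated into a trampoline. Which module the patched addresses belong to is not recoverable from these lines, so confirm it against the process's module list before naming the hooked API.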
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
System information queried: FirmwareTableInformation |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
System information queried: FirmwareTableInformation |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Special instruction interceptor: First address: 1424B3C62 instructions rdtsc caused by: RDTSC with Trap Flag (TF) |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Special instruction interceptor: First address: 1424B3C90 instructions rdtsc caused by: RDTSC with Trap Flag (TF) |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Window / User API: threadDelayed 3540 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Window / User API: threadDelayed 6452 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe TID: 6184 |
Thread sleep time: -354000s >= -30000s |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe TID: 6184 |
Thread sleep time: -645200s >= -30000s |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Process Stats: CPU usage > 42% for more than 60s |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Handle closed: DEADC0DE |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
System information queried: KernelDebuggerInformation |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Process queried: DebugObjectHandle |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Process queried: DebugObjectHandle |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Process queried: DebugObjectHandle |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
Process token adjusted: Debug |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtProtectVirtualMemory: Direct from: 0x14231C506 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtSetInformationProcess: Direct from: 0x1414C657D |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtQueryInformationProcess: Direct from: 0x1424ACF73 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtSetInformationThread: Direct from: 0x14149A03F |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtSetInformationThread: Direct from: 0x1424AF985 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtProtectVirtualMemory: Direct from: 0x1414AEB1D |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtProtectVirtualMemory: Direct from: 0x1414C44FA |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtQuerySystemInformation: Direct from: 0x14231C5CC |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtProtectVirtualMemory: Direct from: 0x1414A8B48 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtQuerySystemInformation: Direct from: 0x14131361D |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtProtectVirtualMemory: Direct from: 0x14149432C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtQueryInformationProcess: Direct from: 0x14231FC5A |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtClose: Indirect: 0x1424B3C5C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtQuerySystemInformation: Direct from: 0x141412697 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtMapViewOfSection: Direct from: 0x1424A2D46 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtQuerySystemInformation: Direct from: 0x1424AF5F2 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtProtectVirtualMemory: Indirect: 0x1412C40D1 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtQuerySystemInformation: Direct from: 0x1422D08E5 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtUnmapViewOfSection: Direct from: 0x1422C5339 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtProtectVirtualMemory: Direct from: 0x1412FF191 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtClose: Direct from: 0x1414C5ED4 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtQueryInformationProcess: Direct from: 0x1424ACBB6 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtQueryInformationProcess: Direct from: 0x1424B142F |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtProtectVirtualMemory: Direct from: 0x1413F3190 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtQuerySystemInformation: Direct from: 0x1422D8EBC |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe |
NtProtectVirtualMemory: Direct from: 0x1422BFB31 |