Edit tour

Windows Analysis Report
SecuriteInfo.com.Riskware.Application.25773.563.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Riskware.Application.25773.563.exe
Analysis ID:	1532744
MD5:	168b53e30b4b064151a7d3b5b8fb64b8
SHA1:	60c94ca95e67a143984da48906760a10344af23a
SHA256:	1bbda33a4a0ee71425e0ef5188383a661c01aa9f430f4cea6bdae78212f9c8e0
Tags:	exe
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Found potential dummy code loops (likely to delay analysis)

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect debuggers (CloseHandle check)

Tries to evade analysis by execution special instruction (VM detection)

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Checks if the current process is being debugged

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Riskware.Application.25773.563.exe (PID: 6204 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe" MD5: 168B53E30B4B064151A7D3B5B8FB64B8)

conhost.exe (PID: 6228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Riskware.Application.25773.563.exe

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.9% probability

System Summary

PE file contains section with special chars

Source: SecuriteInfo.com.Riskware.Application.25773.563.exe

Static PE information: section name: .,[H

Source: classification engine

Classification label: mal84.evad.winEXE@2/1@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6228:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Riskware.Application.25773.563.exe

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe "C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Section loaded: cryptbase.dll			Jump to behavior

Source: SecuriteInfo.com.Riskware.Application.25773.563.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Riskware.Application.25773.563.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Riskware.Application.25773.563.exe

Static file information: File size 28346898 > 1048576

Source: SecuriteInfo.com.Riskware.Application.25773.563.exe

Static PE information: Raw size of .CX. is bigger than: 0x100000 < 0x17bb600

Source: initial sample

Static PE information: section where entry point is pointing to: .CX.

Source: SecuriteInfo.com.Riskware.Application.25773.563.exe	Static PE information: section name: .ZRz
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe	Static PE information: section name: .,[H
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe	Static PE information: section name: .CX.

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Memory written: PID: 6204 base: 7FFE22370008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Memory written: PID: 6204 base: 7FFE2220D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Memory written: PID: 6204 base: 7FFE2238000D value: E9 BB CB EB FF	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Memory written: PID: 6204 base: 7FFE2223CBC0 value: E9 5A 34 14 00	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	System information queried: FirmwareTableInformation			Jump to behavior

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Special instruction interceptor: First address: 1424B3C62 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Special instruction interceptor: First address: 1424B3C90 instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Window / User API: threadDelayed 3540			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Window / User API: threadDelayed 6452			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe TID: 6184	Thread sleep time: -354000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe TID: 6184	Thread sleep time: -645200s >= -30000s			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe

Process Stats: CPU usage > 42% for more than 60s

Hides threads from debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Thread information set: HideFromDebugger			Jump to behavior

Tries to detect debuggers (CloseHandle check)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe

Handle closed: DEADC0DE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtProtectVirtualMemory: Direct from: 0x14231C506	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtSetInformationProcess: Direct from: 0x1414C657D	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtQueryInformationProcess: Direct from: 0x1424ACF73	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtSetInformationThread: Direct from: 0x14149A03F	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtSetInformationThread: Direct from: 0x1424AF985	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtProtectVirtualMemory: Direct from: 0x1414AEB1D	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtProtectVirtualMemory: Direct from: 0x1414C44FA	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtQuerySystemInformation: Direct from: 0x14231C5CC	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtProtectVirtualMemory: Direct from: 0x1414A8B48	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtQuerySystemInformation: Direct from: 0x14131361D	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtProtectVirtualMemory: Direct from: 0x14149432C	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtQueryInformationProcess: Direct from: 0x14231FC5A	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtClose: Indirect: 0x1424B3C5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtQuerySystemInformation: Direct from: 0x141412697	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtMapViewOfSection: Direct from: 0x1424A2D46	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtQuerySystemInformation: Direct from: 0x1424AF5F2	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtProtectVirtualMemory: Indirect: 0x1412C40D1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtQuerySystemInformation: Direct from: 0x1422D08E5	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtUnmapViewOfSection: Direct from: 0x1422C5339	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtProtectVirtualMemory: Direct from: 0x1412FF191	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtClose: Direct from: 0x1414C5ED4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtQueryInformationProcess: Direct from: 0x1424ACBB6	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtQueryInformationProcess: Direct from: 0x1424B142F	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtProtectVirtualMemory: Direct from: 0x1413F3190	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtQuerySystemInformation: Direct from: 0x1422D8EBC	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe	NtProtectVirtualMemory: Direct from: 0x1422BFB31	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	331 Virtualization/Sandbox Evasion	1 Credential API Hooking	52 Security Software Discovery	Remote Services	1 Credential API Hooking	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Process Injection	LSASS Memory	331 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	11 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Riskware.Application.25773.563.exe	21%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532744
Start date and time:	2024-10-13 21:40:28 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Riskware.Application.25773.563.exe
Detection:	MAL
Classification:	mal84.evad.winEXE@2/1@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: SecuriteInfo.com.Riskware.Application.25773.563.exe

Simulations

Behavior and APIs

Time	Type	Description
15:42:26	API Interceptor	15102x Sleep call for process: SecuriteInfo.com.Riskware.Application.25773.563.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	1.501585090809539
Encrypted:	false
SSDEEP:	6:Y/ZluTZ1/h1gb5FFeJ4ajbWQwVd6ai041kUvuetFIgcNOPFaaP:Yg1/UbbE/ONfi0BUvLtm1oFLP
MD5:	DFB4D3610120BAF39F0D9B85DABCC590
SHA1:	5B350D803F831A6DC263F36E6F6D8A833CE80FE7
SHA-256:	A21A250ECAEF2C6C15057F5767920495B791D0215D699A64B6C2567E09066133
SHA-512:	C6311ED232FF518376B9F7C49E4ACA92BF343BCB3BA89D42E6F2EAD2C5969FD99E603D94A63BA9C3C5A50970A2F0FB958C79305AED1BAA6B2A469F0146F77871
Malicious:	false
Reputation:	low
Preview:	. _ _ _ _ _ .. . __\| \|_ __(_)_ __ \| (_) \|_ ___ .. . / _` \| '__\| \| '_ \ \| \| \| __/ _ \.. . \| (_\| \| \| \| \| \|_) \| \| \| \| \|\| __/.. . \__,_\|_\| \|_\| .__/ \|_\|_\|\__\___\|.. . \|_\| .... . ....v3.2.................................. . Starting Drip Lite in 10 seconds...

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.920098021724909
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Riskware.Application.25773.563.exe
File size:	28'346'898 bytes
MD5:	168b53e30b4b064151a7d3b5b8fb64b8
SHA1:	60c94ca95e67a143984da48906760a10344af23a
SHA256:	1bbda33a4a0ee71425e0ef5188383a661c01aa9f430f4cea6bdae78212f9c8e0
SHA512:	01fd6882d7fab22a1d8d57189c923224e3aa576f7c77a877fdd22febb928e70d8550d35d8789e36980a143050f1fb5f4afe5030fbe5ee9de5270d250d84616d5
SSDEEP:	393216:x509tqWcvPnE1wPlqOlf5Y36of4VGP8ZpNlwy99sN2AyaWWqWi00kSE:x58tClmBAAPqpN7982AyaoW1F
TLSH:	20573396B9E6A3D4D7834D006A4A22D570D5B29DC1BB9A1E2BC71C033530DBBCA49DF3
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...X..f..........#......L...^........1........@.......................................... ........................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x142319dab
Entrypoint Section:	.CX.
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CCA658 [Mon Aug 26 15:59:20 2024 UTC]
TLS Callbacks:	0x422f56b9, 0x1, 0x4009b810, 0x1, 0x4009b890, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	aa7790079e5da97cfab7bf84d8bc295b

Entrypoint Preview

Instruction
inc ecx
push esi
dec ecx
mov esi, FCB40FB1h
push esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1319988	0x64	.CX.
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2aaa000	0x1ff	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2aa0760	0x8e50	.CX.
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x14bc930	0x28	.CX.
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2aa0620	0x138	.CX.
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x12ed000	0x40	.,[H
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x104a46	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x106000	0x3c170	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x143000	0xf3068	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x237000	0x64e0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x23e000	0x10	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ZRz	0x23f000	0x10ad151	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.,[H	0x12ed000	0x78	0x200	7bc2b85179055fb7dcd672b7d8393dbd	False	0.064453125	data	0.30609107431271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CX.	0x12ee000	0x17bb5b0	0x17bb600	476002243b6859beabfbe4ad5a8288ee	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x2aaa000	0x1ff	0x200	551aca63bbe4416892bf141f14025a01	False	0.529296875	data	4.808766913049419	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x2aaa058	0x1a7	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5437352245862884

Imports

DLL	Import
msvcrt.dll	__C_specific_handler
USER32.dll	CloseClipboard
KERNEL32.dll	AcquireSRWLockExclusive
ADVAPI32.dll	SystemFunction036

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Riskware.Application.25773.563.exePID: 6204, Parent PID: 2580

General

Target ID:	0
Start time:	15:41:22
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe"
Imagebase:	0x140000000
File size:	28'346'898 bytes
MD5 hash:	168B53E30B4B064151A7D3B5B8FB64B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6228, Parent PID: 6204

General

Target ID:	1
Start time:	15:41:22
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Riskware.Application.25773.563.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Riskware.Application.25773.563.exePID: 6204, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 6228, Parent PID: 6204

General

Chronological Activities

Disassembly

Windows Analysis Report
SecuriteInfo.com.Riskware.Application.25773.563.exe