Source: SecuriteInfo.com.Riskware.Application.25773.563.exe | ReversingLabs: Detection: 21%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.9% probability
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe | Static PE information: section name: .,[H
Source: classification engine | Classification label: mal84.evad.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6228:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe "C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Section loaded: cryptbase.dll
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe | Static file information: File size 28346898 > 1048576
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe | Static PE information: Raw size of .CX. is bigger than: 0x100000 < 0x17bb600
Source: initial sample | Static PE information: section where entry point is pointing to: .CX.
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe | Static PE information: section name: .ZRz
Source: SecuriteInfo.com.Riskware.Application.25773.563.exe | Static PE information: section name: .CX.
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Memory written: PID: 6204 base: 7FFE22370008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Memory written: PID: 6204 base: 7FFE2220D9F0 value: E9 20 26 16 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Memory written: PID: 6204 base: 7FFE2238000D value: E9 BB CB EB FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Memory written: PID: 6204 base: 7FFE2223CBC0 value: E9 5A 34 14 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Special instruction interceptor: First address: 1424B3C62 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Special instruction interceptor: First address: 1424B3C90 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Window / User API: threadDelayed 3540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Window / User API: threadDelayed 6452
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe TID: 6184 | Thread sleep time: -354000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe TID: 6184 | Thread sleep time: -645200s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Handle closed: DEADC0DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | System information queried: KernelDebuggerInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtProtectVirtualMemory: Direct from: 0x14231C506
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtSetInformationProcess: Direct from: 0x1414C657D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtQueryInformationProcess: Direct from: 0x1424ACF73
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtSetInformationThread: Direct from: 0x14149A03F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtSetInformationThread: Direct from: 0x1424AF985
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtProtectVirtualMemory: Direct from: 0x1414AEB1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtProtectVirtualMemory: Direct from: 0x1414C44FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtQuerySystemInformation: Direct from: 0x14231C5CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtProtectVirtualMemory: Direct from: 0x1414A8B48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtQuerySystemInformation: Direct from: 0x14131361D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtProtectVirtualMemory: Direct from: 0x14149432C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtQueryInformationProcess: Direct from: 0x14231FC5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtClose: Indirect: 0x1424B3C5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtQuerySystemInformation: Direct from: 0x141412697
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtMapViewOfSection: Direct from: 0x1424A2D46
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtQuerySystemInformation: Direct from: 0x1424AF5F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtProtectVirtualMemory: Indirect: 0x1412C40D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtQuerySystemInformation: Direct from: 0x1422D08E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtUnmapViewOfSection: Direct from: 0x1422C5339
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtProtectVirtualMemory: Direct from: 0x1412FF191
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtClose: Direct from: 0x1414C5ED4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtQueryInformationProcess: Direct from: 0x1424ACBB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtQueryInformationProcess: Direct from: 0x1424B142F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtProtectVirtualMemory: Direct from: 0x1413F3190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtQuerySystemInformation: Direct from: 0x1422D8EBC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe | NtProtectVirtualMemory: Direct from: 0x1422BFB31