Windows Analysis Report
SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe
Analysis ID: 1541680
MD5: 7b5ead3041ec05071ee6b28913d72547
SHA1: 8af0a3f29aff1d0fd9ab792539ff1a1fe7a32ad2
SHA256: e999cb5dcdea4d51a6178dfda3248fdf812d90841545a5ff4bbfaeac95e31c11
Tags: exe

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

AV Detection

Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Avira: detected
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe ReversingLabs: Detection: 18%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 96.4% probability
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

System Summary

Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Static PE information: section name: .LW:
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Static PE information: section name: .3*9
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe, 00000000.00000000.2074287155.00007FF6843BF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRuntimeBroker.exe` vs SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe, 00000000.00000003.2093691744.00000228D30CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe, 00000000.00000003.2093747211.00000228D30D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Binary or memory string: OriginalFilenameRuntimeBroker.exe` vs SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe
Source: classification engine Classification label: mal76.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe ReversingLabs: Detection: 18%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Section loaded: d3d10warp.dll
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Static file information: File size 14430720 > 1048576
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Static PE information: Raw size of .3*9 is bigger than: 0x100000 < 0xdc1800
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: initial sample Static PE information: section where entry point is pointing to: .3*9
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Static PE information: section name: .LW:
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Static PE information: section name: .UKD
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Static PE information: section name: .3*9

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Memory written: PID: 3180 base: 7FF8C8A50008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Memory written: PID: 3180 base: 7FF8C88ED9F0 value: E9 20 26 16 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe File opened / queried: HGFS
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe File opened / queried: VBoxMiniRdrDN
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe, 00000000.00000002.2093934740.00000228D30A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\.\VBoxMiniRdrDN
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe, 00000000.00000002.2093934740.00000228D30A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemupcivideo.sys
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe, 00000000.00000002.2093934740.00000228D3090000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \.\HGFS
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe, 00000000.00000002.2093934740.00000228D30A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemupci.sys
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe NtProtectVirtualMemory: Direct from: 0x7FF683E4F7EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe NtProtectVirtualMemory: Direct from: 0x7FF683F2EA22
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe NtProtectVirtualMemory: Direct from: 0x7FF683F0CD52
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe NtProtectVirtualMemory: Direct from: 0x7FF683E9FCFD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe NtProtectVirtualMemory: Indirect: 0x7FF6835EDEA6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe NtProtectVirtualMemory: Direct from: 0x7FF683E65903
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe NtProtectVirtualMemory: Direct from: 0x7FF683E4854B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe NtProtectVirtualMemory: Direct from: 0x7FF683DBE7D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe NtMapViewOfSection: Direct from: 0x7FF683E09A76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe NtClose: Direct from: 0x7FF683E9170F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe NtUnmapViewOfSection: Direct from: 0x7FF683F16848
No contacted IP infos