Edit tour
Windows
Analysis Report
SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe
Overview
General Information
| Sample name: | SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe |
| Analysis ID: | 1544040 |
| MD5: | de33be5614d00e60edcc7f0188826233 |
| SHA1: | c4d3b63dbae6226ad2c71d22f8afc729c38af2ec |
| SHA256: | fc57a1e56ec50da6e17a351bb29d6598d5f8ddb043e28331e474e0d8efac73a5 |
| Tags: | exe |
| Infos: | |
 | |
Detection
| Score: | 52 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Initial sample is a PE file and has a suspicious name
Contains functionality to check if a debugger is running (IsDebuggerPresent)
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)
Queries disk information (often used to detect virtual machines)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe (PID: 3160 cmdline: "C:\Users\ user\Deskt op\Securit eInfo.com. Riskware.P dfxd.1445. 707.exe" MD5: DE33BE5614D00E60EDCC7F0188826233)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00F520EF | |
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00F567F3 | |
| Source: | Code function: | 0_2_00F567F3 | |
| Source: | Code function: | 0_2_00F5192D | |
| Source: | Code function: | 0_2_00F524C8 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Virtualization/Sandbox Evasion | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 12 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 13% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| report.pdfxd.com | 123.56.218.178 | true | false | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 123.56.218.178 | report.pdfxd.com | China | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1544040 |
| Start date and time: | 2024-10-28 18:36:12 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 38s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe |
| Detection: | MAL |
| Classification: | mal52.winEXE@1/0@1/1 |
| EGA Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe
⊘No simulations
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | Get hash | malicious | GhostRat | Browse |
| |
| Get hash | malicious | GhostRat | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.995877630321369 |
| TrID: |
|
| File name: | SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe |
| File size: | 43'003'376 bytes |
| MD5: | de33be5614d00e60edcc7f0188826233 |
| SHA1: | c4d3b63dbae6226ad2c71d22f8afc729c38af2ec |
| SHA256: | fc57a1e56ec50da6e17a351bb29d6598d5f8ddb043e28331e474e0d8efac73a5 |
| SHA512: | 9e1df0cb90054d732c6cd9083eba7561e491cd55fb715fe01336f35ae9af1b2d3c74f7ba0c6e39b8ddf2b38c7832e5533eeba26bab9f630d61d41832c694c8a9 |
| SSDEEP: | 786432:zgmnUmofP4fKDo72GORr/X2fnW4GmDDAU2dzg1vTfG1RmwXf/8DlrWnX:rnUtwfKDo7REMnW9U2dM1vT4zf/8DxWX |
| TLSH: | 74973373299E4034E95100729678DF7ED0AF63290B2F8DC797C00B690967BC16A7AE5F |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........vo...<...<...<...=...<...=...<.c.=...<.c.=...<.c.=...<...=...<...=...<...=...<...<...<.d.=V..<.d.=...<.d.<...<...<...<.d.=... |
 | |
| Icon Hash: | 619a14960b292109 |
| Entrypoint: | 0x4a1d9c |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x66E2E9FB [Thu Sep 12 13:17:47 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 0a7217542690edbbd6c792caac85a70c |
| Signature Valid: | true |
| Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
| Signature Validation Error: | The operation completed successfully |
| Error Number: | 0 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | B1DB425DAFF1EE9F34BFCDCD9CB68DF4 |
| Thumbprint SHA-1: | D9185C2F47829D062DDCE1C387F13D96A40EBF37 |
| Thumbprint SHA-256: | A58F9C0E4DF0109F1443CE86FF4795F924BB4FA6D8141DB24CD37B04AAF98204 |
| Serial: | 073AD6CAE07689A7F4334C3698FBF405 |
| Instruction |
|---|
| call 00007F1EB08D04D9h |
| jmp 00007F1EB08CFBDFh |
| push ebp |
| mov ebp, esp |
| pop ebp |
| jmp 00007F1EB08CF459h |
| push ebp |
| mov ebp, esp |
| and dword ptr [00508440h], 00000000h |
| sub esp, 28h |
| or dword ptr [00504118h], 01h |
| push 0000000Ah |
| call dword ptr [004DC238h] |
| test eax, eax |
| je 00007F1EB08D006Bh |
| push ebx |
| push esi |
| push edi |
| xor eax, eax |
| lea edi, dword ptr [ebp-28h] |
| xor ecx, ecx |
| push ebx |
| cpuid |
| mov esi, ebx |
| pop ebx |
| nop |
| mov dword ptr [edi], eax |
| mov dword ptr [edi+04h], esi |
| mov dword ptr [edi+08h], ecx |
| xor ecx, ecx |
| mov dword ptr [edi+0Ch], edx |
| mov eax, dword ptr [ebp-28h] |
| mov edi, dword ptr [ebp-24h] |
| mov dword ptr [ebp-04h], eax |
| xor edi, 756E6547h |
| mov eax, dword ptr [ebp-1Ch] |
| xor eax, 49656E69h |
| mov dword ptr [ebp-18h], eax |
| mov eax, dword ptr [ebp-20h] |
| xor eax, 6C65746Eh |
| mov dword ptr [ebp-14h], eax |
| xor eax, eax |
| inc eax |
| push ebx |
| cpuid |
| mov esi, ebx |
| pop ebx |
| nop |
| lea ebx, dword ptr [ebp-28h] |
| mov dword ptr [ebx], eax |
| mov eax, dword ptr [ebp-18h] |
| or eax, dword ptr [ebp-14h] |
| or eax, edi |
| mov dword ptr [ebx+04h], esi |
| mov dword ptr [ebx+08h], ecx |
| mov dword ptr [ebx+0Ch], edx |
| jne 00007F1EB08CFD9Bh |
| mov eax, dword ptr [ebp-28h] |
| and eax, 0FFF3FF0h |
| cmp eax, 000106C0h |
| je 00007F1EB08CFD85h |
| cmp eax, 00020660h |
| je 00007F1EB08CFD7Eh |
| cmp eax, 00020670h |
| je 00007F1EB08CFD77h |
| cmp eax, 00030650h |
| je 00007F1EB08CFD70h |
| cmp eax, 00030660h |
| je 00007F1EB08CFD69h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x100d6c | 0x168 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11d000 | 0x27ee868 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2900400 | 0x29f0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x290c000 | 0xb208 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf09a0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xf09c0 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xf08e0 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xdc000 | 0x69c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xdaf5c | 0xdb000 | ee4ffa6b421416cb870b4dd7c2555747 | False | 0.4587993186358447 | DOS executable (COM) | 6.498008455044036 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0xdc000 | 0x272d4 | 0x27400 | d0e77bd1dac89316a0665d9a06b26adf | False | 0.3346312699044586 | data | 4.759283366681058 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x104000 | 0x18020 | 0x3e00 | a96155ca2312d5ea5ef1db479d615469 | False | 0.19430443548387097 | data | 4.566885531106728 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x11d000 | 0x27ee868 | 0x27eea00 | b19da25060bf75d761a2364b0a9c73b1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x290c000 | 0xb208 | 0xb400 | 109541f3149bcdc7ef96ce8b5e55bbce | False | 0.573828125 | data | 6.5666903730688855 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| PNG | 0x11d798 | 0x2b1 | PNG image data, 210 x 143, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.7706821480406386 |
| PNG | 0x11da4c | 0x834 | PNG image data, 800 x 40, 8-bit colormap, non-interlaced | Chinese | China | 1.0052380952380953 |
| PNG | 0x11e280 | 0xca | PNG image data, 16 x 6, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.004950495049505 |
| PNG | 0x11e34c | 0x167 | PNG image data, 72 x 24, 8-bit gray+alpha, non-interlaced | Chinese | China | 1.0306406685236769 |
| PNG | 0x11e4b4 | 0xd4 | PNG image data, 16 x 6, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.009433962264151 |
| PNG | 0x11e588 | 0xa2 | PNG image data, 20 x 20, 4-bit colormap, non-interlaced | Chinese | China | 0.9629629629629629 |
| PNG | 0x11e62c | 0x6e4 | PNG image data, 80 x 80, 8-bit colormap, non-interlaced | Chinese | China | 1.006235827664399 |
| PNG | 0x11ed10 | 0x1fb8 | PNG image data, 600 x 400, 4-bit colormap, non-interlaced | Chinese | China | 0.9926108374384236 |
| PNG | 0x120cc8 | 0xb50 | PNG image data, 200 x 29, 8-bit colormap, non-interlaced | Chinese | China | 0.9986187845303868 |
| PNG | 0x121818 | 0x3cf | PNG image data, 96 x 12, 8-bit colormap, non-interlaced | Chinese | China | 0.9364102564102564 |
| PNG | 0x121be8 | 0x134 | PNG image data, 36 x 12, 8-bit colormap, non-interlaced | Chinese | China | 0.961038961038961 |
| PNG | 0x121d1c | 0x12d | PNG image data, 36 x 12, 8-bit colormap, non-interlaced | Chinese | China | 0.9833887043189369 |
| PNG | 0x121e4c | 0x190 | PNG image data, 240 x 24, 8-bit colormap, non-interlaced | Chinese | China | 1.0 |
| RT_ICON | 0x121fdc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Chinese | China | 0.3421985815602837 |
| RT_ICON | 0x122444 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Chinese | China | 0.25778688524590165 |
| RT_ICON | 0x122dcc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Chinese | China | 0.18878986866791744 |
| RT_ICON | 0x123e74 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Chinese | China | 0.1370331950207469 |
| RT_ICON | 0x12641c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | Chinese | China | 0.10899858290033065 |
| RT_ICON | 0x12a644 | 0x2dd6 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9944605420146583 |
| RT_ICON | 0x12d41c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Chinese | China | 0.3421985815602837 |
| RT_ICON | 0x12d884 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Chinese | China | 0.25778688524590165 |
| RT_ICON | 0x12e20c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Chinese | China | 0.18878986866791744 |
| RT_ICON | 0x12f2b4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Chinese | China | 0.1370331950207469 |
| RT_ICON | 0x13185c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | Chinese | China | 0.10899858290033065 |
| RT_ICON | 0x135a84 | 0x2dd6 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9944605420146583 |
| RT_MENU | 0x13885c | 0x50 | data | Chinese | China | 0.8375 |
| RT_DIALOG | 0x1388ac | 0x114 | data | Chinese | China | 0.6159420289855072 |
| RT_STRING | 0x1389c0 | 0x34 | data | Chinese | China | 0.6346153846153846 |
| RT_ACCELERATOR | 0x1389f4 | 0x10 | data | Chinese | China | 1.25 |
| RT_RCDATA | 0x138a04 | 0x4ef | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.40380047505938244 |
| RT_RCDATA | 0x138ef4 | 0x27d21eb | 7-zip archive data, version 0.4 | Chinese | China | 1.0003108978271484 |
| RT_GROUP_ICON | 0x290b0e0 | 0x5a | data | Chinese | China | 0.7777777777777778 |
| RT_GROUP_ICON | 0x290b13c | 0x5a | data | Chinese | China | 0.8111111111111111 |
| RT_VERSION | 0x290b198 | 0x2a0 | data | Chinese | China | 0.5461309523809523 |
| RT_MANIFEST | 0x290b438 | 0x42e | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1010), with CRLF line terminators | English | United States | 0.5037383177570094 |
| DLL | Import |
|---|---|
| VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW |
| KERNEL32.dll | lstrcmpA, GetThreadLocale, SetThreadLocale, InitializeCriticalSectionAndSpinCount, GetSystemInfo, SetEndOfFile, GetFileSizeEx, MoveFileExW, SetFileAttributesW, GetFileAttributesExW, ResetEvent, SetEvent, PostQueuedCompletionStatus, GetExitCodeThread, CreateEventW, CreateIoCompletionPort, GetQueuedCompletionStatus, DecodePointer, WriteConsoleW, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, FlushFileBuffers, GetTimeZoneInformation, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, GetConsoleOutputCP, SetStdHandle, WaitForSingleObject, SetFilePointerEx, GetFileType, GetStdHandle, ExitProcess, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, QueryPerformanceFrequency, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlUnwind, GetSystemTimeAsFileTime, QueryPerformanceCounter, SetUnhandledExceptionFilter, UnhandledExceptionFilter, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetCPInfo, LCMapStringEx, GetStringTypeW, LoadLibraryExA, VirtualFree, VirtualAlloc, IsProcessorFeaturePresent, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, InitializeSListHead, EncodePointer, IsDebuggerPresent, EnumSystemLocalesW, GetLastError, HeapDestroy, lstrlenA, GetSystemTime, HeapAlloc, HeapReAlloc, GetNativeSystemInfo, GetFileSize, HeapFree, HeapSize, GetProcessHeap, InitializeCriticalSectionEx, DeleteCriticalSection, FindResourceExW, LoadResource, LockResource, SizeofResource, FindResourceW, RaiseException, SetLastError, EnterCriticalSection, LeaveCriticalSection, GetCurrentThreadId, GetModuleFileNameW, CreateFileA, SystemTimeToFileTime, GetWindowsDirectoryW, FileTimeToSystemTime, DeviceIoControl, GetCurrentProcess, K32GetModuleFileNameExW, Process32NextW, Process32FirstW, CreateToolhelp32Snapshot, ReadFile, GetStartupInfoW, CreatePipe, TerminateProcess, GetExitCodeProcess, CreateProcessW, MoveFileW, RemoveDirectoryW, FindClose, FindNextFileW, FindFirstFileW, LocalAlloc, LocalFree, OutputDebugStringW, SetFilePointer, GetPrivateProfileStringW, GetPrivateProfileIntW, CopyFileW, lstrlenW, CreateThread, ReadConsoleW, TerminateThread, InitializeCriticalSection, GetVersionExW, GetModuleHandleW, DeleteFileW, WriteFile, LoadLibraryW, GetTickCount, MulDiv, GetCurrentProcessId, OpenProcess, FreeResource, GlobalFree, GlobalAlloc, Sleep, VerSetConditionMask, VerifyVersionInfoW, WideCharToMultiByte, MultiByteToWideChar, WritePrivateProfileStringW, lstrcmpiW, LoadLibraryExW, GetProcAddress, FreeLibrary, CloseHandle, CreateFileW, CreateDirectoryW, GetVersion, GetConsoleMode |
| USER32.dll | GetShellWindow, IsClipboardFormatAvailable, RegisterClipboardFormatW, GetSysColor, SetCaretPos, CreateCaret, GetCaretBlinkTime, wsprintfW, SetWindowPos, MoveWindow, ShowWindow, PostQuitMessage, LoadCursorW, KillTimer, SetTimer, DestroyWindow, IsWindow, CreateWindowExW, GetClassInfoExW, RegisterClassExW, SetWindowLongW, GetWindowLongW, GetDlgItem, UnregisterClassW, CallWindowProcW, IsRectEmpty, DefWindowProcW, SendMessageW, GetWindowTextLengthW, SetWindowTextW, CharLowerBuffW, UpdateWindow, UpdateLayeredWindow, SetActiveWindow, BringWindowToTop, AttachThreadInput, GetWindowThreadProcessId, GetClientRect, GetWindowRect, MapWindowPoints, GetParent, LoadIconW, MonitorFromWindow, GetMonitorInfoW, MessageBoxW, GetMessageW, TranslateMessage, DispatchMessageW, PeekMessageW, CharNextW, SetRectEmpty, EqualRect, SetCursor, ClientToScreen, GetCursorPos, PtInRect, ScreenToClient, GetDoubleClickTime, CopyRect, IntersectRect, PostMessageW, SystemParametersInfoW, BeginPaint, EndPaint, IsIconic, InvalidateRect, TrackMouseEvent, SetFocus, GetFocus, SetCapture, ReleaseCapture, SetWindowRgn, IsWindowVisible, EnableWindow, GetForegroundWindow, GetWindowTextW, SetForegroundWindow, IsZoomed, MonitorFromRect, OffsetRect, SetLayeredWindowAttributes, DrawTextW, GetCursor, GetIconInfo, GetDC, ReleaseDC, FillRect, GetWindow, LoadImageW |
| GDI32.dll | CreatePen, RestoreDC, ExtSelectClipRgn, CreateRectRgnIndirect, SaveDC, GetDeviceCaps, GetStockObject, SetBkColor, GetBitmapBits, StretchBlt, SetStretchBltMode, SetPixel, Rectangle, CreateSolidBrush, GetObjectW, SetTextColor, SetBkMode, CreateRectRgn, CombineRgn, CreateRoundRectRgn, DeleteDC, BitBlt, SelectObject, CreateCompatibleDC, DeleteObject, CreateFontIndirectW, SetBitmapBits, GetTextColor, GetCurrentObject, SetTextCharacterExtra, GetViewportOrgEx, CreateDIBSection |
| ADVAPI32.dll | RegQueryInfoKeyW, FreeSid, CheckTokenMembership, AllocateAndInitializeSid, ConvertSidToStringSidW, LookupAccountNameW, GetUserNameW, DeleteService, ControlService, SetSecurityDescriptorDacl, RegSetKeySecurity, InitializeSecurityDescriptor, RegEnumKeyW, CloseServiceHandle, ChangeServiceConfigW, QueryServiceConfigW, QueryServiceStatus, StartServiceW, OpenServiceW, OpenSCManagerW, CreateProcessWithTokenW, DuplicateTokenEx, OpenProcessToken, RegQueryValueExW, RegSetValueExW, RegOpenKeyExW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey |
| SHELL32.dll | SHGetPathFromIDListW, SHGetSpecialFolderLocation, SHBrowseForFolderW, ShellExecuteW, SHCreateDirectoryExW, ShellExecuteExW, SHChangeNotify, SHGetSpecialFolderPathW, SHGetMalloc |
| ole32.dll | CoInitializeSecurity, OleRun, RegisterDragDrop, StgCreateDocfileOnILockBytes, CreateILockBytesOnHGlobal, CreateStreamOnHGlobal, CoInitialize, CoTaskMemRealloc, CoTaskMemAlloc, CoCreateInstance, CoTaskMemFree, CoUninitialize |
| OLEAUT32.dll | SysAllocString, VarBstrCmp, VarUI4FromStr, VariantCopy, VariantClear, LoadRegTypeLib, LoadTypeLib, SysFreeString, SysStringLen, VariantInit, GetErrorInfo |
| SHLWAPI.dll | PathIsDirectoryW, PathSearchAndQualifyW, PathRemoveBackslashW, SHDeleteValueW, SHGetValueW, StrCmpIW, PathCombineW, PathAppendW, PathRemoveFileSpecW, PathRemoveExtensionW, PathFindFileNameW, PathFileExistsW |
| COMCTL32.dll | DrawShadowText, InitCommonControlsEx |
| MSIMG32.dll | AlphaBlend |
| WININET.dll | InternetCloseHandle, HttpSendRequestW, HttpOpenRequestW, InternetReadFile, HttpQueryInfoW, InternetCrackUrlW, InternetConnectW, InternetSetOptionW, InternetOpenW |
| gdiplus.dll | GdipCreateBitmapFromHICON, GdipCreateBitmapFromHBITMAP, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipCreateBitmapFromFile, GdipBitmapLockBits, GdipGetImageHeight, GdipGetImageWidth, GdipCloneImage, GdipDrawImageRectI, GdipGetImagePixelFormat, GdipDeleteGraphics, GdipGetImageGraphicsContext, GdipCreateFromHDC, GdipDisposeImage, GdipAlloc, GdipFree, GdipDeleteBrush, GdipCloneBrush, GdipCreateSolidFill, GdipSetTextRenderingHint, GdipDrawString, GdipCreateFontFamilyFromName, GdipDeleteFontFamily, GdipCreateFont, GdipDeleteFont, GdiplusStartup, GdipSetInterpolationMode |
| Secur32.dll | GetUserNameExW |
| CRYPT32.dll | CryptBinaryToStringW, CryptStringToBinaryW |
| NETAPI32.dll | Netbios |
| IPHLPAPI.DLL | GetAdaptersInfo, GetIpAddrTable |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Chinese | China |  |
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 28, 2024 18:37:08.763045073 CET | 49706 | 80 | 192.168.2.6 | 123.56.218.178 |
| Oct 28, 2024 18:37:08.803069115 CET | 80 | 49706 | 123.56.218.178 | 192.168.2.6 |
| Oct 28, 2024 18:37:08.803478003 CET | 49706 | 80 | 192.168.2.6 | 123.56.218.178 |
| Oct 28, 2024 18:37:08.822451115 CET | 49706 | 80 | 192.168.2.6 | 123.56.218.178 |
| Oct 28, 2024 18:37:08.864703894 CET | 80 | 49706 | 123.56.218.178 | 192.168.2.6 |
| Oct 28, 2024 18:37:10.115009069 CET | 80 | 49706 | 123.56.218.178 | 192.168.2.6 |
| Oct 28, 2024 18:37:10.115087032 CET | 49706 | 80 | 192.168.2.6 | 123.56.218.178 |
| Oct 28, 2024 18:37:10.115602016 CET | 80 | 49706 | 123.56.218.178 | 192.168.2.6 |
| Oct 28, 2024 18:37:10.115658045 CET | 49706 | 80 | 192.168.2.6 | 123.56.218.178 |
| Oct 28, 2024 18:37:10.348500013 CET | 80 | 49706 | 123.56.218.178 | 192.168.2.6 |
| Oct 28, 2024 18:37:10.348583937 CET | 49706 | 80 | 192.168.2.6 | 123.56.218.178 |
| Oct 28, 2024 18:37:25.172838926 CET | 80 | 49706 | 123.56.218.178 | 192.168.2.6 |
| Oct 28, 2024 18:37:25.172957897 CET | 49706 | 80 | 192.168.2.6 | 123.56.218.178 |
| Oct 28, 2024 18:38:58.496223927 CET | 49706 | 80 | 192.168.2.6 | 123.56.218.178 |
| Oct 28, 2024 18:38:58.808022976 CET | 49706 | 80 | 192.168.2.6 | 123.56.218.178 |
| Oct 28, 2024 18:38:59.417403936 CET | 49706 | 80 | 192.168.2.6 | 123.56.218.178 |
| Oct 28, 2024 18:39:00.620520115 CET | 49706 | 80 | 192.168.2.6 | 123.56.218.178 |
| Oct 28, 2024 18:39:03.026798010 CET | 49706 | 80 | 192.168.2.6 | 123.56.218.178 |
| Oct 28, 2024 18:39:07.839284897 CET | 49706 | 80 | 192.168.2.6 | 123.56.218.178 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 28, 2024 18:37:08.610331059 CET | 64453 | 53 | 192.168.2.6 | 1.1.1.1 |
| Oct 28, 2024 18:37:08.663336039 CET | 53 | 64453 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 28, 2024 18:37:08.610331059 CET | 192.168.2.6 | 1.1.1.1 | 0x8aac | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 28, 2024 18:37:08.663336039 CET | 1.1.1.1 | 192.168.2.6 | 0x8aac | No error (0) | 123.56.218.178 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49706 | 123.56.218.178 | 80 | 3160 | C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Oct 28, 2024 18:37:08.822451115 CET | 415 | OUT | |
| Oct 28, 2024 18:37:10.115009069 CET | 180 | IN | |
| Oct 28, 2024 18:37:10.115602016 CET | 180 | IN | |
| Oct 28, 2024 18:37:10.348500013 CET | 180 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 13:37:06 |
| Start date: | 28/10/2024 |
| Path: | C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xeb0000 |
| File size: | 43'003'376 bytes |
| MD5 hash: | DE33BE5614D00E60EDCC7F0188826233 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 6.9% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 1.6% |
| Total number of Nodes: | 434 |
| Total number of Limit Nodes: | 8 |
Graph
Callgraph
Function 00F6AE5A Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6F792 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6F4A7 Relevance: 2.6, APIs: 2, Instructions: 125COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F70C3C Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F567F3 Relevance: 4.6, APIs: 3, Instructions: 77COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6CB54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|