Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe
Analysis ID: 1546295
MD5: 3b97ad27c3ea67c7e6f51d23c8b11471
SHA1: 618434d4edd1aa20c3f97c70fecedac65000b6dd
SHA256: f84215746692872e393b68b6d0dc8ef7d050da10b6994d53cbcfcddeb16499ff
Tags: exe

Detection

Score: 23
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

AI detected suspicious sample
Installs a raw input device (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 91.5% probability
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:49776
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:49967
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe String found in binary or memory: http://fastmm.sourceforge.net).
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe String found in binary or memory: http://www.winimage.com/zLibDll
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe String found in binary or memory: http://www.winimage.com/zLibDll-1.2.3rbr
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3419312276.00000000024FC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices memstr_0dfbb972-e
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe PID: 1916, type: MEMORYSTR
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000000.2178734994.000000000066E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename" vs SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3420189550.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMXDWDRV.DLLj% vs SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Binary or memory string: OriginalFilename" vs SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Static PE information: Section: .reloc IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Binary string: \Device\Video0
Source: classification engine Classification label: sus23.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe File created: C:\Users\user\AppData\Roaming\EurekaLog
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: midas.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: netprofm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: npmproxy.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Window found: window name: TButton
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Static file information: File size 3165184 > 1048576
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Static PE information: Raw size of CODE is bigger than: 0x100000 < 0x234400
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Static PE information: More than 200 imports for user32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250F85C push ss; ret 0_3_0250F85D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_02510E6A push es; retf 0_3_02510E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250EC29 push edi; iretd 0_3_0250EC41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250CCDF push edi; iretd 0_3_0250CD2D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250FAC1 push esi; retf 0_3_0250FACC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250FAE7 push esi; retf 0_3_0250FAFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250D4EA push edi; iretd 0_3_0250D4ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250D8EA push edi; iretd 0_3_0250D8F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250D89B push edi; iretd 0_3_0250D89E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250F48C push edi; iretd 0_3_0250F48F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250C6A3 push ds; retf 0_3_0250C70E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250F744 push edi; iretd 0_3_0250F747
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250ED45 push edi; iretd 0_3_0250ED4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250F778 push edi; iretd 0_3_0250F77B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250E162 push edi; iretd 0_3_0250E188
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250D3D1 push edi; iretd 0_3_0250D3D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250F9D1 push edi; iretd 0_3_0250F9D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250CDD3 pushfd ; retf 0_3_0250CDDD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250DFF1 push edi; iretd 0_3_0250DFF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250CFF7 push ds; iretd 0_3_0250D020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250CD97 push edi; iretd 0_3_0250CD9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250ED88 push es; iretd 0_3_0250EDA7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250E1B1 push edi; iretd 0_3_0250E188
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Code function: 0_3_0250C5AB push edi; iretd 0_3_0250C5AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe File Volume queried: C:\ FullSizeInformation
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3418859320.000000000097E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Process information queried: ProcessInformation
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Binary or memory string: SeDelegateSessionUserImpersonatePrivilege - OFF Active Controls: ------------------------------------ 4.1 Form Class : Progman 4.2 Form Text : Program Manager 4.3 Control Class: 4.4 Control Text : Computer: ---------------------
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3419312276.00000000024FC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3419204141.00000000024F9000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow t
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3420260237.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000003.2229189694.0000000004BF4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 4.1 Form Class : Progman
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3419204141.00000000024F9000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3420260237.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000003.2229189694.0000000004BF4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 4.2 Form Text : Program Manager
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3419312276.00000000024FC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 4.2 Form Text: Program Manager
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3419312276.00000000024FC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3420189550.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 4.1 Form Class : Progman
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3419312276.00000000024FC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3419312276.00000000024FC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 4.1 Form Class: Progman
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
No contacted IP infos