Windows Analysis Report
SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Analysis ID: 1419153
MD5: cd943166310d5c29ea7fecdd00c23957
SHA1: f14eb88f4cdc2fc251b4471a2975f0576b4df61c
SHA256: 05d741cbb567eb90955cca6eba3b377351976e2d5d013ba3ea42ad04aad72bdb
Tags: dll

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll Virustotal: Detection: 55%
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: Binary string: sc.pdb source: loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Source: loaddll32.exe, 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll String found in binary or memory: http://www.kaikuoyun.com/list-127-1.htmlDVarFileInfo$
Source: loaddll32.exe, 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll String found in binary or memory: http://www.kaikuoyun.com/list-127-1.htmll)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100511B0 0_2_100511B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100A75C6 0_2_100A75C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100511B0 3_2_100511B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100A75C6 3_2_100A75C6
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll Binary or memory string: OriginalFilenamebszip.dll" vs SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll Binary or memory string: OriginalFilenamesc.exej% vs SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: classification engine Classification label: mal52.winDLL@12/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3668:120:WilError_03
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,_main
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\InprocServer32
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll Static file information: File size 2334720 > 1048576
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x150000
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10050430 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_10050430
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1009FAD0 push eax; ret 0_2_1009FAFE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10013787 push ecx; retf 0001h 0_2_10013788
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100A1798 push eax; ret 0_2_100A17B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1009FAD0 push eax; ret 3_2_1009FAFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10013787 push ecx; retf 0001h 3_2_10013788
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100A1798 push eax; ret 3_2_100A17B6
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100060FC rdtsc 0_2_100060FC
Source: C:\Windows\System32\loaddll32.exe API coverage: 9.5 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 6.7 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000BC31 mov ebx, dword ptr fs:[00000030h] 0_2_1000BC31
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000DC38 mov ecx, dword ptr fs:[00000030h] 0_2_1000DC38
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E4D8 mov ebx, dword ptr fs:[00000030h] 0_2_1000E4D8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000B391 mov ecx, dword ptr fs:[00000030h] 0_2_1000B391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000BC31 mov ebx, dword ptr fs:[00000030h] 3_2_1000BC31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000DC38 mov ecx, dword ptr fs:[00000030h] 3_2_1000DC38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000E4D8 mov ebx, dword ptr fs:[00000030h] 3_2_1000E4D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000B391 mov ecx, dword ptr fs:[00000030h] 3_2_1000B391
Source: C:\Windows\System32\loaddll32.exe Process token adjusted: Debug
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll Binary or memory string: Program ManagerProgman
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: Progman
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002F8C8 cpuid 0_2_1002F8C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1009E49D GetVersion,GetCommandLineA, 0_2_1009E49D
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000101CD000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: kxetray.exe
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000101CD000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 360Tray.exe
No contacted IP infos