Windows Analysis Report
SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Analysis ID: 1419153
MD5: cd943166310d5c29ea7fecdd00c23957
SHA1: f14eb88f4cdc2fc251b4471a2975f0576b4df61c
SHA256: 05d741cbb567eb90955cca6eba3b377351976e2d5d013ba3ea42ad04aad72bdb
Tags: dll

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 5220 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 3668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6704 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 2080 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6728 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,_main MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6876 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll, MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1892 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll, MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Virustotal: Detection: 55%
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: Binary string: sc.pdb source: loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Source: loaddll32.exe, 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | String found in binary or memory: http://www.kaikuoyun.com/list-127-1.htmlDVarFileInfo$
Source: loaddll32.exe, 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | String found in binary or memory: http://www.kaikuoyun.com/list-127-1.htmll)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100511B0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100A75C6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100511B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100A75C6
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Binary or memory string: OriginalFilenamebszip.dll" vs SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Binary or memory string: OriginalFilenamesc.exej% vs SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: classification engine | Classification label: mal52.winDLL@12/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3668:120:WilError_03
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,_main
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,_main
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\InprocServer32
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Static file information: File size 2334720 > 1048576
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x150000
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10050430 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1009FAD0 push eax; ret 0_2_1009FAFE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10013787 push ecx; retf 0001h 0_2_10013788
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100A1798 push eax; ret 0_2_100A17B6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1009FAD0 push eax; ret 3_2_1009FAFE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10013787 push ecx; retf 0001h 3_2_10013788
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100A1798 push eax; ret 3_2_100A17B6
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100060FC rdtsc
Source: C:\Windows\System32\loaddll32.exe | API coverage: 9.5 %
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 6.7 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | API call chain: ExitProcess graph end node graph_0-19116
Source: C:\Windows\System32\loaddll32.exe | API call chain: ExitProcess graph end node graph_0-18447
Source: C:\Windows\System32\loaddll32.exe | API call chain: ExitProcess graph end node graph_0-18446
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node graph_3-18447
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node graph_3-18446
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node graph_3-19119
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000BC31 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000DC38 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000E4D8 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000B391 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000BC31 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000DC38 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000E4D8 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000B391 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Process token adjusted: Debug
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Binary or memory string: Program ManagerProgman
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: Progman
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1002F8C8 cpuid
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1009E49D GetVersion,GetCommandLineA
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000101CD000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: kxetray.exe
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000101CD000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: 360Tray.exe
MITRE ATT&CK Matrix (matched techniques, with the number of matching signatures)

Execution: Native API (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (12); DLL Side-Loading (1)
Defense Evasion: Rundll32 (1); Process Injection (12); DLL Side-Loading (1); Obfuscated Files or Information (1)
Discovery: Security Software Discovery (2); Process Discovery (1); System Information Discovery (12)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1)

No techniques matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Behavior Graph (graph image not included): ID 1419153, Sample: SecuriteInfo.com.Win32.Malw..., Startdate: 03/04/2024, Architecture: WINDOWS, Score: 52. Signatures on the start node: Multi AV Scanner detection for submitted file; Machine Learning detection for sample. Process chain: loaddll32.exe started, which started cmd.exe, rundll32.exe, rundll32.exe and 2 other processes; cmd.exe started rundll32.exe.