
Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll

Overview

General Information

Sample name:SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll
(renamed file extension from exe to dll)
Original sample name:SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.exe
Analysis ID:1426608
MD5:27e1ba124dca078b7c11401f9467b1d8
SHA1:5549c30cc5f36ef2ed3d796e6f16309e7f274c60
SHA256:1862b29b4e7d6d936345b6dd89216cd677f82410761de7a192af822663ecdecf
Tags:exe

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Creates a process in suspended mode (likely to inject code)
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Conhost Spawned By Uncommon Parent Process

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6688 cmdline: loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 5272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3928 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 4232 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • conhost.exe (PID: 5764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Sigma match (Conhost Spawned By Uncommon Parent Process): Source: Process started; Author: Tim Rauch; Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll",#1, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 4232, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 5764, ProcessName: conhost.exe
No Snort rule has matched


AV Detection

Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; ReversingLabs: Detection: 25%
Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; Virustotal: Detection: 29%
Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: A:\Srcs\Pad\Build\Release\Hyper3.pdb??'GCTL; source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll
Source: Binary string: A:\Srcs\Pad\Build\Release\Hyper3.pdb; source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll
Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; String found in binary or memory: https://cdn.discordapp.com/attachments/1135629801705709640/1170156279776411779/Hyper.ytd
Source: classification engine; Classification label: mal48.winDLL@7/3@0/0
Source: C:\Windows\System32\loaddll64.exe; File created: C:\Users\user\AppData\Roaming\Hyper
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5272:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_03
Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll",#1
Source: unknown; Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll"
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll",#1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll",#1
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe; Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: urlmon.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: msvcp140.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: vcruntime140.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: iertutil.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: srvcli.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: textshaping.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\rundll32.exe; Automated click: OK
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; Static PE information: Image base 0x180000000 > 0x60000000
Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; Static file information: File size 1581056 > 1048576
Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe; TID: 5948; Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe; Thread delayed: delay time: 120000
MITRE ATT&CK Matrix (techniques listed per tactic; numbers in parentheses are the counts shown in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Masquerading (1); Rundll32 (1); Virtualization/Sandbox Evasion (11); Process Injection (11); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Virtualization/Sandbox Evasion (11); System Information Discovery (1); Query Registry; System Network Configuration Discovery; Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph (ID: 1426608; Sample: SecuriteInfo.com.Trojan.Gen...; Start date: 16/04/2024; Architecture: WINDOWS; Score: 48): loaddll64.exe started cmd.exe and conhost.exe; cmd.exe started rundll32.exe, which started conhost.exe. Signature shown on the graph: Multi AV Scanner detection for submitted file.

Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll | 25% | ReversingLabs | Win64.Trojan.Generic
SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll | 30% | Virustotal |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://cdn.discordapp.com/attachments/1135629801705709640/1170156279776411779/Hyper.ytd | SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll | false | | high
    No contacted IP infos
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1426608
    Start date and time:2024-04-16 11:25:05 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 1m 57s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:6
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll
    (renamed file extension from exe to dll)
    Original Sample Name:SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.exe
    Detection:MAL
    Classification:mal48.winDLL@7/3@0/0
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Stop behavior analysis, all processes terminated
    • Exclude process from analysis (whitelisted): dllhost.exe
    • Not all processes were analyzed, report is missing behavior information
    Time: 11:25:51; Type: API Interceptor; Description: 1x Sleep call for process: loaddll64.exe modified
    No context
    Process:C:\Windows\System32\loaddll64.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):237
    Entropy (8bit):4.971573774254783
    Encrypted:false
    SSDEEP:6:D6Xgv2jU1RvDaR6Xgv2jU1RvDaR6XkdQjU/t05:D6Km6Km1Qo05
    MD5:5A9E583789D3D58E5230663212FD9698
    SHA1:E47FA5B656A1231CBCC91E960F31FEBE8066230E
    SHA-256:180B2BCFCC96CF563D69ED03700D2F7A6A3371DB5B7A110C584D649B21424368
    SHA-512:5F627CE3574F1FBABA1CA2D7C751C4C68619D306D3AEECC1E384B2ABA1590DCC05CCCD59AFB2247C4F180CDBFBDB01E28E8AAFEB98A16D4BAE6EFCE987333C87
    Malicious:false
    Reputation:low
    Preview:[Hyper] [11:25:51] OMG IT'S FATAL ERROR: Failed to find Frame Count pattern...[Hyper] [11:25:51] OMG IT'S FATAL ERROR: Failed to find Frame Count pattern...[Hyper] [11:25:55] OMG IT'S FATAL ERROR: Failed to find Is Dlc Present pattern...
    Process:C:\Windows\System32\rundll32.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):159
    Entropy (8bit):4.977577455763364
    Encrypted:false
    SSDEEP:3:DAfXg49i21608FReg2eRvDaRAfXk4gQ1608FReWt9je5:D6Xgv2jU1RvDaR6XkdQjU/t05
    MD5:0E186C2511589A40B0A824EC821760C5
    SHA1:B1CA8D04CFB4EDEA814719464826E9DA699DE57D
    SHA-256:16B588B5DA25985847F4681D75303AFB3E5F8A016EC72DF12AD48622547A538D
    SHA-512:9040F479691017FADC6E7810640705353465B5899F90A3E6C71CFADAB5907CE6B22ED44E8103028F3E974A70B543D74C38A16B8CD74E759A9E555F5692110CF1
    Malicious:false
    Reputation:low
    Preview:[Hyper] [11:25:51] OMG IT'S FATAL ERROR: Failed to find Frame Count pattern...[Hyper] [11:25:55] OMG IT'S FATAL ERROR: Failed to find Is Dlc Present pattern...
    File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Entropy (8bit):6.417090481074733
    TrID:
    • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
    • Win64 Executable (generic) (12005/4) 10.17%
    • Generic Win/DOS Executable (2004/3) 1.70%
    • DOS Executable Generic (2002/1) 1.70%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
    File name:SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll
    File size:1'581'056 bytes
    MD5:27e1ba124dca078b7c11401f9467b1d8
    SHA1:5549c30cc5f36ef2ed3d796e6f16309e7f274c60
    SHA256:1862b29b4e7d6d936345b6dd89216cd677f82410761de7a192af822663ecdecf
    SHA512:d248baee1d69424a16867ef5c6cd5ed789399d3eaedf5b8094781861ae632427ed3bc377825c14d2328d243ab6ad30cc8dcfc5667f9e486a4fab5fe979ef93b1
    SSDEEP:49152:FiaDCMQwfG+mLpit5ckD0bF6eq+yNGNbbgWWkPAdU+To:FRDJW3bR
    TLSH:77755C1EB51241A4C46EE570997B9928F370B5549BF477CF92A4038D2EEBBD81AFE300
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................L...............?.......i.......i.......i.......i.......Rich...........
    Icon Hash:7ae282899bbab082
    Entrypoint:0x1800cd9d0
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x180000000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
    Time Stamp:0x65561244 [Thu Nov 16 12:59:48 2023 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:0
    File Version Major:6
    File Version Minor:0
    Subsystem Version Major:6
    Subsystem Version Minor:0
    Import Hash:8d907744ea3ec6418c39e9dd7b1b8f8c
    Instruction
    dec eax
    mov dword ptr [esp+08h], ebx
    dec eax
    mov dword ptr [esp+10h], esi
    push edi
    dec eax
    sub esp, 20h
    dec ecx
    mov edi, eax
    mov ebx, edx
    dec eax
    mov esi, ecx
    cmp edx, 01h
    jne 00007F51786CCFF7h
    call 00007F51786CD65Ch
    dec esp
    mov eax, edi
    mov edx, ebx
    dec eax
    mov ecx, esi
    dec eax
    mov ebx, dword ptr [esp+30h]
    dec eax
    mov esi, dword ptr [esp+38h]
    dec eax
    add esp, 20h
    pop edi
    jmp 00007F51786CCE84h
    int3
    int3
    int3
    dec eax
    sub esp, 28h
    call 00007F51786CC844h
    jmp 00007F51786CCFF4h
    xor eax, eax
    dec eax
    add esp, 28h
    ret
    int3
    int3
    dec eax
    sub esp, 28h
    dec ebp
    mov eax, dword ptr [ecx+38h]
    dec eax
    mov ecx, edx
    dec ecx
    mov edx, ecx
    call 00007F51786CD002h
    mov eax, 00000001h
    dec eax
    add esp, 28h
    ret
    int3
    int3
    int3
    inc eax
    push ebx
    inc ebp
    mov ebx, dword ptr [eax]
    dec eax
    mov ebx, edx
    inc ecx
    and ebx, FFFFFFF8h
    dec esp
    mov ecx, ecx
    inc ecx
    test byte ptr [eax], 00000004h
    dec esp
    mov edx, ecx
    je 00007F51786CD005h
    inc ecx
    mov eax, dword ptr [eax+08h]
    dec ebp
    arpl word ptr [eax+04h], dx
    neg eax
    dec esp
    add edx, ecx
    dec eax
    arpl ax, cx
    dec esp
    and edx, ecx
    dec ecx
    arpl bx, ax
    dec edx
    mov edx, dword ptr [eax+edx]
    dec eax
    mov eax, dword ptr [ebx+10h]
    mov ecx, dword ptr [eax+08h]
    dec eax
    mov eax, dword ptr [ebx+08h]
    test byte ptr [ecx+eax+03h], 0000000Fh
    je 00007F51786CCFFDh
    movzx eax, byte ptr [ecx+eax+03h]
    and eax, FFFFFFF0h
    dec esp
    add ecx, eax
    dec esp
    xor ecx, edx
    dec ecx
    Programming Language:
    • [IMP] VS2008 SP1 build 30729
    • [C++] VS2015 UPD3.1 build 24215
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12c804 | 0x1a4 | .rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1b9000 | 0x1e0 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1b2000 | 0x6684 | .pdata
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1ba000 | 0x56e4 | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x105370 | 0x70 | .rdata
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x105400 | 0x28 | .rdata
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x105230 | 0x140 | .rdata
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0xd5000 | 0x908 | .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0xd3d3b | 0xd3e00 | 716280265c566665da5d0d9b9b78a72f | False | 0.34765164085545724 | data | 6.346274780236436 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata | 0xd5000 | 0x5a208 | 0x5a400 | 4fc74272351d96fbe3072eee9b5b74e6 | False | 0.31576242209141275 | data | 4.884341444760375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data | 0x130000 | 0x81d30 | 0x47800 | 9d4c44dde80e52e3f64bc4d4bf502440 | False | 0.4962542340472028 | data | 6.574411250073421 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .pdata | 0x1b2000 | 0x6684 | 0x6800 | 98afb60e49557fb9cde88ad011f848cd | False | 0.4704777644230769 | data | 5.850295556751704 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .rsrc | 0x1b9000 | 0x1e0 | 0x200 | 5a4fc4b1b50ebdae228610dc4df968b2 | False | 0.533203125 | data | 4.724728911998389 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0x1ba000 | 0x56e4 | 0x5800 | 466ca5f6392ff9648334f3adc8b8b1b8 | False | 0.09401633522727272 | data | 5.4230288166515965 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_MANIFEST | 0x1b9060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
    DLL: Imports
    KERNEL32.dll: GetTickCount, GetModuleHandleA, IsThreadAFiber, ConvertThreadToFiber, SwitchToFiber, CreateFiber, VirtualQuery, DeleteFileA, FreeConsole, FreeLibraryAndExitThread, Sleep, AttachConsole, GetCurrentProcessId, SetConsoleTextAttribute, GetStdHandle, QueryPerformanceCounter, GetPrivateProfileStringA, HeapCreate, VirtualProtect, HeapFree, GetCurrentProcess, Thread32Next, Thread32First, GetCurrentThreadId, SuspendThread, ResumeThread, CreateToolhelp32Snapshot, GetLastError, GetModuleHandleW, CloseHandle, HeapAlloc, HeapDestroy, GetThreadContext, GetProcAddress, FlushInstructionCache, SetThreadContext, OpenThread, VirtualFree, VirtualAlloc, GetSystemInfo, GetModuleFileNameW, lstrlenW, MultiByteToWideChar, CreateFileW, ReadFile, WriteFile, PeekNamedPipe, WaitNamedPipeW, InitializeSListHead, GetSystemTimeAsFileTime, IsDebuggerPresent, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, SetConsoleTitleW, AllocConsole, SetConsoleOutputCP, SetConsoleCP, HeapReAlloc, CreateThread, RtlCaptureContext, CreateEventW, WaitForSingleObjectEx, ResetEvent, SetEvent, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, CreateDirectoryW, FindClose, FindFirstFileW, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, AreFileApisANSI, GetFileInformationByHandleEx, WideCharToMultiByte, LocalFree, FormatMessageA, GetLocaleInfoEx, EnterCriticalSection, LeaveCriticalSection
    USER32.dll: GetCursorPos, ShowCursor, MessageBoxA, CallWindowProcW, GetAsyncKeyState, GetKeyState, GetForegroundWindow, FindWindowW, SetWindowLongPtrW
    ADVAPI32.dll: RegQueryValueExW, RegOpenKeyExW, RegCreateKeyExW, RegCloseKey, RegSetValueExW
    SHELL32.dll: ShellExecuteW, SHGetFolderPathW
    WINMM.dll: timeGetTime
    urlmon.dll: URLDownloadToFileA
    MSVCP140.dll: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?uncaught_exception@std@@YA_NXZ, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z, ?_Syserror_map@std@@YAPEBDH@Z, ?_Winerror_map@std@@YAHH@Z, _Mtx_init_in_situ, _Mtx_lock, ?_Throw_C_error@std@@YAXH@Z, _Mtx_unlock, ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ??Bid@locale@std@@QEAA_KXZ, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?_Xout_of_range@std@@YAXPEBD@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, _Thrd_detach, ?_Throw_Cpp_error@std@@YAXH@Z, _Cnd_do_broadcast_at_thread_exit, ?overflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHH@Z, ?underflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?seekpos@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA?AV?$fpos@U_Mbstatet@@@2@V32@H@Z, ?seekoff@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA?AV?$fpos@U_Mbstatet@@@2@_JHH@Z, ?pbackfail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHH@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_J@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z, _Thrd_start, _Thrd_join, _Thrd_id, _Mtx_init, _Mtx_destroy, _Mtx_current_owns, _Cnd_init, _Cnd_destroy, _Cnd_init_in_situ, _Cnd_destroy_in_situ, _Cnd_wait, _Cnd_timedwait, _Cnd_broadcast, _Cnd_signal, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, _Xtime_get_ticks, _Query_perf_counter, _Thrd_sleep, _Mtx_destroy_in_situ, _Query_perf_frequency, _Thrd_yield, ?_Xlength_error@std@@YAXPEBD@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
    VCRUNTIME140_1.dll: __CxxFrameHandler4
    VCRUNTIME140.dll: memcpy, memset, memcmp, __CxxFrameHandler3, __std_type_info_destroy_list, memchr, memmove, _purecall, __current_exception, __current_exception_context, __std_terminate, __C_specific_handler, __std_exception_destroy, __std_exception_copy, _CxxThrowException
    api-ms-win-crt-runtime-l1-1-0.dll: _beginthreadex, _seh_filter_dll, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _execute_onexit_table, _crt_atexit, _invalid_parameter_noinfo_noreturn, _cexit, terminate, _initterm, _initterm_e
    api-ms-win-crt-heap-l1-1-0.dll: _callnewh, free, malloc
    api-ms-win-crt-stdio-l1-1-0.dll: fwrite, fgetpos, _fseeki64, fsetpos, __acrt_iob_func, __stdio_common_vfprintf, freopen_s, setvbuf, fflush, fclose, __stdio_common_vsprintf_s, fread, fgetc, ungetc, __stdio_common_vsprintf, fputc, _get_stream_buffer_pointers, __stdio_common_vswprintf, __stdio_common_vsnprintf_s
    api-ms-win-crt-utility-l1-1-0.dll: rand, srand
    api-ms-win-crt-time-l1-1-0.dll: _localtime64_s, _localtime64, _time64
    api-ms-win-crt-math-l1-1-0.dll: ceil, cosf, sin, sqrt, cos, ceilf, sinf, log2
    api-ms-win-crt-convert-l1-1-0.dll: atof, atoll, atoi, wcstombs, strtol
    api-ms-win-crt-string-l1-1-0.dll: strcpy_s, strcat_s, strcmp, strncpy, toupper, _strdup
    api-ms-win-crt-environment-l1-1-0.dll: getenv
    api-ms-win-crt-filesystem-l1-1-0.dll: _lock_file, _unlock_file
    api-ms-win-crt-locale-l1-1-0.dll: ___lc_codepage_func
    Language of compilation system: English; Country where language is spoken: United States
    No network behavior found


    Target ID:0
    Start time:11:25:51
    Start date:16/04/2024
    Path:C:\Windows\System32\loaddll64.exe
    Wow64 process (32bit):false
    Commandline:loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll"
    Imagebase:0x7ff65f580000
    File size:165'888 bytes
    MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:1
    Start time:11:25:51
    Start date:16/04/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:2
    Start time:11:25:51
    Start date:16/04/2024
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll",#1
    Imagebase:0x7ff7bc690000
    File size:289'792 bytes
    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:3
    Start time:11:25:51
    Start date:16/04/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.70591578.24974.31588.dll",#1
    Imagebase:0x7ff728a40000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:5
    Start time:11:25:51
    Start date:16/04/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    No disassembly