Windows Analysis Report
derp.bin.dll

Overview

General Information

Sample name: derp.bin.dll
(renamed file extension from exe to dll)
Original sample name: derp.bin.exe
Analysis ID: 1428416
MD5: bb81a76867cdeb0ea988acd8b4253394
SHA1: 26ae6a9e1f80f5f9a0f205c2e58fa15b53570481
SHA256: 16bc219a61e07e9ef91370950515a857290c0770ac2b3354a902f65824894316
Tags: DLLexe

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB278050 BCryptGenRandom,GetCurrentProcessId,BCryptGenRandom,CreateNamedPipeW,GetLastError,BCryptGenRandom,CloseHandle,BCryptGenRandom, 0_2_00007FFDFB278050
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB278050 BCryptGenRandom,GetCurrentProcessId,BCryptGenRandom,CreateNamedPipeW,GetLastError,BCryptGenRandom,CloseHandle,BCryptGenRandom, 3_2_00007FFDFB278050
Source: derp.bin.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB276720 CloseHandle,FindFirstFileW,FindClose, 0_2_00007FFDFB276720
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB297508 FindFirstFileExW, 0_2_00007FFDFB297508
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB276720 CloseHandle,FindFirstFileW,FindClose, 3_2_00007FFDFB276720
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB297508 FindFirstFileExW, 3_2_00007FFDFB297508

Networking

Source: C:\Windows\System32\rundll32.exe Network Connect: 193.32.176.22 8080
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 193.32.176.22:8080
Source: unknown TCP traffic detected without corresponding DNS query: 193.32.176.22
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB26F1C0 recv,WSAGetLastError, 0_2_00007FFDFB26F1C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB2771E0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError, 0_2_00007FFDFB2771E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB277080 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 0_2_00007FFDFB277080
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB2771E0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError, 3_2_00007FFDFB2771E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB277080 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 3_2_00007FFDFB277080
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB279A90 0_2_00007FFDFB279A90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB28EAA0 0_2_00007FFDFB28EAA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB278050 0_2_00007FFDFB278050
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB28AEB0 0_2_00007FFDFB28AEB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB29DDA8 0_2_00007FFDFB29DDA8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB288D10 0_2_00007FFDFB288D10
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB284D00 0_2_00007FFDFB284D00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB266410 0_2_00007FFDFB266410
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB26E350 0_2_00007FFDFB26E350
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB27E340 0_2_00007FFDFB27E340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB28B330 0_2_00007FFDFB28B330
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB28F080 0_2_00007FFDFB28F080
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB281120 0_2_00007FFDFB281120
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB28C120 0_2_00007FFDFB28C120
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB282790 0_2_00007FFDFB282790
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB2837F0 0_2_00007FFDFB2837F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB27E840 0_2_00007FFDFB27E840
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB28B710 0_2_00007FFDFB28B710
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB297508 0_2_00007FFDFB297508
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB279A90 3_2_00007FFDFB279A90
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB28EAA0 3_2_00007FFDFB28EAA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB278050 3_2_00007FFDFB278050
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB28AEB0 3_2_00007FFDFB28AEB0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB29DDA8 3_2_00007FFDFB29DDA8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB288D10 3_2_00007FFDFB288D10
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB284D00 3_2_00007FFDFB284D00
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB266410 3_2_00007FFDFB266410
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB26E350 3_2_00007FFDFB26E350
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB27E340 3_2_00007FFDFB27E340
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB28B330 3_2_00007FFDFB28B330
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB28F080 3_2_00007FFDFB28F080
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB281120 3_2_00007FFDFB281120
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB28C120 3_2_00007FFDFB28C120
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB282790 3_2_00007FFDFB282790
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB2837F0 3_2_00007FFDFB2837F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB27E840 3_2_00007FFDFB27E840
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB28B710 3_2_00007FFDFB28B710
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB297508 3_2_00007FFDFB297508
Source: C:\Windows\System32\loaddll64.exe Code function: String function: 00007FFDFB265B00 appears 46 times
Source: C:\Windows\System32\loaddll64.exe Code function: String function: 00007FFDFB28E1D0 appears 69 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFDFB265B00 appears 46 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFDFB28E1D0 appears 69 times
Source: classification engine Classification label: mal48.evad.winDLL@14/0@0/1
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB277430 GetModuleHandleW,FormatMessageW,GetLastError, 0_2_00007FFDFB277430
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
Source: derp.bin.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\derp.bin.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\derp.bin.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\derp.bin.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\derp.bin.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\derp.bin.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\derp.bin.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\derp.bin.dll,DllUnregisterServer
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mswsock.dll
Source: derp.bin.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: derp.bin.dll Static file information: File size 1728000 > 1048576
Source: derp.bin.dll Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x14ae00
Source: derp.bin.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: derp.bin.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: derp.bin.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: derp.bin.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: derp.bin.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: derp.bin.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB2823E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,ReleaseMutex, 0_2_00007FFDFB2823E0
Source: derp.bin.dll Static PE information: section name: _RDATA
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe API coverage: 5.5 %
Source: C:\Windows\System32\regsvr32.exe API coverage: 5.1 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: rundll32.exe, 00000007.00000002.4111414355.000001C671F5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhh~
Source: rundll32.exe, 00000004.00000002.4111443209.0000016F59EE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllYYA
Source: rundll32.exe, 00000005.00000002.4111539610.0000016BD67C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: regsvr32.exe, 00000003.00000002.4111420370.0000000000537000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: loaddll64.exe, 00000000.00000002.4111425524.000001C7B1198000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@@
Source: rundll32.exe, 00000006.00000002.4111361993.000001D2A4BE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll__
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB296ACC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FFDFB296ACC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB2823E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,ReleaseMutex, 0_2_00007FFDFB2823E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB299058 GetProcessHeap, 0_2_00007FFDFB299058
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB29E32C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FFDFB29E32C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB291494 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FFDFB291494
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB296ACC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FFDFB296ACC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB29E32C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FFDFB29E32C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFDFB291494 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FFDFB291494

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB29DBF0 cpuid 0_2_00007FFDFB29DBF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB29106C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FFDFB29106C