Windows Analysis Report
SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

Overview

General Information

Sample name: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll
Analysis ID: 1458489
MD5: 156301b141411e5cfc6c06d34b6dca9d
SHA1: 3802929d012253b84f6825e4a4bdc3729366df5b
SHA256: 7e96bbce4a287218078120ec71b4964b6ed6b2727a052bbe2dc038c8be2baffd
Tags: dll
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll ReversingLabs: Detection: 37%
Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\perfecthook\ArcticTech\Release\ArcticTech.pdb source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll String found in binary or memory: http://scripts.sil.org/OFLMulishMediumWeightItalicRoman
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll String found in binary or memory: https://github.com/googlefonts/mulish)Mulish
Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Binary or memory string: ...Slnt
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Binary or memory string: ...Slntcaught (...) exception
Source: classification engine Classification label: mal48.winDLL@12/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3220:120:WilError_03
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__swprintf_l
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll ReversingLabs: Detection: 37%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__swprintf_l
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__vswprintf_l
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,_fprintf_l
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__swprintf_l Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__vswprintf_l Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,_fprintf_l Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: d3dx9_43.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: More than 176 > 100 exports found
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static file information: File size 6404096 > 1048576
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4e3c00
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\perfecthook\ArcticTech\Release\ArcticTech.pdb source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1 Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1458489 Sample: SecuriteInfo.com.Variant.Te... Startdate: 17/06/2024 Architecture: WINDOWS Score: 48 19 Multi AV Scanner detection for submitted file 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 rundll32.exe 7->13         started        15 2 other processes 7->15 process5 17 rundll32.exe 9->17         started       
No contacted IP infos

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
fp2e7a.wpc.phicdn.net 192.229.221.95 true