Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

Overview

General Information

Sample name:SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll
Analysis ID:1458489
MD5:156301b141411e5cfc6c06d34b6dca9d
SHA1:3802929d012253b84f6825e4a4bdc3729366df5b
SHA256:7e96bbce4a287218078120ec71b4964b6ed6b2727a052bbe2dc038c8be2baffd
Tags:dll
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

  • System is w10x64
  • loaddll32.exe (PID: 3180 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2656 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 3748 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3712 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__swprintf_l MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3568 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__vswprintf_l MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2616 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,_fprintf_l MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllReversingLabs: Detection: 37%
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\perfecthook\ArcticTech\Release\ArcticTech.pdb source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllString found in binary or memory: http://scripts.sil.org/OFLMulishMediumWeightItalicRoman
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllString found in binary or memory: https://github.com/googlefonts/mulish)Mulish
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllBinary or memory string: ...Slnt
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllBinary or memory string: ...Slntcaught (...) exception
Source: classification engineClassification label: mal48.winDLL@12/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3220:120:WilError_03
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__swprintf_l
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllReversingLabs: Detection: 37%
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll"
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__swprintf_l
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__vswprintf_l
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,_fprintf_l
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__swprintf_lJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__vswprintf_lJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,_fprintf_lJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: d3dx9_43.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: More than 176 > 100 exports found
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic file information: File size 6404096 > 1048576
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x4e3c00
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\perfecthook\ArcticTech\Release\ArcticTech.pdb source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPortJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1Jump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading
11
Process Injection
1
Virtualization/Sandbox Evasion
OS Credential Dumping1
Security Software Discovery
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading
1
Rundll32
LSASS Memory1
Virtualization/Sandbox Evasion
Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection
Security Account Manager1
System Information Discovery
SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading
NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1458489 Sample: SecuriteInfo.com.Variant.Te... Startdate: 17/06/2024 Architecture: WINDOWS Score: 48 19 Multi AV Scanner detection for submitted file 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 rundll32.exe 7->13         started        15 2 other processes 7->15 process5 17 rundll32.exe 9->17         started       

This section contains all screenshots as thumbnails, including those not shown in the slideshow.