Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll |
Virustotal: Detection: 28% |
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll |
Joe Sandbox ML: detected |
Source: 1.2.loaddll32.exe.10000000.3.unpack |
Avira: Label: TR/Crypt.XPACK.Gen8 |
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: Yara match |
File source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.2600000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.loaddll32.exe.d90000.2.raw.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_10002375 NtQueryVirtualMemory, |
1_2_10002375 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_10002154 |
1_2_10002154 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 |
3_2_023D5F16 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5A25 |
3_2_023D5A25 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D1B1E |
3_2_023D1B1E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D3A14 |
3_2_023D3A14 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D150C |
3_2_023D150C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5378 |
3_2_023D5378 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D2A69 |
3_2_023D2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D1967 |
3_2_023D1967 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D2566 |
3_2_023D2566 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5262 |
3_2_023D5262 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D88BA |
3_2_023D88BA |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D31B3 |
3_2_023D31B3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D92B2 |
3_2_023D92B2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D2FAF |
3_2_023D2FAF |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D3FAB |
3_2_023D3FAB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D43D8 |
3_2_023D43D8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D27D4 |
3_2_023D27D4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D1CD0 |
3_2_023D1CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D13C5 |
3_2_023D13C5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03045F16 |
4_2_03045F16 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_0304150C |
4_2_0304150C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03043A14 |
4_2_03043A14 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03041B1E |
4_2_03041B1E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03045A25 |
4_2_03045A25 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03042566 |
4_2_03042566 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03041967 |
4_2_03041967 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03045262 |
4_2_03045262 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03042A69 |
4_2_03042A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03045378 |
4_2_03045378 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03042FAF |
4_2_03042FAF |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03043FAB |
4_2_03043FAB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030492B2 |
4_2_030492B2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030431B3 |
4_2_030431B3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030488BA |
4_2_030488BA |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030413C5 |
4_2_030413C5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030427D4 |
4_2_030427D4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03041CD0 |
4_2_03041CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030443D8 |
4_2_030443D8 |
Source: classification engine |
Classification label: mal60.troj.winDLL@7/0@0/0 |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll' |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1 |
|
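The same three launches are listed several times above because each one trips more than one signature. The script below is an added example and not part of the Joe Sandbox report or of the sample: it rebuilds the process tree from the "Process created" entries and triages each rundll32 launch for the things a responder cares about here: the DLL lives under the user's Desktop, it is entered once by ordinal (#1) and once by the named export DllServer, and one of the two launches goes through a cmd.exe /C hop. EVENTS is transcribed from the entries above; the heuristics (user-writable path, cmd hop) are ours. Note that loaddll32.exe at the root is the sandbox's own DLL loader harness, not something the sample spawned.

```python
"""Added example, not part of the Joe Sandbox report: rebuild the process
tree from the 'Process created' entries and triage each rundll32 launch.
EVENTS is transcribed from those entries; the checks are ours."""
import ntpath
import re
from collections import defaultdict

# (parent image, child image, child command line), copied from the report.
EVENTS = [
    ("unknown", r"C:\Windows\System32\loaddll32.exe",
     r"loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll'"),
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1"),
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1"),
]

# rundll32 syntax: rundll32.exe <dll>,<export name | #ordinal> [args]
# The report renders double quotes as single quotes, so both are tolerated.
RUNDLL32_RE = re.compile(r"rundll32\.exe\s+'?(?P<dll>[^',]+)'?,(?P<entry>\S+)")


def parse_rundll32(cmdline):
    """Split a rundll32 command line into DLL path and entry point, or None."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    entry = m["entry"]
    return {
        "dll": m["dll"],
        "entry": entry,
        "ordinal": int(entry[1:]) if entry.startswith("#") else None,
    }


def triage(events):
    """Flag rundll32 launches: where the DLL lives and how rundll32 was reached."""
    findings = []
    for parent, child, cmdline in events:
        if ntpath.basename(child).lower() != "rundll32.exe":
            continue
        info = parse_rundll32(cmdline)
        if info is None:
            continue
        info["parent"] = ntpath.basename(parent)
        info["via_cmd"] = info["parent"].lower() == "cmd.exe"
        # Heuristic (ours): %USERPROFILE% subtrees are user-writable; a DLL
        # handed to rundll32 from there deserves a look, system DLLs do not live there.
        info["user_writable_dll"] = info["dll"].lower().startswith("c:\\users\\")
        findings.append(info)
    return findings


def render_tree(events, root="unknown"):
    """Indent each child's command line under its parent, starting at root."""
    children = defaultdict(list)
    for parent, child, cmdline in events:
        children[parent].append((child, cmdline))
    lines = []

    def walk(node, depth):
        for child, cmdline in children.get(node, []):
            lines.append("  " * depth + cmdline)
            walk(child, depth + 1)

    walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(EVENTS))
    for f in triage(EVENTS):
        print(f"{f['parent']} -> rundll32 {f['dll']} entry={f['entry']} "
              f"ordinal={f['ordinal']} user_writable={f['user_writable_dll']}")
```

Running it prints the four-line tree (loaddll32.exe, under it cmd.exe and the DllServer launch, under cmd.exe the ordinal #1 launch) and two findings, both with the DLL under C:\Users. The same parse_rundll32/triage pair works on Sysmon event 1 or EDR process-start records, where the parent image and command line are available as fields.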
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_10001745 LoadLibraryA,GetProcAddress, |
1_2_10001745 |
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll |
Static PE information: section name: .code |
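The static facts above (32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, and a section called .code rather than .text) all sit in the COFF file header and the section table, and are cheap to verify on a copy of the file without a sandbox. The code below is an added example, not the report's tooling and not pefile: it reads those two structures with struct, names the Characteristics bits, and lists section names that are not among the ones the usual Microsoft and GNU toolchains emit. The STANDARD_SECTIONS list is a curated assumption, and the PE image it is exercised on is a constructed header-only image, not the analysed DLL.

```python
"""Added example: check the static PE facts reported above (Characteristics
bits and a non-standard section name such as '.code') straight from the
COFF header, without pefile. build_minimal_pe() constructs a header-only
image for the demonstration; it is not the analysed sample."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits and the i386 machine id (winnt.h)
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_I386 = 0x014C

CHARACTERISTIC_NAMES = {
    IMAGE_FILE_EXECUTABLE_IMAGE: "EXECUTABLE_IMAGE",
    IMAGE_FILE_32BIT_MACHINE: "32BIT_MACHINE",
    IMAGE_FILE_DLL: "DLL",
}

# Section names the MSVC and MinGW toolchains emit by default (curated list,
# an assumption of this example); anything else merits a closer look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT"}


def parse_pe(image: bytes) -> dict:
    """Return machine, named Characteristics bits and section names of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", image, coff)
    sect_off = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        # each IMAGE_SECTION_HEADER is 40 bytes and starts with an 8-byte name
        raw = struct.unpack_from("8s", image, sect_off + 40 * i)[0]
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": machine,
        "characteristics": [n for bit, n in CHARACTERISTIC_NAMES.items() if chars & bit],
        "sections": sections,
        "nonstandard_sections": [s for s in sections if s not in STANDARD_SECTIONS],
    }


def build_minimal_pe(section_names, characteristics=0x2102) -> bytes:
    """Construct a header-only PE32 image (no code, no data) to exercise parse_pe.
    0x2102 = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL, matching the report."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    opt = bytes(224)                          # zeroed PE32 optional header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(section_names),
                       0, 0, 0, len(opt), characteristics)
    secs = b"".join(struct.pack("<8s32x", n.encode()) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + secs


if __name__ == "__main__":
    info = parse_pe(build_minimal_pe([".code", ".rdata", ".data"]))
    print(info)
```

On a real file, read it with open(path, "rb") and hand the bytes to parse_pe; the section-name check is a triage signal only, since packers and some linkers rename sections for benign reasons, so treat a hit as a reason to look, not as a verdict.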
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_10002143 push ecx; ret |
1_2_10002153 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_100020F0 push ecx; ret |
1_2_100020F9 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx |
3_2_023D5F7B |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
3_2_023D5F94 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
3_2_023D5FDD |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
3_2_023D604B |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
3_2_023D6124 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi |
3_2_023D614F |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edx |
3_2_023D625E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
3_2_023D62B5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
3_2_023D6343 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
3_2_023D635D |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], ebp |
3_2_023D6368 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
3_2_023D6385 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edx |
3_2_023D63B4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
3_2_023D6483 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
3_2_023D64F2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
3_2_023D64FE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
3_2_023D650A |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi |
3_2_023D6567 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi |
3_2_023D65A9 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], eax |
3_2_023D6610 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
3_2_023D6685 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx |
3_2_023D66C2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
3_2_023D66E8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi |
3_2_023D6781 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edx |
3_2_023D67B6 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
3_2_023D684C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
3_2_023D6858 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], edx |
3_2_023D6926 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
3_2_023D6945 |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX (reported 2 times) |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX (reported 10 times) |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll32.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe |
Thread delayed: delay time: 120000 |
Source: C:\Windows\System32\loaddll32.exe |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_023D2A69 xor edi, dword ptr fs:[00000030h] |
3_2_023D2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03042A69 xor edi, dword ptr fs:[00000030h] |
4_2_03042A69 |
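Two of the instruction patterns quoted in the "Code function" entries deserve a plain reading. The long run of "push dword ptr [ebp-XXh]; mov dword ptr [esp], reg" and "push 00000000h; mov dword ptr [esp], reg" pairs in 3_2_023D5F16 is a single obfuscated "push reg": the push reserves the slot and the mov immediately overwrites it, so the pushed operand is dead and only serves to defeat pattern matching. "push ecx; ret" in 1_2_10002143 and 1_2_100020F0 is a "jmp ecx" spelled through the return address. "xor edi, dword ptr fs:[00000030h]" in 3_2_023D2A69 and 4_2_03042A69 reads TEB.ProcessEnvironmentBlock, the 32-bit PEB pointer, which is the base for BeingDebugged and NtGlobalFlag checks and for walking PEB.Ldr to resolve APIs without an import table (consistent with the LoadLibraryA,GetProcAddress entry). The script below is an added example, not part of the report or the sample: it parses "Code function" lines in the report's own format, rewrites each sequence to its plain equivalent, and counts the patterns per function id. REPORT_LINES is transcribed from the entries above; the rewrite rules and category names are ours.

```python
"""Added example, not from the report: parse 'Code function' entries, rewrite
the quoted instruction sequences to their plain equivalent and count the
patterns per function id. REPORT_LINES is transcribed from the report."""
import re
from collections import Counter, defaultdict

REPORT_LINES = [
    "Code function: 1_2_10002143 push ecx; ret |",
    "Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx |",
    "Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |",
    "Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi |",
    "Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], ebp |",
    "Code function: 3_2_023D2A69 xor edi, dword ptr fs:[00000030h] |",
    "Code function: 1_2_10001745 LoadLibraryA,GetProcAddress, |",
]

# "Code function: <pid>_<stage>_<addr> <instructions or API list> |"
ENTRY_RE = re.compile(r"Code function: (?P<func>\S+)(?: (?P<text>.*))?$")
# push <anything>; mov [esp], reg  ==  push reg : the pushed value is dead
PUSH_OVERWRITE_RE = re.compile(r"^push .+?; mov dword ptr \[esp\], (?P<reg>e[a-z]{2})$")
# push reg; ret  ==  jmp reg : ret pops the register value into EIP
PUSH_RET_RE = re.compile(r"^push (?P<reg>e[a-z]{2}); ret$")
# fs:[0x30] is TEB.ProcessEnvironmentBlock in a 32-bit process
PEB_RE = re.compile(r"fs:\[0*30h\]")


def parse_entry(line):
    """Return (function id, instruction text) for one report line, or None."""
    line = line.strip().rstrip("|").strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    return m["func"], (m["text"] or "")


def simplify(disasm):
    """Return the semantically equivalent plain instruction (flags are untouched
    by push/mov/ret, so the rewrite is exact)."""
    m = PUSH_OVERWRITE_RE.match(disasm)
    if m:
        return f"push {m['reg']}"
    m = PUSH_RET_RE.match(disasm)
    if m:
        return f"jmp {m['reg']}"
    return disasm


def classify(disasm):
    """Name the pattern a sequence belongs to, or None if it is unremarkable."""
    if PUSH_OVERWRITE_RE.match(disasm):
        return "obfuscated_push"
    if PUSH_RET_RE.match(disasm):
        return "register_return"
    if PEB_RE.search(disasm):
        return "peb_access"
    if "GetProcAddress" in disasm:
        return "dynamic_import"
    return None


def summarize(lines):
    """Count pattern hits per function id, e.g. {'3_2_023D5F16': {'obfuscated_push': 4}}."""
    counts = defaultdict(Counter)
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        func, text = entry
        kind = classify(text)
        if kind:
            counts[func][kind] += 1
    return {f: dict(c) for f, c in counts.items()}


if __name__ == "__main__":
    for line in REPORT_LINES:
        func, text = parse_entry(line)
        print(f"{func}: {text!r:60} -> {simplify(text)!r}  [{classify(text)}]")
    print(summarize(REPORT_LINES))
```

A function with dozens of obfuscated pushes and no ordinary ones, as 3_2_023D5F16 shows above, is a stronger indicator than any single pattern hit; the per-function counts are what to sort on when a report lists hundreds of such entries.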
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp |
Binary or memory string: uProgram Manager |
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_1000163F SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
1_2_1000163F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, |
1_2_10001850 |