Windows Analysis Report SAWHipN3nS.dll

Overview

General Information

Sample Name: SAWHipN3nS.dll
Analysis ID: 490253
MD5: 1ff17ce907ce2d98867ec9c78998518e
SHA1: 91818954ba50a5c63b73461af867a8c68958e20e
SHA256: 2dca3e9494cc2b34e8e1d53d1c9b78830ef35cda9473c5a0b8d84ef9bf4ea330
Tags: dll, Squirrelwaffle

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Regsvr32 Command Line Without DLL
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Registers a DLL
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: SAWHipN3nS.dll ReversingLabs: Detection: 51%
Machine Learning detection for sample
Source: SAWHipN3nS.dll Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\Desktop\SAWHipN3nS.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: SAWHipN3nS.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: winspool.pdbxW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.375176370.00000000007F5000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbTW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbQ source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.375740594.00000000007EF000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.572693362.00000000030BD000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: regsvr32.pdbk source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.375280310.00000000007FB000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbG source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbe source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: regsvr32.pdb source: WerFault.exe, 0000000D.00000003.375158454.00000000007EA000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdbI source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source: Binary string: regsvr32.pdb( source: WerFault.exe, 0000000D.00000003.375158454.00000000007EA000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbZW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: amstream.pdb source: explorer.exe, 00000004.00000003.360596035.0000000004491000.00000004.00000001.sdmp, explorer.exe, 00000005.00000003.360628617.00000000043E1000.00000004.00000001.sdmp, regsvr32.exe, 0000000A.00000000.370275460.0000000010001000.00000020.00020000.sdmp, regsvr32.exe, 0000001F.00000002.583080769.0000000010001000.00000020.00020000.sdmp, SAWHipN3nS.dll.5.dr
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb] source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbo source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbK source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: amstream.pdbGCTL source: explorer.exe, 00000004.00000003.360596035.0000000004491000.00000004.00000001.sdmp, explorer.exe, 00000005.00000003.360628617.00000000043E1000.00000004.00000001.sdmp, regsvr32.exe, 0000000A.00000000.370275460.0000000010001000.00000020.00020000.sdmp, regsvr32.exe, 0000001F.00000002.583080769.0000000010001000.00000020.00020000.sdmp, SAWHipN3nS.dll.5.dr
Source: Binary string: powrprof.pdb<W source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdbrW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb~W source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source: Binary string: combase.pdb[ source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb`W source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.375189057.00000000007FB000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.566824953.00000000030C9000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbNW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000021.00000003.566808703.00000000030C3000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbBW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.393309522.0000000000432000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000002.584600011.0000000002D52000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdbHW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source: Binary string: mpr.pdbp source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1000AE9A FindFirstFileW,FindNextFileW, 1_2_1000AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000AE9A FindFirstFileW,FindNextFileW, 3_2_1000AE9A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_026EAE9A FindFirstFileW,FindNextFileW, 4_2_026EAE9A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_026EAE9A FindFirstFileW,FindNextFileW, 5_2_026EAE9A

System Summary:

Uses 32bit PE files
Source: SAWHipN3nS.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 644
Creates files inside the system directory
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\DBG
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_025E19A1 1_2_025E19A1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10016EC0 1_2_10016EC0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10012351 1_2_10012351
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10011763 1_2_10011763
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1001538F 1_2_1001538F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10014FD0 1_2_10014FD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_045A19A1 3_2_045A19A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10016EC0 3_2_10016EC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10012351 3_2_10012351
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10011763 3_2_10011763
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001538F 3_2_1001538F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10014FD0 3_2_10014FD0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_026F6EC0 4_2_026F6EC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_026F1763 4_2_026F1763
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_026F2351 4_2_026F2351
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_026F4FD0 4_2_026F4FD0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_026F538F 4_2_026F538F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_026F6EC0 5_2_026F6EC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_026F1763 5_2_026F1763
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_026F2351 5_2_026F2351
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_026F4FD0 5_2_026F4FD0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_026F538F 5_2_026F538F
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1000C6CB NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 1_2_1000C6CB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1000CB82 memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary, 1_2_1000CB82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000C6CB NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 3_2_1000C6CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000CB82 memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary, 3_2_1000CB82
PE file does not import any functions
Source: SAWHipN3nS.dll.5.dr Static PE information: No import functions for PE file found
Source: SAWHipN3nS.dll.4.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: SAWHipN3nS.dll.5.dr Binary or memory string: OriginalFilenameAMStream.dllj% vs SAWHipN3nS.dll
Tries to load missing DLLs
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: SAWHipN3nS.dll ReversingLabs: Detection: 51%
Source: SAWHipN3nS.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn yyhcsfwg /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\SAWHipN3nS.dll\'' /SC ONCE /Z /ST 10:15 /ET 10:27
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 644
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 652
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn yyhcsfwg /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\SAWHipN3nS.dll\'' /SC ONCE /Z /ST 10:15 /ET 10:27
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Pavbnst
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE23.tmp
Source: classification engine Classification label: mal92.evad.winDLL@20/10@0/0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1000D52E CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 1_2_1000D52E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1000AB89 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle, 1_2_1000AB89
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll',#1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess6896
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess6324
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{07AEAA9B-1A91-47DC-972F-5BF5DFBCBD50}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{A5687C0D-CE45-44A3-9FC0-6E0686595B4B}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{07AEAA9B-1A91-47DC-972F-5BF5DFBCBD50}
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: Binary string: bcrypt.pdbrW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb~W source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source: Binary string: combase.pdb[ source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb`W source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.375189057.00000000007FB000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.566824953.00000000030C9000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbNW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000021.00000003.566808703.00000000030C3000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbBW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source: Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.393309522.0000000000432000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000002.584600011.0000000002D52000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdbHW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source: Binary string: mpr.pdbp source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_025E44AB push edi; mov dword ptr [esp], 00000003h 1_2_025E44FE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_025E44AB push edx; mov dword ptr [esp], 00F00000h 1_2_025E4507
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_025E19A1 push 00000000h; mov dword ptr [esp], eax 1_2_025E1C63
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_025E19A1 push 00000000h; mov dword ptr [esp], edx 1_2_025E1C89
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_025E19A1 push 00000000h; mov dword ptr [esp], ecx 1_2_025E1D27
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_025E19A1 push ebp; mov dword ptr [esp], 000FFFFFh 1_2_025E1EE2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1001A006 push ebx; ret 1_2_1001A007
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1001D485 push FFFFFF8Ah; iretd 1_2_1001D50E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1001D4B6 push FFFFFF8Ah; iretd 1_2_1001D50E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10019D54 push cs; iretd 1_2_10019E2A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10019E56 push cs; iretd 1_2_10019E2A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1001BB21 push esi; iretd 1_2_1001BB26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_045A44AB push edi; mov dword ptr [esp], 00000003h 3_2_045A44FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_045A44AB push edx; mov dword ptr [esp], 00F00000h 3_2_045A4507
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_045A19A1 push 00000000h; mov dword ptr [esp], eax 3_2_045A1C63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_045A19A1 push 00000000h; mov dword ptr [esp], edx 3_2_045A1C89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_045A19A1 push 00000000h; mov dword ptr [esp], ecx 3_2_045A1D27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_045A19A1 push ebp; mov dword ptr [esp], 000FFFFFh 3_2_045A1EE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001A006 push ebx; ret 3_2_1001A007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001D485 push FFFFFF8Ah; iretd 3_2_1001D50E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001D4B6 push FFFFFF8Ah; iretd 3_2_1001D50E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10019D54 push cs; iretd 3_2_10019E2A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10019E56 push cs; iretd 3_2_10019E2A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001BB21 push esi; iretd 3_2_1001BB26
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_026F9E56 push cs; iretd 4_2_026F9E2A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_026FBB21 push esi; iretd 4_2_026FBB26
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_026FA006 push ebx; ret 4_2_026FA007
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_026FD4B6 push FFFFFF8Ah; iretd 4_2_026FD50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_026FD485 push FFFFFF8Ah; iretd 4_2_026FD50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_026F9D54 push cs; iretd 4_2_026F9E2A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_026F9E56 push cs; iretd 5_2_026F9E2A
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1000DFB8 LoadLibraryA,GetProcAddress, 1_2_1000DFB8
Registers a DLL
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Desktop\SAWHipN3nS.dll

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn yyhcsfwg /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\SAWHipN3nS.dll\'' /SC ONCE /Z /ST 10:15 /ET 10:27

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6732 base: 12F380 value: E9 4F 69 5B 02
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6752 base: 12F380 value: E9 4F 69 5B 02
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\explorer.exe TID: 6736 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6756 Thread sleep count: 67 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1000D02A GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,GetLastError,GetLastError,GetSystemMetrics,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 1_2_1000D02A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1000AE9A FindFirstFileW,FindNextFileW, 1_2_1000AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000AE9A FindFirstFileW,FindNextFileW, 3_2_1000AE9A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_026EAE9A FindFirstFileW,FindNextFileW, 4_2_026EAE9A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_026EAE9A FindFirstFileW,FindNextFileW, 5_2_026EAE9A

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1000DFB8 LoadLibraryA,GetProcAddress, 1_2_1000DFB8
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_026E5A49 RtlAddVectoredExceptionHandler, 4_2_026E5A49

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2710000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 12F380
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2710000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6732 base: 26D0000 value: B8
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6732 base: 25FB2D8 value: 00
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6732 base: 25FC1E8 value: 00
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6732 base: 2710000 value: 9C
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6732 base: 12F380 value: E9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6752 base: 2710000 value: 9C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6752 base: 12F380 value: E9
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: explorer.exe, 00000004.00000002.616005670.0000000002FA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.616005670.0000000002FA0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.616005670.0000000002FA0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000004.00000002.616005670.0000000002FA0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_026E31C2 CreateNamedPipeA, 4_2_026E31C2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_100097F2 GetSystemTimeAsFileTime, 1_2_100097F2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1000D02A GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,GetLastError,GetLastError,GetSystemMetrics,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 1_2_1000D02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_026EE2D1 LookupAccountNameW,Sleep, 4_2_026EE2D1
No contacted IP infos