Windows Analysis Report
Scan.api

Overview

General Information

Sample Name: Scan.api (renamed file extension from api to dll)
Analysis ID: 612084
MD5: 997e64e4d24d881dd5905f7271976fff
SHA1: fd2aadd2aa4089f4cb471b28fc9a17bf13eda4e3
SHA256: 2f09f817d6663b7ca96959e0ef136751099f53047535a99b4eb0cd6347a422d5

Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Sigma detected: Suspicious Call by Ordinal
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
One or more processes crash
Tries to load missing DLLs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Source: Scan.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: Scan.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: scan.pdb source: rundll32.exe, 00000006.00000000.253410662.000000006DEC8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll
Source: rundll32.exe, 00000006.00000000.254410933.000000006DF3B000.00000002.00000001.01000000.00000003.sdmp, Scan.dll String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: Scan.dll String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: rundll32.exe, 00000006.00000000.253410662.000000006DEC8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll String found in binary or memory: http://www.aiim.org/pdfa/ns/id/partconformanceAIDS_LearnMoreScan_EventGTS_PDFA1sRGBIEC
Source: rundll32.exe, 00000006.00000000.254410933.000000006DF3B000.00000002.00000001.01000000.00000003.sdmp, Scan.dll String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: rundll32.exe, 00000006.00000000.254410933.000000006DF3B000.00000002.00000001.01000000.00000003.sdmp, Scan.dll String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: rundll32.exe, rundll32.exe, 00000006.00000000.253410662.000000006DEC8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll String found in binary or memory: http://www.color.org
Source: rundll32.exe, 00000006.00000000.253410662.000000006DEC8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll String found in binary or memory: http://www.color.orgOutputIntentsSOutputConditionOutputConditionIdentifierRegistryNameFilterNDestOut
Source: loaddll32.exe, 00000000.00000002.258546917.000000000101B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Scan.dll Binary or memory string: OriginalFilenameScan.apiD vs Scan.dll
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6384 -s 680
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: Scan.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Scan.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Scan.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Scan.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Scan.dll,DllUnregisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Scan.dll,PlugInMain
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6384
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6B2.tmp
Source: classification engine Classification label: sus26.winDLL@14/4@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DE76D00 CoCreateInstance,StringFromGUID2,WideCharToMultiByte,strcpy_s,strcat_s,strcat_s,strcat_s,RegOpenKeyExA,RegQueryInfoKeyA,RegCloseKey,strcpy_s,strcat_s,strcat_s,strcat_s,RegOpenKeyExA,RegCloseKey,RegCloseKey,RegQueryInfoKeyA,RegCloseKey,RegCloseKey,RegCloseKey,free,free, 6_2_6DE76D00
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Scan.dll Static file information: File size 1282659 > 1048576
Source: Scan.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Scan.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Scan.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Scan.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Scan.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Scan.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Scan.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Scan.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Scan.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Scan.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Scan.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.9 %
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DEC1CA2 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6DEC1CA2
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DEC145D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6DEC145D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DE2AA67 cpuid 6_2_6DE2AA67
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DEC1E2B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_6DEC1E2B
No contacted IP infos