Windows Analysis Report
Scan.dll

Overview

General Information

Sample Name: Scan.dll
Analysis ID: 612084
MD5: 997e64e4d24d881dd5905f7271976fff
SHA1: fd2aadd2aa4089f4cb471b28fc9a17bf13eda4e3
SHA256: 2f09f817d6663b7ca96959e0ef136751099f53047535a99b4eb0cd6347a422d5

Detection

Score: 25
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Sigma detected: Suspicious Call by Ordinal
Uses 32bit PE files
Sample file is different than original file name gathered from version info
One or more processes crash
Tries to load missing DLLs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Registers a DLL
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Source: Scan.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: Scan.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: scan.pdb source: rundll32.exe, 00000007.00000000.372133858.000000006DFE8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll
Source: rundll32.exe, 00000007.00000000.372301661.000000006E05B000.00000002.00000001.01000000.00000003.sdmp, Scan.dll String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: Scan.dll String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: rundll32.exe, 00000007.00000000.372133858.000000006DFE8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll String found in binary or memory: http://www.aiim.org/pdfa/ns/id/partconformanceAIDS_LearnMoreScan_EventGTS_PDFA1sRGBIEC
Source: rundll32.exe, 00000007.00000000.372301661.000000006E05B000.00000002.00000001.01000000.00000003.sdmp, Scan.dll String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: rundll32.exe, 00000007.00000000.372301661.000000006E05B000.00000002.00000001.01000000.00000003.sdmp, Scan.dll String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: rundll32.exe, 00000007.00000000.372133858.000000006DFE8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll String found in binary or memory: http://www.color.org
Source: rundll32.exe, 00000007.00000000.372133858.000000006DFE8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll String found in binary or memory: http://www.color.orgOutputIntentsSOutputConditionOutputConditionIdentifierRegistryNameFilterNDestOut
Source: Scan.dll Binary or memory string: OriginalFilenameScan.apiD vs Scan.dll
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 680
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: Scan.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Scan.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Scan.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Scan.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Scan.dll,DllUnregisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Scan.dll,PlugInMain
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6136
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6047.tmp
Source: classification engine Classification label: sus25.winDLL@14/4@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6DF96D00 CoCreateInstance,StringFromGUID2,WideCharToMultiByte,strcpy_s,strcat_s,strcat_s,strcat_s,RegOpenKeyExA,RegQueryInfoKeyA,RegCloseKey,strcpy_s,strcat_s,strcat_s,strcat_s,RegOpenKeyExA,RegCloseKey,RegCloseKey,RegQueryInfoKeyA,RegCloseKey,RegCloseKey,RegCloseKey,free,free, 7_2_6DF96D00
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Scan.dll Static file information: File size 1282659 > 1048576
Source: Scan.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Scan.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Scan.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Scan.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Scan.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Scan.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Scan.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Scan.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Scan.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Scan.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Scan.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.9 %
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6DFE1CA2 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_6DFE1CA2
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6DFE145D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_6DFE145D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6DF4AA67 cpuid 7_2_6DF4AA67
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6DFE1E2B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 7_2_6DFE1E2B
No contacted IP infos