Source: 62724e14c3203.dll | Virustotal: Detection: 29%
Source: 62724e14c3203.dll | ReversingLabs: Detection: 28%
Source: 62724e14c3203.dll | Joe Sandbox ML: detected
Source: 62724e14c3203.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 62724e14c3203.dll | String found in binary or memory: http://pki-crl.symauth.com/ca_d409a5cb737dc0768fd08ed5256f3633/LatestCRL.crl07
Source: 62724e14c3203.dll | String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: 62724e14c3203.dll | String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Yara match | File source: 62724e14c3203.dll, type: SAMPLE
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: 62724e14c3203.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\62724e14c3203.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\62724e14c3203.dll
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\62724e14c3203.dll,DllRegisterServer
Source: classification engine | Classification label: mal72.troj.evad.winDLL@9/0@0/0
Source: 62724e14c3203.dll | Static file information: File size 3735060 bytes > 1048576
Source: 62724e14c3203.dll | Static PE information: Raw size of .themida (0x384000) is bigger than 0x100000
Source: 62724e14c3203.dll | Static PE information: stored header checksum 0x39f49d should be 0x394d2c
Source: 62724e14c3203.dll | Static PE information: section name: .exports
Source: 62724e14c3203.dll | Static PE information: section name: .imports
Source: 62724e14c3203.dll | Static PE information: section name: .themida
Source: 62724e14c3203.dll | Static PE information: section name: .taggant
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
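The static rows above (the .themida and .taggant sections, an entry point that lands in .taggant rather than .text, a raw section larger than 1 MiB, and a header checksum that does not match the file) are the usual fingerprint of a Themida/WinLicense-protected image. The following Python is an added example, not part of the report or of any Joe Sandbox tooling: it reimplements those four checks over a PE image read from memory, including the PE checksum algorithm (the one CheckSumMappedFile uses). The packer section-name list is an assumption of mine, and the input is a constructed minimal PE32 DLL, not the sample from this report.

```python
import struct

# Section names tied to Themida/WinLicense (the two seen in the report above) plus
# VMProtect and UPX; an assumed starter list, extend to taste.
PACKER_SECTIONS = {".themida", ".taggant", ".winlice", ".vmp0", ".vmp1", "upx0", "upx1"}
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000


def parse_pe(data):
    """Read the header fields the checks need (works for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size, chars = struct.unpack_from("<HH", data, pe_off + 20)
    opt = pe_off + 24                                      # optional header
    entry = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    stored = struct.unpack_from("<I", data, opt + 64)[0]   # CheckSum
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": rsize})
    return {"characteristics": chars, "entry": entry, "stored_checksum": stored,
            "checksum_offset": opt + 64, "sections": sections}


def pe_checksum(data, checksum_offset):
    """CheckSumMappedFile algorithm: sum 32-bit words with end-around carry, skipping
    the CheckSum field itself, fold to 16 bits and add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_offset - checksum_offset % 4
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def analyze(data, big_section=0x100000):
    """The sandbox's static checks: packer section names, entry-point section,
    oversized raw sections and header checksum consistency."""
    pe = parse_pe(data)
    findings, ep_sec = [], None
    for s in pe["sections"]:
        if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["raw_size"]):
            ep_sec = s["name"]
        if s["name"].lower() in PACKER_SECTIONS:
            findings.append(f"packer section {s['name']}")
        if s["raw_size"] > big_section:
            findings.append(f"raw size of {s['name']} 0x{s['raw_size']:x} > 0x{big_section:x}")
    if ep_sec is None:
        findings.append("entry point outside every section")
    elif ep_sec != ".text":
        findings.append(f"entry point in {ep_sec}")
    computed = pe_checksum(data, pe["checksum_offset"])
    # A zero CheckSum means the linker never set one (normal for unsigned user-mode
    # binaries); only a non-zero value that disagrees with the computed one is a finding.
    checksum_ok = None if pe["stored_checksum"] == 0 else computed == pe["stored_checksum"]
    if checksum_ok is False:
        findings.append(f"checksum 0x{pe['stored_checksum']:x} should be 0x{computed:x}")
    return {"is_dll": bool(pe["characteristics"] & IMAGE_FILE_DLL),
            "sections": [s["name"] for s in pe["sections"]], "entry_section": ep_sec,
            "stored_checksum": pe["stored_checksum"], "computed_checksum": computed,
            "checksum_ok": checksum_ok, "findings": findings}


def build_sample_pe(sections, entry_rva, stored_checksum):
    """Constructed input, not the sample: a minimal PE32 DLL with the given
    (name, rva, raw_size) sections, entry point RVA and CheckSum field."""
    hdr_size = 0x400
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0,
                       0x0002 | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                     # PE32 magic
    struct.pack_into("<IIII", opt, 16, entry_rva, 0x1000, 0x1000, 0x10000000)  # entry, code, data, base
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                           # section/file alignment
    struct.pack_into("<III", opt, 56, 0x4000, hdr_size, stored_checksum)      # image size, headers, CheckSum
    struct.pack_into("<I", opt, 92, 16)                                       # NumberOfRvaAndSizes
    shdrs, body, raw_ptr = b"", b"", hdr_size
    for name, rva, raw_size in sections:
        shdrs += struct.pack("<8sIIIIIIHHI", name.encode(), raw_size, rva, raw_size,
                             raw_ptr, 0, 0, 0, 0, 0x60000020)                 # code|exec|read
        body += b"\xCC" * raw_size
        raw_ptr += raw_size
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + shdrs).ljust(hdr_size, b"\0")
    return headers + body


if __name__ == "__main__":
    sample = build_sample_pe([(".text", 0x1000, 0x200), (".themida", 0x2000, 0x400),
                              (".taggant", 0x3000, 0x200)], 0x3010, 0xDEADBEEF)
    for finding in analyze(sample, big_section=0x300)["findings"]:
        print(finding)
```

Run against a real file with `analyze(open(path, "rb").read())`; the default `big_section` is the 0x100000 threshold the report applies. Note that the checksum test is only meaningful when the header value is non-zero: most unsigned user-mode binaries ship with CheckSum zero, and a packer that rewrites sections without re-running the checksum is what produces the "should be" mismatch seen above.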
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (10 occurrences)
Source: C:\Windows\System32\loaddll32.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\loaddll32.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Windows\SysWOW64\regsvr32.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (2 occurrences)
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4944 | Thread sleep time: -1773297476s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe | System information queried: ModuleInformation
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe | Open window title or class name: regmonclass
Source: C:\Windows\SysWOW64\rundll32.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Windows\SysWOW64\rundll32.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Windows\SysWOW64\rundll32.exe | Open window title or class name: procmon_window_class
Source: C:\Windows\SysWOW64\rundll32.exe | Open window title or class name: filemonclass
Source: C:\Windows\SysWOW64\rundll32.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com