Windows Analysis Report
SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll
Analysis ID: 1290370
MD5: 0f849bc43ffe1bb5f29aac19f11f6740
SHA1: 2bb74d7772c4b7cae2571e5751914e267b482002
SHA256: 65eb8d11d173cc5c330a2a87f602e2140c1a73b7cda6eb8c46b88ed2ff093860
Tags: dll

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file name differs from the original file name gathered from version info
Sample execution stops while process was sleeping (likely an evasion)
PE / OLE file has an invalid certificate
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Classification

Classification legend: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll String found in binary or memory: http://ocsp.digicert.com0N
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll String found in binary or memory: https://sectigo.com/CPS0
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll String found in binary or memory: https://www.digicert.com/CPS0
Source: loaddll32.exe, 00000000.00000002.623194107.00000000005FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Binary or memory string: OriginalFilenameAspose.Words.dllL vs SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static PE information: invalid certificate
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll,InitUI
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll",InitUI
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_01
Source: classification engine Classification label: clean4.winDLL@10/0@0/0
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static file information: File size 1268400 > 1048576
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static PE information: Raw size of .text is bigger than: 0x100000 < 0x106a00
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Win32.Malgent.MSR.9890.26444.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 1298
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
No contacted IP information