Source: svcmsi_32.dll.dll |
Avira: detected |
Source: svcmsi_32.dll.dll |
ReversingLabs: Detection: 84% |
Source: svcmsi_32.dll.dll |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Source: svcmsi_32.dll.dll, type: SAMPLE |
Matched rule: Detects malware - Duqu2 (cross-matches with IronTiger malware and Derusbi) Author: Florian Roth |
Source: svcmsi_32.dll.dll, type: SAMPLE |
Matched rule: Rule to detect Duqu 2.0 samples Author: unknown |
Source: svcmsi_32.dll.dll, type: SAMPLE |
Matched rule: Kaspersky APT Report - Duqu2 Sample - Malicious MSI Author: Florian Roth |
Source: svcmsi_32.dll.dll |
Binary or memory string: OriginalFilenamesvcmsi_32.dllB vs svcmsi_32.dll.dll |
Source: svcmsi_32.dll.dll, type: SAMPLE |
Matched rule: Duqu2_Sample1 date = 2016-07-02, hash4 = 5559fcc93eef38a1c22db66a3e0f9e9f026c99e741cc8b1a4980d166f2696188, hash3 = 2796a119171328e91648a73d95eb297edc220e8768f4bbba5fb7237122a988fc, hash2 = 8e97c371633d285cd8fc842f4582705052a9409149ee67d97de545030787a192, author = Florian Roth, description = Detects malware - Duqu2 (cross-matches with IronTiger malware and Derusbi), score = 6b146e3a59025d7085127b552494e8aaf76450a19c249bfed0b4c09f328e564f, reference = https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: svcmsi_32.dll.dll, type: SAMPLE |
Matched rule: apt_duqu2_loaders copyright = Kaspersky Lab, description = Rule to detect Duqu 2.0 samples, version = 1.0, last_modified = 2015-06-09 |
Source: svcmsi_32.dll.dll, type: SAMPLE |
Matched rule: APT_Kaspersky_Duqu2_procexp date = 2015-06-10, hash3 = 288ebfe21a71f83b5575dfcc92242579fb13910d, hash2 = b120620b5d82b05fee2c2153ceaf305807fa9f79, hash1 = 2422835716066b6bcecb045ddd4f1fbc9486667a, author = Florian Roth, description = Kaspersky APT Report - Duqu2 Sample - Malicious MSI, reference = https://goo.gl/7yKyOj |
Source: classification engine |
Classification label: mal64.winDLL@10/0@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3968:120:WilError_03 |
Source: svcmsi_32.dll.dll |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll64.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll" |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",#1 |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\svcmsi_32.dll.dll,StartAction |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",#1 |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",StartAction |
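The process tree above is the pattern a detection engineer would key on: rundll32.exe loading a DLL from a user-writable path and calling a named export (StartAction) or an ordinal (#1), once via cmd.exe /C. The following is an added example, not part of this report or of the sample, that parses report rows in the same "Source / Process created" layout and scores each rundll32 launch. The log excerpt is constructed: its first four rows mirror the tree above, the fifth is a benign shell32.dll launch added for contrast. Note that loaddll64.exe is the sandbox's own DLL loader, so a production rule should key on the rundll32 command line and DLL location rather than on that parent.

```python
import re

# Constructed report excerpt in the page's two-line "Source / Process created"
# layout. Rows 1-4 mirror the process tree; row 5 is a constructed benign launch.
SAMPLE_LOG = r"""
Source: unknown |
Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll" |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",#1 |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\svcmsi_32.dll.dll,StartAction |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",#1 |
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL |
"""

# First token must be rundll32.exe (bare, quoted, or with a path prefix);
# the remainder is "<dll>,<entry> [args]".
RUNDLL_RE = re.compile(r'^\s*"?[^"\s]*rundll32\.exe"?\s*(.*)$', re.I)
DLL_RE = re.compile(r'^"([^"]+)"|^([^\s,]+)')

# Directories a rundll32 target is normally loaded from (assumed list).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_rundll32(cmdline):
    """Split a rundll32 command line into (dll_path, entry, args).
    Returns None when cmdline does not start with rundll32.exe."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    d = DLL_RE.match(rest)
    if not d:
        return None
    dll = d.group(1) or d.group(2)
    rest = rest[d.end():].lstrip()
    entry = None
    if rest.startswith(","):
        # entry point follows the comma: an export name or "#<ordinal>"
        entry, _, rest = rest[1:].lstrip().partition(" ")
    return dll, entry, rest.strip()


def assess(parent, dll, entry):
    """Return the reasons a rundll32 launch deserves attention ([] if none)."""
    dll_l = dll.lower()
    reasons = []
    if not dll_l.startswith(SYSTEM_DIRS):
        reasons.append("dll_outside_system_dirs")
    if "\\users\\" in dll_l:
        reasons.append("dll_in_user_profile")
    if entry and entry.startswith("#"):
        reasons.append("export_by_ordinal")
    if parent and parent.rsplit("\\", 1)[-1].lower() == "cmd.exe":
        reasons.append("spawned_via_cmd")
    return reasons


def scan_report(text):
    """Walk report rows, pairing each 'Source:' line with the following
    'Process created:' line, and evaluate every rundll32.exe child."""
    parent, results = None, []
    for line in text.splitlines():
        line = line.strip().rstrip("|").strip()
        if line.startswith("Source:"):
            parent = line[len("Source:"):].strip()
        elif line.startswith("Process created:"):
            image, _, cmdline = line[len("Process created:"):].strip().partition(" ")
            if image.rsplit("\\", 1)[-1].lower() != "rundll32.exe":
                continue
            parsed = parse_rundll32(cmdline)
            if parsed is None:
                continue
            dll, entry, _args = parsed
            results.append({"parent": parent, "dll": dll, "entry": entry,
                            "reasons": assess(parent, dll, entry)})
    return results


if __name__ == "__main__":
    for r in scan_report(SAMPLE_LOG):
        verdict = "ALERT" if r["reasons"] else "ok"
        print("%-5s %s -> %s,%s %s" % (verdict, r["parent"], r["dll"], r["entry"], r["reasons"]))
```

The two launches of svcmsi_32.dll.dll are flagged (path under \Users\, and in the cmd.exe case an ordinal export), while the shell32.dll row scores nothing; the assumed SYSTEM_DIRS allow-list is the knob to tune for an environment that legitimately runs rundll32 against vendor DLLs elsewhere.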
|
Source: C:\Windows\System32\loaddll64.exe |
Section loaded: apphelp.dll |
Source: C:\Windows\System32\loaddll64.exe |
Section loaded: msi.dll |
Source: C:\Windows\System32\loaddll64.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\System32\loaddll64.exe |
Section loaded: wldp.dll |
Source: C:\Windows\System32\loaddll64.exe |
Section loaded: kernel.appcore.dll |
Source: svcmsi_32.dll.dll |
Static PE information: Image base 0x180000000 > 0x60000000 |
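The static PE facts this report lists (DllCharacteristics HIGH_ENTROPY_VA, DYNAMIC_BASE and NX_COMPAT, a .text section marked CODE/EXECUTE/READ, and the 0x180000000 image base) can be re-derived from the raw headers without a PE library. The following is an added example, not part of this report or of the sample, using only the standard library; the header offsets and flag values come from winnt.h. build_sample_pe() emits a constructed, code-less PE32+ DLL header with the same properties so the parser runs offline; pass a real file path on the command line to inspect that instead.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# IMAGE_SECTION_HEADER.Characteristics bits of interest
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def inspect_pe(data):
    """Parse DOS, file, optional and section headers of a PE image and return
    the facts a sandbox reports as 'Static PE information'."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = pe_off + 4                                           # IMAGE_FILE_HEADER
    machine, nsections, _ts, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                             # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]

    sections, sec = [], opt + opt_size                        # 40-byte section headers
    for _ in range(nsections):
        name = data[sec:sec + 8].rstrip(b"\0").decode("ascii", "replace")
        sec_chars = struct.unpack_from("<I", data, sec + 36)[0]
        sections.append((name, _flag_names(sec_chars, SECTION_FLAGS)))
        sec += 40

    return {
        "machine": machine,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "dll_characteristics": _flag_names(dll_chars, DLL_CHARACTERISTICS),
        "sections": sections,
    }


def build_sample_pe():
    """Constructed minimal PE32+ DLL header (no code, imports or data) carrying
    the same static properties this report lists. Not the real sample."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0, 240,
                           IMAGE_FILE_DLL | 0x0022)   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<Q", opt, 24, 0x180000000)                # ImageBase
    struct.pack_into("<H", opt, 70, 0x0020 | 0x0040 | 0x0100)   # HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT
    text = bytearray(40)
    text[:5] = b".text"
    struct.pack_into("<I", text, 36, 0x20 | 0x20000000 | 0x40000000)  # CODE|EXECUTE|READ
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + bytes(text)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = inspect_pe(blob)
    print("machine=0x%04x dll=%s pe32+=%s image_base=0x%x" % (
        info["machine"], info["is_dll"], info["pe32plus"], info["image_base"]))
    print("DllCharacteristics:", ", ".join(info["dll_characteristics"]))
    for name, flags in info["sections"]:
        print("section %-8s %s" % (name, ", ".join(flags)))
```

A caveat when reading these rows: HIGH_ENTROPY_VA, DYNAMIC_BASE and NX_COMPAT are what a current 64-bit linker sets by default, and 0x180000000 is the default preferred base for x64 DLLs, so these entries describe the toolchain, not malicious behaviour; the YARA matches and the 120 s delay are the findings that carry weight here.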
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll64.exe TID: 1596 |
Thread sleep time: -120000s >= -30000s |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\loaddll64.exe |
Thread delayed: delay time: 120000 |