Windows Analysis Report
svcmsi_32.dll.dll

Overview

General Information

Sample name: svcmsi_32.dll.dll
(renamed file extension from exe to dll)
Original sample name: svcmsi_32.dll.exe
Analysis ID: 1446224
MD5: a297976b28412278a000392bc670cc16
SHA1: 7b9bcde6a509566214169056190330a7b7ea4598
SHA256: 2e0871af9cc539acb513e8afc795c2dab01febd688f2754c6a551485184070dc
Tags: apt, Duqu2, exe, HUN

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Creates a process in suspended mode (likely to inject code)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Yara signature match

Classification

AV Detection

Source: svcmsi_32.dll.dll Avira: detected
Source: svcmsi_32.dll.dll ReversingLabs: Detection: 84%
Source: svcmsi_32.dll.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

System Summary

Source: svcmsi_32.dll.dll, type: SAMPLE Matched rule: Detects malware - Duqu2 (cross-matches with IronTiger malware and Derusbi) Author: Florian Roth
Source: svcmsi_32.dll.dll, type: SAMPLE Matched rule: Rule to detect Duqu 2.0 samples Author: unknown
Source: svcmsi_32.dll.dll, type: SAMPLE Matched rule: Kaspersky APT Report - Duqu2 Sample - Malicious MSI Author: Florian Roth
Source: svcmsi_32.dll.dll Binary or memory string: OriginalFilename svcmsi_32.dll vs svcmsi_32.dll.dll (expected here: the submitter renamed the file, see General Information)
Source: svcmsi_32.dll.dll, type: SAMPLE Matched rule: Duqu2_Sample1 date = 2016-07-02, hash4 = 5559fcc93eef38a1c22db66a3e0f9e9f026c99e741cc8b1a4980d166f2696188, hash3 = 2796a119171328e91648a73d95eb297edc220e8768f4bbba5fb7237122a988fc, hash2 = 8e97c371633d285cd8fc842f4582705052a9409149ee67d97de545030787a192, author = Florian Roth, description = Detects malware - Duqu2 (cross-matches with IronTiger malware and Derusbi), score = 6b146e3a59025d7085127b552494e8aaf76450a19c249bfed0b4c09f328e564f, reference = https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: svcmsi_32.dll.dll, type: SAMPLE Matched rule: apt_duqu2_loaders copyright = Kaspersky Lab, description = Rule to detect Duqu 2.0 samples, version = 1.0, last_modified = 2015-06-09
Source: svcmsi_32.dll.dll, type: SAMPLE Matched rule: APT_Kaspersky_Duqu2_procexp date = 2015-06-10, hash3 = 288ebfe21a71f83b5575dfcc92242579fb13910d, hash2 = b120620b5d82b05fee2c2153ceaf305807fa9f79, hash1 = 2422835716066b6bcecb045ddd4f1fbc9486667a, author = Florian Roth, description = Kaspersky APT Report - Duqu2 Sample - Malicious MSI, reference = https://goo.gl/7yKyOj
Source: classification engine Classification label: mal64.winDLL@10/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3968:120:WilError_03
Source: svcmsi_32.dll.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\svcmsi_32.dll.dll,StartAction
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",StartAction
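The process tree above is the analysis system's DLL loader harness at work: loaddll64.exe, cmd.exe and the three rundll32.exe instances are how the sandbox exercises a submitted DLL's exports (here StartAction by name and export #1 by ordinal), not processes the sample chose to spawn. The same command lines are nevertheless what a defender sees when a DLL really is launched through rundll32 from a user-writable directory, so the following Python is an added example, not part of this report, of detection logic run over process-creation events. The records are constructed Sysmon-style Event ID 1 entries mirroring the command lines above plus one benign Control Panel baseline; the field names (Image, ParentImage, CommandLine) and the list of user-writable path markers are assumptions for this example.

```python
"""Flag rundll32.exe invocations that load a DLL from a user-writable location."""
import re
from pathlib import PureWindowsPath

# Matches 'rundll32.exe <dll>,<export>' with or without quotes around the DLL path.
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\S+)', re.IGNORECASE)

# Directory markers a standard user can write to. Assumed list for this example;
# extend it for the environment being monitored.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\", "\\temp\\")

# Constructed Sysmon-style (Event ID 1) records mirroring the report's command lines,
# plus one benign Control Panel invocation as a baseline. Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\loaddll64.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\Desktop\svcmsi_32.dll.dll,StartAction"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",#1'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\loaddll64.exe",
     "CommandLine": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",#1'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def parse_rundll32(cmdline: str):
    """Return (dll_path, export) from a rundll32 command line, or None if absent."""
    m = RUNDLL32_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def assess(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means no finding."""
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return []  # only rundll32 itself is judged; cmd.exe wrappers are seen via their child
    parsed = parse_rundll32(event["CommandLine"])
    if parsed is None:
        # rundll32 with no DLL,export argument does nothing useful by itself and is a
        # common host for injected code, so it is worth a (weak) finding.
        return ["rundll32 started without a DLL,export argument"]
    dll, export = parsed
    path = PureWindowsPath(dll)
    reasons = []
    if any(marker in dll.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append(f"DLL loaded from user-writable path: {dll}")
    if export.startswith("#") and export[1:].isdigit():
        reasons.append(f"export called by ordinal: {export}")
    suffixes = [s.lower() for s in path.suffixes]
    if len(suffixes) >= 2 and suffixes[-2] in {".dll", ".exe"}:
        reasons.append(f"double extension on DLL name: {path.name}")
    return reasons


def scan(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Return (parent, command line, reasons) for every event that raised a finding."""
    return [(e["ParentImage"], e["CommandLine"], r) for e in events if (r := assess(e))]


if __name__ == "__main__":
    for parent, cmdline, reasons in scan(SAMPLE_EVENTS):
        print(f"{parent} -> {cmdline}")
        for reason in reasons:
            print(f"    {reason}")
```

Run as-is it reports the two rundll32 lines that point at the Desktop copy and stays quiet on the shell32.dll baseline; the ordinal form (#1) gets an extra reason because calling an unnamed export is rare in legitimate rundll32 use. In production the parent-process context matters as well: loaddll64.exe as parent identifies a sandbox run, while cmd.exe, a browser or an Office binary as parent is the combination worth alerting on.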
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: msi.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll
Source: svcmsi_32.dll.dll Static PE information: Image base 0x180000000 > 0x60000000
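The static PE lines in this report (HIGH_ENTROPY_VA, DYNAMIC_BASE and NX_COMPAT in DllCharacteristics, the 0x180000000 image base, and the .text section flags) can be reproduced without the sandbox by reading the headers directly. The following Python is an added example, not part of this report or of any vendor's tooling; it walks the DOS, COFF and optional headers and the section table with the standard library only. Since the sample itself cannot be embedded here, build_sample_dll() constructs a minimal PE32+ DLL header with the values the report lists as a stand-in; pass a real file path on the command line to check an actual binary.

```python
"""Static PE header checks: DllCharacteristics, image base, section characteristics."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h (subset relevant to mitigation triage)
DLLCHAR_FLAGS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}
# IMAGE_SCN_* section characteristics from winnt.h (subset)
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
IMAGE_FILE_DLL = 0x2000


def _flag_names(value: int, table: dict) -> list[str]:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    """Parse the headers of a PE32/PE32+ image and return the fields used for triage."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:      # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:    # PE32: BaseOfData precedes a DWORD ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both layouts
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        entry = table + 40 * i
        (name,) = struct.unpack_from("<8s", data, entry)
        flags = struct.unpack_from("<I", data, entry + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), _flag_names(flags, SECTION_FLAGS)))
    return {
        "pe32plus": magic == 0x20B,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "image_base": image_base,
        "dll_characteristics": _flag_names(dllchar, DLLCHAR_FLAGS),
        "sections": sections,
    }


def static_findings(info: dict) -> list[str]:
    """Render report-style lines from parsed header data, plus two mitigation checks."""
    findings = ["Static PE information: " + ", ".join(info["dll_characteristics"] or ["(no DllCharacteristics set)"])]
    if info["pe32plus"] and info["image_base"] > 0x60000000:
        findings.append(f"Static PE information: Image base 0x{info['image_base']:x} > 0x60000000")
    for name, flags in info["sections"]:
        findings.append(f"Static PE information: Section: {name} " + ", ".join(flags))
        if {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_WRITE"} <= set(flags):
            findings.append(f"Section {name} is both writable and executable")
    missing = [f for f in ("DYNAMIC_BASE", "NX_COMPAT") if f not in info["dll_characteristics"]]
    if missing:
        findings.append("Mitigations not opted in: " + ", ".join(missing))
    return findings


def build_sample_dll() -> bytes:
    """Constructed stand-in (not the real sample): a minimal PE32+ DLL header with
    ImageBase 0x180000000, HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT and one .text section."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew
    opt = bytearray(240)                                  # standard PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)                 # Magic: PE32+
    struct.pack_into("<Q", opt, 24, 0x180000000)          # ImageBase
    struct.pack_into("<H", opt, 70, 0x0020 | 0x0040 | 0x0100)  # DllCharacteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), IMAGE_FILE_DLL | 0x0022)
    text = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dll()
    for line in static_findings(parse_pe(blob)):
        print(line)
```

One caveat when reading these lines: 0x180000000 is the default image base the MSVC linker assigns to 64-bit DLLs, so the "Image base > 0x60000000" line on its own carries no signal. The DllCharacteristics flags are the more useful part of the static summary, since a sample that opts into ASLR and DEP was built with an ordinary toolchain rather than hand-packed, which is consistent with the loader role the matched Duqu 2.0 rules describe.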
Source: C:\Windows\System32\rundll32.exe (all three instances) Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe TID: 1596 Thread sleep time: -120000s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
No contacted IP infos