Windows Analysis Report
Qe73sKzGgb.dll

Overview

General Information

Sample name: Qe73sKzGgb.dll
(file extension renamed from exe to dll; renamed because the original name is a hash value)
Original sample name: 17561b8a9ca5b29c23d27dd75f9d5aea43bc77625f1203a015e3d17ee33a6a61.exe
Analysis ID: 1522596
MD5: 91d4990ea1a6cf19d40cc96f32202b63
SHA1: 6a03998802559f88b5236c8372d3683f081227bb
SHA256: 17561b8a9ca5b29c23d27dd75f9d5aea43bc77625f1203a015e3d17ee33a6a61
Tags: exe, RavinAcademy, user-JAMESWT_MHT

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Maps a DLL or memory area into another process
Uses known network protocols on non-standard ports
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: Qe73sKzGgb.dll ReversingLabs: Detection: 34%
Source: Qe73sKzGgb.dll Virustotal: Detection: 45%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.4% probability
Source: Qe73sKzGgb.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\NEO\Desktop\RavinAcademy\RedTeam-01\10\HTTPMalware\Persist\x64\Release\DLL.pdb source: Qe73sKzGgb.dll
Source: Binary string: C:\Users\NEO\Desktop\RavinAcademy\RedTeam-01\10\HTTPMalware\HTTPMalw\HTTPMalw\obj\Release\HTTPMalw.pdb source: sihost.exe, 00000004.00000002.3330089530.0000024EB5ED0000.00000004.10000000.00040000.00000000.sdmp, sihost.exe, 00000004.00000000.2092725357.0000024EB5E50000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB64E6000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB6421000.00000004.00000001.00020000.00000000.sdmp

Networking

Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 81
Source: global traffic HTTP traffic detected:
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
Host: 192.168.1.140:81
Content-Length: 133
Expect: 100-continue
Connection: Keep-Alive
Source: C:\Windows\System32\sihost.exe Code function: 4_2_00007FF849230C9F recv, 4_2_00007FF849230C9F
Source: unknown HTTP traffic detected:
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
Host: 192.168.1.140:81
Content-Length: 133
Expect: 100-continue
Connection: Keep-Alive
Source: sihost.exe, 00000004.00000002.3331065779.0000024EB6421000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB657A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://192.168.1.140:81
Source: sihost.exe, 00000004.00000002.3331065779.0000024EB657A000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3330504947.0000024EB62C3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://192.168.1.140:81/
Source: sihost.exe, 00000004.00000002.3330504947.0000024EB62C3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://192.168.1.140:81/-
Source: sihost.exe, 00000004.00000002.3330504947.0000024EB62C3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://192.168.1.140:81/:
Source: sihost.exe, 00000004.00000002.3331065779.0000024EB65D0000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB65B5000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB64C7000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB659C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://192.168.1.140:81/X
Source: sihost.exe, 00000004.00000002.3331065779.0000024EB65D0000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB65B5000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB65EC000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB659C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://192.168.1.140:81pV
Source: sihost.exe, 00000004.00000002.3331065779.0000024EB64C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Source: Qe73sKzGgb.dll, type: SAMPLE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: Qe73sKzGgb.dll, type: SAMPLE Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000003.00000002.2139912895.000001BDF7DF0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000003.00000002.2139912895.000001BDF7DF0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000004.00000000.2092567006.0000024EB5E20000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000000.2092567006.0000024EB5E20000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000004.00000002.3329850570.0000024EB5E10000.00000020.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.3329850570.0000024EB5E10000.00000020.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000004.00000002.3329877059.0000024EB5E20000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.3329877059.0000024EB5E20000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000000.00000002.2098220710.000001FA21A10000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2098220710.000001FA21A10000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: C:\Windows\System32\sihost.exe Code function: 4_2_00007FF848FF1332 NtQuerySystemInformation, 4_2_00007FF848FF1332
Source: C:\Windows\System32\sihost.exe Code function: 4_2_00007FF848FF2FE6 NtQuerySystemInformation, 4_2_00007FF848FF2FE6
Source: Qe73sKzGgb.dll, type: SAMPLE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: Qe73sKzGgb.dll, type: SAMPLE Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000003.00000002.2139912895.000001BDF7DF0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000003.00000002.2139912895.000001BDF7DF0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000004.00000000.2092567006.0000024EB5E20000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000000.2092567006.0000024EB5E20000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000004.00000002.3329850570.0000024EB5E10000.00000020.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.3329850570.0000024EB5E10000.00000020.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000004.00000002.3329877059.0000024EB5E20000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.3329877059.0000024EB5E20000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000000.00000002.2098220710.000001FA21A10000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2098220710.000001FA21A10000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: Qe73sKzGgb.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal76.troj.evad.winDLL@6/0@0/1
Source: C:\Windows\System32\sihost.exe Code function: 4_2_00007FF848FF24B8 AdjustTokenPrivileges, 4_2_00007FF848FF24B8
Source: C:\Windows\System32\sihost.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:576:120:WilError_03
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Qe73sKzGgb.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\Qe73sKzGgb.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Qe73sKzGgb.dll",#1
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\sihost.exe Section loaded: wininet.dll
Source: C:\Windows\System32\sihost.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\sihost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\sihost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\sihost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\sihost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\sihost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\sihost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\sihost.exe Section loaded: secur32.dll
Source: C:\Windows\System32\sihost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\sihost.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\sihost.exe Section loaded: rasman.dll
Source: C:\Windows\System32\sihost.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\sihost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\sihost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\sihost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\sihost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\sihost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\sihost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\sihost.exe Section loaded: version.dll
Source: C:\Windows\System32\sihost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Qe73sKzGgb.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: Qe73sKzGgb.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Qe73sKzGgb.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Qe73sKzGgb.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Qe73sKzGgb.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Qe73sKzGgb.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Qe73sKzGgb.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Qe73sKzGgb.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Qe73sKzGgb.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Qe73sKzGgb.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Qe73sKzGgb.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Qe73sKzGgb.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\sihost.exe Code function: 4_2_00007FF848FF72F0 push ebx; retf 4_2_00007FF848FF73DA
Source: C:\Windows\System32\sihost.exe Code function: 4_2_00007FF848FF5458 push ebx; retf 4_2_00007FF848FF73DA
Source: C:\Windows\System32\sihost.exe Code function: 4_2_00007FF848FF7300 push ebx; retf 4_2_00007FF848FF73DA
Source: C:\Windows\System32\sihost.exe Code function: 4_2_00007FF848FF72F8 push ebx; retf 4_2_00007FF848FF73DA
Source: C:\Windows\System32\sihost.exe Code function: 4_2_00007FF848FF7338 push ebx; retf 4_2_00007FF848FF73DA
Source: C:\Windows\System32\sihost.exe Code function: 4_2_00007FF8490025A0 push FFFFFFE8h; ret 4_2_00007FF8490026F9
Source: C:\Windows\System32\sihost.exe Code function: 4_2_00007FF8490025A8 push FFFFFFE8h; ret 4_2_00007FF8490026F9
Source: C:\Windows\System32\sihost.exe Code function: 4_2_00007FF8490025D0 push FFFFFFE8h; ret 4_2_00007FF8490026F9
Source: C:\Windows\System32\sihost.exe Code function: 4_2_00007FF84923096A push edx; ret 4_2_00007FF84923096B
Source: C:\Windows\System32\sihost.exe Code function: 4_2_00007FF84923294D pushad ; ret 4_2_00007FF849232974
Source: C:\Windows\System32\sihost.exe Code function: 4_2_00007FF849236F90 pushfd ; iretd 4_2_00007FF849236F91
Source: Qe73sKzGgb.dll Static PE information: section name: .text entropy: 7.125462328457127

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\sihost.exe Memory allocated: 24EB5EA0000 memory reserve | memory write watch
Source: C:\Windows\System32\sihost.exe Memory allocated: 24ECE420000 memory reserve | memory write watch
Source: C:\Windows\System32\loaddll64.exe TID: 2000 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: sihost.exe, 00000004.00000002.3330504947.0000024EB629A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\sihost.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\loaddll64.exe Thread created: C:\Windows\System32\sihost.exe EIP: B5E10000
Source: C:\Windows\System32\rundll32.exe Thread created: C:\Windows\System32\sihost.exe EIP: B5E20000
Source: C:\Windows\System32\loaddll64.exe NtMapViewOfSection: Direct from: 0x7FF8BFAB65DF
Source: C:\Windows\System32\loaddll64.exe NtCreateThreadEx: Direct from: 0x7FF8BFAB661F
Source: C:\Windows\System32\loaddll64.exe Section loaded: NULL target: C:\Windows\System32\sihost.exe protection: execute and read
Source: C:\Windows\System32\rundll32.exe Section loaded: NULL target: C:\Windows\System32\sihost.exe protection: execute and read
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Qe73sKzGgb.dll",#1
Source: sihost.exe, 00000004.00000002.3329405613.0000024EB3A21000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000004.00000000.2091868600.0000024EB3A21000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: sihost.exe, 00000004.00000002.3329405613.0000024EB3A21000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000004.00000000.2091868600.0000024EB3A21000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: sihost.exe, 00000004.00000002.3329405613.0000024EB3A21000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000004.00000000.2091868600.0000024EB3A21000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: sihost.exe, 00000004.00000002.3329405613.0000024EB3A21000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000004.00000000.2091868600.0000024EB3A21000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\sihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Windows\System32\sihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation
Source: C:\Windows\System32\sihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Windows\System32\sihost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid