Source: viYcjIFhBz.dll |
ReversingLabs: Detection: 28% |
Source: viYcjIFhBz.dll |
Virustotal: Detection: 37% |
Perma Link |
Source: viYcjIFhBz.dll |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: C:\Users\NEO\Desktop\RavinAcademy\RedTeam-01\09\03-ACG\x64\Release\EnableACG.pdb source: viYcjIFhBz.dll |
Source: viYcjIFhBz.dll, type: SAMPLE |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: viYcjIFhBz.dll, type: SAMPLE |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: 00000000.00000002.2148920564.000001A119050000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000000.00000002.2148920564.000001A119050000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: 00000003.00000002.2186246904.000001BA72F20000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000003.00000002.2186246904.000001BA72F20000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: viYcjIFhBz.dll, type: SAMPLE |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: viYcjIFhBz.dll, type: SAMPLE |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: 00000000.00000002.2148920564.000001A119050000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000000.00000002.2148920564.000001A119050000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: 00000003.00000002.2186246904.000001BA72F20000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000003.00000002.2186246904.000001BA72F20000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: viYcjIFhBz.dll |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: classification engine |
Classification label: mal60.evad.winDLL@6/0@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:120:WilError_03 |
Source: viYcjIFhBz.dll |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll64.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\viYcjIFhBz.dll",#1 |
Source: viYcjIFhBz.dll |
ReversingLabs: Detection: 28% |
Source: viYcjIFhBz.dll |
Virustotal: Detection: 37% |
Source: unknown |
Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\viYcjIFhBz.dll" |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\viYcjIFhBz.dll",#1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\viYcjIFhBz.dll",#1 |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\viYcjIFhBz.dll",#1 |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\viYcjIFhBz.dll",#1 |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Section loaded: vcruntime140.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: viYcjIFhBz.dll |
Static PE information: Image base 0x180000000 > 0x60000000 |
Source: viYcjIFhBz.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: viYcjIFhBz.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: viYcjIFhBz.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: viYcjIFhBz.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: viYcjIFhBz.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: viYcjIFhBz.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: viYcjIFhBz.dll |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Source: viYcjIFhBz.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: |
Binary string: C:\Users\NEO\Desktop\RavinAcademy\RedTeam-01\09\03-ACG\x64\Release\EnableACG.pdb source: viYcjIFhBz.dll |
Source: viYcjIFhBz.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: viYcjIFhBz.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: viYcjIFhBz.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: viYcjIFhBz.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: viYcjIFhBz.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: viYcjIFhBz.dll |
Static PE information: section name: .text entropy: 7.085181042380631 |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe TID: 7016 |
Thread sleep time: -120000s >= -30000s |
Jump to behavior |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\loaddll64.exe |
Thread delayed: delay time: 120000 |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Process information queried: ProcessInformation |
Jump to behavior |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll64.exe |
NtCreateThreadEx: Direct from: 0x7FFDA54E642F |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
NtMapViewOfSection: Direct from: 0x7FFDA54E63EF |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\viYcjIFhBz.dll",#1 |
Jump to behavior |