Source: eNtYgxj1lX.dll, type: SAMPLE |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: eNtYgxj1lX.dll, type: SAMPLE |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: 0.2.loaddll64.exe.7ffb226c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 0.2.loaddll64.exe.7ffb226c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: 4.2.rundll32.exe.7ffb226c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 4.2.rundll32.exe.7ffb226c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: 00000000.00000002.3719303951.0000020FFA250000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000000.00000002.3719303951.0000020FFA250000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: 00000004.00000002.3719759282.00007FFB226C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000004.00000002.3719759282.00007FFB226C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: 00000000.00000002.3719632649.00007FFB226C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000000.00000002.3719632649.00007FFB226C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: 00000004.00000002.3719520350.0000026F84150000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000004.00000002.3719520350.0000026F84150000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: eNtYgxj1lX.dll, type: SAMPLE |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: eNtYgxj1lX.dll, type: SAMPLE |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: 0.2.loaddll64.exe.7ffb226c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 0.2.loaddll64.exe.7ffb226c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: 4.2.rundll32.exe.7ffb226c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 4.2.rundll32.exe.7ffb226c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: 00000000.00000002.3719303951.0000020FFA250000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000000.00000002.3719303951.0000020FFA250000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: 00000004.00000002.3719759282.00007FFB226C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000004.00000002.3719759282.00007FFB226C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: 00000000.00000002.3719632649.00007FFB226C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000000.00000002.3719632649.00007FFB226C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: 00000004.00000002.3719520350.0000026F84150000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000004.00000002.3719520350.0000026F84150000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFB226C6250 CreateToolhelp32Snapshot,Process32First,tolower,tolower,tolower,tolower,tolower,tolower,Process32Next,CloseHandle,printf,GetCurrentProcess,printf,OpenProcess,printf,memset,memcpy,printf,GetCurrentProcess,GetProcessMitigationPolicy,printf,printf,SetProcessMitigationPolicy,GetProcessMitigationPolicy,printf,SetProcessMitigationPolicy,SleepEx, |
0_2_00007FFB226C6250 |
Source: unknown |
Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\eNtYgxj1lX.dll" |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eNtYgxj1lX.dll",#1 |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\eNtYgxj1lX.dll",#1 |
Source: eNtYgxj1lX.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: eNtYgxj1lX.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: eNtYgxj1lX.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: eNtYgxj1lX.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: eNtYgxj1lX.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: eNtYgxj1lX.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: eNtYgxj1lX.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: eNtYgxj1lX.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: eNtYgxj1lX.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: eNtYgxj1lX.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: eNtYgxj1lX.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFB226C16B5 push FFFFFFB0h; retf |
0_2_00007FFB226C16CD |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFB226C257A push rdx; iretd |
0_2_00007FFB226C2585 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFB226C1925 push rsp; ret |
0_2_00007FFB226C192C |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFB226C266C push rax; retf |
0_2_00007FFB226C266D |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFB226C3639 push rbx; ret |
0_2_00007FFB226C3643 |
Source: C:\Windows\System32\loaddll64.exe TID: 6732 |
Thread sleep time: -11892000s >= -30000s |
Source: C:\Windows\System32\loaddll64.exe TID: 6732 |
Thread sleep time: -8106000s >= -30000s |
Source: C:\Windows\System32\rundll32.exe TID: 2412 |
Thread sleep count: 6468 > 30 |
Source: C:\Windows\System32\rundll32.exe TID: 2412 |
Thread sleep time: -12936000s >= -30000s |
Source: C:\Windows\System32\rundll32.exe TID: 2412 |
Thread sleep count: 3531 > 30 |
Source: C:\Windows\System32\rundll32.exe TID: 2412 |
Thread sleep time: -7062000s >= -30000s |
Source: C:\Windows\System32\loaddll64.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\rundll32.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFB226C71D8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00007FFB226C71D8 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFB226C6C34 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00007FFB226C6C34 |