Source: AB5tAhygtM.dll |
ReversingLabs: Detection: 31% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 90.9% probability |
Source: AB5tAhygtM.dll |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
Source: AB5tAhygtM.dll |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDF0C06 FindFirstFileExW,_free, |
3_2_6CDF0C06 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDC2A10 lstrlenW,lstrcatW,lstrlenW,FindFirstFileW,GetLastError,FindClose, |
3_2_6CDC2A10 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDC3420 lstrcatW,lstrlenW,lstrcpyW,FindFirstFileW,lstrcatW,_memcpy_s,FindNextFileW, |
3_2_6CDC3420 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDC30F0 lstrlenW,lstrcatW,lstrlenW,lstrcpyW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,FindNextFileW,FindClose,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,GetLastError,SetFileAttributesW,GetLastError, |
3_2_6CDC30F0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D080C06 FindFirstFileExW,_free, |
5_2_6D080C06 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D052A10 lstrlenW,lstrcatW,lstrlenW,FindFirstFileW,GetLastError,FindClose, |
5_2_6D052A10 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D053420 lstrcatW,lstrlenW,lstrcpyW,FindFirstFileW,lstrcatW,_memcpy_s,FindNextFileW, |
5_2_6D053420 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D0530F0 lstrlenW,lstrcatW,lstrlenW,lstrcpyW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,FindNextFileW,FindClose,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,GetLastError,SetFileAttributesW,GetLastError, |
5_2_6D0530F0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDC1200 GetLogicalDriveStringsW,GetDriveTypeW,GetDiskFreeSpaceExW, |
3_2_6CDC1200 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDE6D29 |
3_2_6CDE6D29 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDDAFD0 |
3_2_6CDDAFD0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDF38D4 |
3_2_6CDF38D4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDCB8B0 |
3_2_6CDCB8B0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDE6B00 |
3_2_6CDE6B00 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDEE7E0 |
3_2_6CDEE7E0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDDB760 |
3_2_6CDDB760 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDDB01E |
3_2_6CDDB01E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDDB230 |
3_2_6CDDB230 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDF2226 |
3_2_6CDF2226 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDF2352 |
3_2_6CDF2352 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D076D29 |
5_2_6D076D29 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D06AFD0 |
5_2_6D06AFD0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D05B8B0 |
5_2_6D05B8B0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D0838D4 |
5_2_6D0838D4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D076B00 |
5_2_6D076B00 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D06B760 |
5_2_6D06B760 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D07E7E0 |
5_2_6D07E7E0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D06B01E |
5_2_6D06B01E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D082352 |
5_2_6D082352 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D082226 |
5_2_6D082226 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D06B230 |
5_2_6D06B230 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: String function: 6D072C80 appears 32 times |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: String function: 6CDE2C80 appears 32 times |
|
Source: classification engine |
Classification label: mal60.winDLL@10/0@0/0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDC66B0 CreateToolhelp32Snapshot,Process32First,CloseHandle,CloseHandle,Process32Next,CloseHandle, |
3_2_6CDC66B0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_03 |
Source: AB5tAhygtM.dll |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\AB5tAhygtM.dll,ModuleMain |
Source: C:\Windows\SysWOW64\rundll32.exe |
Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\AB5tAhygtM.dll" |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AB5tAhygtM.dll",#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\AB5tAhygtM.dll,ModuleMain |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AB5tAhygtM.dll",#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AB5tAhygtM.dll",ModuleMain |
|
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: apphelp.dll |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: dbghelp.dll |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: dbgcore.dll |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: wldp.dll |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: apphelp.dll |
Source: AB5tAhygtM.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDCCF60 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
3_2_6CDCCF60 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDE2CC6 push ecx; ret |
3_2_6CDE2CD9 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDF4168 push ecx; ret |
3_2_6CDF4166 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D072CC6 push ecx; ret |
5_2_6D072CD9 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D084168 push ecx; ret |
5_2_6D084166 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
API coverage: 1.6 % |
Source: C:\Windows\SysWOW64\rundll32.exe |
API coverage: 1.6 % |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe |
Thread delayed: delay time: 120000 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDE5874 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
3_2_6CDE5874 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDEBD10 mov eax, dword ptr fs:[00000030h] |
3_2_6CDEBD10 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDE8899 mov eax, dword ptr fs:[00000030h] |
3_2_6CDE8899 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D07BD10 mov eax, dword ptr fs:[00000030h] |
5_2_6D07BD10 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D078899 mov eax, dword ptr fs:[00000030h] |
5_2_6D078899 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDECD0A GetProcessHeap, |
3_2_6CDECD0A |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDE2B02 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
3_2_6CDE2B02 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDDA450 SetUnhandledExceptionFilter, |
3_2_6CDDA450 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDE2157 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
3_2_6CDE2157 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D075874 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
5_2_6D075874 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D072B02 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
5_2_6D072B02 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D06A450 SetUnhandledExceptionFilter, |
5_2_6D06A450 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6D072157 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
5_2_6D072157 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDE2CDC cpuid |
3_2_6CDE2CDC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDC7FA0 CreateNamedPipeA,CreateEventA,ConnectNamedPipe,GetLastError,WaitForSingleObject,CloseHandle, |
3_2_6CDC7FA0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6CDE2733 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
3_2_6CDE2733 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: cmd.exe /c |
3_2_6CDC5F20 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: cmd.exe /c |
5_2_6D055F20 |