Windows Analysis Report
AB5tAhygtM.dll

Overview

General Information

Sample name: AB5tAhygtM.dll
renamed because original name is a hash value
Original sample name: 6655c5686b9b0292cf5121fc6346341bb888704b421a85a15011456a9a2c192a.dll
Analysis ID: 1524368
MD5: 1e6c67456dd21d7fb2967364cf4735af
SHA1: 42a3d252faa7d7457c7f708ec6f44f3c1afd843e
SHA256: 6655c5686b9b0292cf5121fc6346341bb888704b421a85a15011456a9a2c192a
Tags: CeranaKeeper, dll, user-JAMESWT_MHT

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: AB5tAhygtM.dll Avira: detected
Source: AB5tAhygtM.dll ReversingLabs: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 90.9% probability
Source: AB5tAhygtM.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: AB5tAhygtM.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDF0C06 FindFirstFileExW,_free, 3_2_6CDF0C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDC2A10 lstrlenW,lstrcatW,lstrlenW,FindFirstFileW,GetLastError,FindClose, 3_2_6CDC2A10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDC3420 lstrcatW,lstrlenW,lstrcpyW,FindFirstFileW,lstrcatW,_memcpy_s,FindNextFileW, 3_2_6CDC3420
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDC30F0 lstrlenW,lstrcatW,lstrlenW,lstrcpyW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,FindNextFileW,FindClose,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,GetLastError,SetFileAttributesW,GetLastError, 3_2_6CDC30F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D080C06 FindFirstFileExW,_free, 5_2_6D080C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D052A10 lstrlenW,lstrcatW,lstrlenW,FindFirstFileW,GetLastError,FindClose, 5_2_6D052A10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D053420 lstrcatW,lstrlenW,lstrcpyW,FindFirstFileW,lstrcatW,_memcpy_s,FindNextFileW, 5_2_6D053420
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D0530F0 lstrlenW,lstrcatW,lstrlenW,lstrcpyW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,FindNextFileW,FindClose,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,GetLastError,SetFileAttributesW,GetLastError, 5_2_6D0530F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDC1200 GetLogicalDriveStringsW,GetDriveTypeW,GetDiskFreeSpaceExW, 3_2_6CDC1200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDE6D29 3_2_6CDE6D29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDDAFD0 3_2_6CDDAFD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDF38D4 3_2_6CDF38D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDCB8B0 3_2_6CDCB8B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDE6B00 3_2_6CDE6B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDEE7E0 3_2_6CDEE7E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDDB760 3_2_6CDDB760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDDB01E 3_2_6CDDB01E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDDB230 3_2_6CDDB230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDF2226 3_2_6CDF2226
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDF2352 3_2_6CDF2352
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D076D29 5_2_6D076D29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D06AFD0 5_2_6D06AFD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D05B8B0 5_2_6D05B8B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D0838D4 5_2_6D0838D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D076B00 5_2_6D076B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D06B760 5_2_6D06B760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D07E7E0 5_2_6D07E7E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D06B01E 5_2_6D06B01E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D082352 5_2_6D082352
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D082226 5_2_6D082226
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D06B230 5_2_6D06B230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D072C80 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CDE2C80 appears 32 times
Source: classification engine Classification label: mal60.winDLL@10/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDC1200 GetLogicalDriveStringsW,GetDriveTypeW,GetDiskFreeSpaceExW, 3_2_6CDC1200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDC66B0 CreateToolhelp32Snapshot,Process32First,CloseHandle,CloseHandle,Process32Next,CloseHandle, 3_2_6CDC66B0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_03
Source: AB5tAhygtM.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\AB5tAhygtM.dll,ModuleMain
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\AB5tAhygtM.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AB5tAhygtM.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\AB5tAhygtM.dll,ModuleMain
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AB5tAhygtM.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AB5tAhygtM.dll",ModuleMain
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: AB5tAhygtM.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDCCF60 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6CDCCF60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDE2CC6 push ecx; ret 3_2_6CDE2CD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDF4168 push ecx; ret 3_2_6CDF4166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D072CC6 push ecx; ret 5_2_6D072CD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D084168 push ecx; ret 5_2_6D084166
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.6 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDE5874 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6CDE5874
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDCCF60 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6CDCCF60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDEBD10 mov eax, dword ptr fs:[00000030h] 3_2_6CDEBD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDE8899 mov eax, dword ptr fs:[00000030h] 3_2_6CDE8899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D07BD10 mov eax, dword ptr fs:[00000030h] 5_2_6D07BD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D078899 mov eax, dword ptr fs:[00000030h] 5_2_6D078899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDECD0A GetProcessHeap, 3_2_6CDECD0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDE2B02 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6CDE2B02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDDA450 SetUnhandledExceptionFilter, 3_2_6CDDA450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDE2157 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6CDE2157
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D075874 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_6D075874
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D072B02 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_6D072B02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D06A450 SetUnhandledExceptionFilter, 5_2_6D06A450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D072157 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_6D072157
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDE2CDC cpuid 3_2_6CDE2CDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDC7FA0 CreateNamedPipeA,CreateEventA,ConnectNamedPipe,GetLastError,WaitForSingleObject,CloseHandle, 3_2_6CDC7FA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDE2733 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_6CDE2733
Source: C:\Windows\SysWOW64\rundll32.exe Code function: cmd.exe /c 3_2_6CDC5F20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: cmd.exe /c 5_2_6D055F20
No contacted IP infos