Windows Analysis Report
SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll

Overview

General Information

Sample name: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll
(renamed file extension from exe to dll)
Original sample name: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.exe
Analysis ID: 1532737
MD5: 15c9072909a72490eb1092bcc7c037e7
SHA1: da41f3fd32d982dfcad32b818baaf41eb7003330
SHA256: ef6f600e68f76e9526edb785f37d9f7d53edc717830ec40ff8cc2a8e84319b49
Tags: exe
Infos:

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

AI detected suspicious sample
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 87.4% probability
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Program Files\Epic Games\GTAV\d3d10.pdb11 source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll
Source: Binary string: C:\Program Files\Epic Games\GTAV\d3d10.pdb source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFL
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLCopyright
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll String found in binary or memory: http://www.google.com/fontshttp://www.hubertfischer.comThis
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll String found in binary or memory: https://fontawesome.com
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll String found in binary or memory: https://fontawesome.comhttps://fontawesome.comFont
Source: classification engine Classification label: sus22.winDLL@6/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll",#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll",#1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: d3dcompiler_43.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll Static file information: File size 1104384 > 1048576
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Program Files\Epic Games\GTAV\d3d10.pdb11 source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll
Source: Binary string: C:\Program Files\Epic Games\GTAV\d3d10.pdb source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Hacktool.27928.4275.dll",#1 Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1532737 Sample: SecuriteInfo.com.PUA.RiskWa... Startdate: 13/10/2024 Architecture: WINDOWS Score: 22 15 AI detected suspicious sample 2->15 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
No contacted IP infos