Source: SecuriteInfo.com.FileRepPup.27878.13681.dll |
ReversingLabs: Detection: 36% |
Source: Submited Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: loaddll64.exe, 00000000.00000002.1674763147.00007FF8E754C000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: -----BEGIN PUBLIC KEY----- |
memstr_57ec9d83-3 |
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Source: unknown |
DNS traffic detected: query: 18.31.95.13.in-addr.arpa replaycode: Name error (3) |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa |
Source: loaddll64.exe, 00000000.00000002.1674826458.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1584474646.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1568058981.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1614939315.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1647536434.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://www.openssl.org/support/faq.html |
Source: loaddll64.exe, 00000000.00000002.1674826458.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1584474646.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1568058981.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1614939315.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1647536434.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://www.openssl.org/support/faq.html. |
Source: loaddll64.exe, 00000000.00000002.1674763147.00007FF8E754C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1584411808.00007FF8E754C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1568013379.00007FF8E754C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1614867632.00007FF8E754C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1647461495.00007FF8E754C000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html |
Source: classification engine |
Classification label: mal56.evad.winDLL@12/0@1/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:828:120:WilError_03 |
Source: C:\Windows\System32\loaddll64.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll,Breakpad_SteamMiniDumpInit |
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll |
ReversingLabs: Detection: 36% |
Source: unknown |
Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll" |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll",#1 |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll,Breakpad_SteamMiniDumpInit |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll",#1 |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll,Breakpad_SteamSetAppID |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll,Breakpad_SteamSetSteamID |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll",#1 |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll,Breakpad_SteamMiniDumpInit |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll,Breakpad_SteamSetAppID |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll,Breakpad_SteamSetSteamID |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll",#1 |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Section loaded: textshaping.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Automated click: OK |
Source: C:\Windows\System32\rundll32.exe |
Automated click: OK |
Source: C:\Windows\System32\rundll32.exe |
Automated click: OK |
Source: C:\Windows\System32\rundll32.exe |
Automated click: OK |
Source: C:\Windows\System32\rundll32.exe |
Automated click: OK |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll |
Static PE information: Image base 0x180000000 > 0x60000000 |
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll |
Static file information: File size 4791808 > 1048576 |
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll |
Static PE information: Raw size of .of2 is bigger than: 0x100000 < 0x490a00 |
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Source: initial sample |
Static PE information: section where entry point is pointing to: .of2 |
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll |
Static PE information: section name: _RDATA |
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll |
Static PE information: section name: .of0 |
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll |
Static PE information: section name: .of1 |
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll |
Static PE information: section name: .of2 |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FF8E7B4BFBA rdtsc |
0_2_00007FF8E7B4BFBA |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FF8E7B4BFBA rdtsc |
0_2_00007FF8E7B4BFBA |
Source: C:\Windows\System32\loaddll64.exe |
NtProtectVirtualMemory: Direct from: 0x7FF8E7C4FFD9 |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
NtProtectVirtualMemory: Direct from: 0x7FF8E7C4FF35 |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll",#1 |
Jump to behavior |