Windows Analysis Report
SecuriteInfo.com.FileRepPup.27878.13681.dll

Overview

General Information

Sample name: SecuriteInfo.com.FileRepPup.27878.13681.dll
(renamed file extension from exe to dll)
Original sample name: SecuriteInfo.com.FileRepPup.27878.13681.exe
Analysis ID: 1532748
MD5: 05fdda04525c97630c95e5095164cde3
SHA1: c77ee48196d6f0b59b92b2e8bd2d16b6a0a22884
SHA256: d80efa7ffc44b018e51f5528cf5b701e6c05c47108f2be98611f08591477b4ed
Tags: exe

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Contains functionality for execution timing, often used to detect debuggers
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

AV Detection

Source: SecuriteInfo.com.FileRepPup.27878.13681.dll ReversingLabs: Detection: 36%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: loaddll64.exe, 00000000.00000002.1674763147.00007FF8E754C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_57ec9d83-3
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: unknown DNS traffic detected: query: 18.31.95.13.in-addr.arpa replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: loaddll64.exe, 00000000.00000002.1674826458.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1584474646.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1568058981.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1614939315.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1647536434.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: loaddll64.exe, 00000000.00000002.1674826458.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1584474646.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1568058981.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1614939315.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1647536434.00007FF8E75CE000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html.
Source: loaddll64.exe, 00000000.00000002.1674763147.00007FF8E754C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1584411808.00007FF8E754C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1568013379.00007FF8E754C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1614867632.00007FF8E754C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1647461495.00007FF8E754C000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: classification engine Classification label: mal56.evad.winDLL@12/0@1/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:828:120:WilError_03
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll,Breakpad_SteamMiniDumpInit
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll",#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll,Breakpad_SteamSetAppID
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll,Breakpad_SteamSetSteamID
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll64.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll Static file information: File size 4791808 > 1048576
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll Static PE information: Raw size of .of2 is bigger than: 0x100000 < 0x490a00
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: initial sample Static PE information: section where entry point is pointing to: .of2
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll Static PE information: section name: _RDATA
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll Static PE information: section name: .of0
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll Static PE information: section name: .of1
Source: SecuriteInfo.com.FileRepPup.27878.13681.dll Static PE information: section name: .of2
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8E7B4BFBA rdtsc 0_2_00007FF8E7B4BFBA
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8E7B4BFBA rdtsc 0_2_00007FF8E7B4BFBA

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\loaddll64.exe NtProtectVirtualMemory: Direct from: 0x7FF8E7C4FFD9
Source: C:\Windows\System32\loaddll64.exe NtProtectVirtualMemory: Direct from: 0x7FF8E7C4FF35
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.27878.13681.dll",#1
No contacted IP infos