Managed XDR

cryptopp.dll — malware analysis report

File info

Filename: cryptopp.dll
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size: 5.6 MB
First seen: 2025-09-19 17:48
Last seen: 2025-09-19 17:48

Environment

win7/x86 en

Hashes

SHA1: bd87e3269ec0bc027435f885366ff23ae3407120
SHA256: cc7c007d0566d7eae701e8be09ebd6bf09054176e951bf6e7104e5c3577aca39
MD5: 6acdebe50177464f9fd864775db93769

Signatures

Persistence

T1546.010 persistence_autorun: Makes itself run automatically on Windows startup

T1546.010 installs_appinit: Installs itself in AppInit to inject into new processes

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1546.010 persistence_autorun: Makes itself run automatically on Windows startup

T1546.010 installs_appinit: Installs itself in AppInit to inject into new processes

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1003.001 dumps_lsass: Dumps lsass.exe process (probably, to extract credentials)

T1552 cookie_files: Accesses cookie files

T1555.003 cookie_files: Accesses cookie files

Discovery

T1057 process_interest: Enumerates processes

T1082 reads_csrss: Attempts to read csrss.exe memory

Command and Control

T1071.001 network_cnc_http: Suspicious HTTP traffic

T1071.001 network_http: Performs HTTP requests

T1071.001 wininet_openurl: Performs HTTP/HTTPS-requests using InternetOpenUrl

Other

yara_rules: Static rules

suricata_alert: Malicious traffic detected

creates_exe: Creates executable files in the file system

suspicious_process_network: Unusual process network activity detected

dns_without_resolve: DNS query without a response

process_crashed: One of the processes has failed

unexpected_exception: Unexpected exception

create_rpc_bindings: Creates RPC connection

has_pdb: This executable file has a PDB path

message_box: Displays a message

error_drawtext: An error occured while executing the file

get_policy_info: Retrieves information about a Policy object

test_check_service: Starts services

pe_overlay: PE file contains overlay

open_winlogon_process: Trying to open winlogon process

Managed XDR