Windows Analysis Report
1.dll

Overview

General Information

Sample name: 1.dll
(renamed file extension from exe to dll)
Original sample name: 1.exe
Analysis ID: 1417057
MD5: 4a77fb2014f6d9a165a139bd550916ae
SHA1: 9f717b1a5d22f74979934b6c55d22f8990608c3f
SHA256: f2d850025dd7b65c44d979ec74a3f5a77e1c15b4070812be5656887cee95dc59
Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs

Classification

AV Detection

Source: 1.dll Virustotal: Detection: 11%
Source: 1.dll Static PE information: certificate valid
Source: 1.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\ArchonCore6\Common\Dell.FrontEndPlugin\obj\x64\Release\Dell.FrontEndPlugin.pdb source: 1.dll
Source: Binary string: C:\ArchonCore6\Common\Dell.FrontEndPlugin\obj\x64\Release\Dell.FrontEndPlugin.pdbSHA256qm source: 1.dll
Source: 1.dll String found in binary or memory: http://aia.entrust.net/evcs2-chain.p7c01
Source: 1.dll String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: 1.dll String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: 1.dll String found in binary or memory: http://crl.entrust.net/csbr1.crl0
Source: 1.dll String found in binary or memory: http://crl.entrust.net/evcs2.crl0
Source: 1.dll String found in binary or memory: http://crl.entrust.net/g2ca.crl0
Source: 1.dll String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: 1.dll String found in binary or memory: http://ocsp.entrust.net00
Source: 1.dll String found in binary or memory: http://ocsp.entrust.net01
Source: 1.dll String found in binary or memory: http://ocsp.entrust.net02
Source: 1.dll String found in binary or memory: http://ocsp.entrust.net03
Source: 1.dll String found in binary or memory: http://www.entrust.net/rpa0
Source: 1.dll String found in binary or memory: http://www.entrust.net/rpa03
Source: 1.dll String found in binary or memory: https://www.entrust.net/rpa0
Source: 1.dll Static PE information: No import functions for PE file found
Source: 1.dll Binary or memory string: OriginalFilenameDell.FrontEndPlugin.dllH vs 1.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll
Source: classification engine Classification label: mal48.winDLL@6/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2884:120:WilError_03
Source: 1.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\1.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1.dll",#1
Source: 1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 1.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: 1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1.dll Static PE information: 0x8093189B [Mon May 10 17:02:19 2038 UTC]
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe TID: 6044 Thread sleep time: -120000s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
No contacted IP infos