Edit tour

Windows Analysis Report
INETCwsSDezirces.dll

Overview

General Information

Sample name:	INETCwsSDezirces.dll
Analysis ID:	1432306
MD5:	786756c0ea8c6b146e336f662bef1a9d
SHA1:	43ebde827896e9281da7ebaf43205b8fc11fd197
SHA256:	e444558a435731f5531467a9cca0c2861d230ea79d924cd370460fef8be9f02a
Tags:	dll
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4416 cmdline: loaddll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 4520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6716 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 3484 cmdline: rundll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6808 cmdline: rundll32.exe C:\Users\user\Desktop\INETCwsSDezirces.dll,Rotrzlrabdd MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6912 cmdline: rundll32.exe C:\Users\user\Desktop\INETCwsSDezirces.dll,sydthnu MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3452 cmdline: rundll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll",Rotrzlrabdd MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4928 cmdline: rundll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll",sydthnu MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: INETCwsSDezirces.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: INETCwsSDezirces.dll

Virustotal: Detection: 38%

Perma Link

Machine Learning detection for sample

Source: INETCwsSDezirces.dll

Joe Sandbox ML: detected

Source: INETCwsSDezirces.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: INETCwsSDezirces.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: INETCwsSDezirces.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal60.winDLL@14/1@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4520:120:WilError_03

Source: INETCwsSDezirces.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: INETCwsSDezirces.dll

Static file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.08%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\INETCwsSDezirces.dll,Rotrzlrabdd

Source: INETCwsSDezirces.dll

Virustotal: Detection: 38%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\INETCwsSDezirces.dll,Rotrzlrabdd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\INETCwsSDezirces.dll,sydthnu
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll",Rotrzlrabdd
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll",sydthnu
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\INETCwsSDezirces.dll,Rotrzlrabdd	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\INETCwsSDezirces.dll,sydthnu	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll",Rotrzlrabdd	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll",sydthnu	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: INETCwsSDezirces.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: INETCwsSDezirces.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0448451C push esp; iretd	3_2_04484521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E22451C push esp; iretd	3_2_6E224521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0438451C push esp; iretd	4_2_04384521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E22451C push esp; iretd	4_2_6E224521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_066A451C push esp; iretd	5_2_066A4521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E22451C push esp; iretd	5_2_6E224521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_071E453C push esi; retf	5_2_071E453D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_051A451C push esp; iretd	6_2_051A4521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E22451C push esp; iretd	6_2_6E224521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_06CE451C push esp; iretd	7_2_06CE4521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6E22451C push esp; iretd	7_2_6E224521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0782453C push esi; retf	7_2_0782453D

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe TID: 4888	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1804	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\Desktop\INETCwsSDezirces.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\Desktop\INETCwsSDezirces.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\Desktop\INETCwsSDezirces.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\Desktop\INETCwsSDezirces.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\Desktop\INETCwsSDezirces.dll VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	21 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	11 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	21 Virtualization/Sandbox Evasion	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
INETCwsSDezirces.dll	39%	Virustotal		Browse
INETCwsSDezirces.dll	100%	Avira	HEUR/AGEN.1301100
INETCwsSDezirces.dll	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432306
Start date and time:	2024-04-26 20:36:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	INETCwsSDezirces.dll
Detection:	MAL
Classification:	mal60.winDLL@14/1@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 56% Number of executed functions: 22 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target rundll32.exe, PID 3452 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 3484 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 4928 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 6808 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 6912 because it is empty
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
20:36:57	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

Static File Info

General

File type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.100784556445581
TrID:	Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.08% Win32 Dynamic Link Library (generic) (1002004/3) 49.61% Win16/32 Executable Delphi generic (2074/23) 0.10% Generic Win/DOS Executable (2004/3) 0.10% DOS Executable Generic (2002/1) 0.10%
File name:	INETCwsSDezirces.dll
File size:	146'432 bytes
MD5:	786756c0ea8c6b146e336f662bef1a9d
SHA1:	43ebde827896e9281da7ebaf43205b8fc11fd197
SHA256:	e444558a435731f5531467a9cca0c2861d230ea79d924cd370460fef8be9f02a
SHA512:	aaaae6653e170dd81f5686097c6327c210454c6f39a1f200f648a74515744a8b21551eb01cfbcb18ea8ddca3722800f49f82183b4ea65e8921f4042d66291417
SSDEEP:	3072:3GYcR19KDICARggR26KKnY2B7SAzCgCMKdYjtvKu:wfKsRKIYYuhdY
TLSH:	34E35338C92B6830DBDA3CF63CDB29465F6B21B21356CD0AA7D36D035363D6AD48B854
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q..`...........!.....0...........O... ...`....... ....................................@..........................`..(..

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10024fae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60B01151 [Thu May 27 21:38:25 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	dae02f32a21e03ce65412f6e56942daa

Entrypoint Preview

Instruction
jmp dword ptr [10002000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x26008	0x28	.sdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x24f5c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x28000	0x2c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2a000	0x10	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x22fb4	0x23000	f45897c5faa45704b9ece9e0c2b6913b	False	0.38603515625	data	5.145895822948627	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0x26000	0x6d	0x200	6598950e8a9de8a54343c9f70a39a885	False	0.193359375	data	1.3060026818921529	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x28000	0x2c8	0x400	46c8fe5425696ef07cf9848cdb62e02b	False	0.30859375	data	2.2820898113316983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2a000	0x10	0x200	fa91ba0bffaadc64bb38f17d5ce657a1	False	0.052734375	GLS_BINARY_LSB_FIRST	0.17014565200323517	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x28058	0x26c	data			0.45806451612903226

Imports

DLL	Import
mscoree.dll	_CorDllMain

Exports

Name	Ordinal	Address
Rotrzlrabdd	1	0x10024f4e
sydthnu	2	0x10024f3e

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exePID: 4416, Parent PID: 2580

General

Target ID:	0
Start time:	20:36:51
Start date:	26/04/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll"
Imagebase:	0x890000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4520, Parent PID: 4416

General

Target ID:	1
Start time:	20:36:51
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6716, Parent PID: 4416

General

Target ID:	2
Start time:	20:36:51
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6808, Parent PID: 4416

General

Target ID:	3
Start time:	20:36:51
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\INETCwsSDezirces.dll,Rotrzlrabdd
Imagebase:	0x450000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 3484, Parent PID: 6716

General

Target ID:	4
Start time:	20:36:51
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll",#1
Imagebase:	0x450000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6912, Parent PID: 4416

General

Target ID:	5
Start time:	20:36:54
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\INETCwsSDezirces.dll,sydthnu
Imagebase:	0x450000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 3452, Parent PID: 4416

General

Target ID:	6
Start time:	20:36:57
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll",Rotrzlrabdd
Imagebase:	0x450000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 4928, Parent PID: 4416

General

Target ID:	7
Start time:	20:36:57
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\INETCwsSDezirces.dll",sydthnu
Imagebase:	0x450000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: rundll32.exePID: 6808, Parent PID: 4416COMMON

Executed Functions

Function 04140478 Relevance: 3.1, Strings: 2, Instructions: 571COMMON

Download Yara Rule

Strings

JCvq, xrefs: 041408BE
nKvq, xrefs: 0414093F

Memory Dump Source

Source File: 00000003.00000002.1617430844.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4140000_rundll32.jbxd

Similarity

API ID:
String ID: JCvq$nKvq
API String ID: 0-2289145667
Opcode ID: 5182a8deaee8b7851181e45368924b770b21bf5f43ba3c7cf376d8e49bc877d2
Instruction ID: e4e4e9c407fe2384e21bc8b025dd86305fea2c02c14aa966e5bdf1bc658e1ad6
Opcode Fuzzy Hash: 5182a8deaee8b7851181e45368924b770b21bf5f43ba3c7cf376d8e49bc877d2
Instruction Fuzzy Hash: 03416370A202058FEB08EFA9D9817DEBFA2FBC4308F10D9699450AB355EF3459498791

Uniqueness

Uniqueness Score: -1.00%

Function 04140848 Relevance: 2.6, Strings: 2, Instructions: 94COMMON

Download Yara Rule

Strings

JCvq, xrefs: 041408BE
nKvq, xrefs: 0414093F

Memory Dump Source

Source File: 00000003.00000002.1617430844.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4140000_rundll32.jbxd

Similarity

API ID:
String ID: JCvq$nKvq
API String ID: 0-2289145667
Opcode ID: 081f271132a029bcc87fd36432ae83a251866e8d6bb2db526b564cf0d715ec64
Instruction ID: f22e0cc1791e22d00ad34fc29c3cd8fc8359788e7db39f432efdfa27a598ef34
Opcode Fuzzy Hash: 081f271132a029bcc87fd36432ae83a251866e8d6bb2db526b564cf0d715ec64
Instruction Fuzzy Hash: 49313570A102098FDB08EFADD5816DEFBB6FBC4308F10D9399414AB354EF3469598B91

Uniqueness

Uniqueness Score: -1.00%

Function 040DD01C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1617368135.00000000040DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 040DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40dd000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2063e610b166bc6a52f30a75f932630be311c24edd11e5efad2fbaf445ef4ac
Instruction ID: e02b3737437c03be3089d24ccab6f2841427df283d995177db3dac21676923fa
Opcode Fuzzy Hash: f2063e610b166bc6a52f30a75f932630be311c24edd11e5efad2fbaf445ef4ac
Instruction Fuzzy Hash: 3611E6B1644344DFDB14EF28E984B2ABFA4EFC4714F208A6DD5495B241D33AE44BC662

Uniqueness

Uniqueness Score: -1.00%

Function 040DD006 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1617368135.00000000040DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 040DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40dd000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9f25d612209dde8fb7196bc8c7d93b393e9d3dd003797468dff381f3a889a3
Instruction ID: 87a52e1b572d32818d15655678c2aa72f00e07437f98f8ed8b1be54c7ad3a761
Opcode Fuzzy Hash: ef9f25d612209dde8fb7196bc8c7d93b393e9d3dd003797468dff381f3a889a3
Instruction Fuzzy Hash: E411A3B15093C08FDB16DF24D594715BFB1EF81204F2486EAC9498B293C33A944ECB62

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 3484, Parent PID: 6716COMMON

Executed Functions

Function 04100478 Relevance: 3.1, Strings: 2, Instructions: 575COMMON

Download Yara Rule

Strings

nKvq, xrefs: 0410093F
JCvq, xrefs: 041008BE

Memory Dump Source

Source File: 00000004.00000002.1617467818.0000000004100000.00000040.00000800.00020000.00000000.sdmp, Offset: 04100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4100000_rundll32.jbxd

Similarity

API ID:
String ID: JCvq$nKvq
API String ID: 0-2289145667
Opcode ID: adb10a7a25b749367392e93d753ebdb680ae3553259d65f1a2c1696a6aeb3799
Instruction ID: 3d915fd27d0afe929edfd113e9af050a247e1744f6ba532c8722633d462a7f34
Opcode Fuzzy Hash: adb10a7a25b749367392e93d753ebdb680ae3553259d65f1a2c1696a6aeb3799
Instruction Fuzzy Hash: 5C4193B0A102088FE705EFA9D9816DEBFB6FBC4308F10C979D450AB365EF3469098791

Uniqueness

Uniqueness Score: -1.00%

Function 04100848 Relevance: 2.6, Strings: 2, Instructions: 94COMMON

Download Yara Rule

Strings

nKvq, xrefs: 0410093F
JCvq, xrefs: 041008BE

Memory Dump Source

Source File: 00000004.00000002.1617467818.0000000004100000.00000040.00000800.00020000.00000000.sdmp, Offset: 04100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4100000_rundll32.jbxd

Similarity

API ID:
String ID: JCvq$nKvq
API String ID: 0-2289145667
Opcode ID: 6bbe67a61b5d6a6ae84a0d04c61bae3891dacb341aad034a846cde926ad62b3e
Instruction ID: f1de3575cd1232bec1df579b2d5d2b34a040e9d7dc2bc6b98b483790029dd84c
Opcode Fuzzy Hash: 6bbe67a61b5d6a6ae84a0d04c61bae3891dacb341aad034a846cde926ad62b3e
Instruction Fuzzy Hash: 67316570A102098FD704EFA9D9816DEBFB6FBC4308F10C9349515AB754EF3469498B91

Uniqueness

Uniqueness Score: -1.00%

Function 0406D01C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1617401489.000000000406D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0406D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_406d000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aceb5471232a68b31dbf39af2483cd1d7aa74acfeb550a5f741b9683c62ab342
Instruction ID: d2587399dd14e8b42707614f745ec3de0e5fe6c0d4beee68d8a8a9024b4028c9
Opcode Fuzzy Hash: aceb5471232a68b31dbf39af2483cd1d7aa74acfeb550a5f741b9683c62ab342
Instruction Fuzzy Hash: B411E9B1744344DFEB14EF24E984B2ABB94EF84714F208A6DD54B5B241D33AE447C662

Uniqueness

Uniqueness Score: -1.00%

Function 0406D006 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1617401489.000000000406D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0406D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_406d000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f549b913c7315efd4a2e4d7d143640c048976789a1dd74ad3300d3c31b56383c
Instruction ID: 6debc03d032aec0ad67d708c26c9c9dfa4e46ca093da5b7c3d1b02a7d1677f93
Opcode Fuzzy Hash: f549b913c7315efd4a2e4d7d143640c048976789a1dd74ad3300d3c31b56383c
Instruction Fuzzy Hash: 071177715097C08FE712DF24D594715BFB1EF45214F2886EAD84A8F593C33A944AC762

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 6912, Parent PID: 4416COMMON

Executed Functions

Function 02790848 Relevance: 2.6, Strings: 2, Instructions: 94COMMON

Download Yara Rule

Strings

JCvq, xrefs: 027908BE
nKvq, xrefs: 0279093F

Memory Dump Source

Source File: 00000005.00000002.1657384162.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2790000_rundll32.jbxd

Similarity

API ID:
String ID: JCvq$nKvq
API String ID: 0-2289145667
Opcode ID: 3dcbe671b3d020d53ce27de60ba6aa9d5816c59618c9e2e6f33874547282d6f1
Instruction ID: 25473b18002d34d11e26d5152aae3d74926dfd7212a084590ade1750e0e3c50b
Opcode Fuzzy Hash: 3dcbe671b3d020d53ce27de60ba6aa9d5816c59618c9e2e6f33874547282d6f1
Instruction Fuzzy Hash: BD314074A102598FD705EFA9E88569EBBB7FF88300F10C978D0149B398EF3459498F91

Uniqueness

Uniqueness Score: -1.00%

Function 027909E8 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1657384162.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2790000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c1ee5064d13c0089d14bb401c7b78a33cce13423cdf175498aac4f665fa6d8
Instruction ID: e00f9962d973f84b261574820dd52490057eb08e27d2b8a0ce31930a8ff80a2a
Opcode Fuzzy Hash: b5c1ee5064d13c0089d14bb401c7b78a33cce13423cdf175498aac4f665fa6d8
Instruction Fuzzy Hash: 8971A174A65380CFCB09CF18F5A8A257BB2FF4431AF55C865E4448B296D730A8D5CF84

Uniqueness

Uniqueness Score: -1.00%

Function 027909D8 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1657384162.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2790000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9082ed2fea4b464ff771d8dd6c822344c19b51db8780bc1a262923a46a7dc741
Instruction ID: ea621e0db466f6a051223e1e66ebcdf40063fb54031f1beb39db08ce22df4cd2
Opcode Fuzzy Hash: 9082ed2fea4b464ff771d8dd6c822344c19b51db8780bc1a262923a46a7dc741
Instruction Fuzzy Hash: C7418874924380CFCF18CB24F198A297BB6FF5432AF14D869E4458B256C730A8E1CF89

Uniqueness

Uniqueness Score: -1.00%

Function 0273D01C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1657222549.000000000273D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0273D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_273d000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4d4345918b4ac41b25d22d0e68544dbed209c876e4544001a524935c0acf31
Instruction ID: f1ba77a6355cefe2428bfd0d92eb8cee5bdec3b68449ddeabdaf8566d0adbe1b
Opcode Fuzzy Hash: cf4d4345918b4ac41b25d22d0e68544dbed209c876e4544001a524935c0acf31
Instruction Fuzzy Hash: AE1138B0544340DFDB32EF24DAC4B2ABFA4EB44B04F208A7DD44A4B242C33AD447C662

Uniqueness

Uniqueness Score: -1.00%

Function 0273D007 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1657222549.000000000273D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0273D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_273d000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa25129685b582c25c4fd8b11370832823768a2b126f63fd2f1ca5cdfd2f5e5
Instruction ID: fccc2f36bab4cd6b2e32e16d22d35f2037a4a8dcde85d57425bdb82ed0d72216
Opcode Fuzzy Hash: 5aa25129685b582c25c4fd8b11370832823768a2b126f63fd2f1ca5cdfd2f5e5
Instruction Fuzzy Hash: 1B1191715093C08FDB23DF24D584715BF71EB46614F2886EAC8898F2A3C33A944AC762

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 3452, Parent PID: 4416COMMON

Executed Functions

Function 04EA0478 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

nKvq, xrefs: 04EA093F
JCvq, xrefs: 04EA08BE

Memory Dump Source

Source File: 00000006.00000002.1677937572.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ea0000_rundll32.jbxd

Similarity

API ID:
String ID: JCvq$nKvq
API String ID: 0-2289145667
Opcode ID: 48a85526954b209d221eb4ccec6333e811951aa6f78c1e54e64bd9083dc849a5
Instruction ID: ae51ab393655a8808fb521278b71191c95b9a5004a5f298e37cdb9699ea44626
Opcode Fuzzy Hash: 48a85526954b209d221eb4ccec6333e811951aa6f78c1e54e64bd9083dc849a5
Instruction Fuzzy Hash: C8418370A003098FE705EF69E99469EBBB3FB84304F10D979C5509B355EB7869098F91

Uniqueness

Uniqueness Score: -1.00%

Function 04EA0848 Relevance: 2.6, Strings: 2, Instructions: 94COMMON

Download Yara Rule

Strings

nKvq, xrefs: 04EA093F
JCvq, xrefs: 04EA08BE

Memory Dump Source

Source File: 00000006.00000002.1677937572.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ea0000_rundll32.jbxd

Similarity

API ID:
String ID: JCvq$nKvq
API String ID: 0-2289145667
Opcode ID: 29aff7f451b810c238103713ac0498ce61bde3d1b6264aa5f0e3024cc470bde0
Instruction ID: ff20f8102add5be0a13ba9177c64a4ae9a03d6a0a8c8d17509989e50c12794ad
Opcode Fuzzy Hash: 29aff7f451b810c238103713ac0498ce61bde3d1b6264aa5f0e3024cc470bde0
Instruction Fuzzy Hash: 7E316670A402098FD704EFA9E98469EBBB7FB88314F10D934C5159B358EF7869498F91

Uniqueness

Uniqueness Score: -1.00%

Function 04E3D01C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1677883860.0000000004E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4e3d000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70fb2ea9809fb3af06dee1d64d8b32f983a7fca5265410833ec207a900db7a0
Instruction ID: 09e91d78082d974950759102ec70e32c958343090dd99ade34acf380f949c5d1
Opcode Fuzzy Hash: b70fb2ea9809fb3af06dee1d64d8b32f983a7fca5265410833ec207a900db7a0
Instruction Fuzzy Hash: 81113BB0644340DFDB16EF24EDC8F26BBA6E744B09F208A7DD4094B241D37AE447CA61

Uniqueness

Uniqueness Score: -1.00%

Function 04E3D005 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1677883860.0000000004E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4e3d000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8969d0a63675f8a3a55429d46d8a03c70c1a32cf0f40708c629a3bcc0e578f
Instruction ID: fe904173bc64ffb636faa836a1c20344fdb5bc6104932f5f90cd24aaa1a283a2
Opcode Fuzzy Hash: 6f8969d0a63675f8a3a55429d46d8a03c70c1a32cf0f40708c629a3bcc0e578f
Instruction Fuzzy Hash: 961154715097C08FD713DF24D988B55BF71EB41618F2485EAD4498F593C33A944ACB62

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 4928, Parent PID: 4416COMMON

Executed Functions

Function 04760848 Relevance: 2.6, Strings: 2, Instructions: 94COMMON

Download Yara Rule

Strings

JCvq, xrefs: 047608BE
nKvq, xrefs: 0476093F

Memory Dump Source

Source File: 00000007.00000002.1697000528.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4760000_rundll32.jbxd

Similarity

API ID:
String ID: JCvq$nKvq
API String ID: 0-2289145667
Opcode ID: 39c5094b3fd9aaf1d8d43ec3db6a7f77b4deba86d297057a1586aa8433a6b72a
Instruction ID: b0f27ceb42dd33252b094f230ec2c7bec3bad302dad0dd2d5849233f3d652b11
Opcode Fuzzy Hash: 39c5094b3fd9aaf1d8d43ec3db6a7f77b4deba86d297057a1586aa8433a6b72a
Instruction Fuzzy Hash: 0D316870A102098FD714EFA9D8916AEBBB7FF84304F10C97C94589B359FF3459498B91

Uniqueness

Uniqueness Score: -1.00%

Function 047609E8 Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1697000528.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4760000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fc50802504ba0174a4939ec8c8d1c7e8f9580da0e613d2d7e3489b8fc3e2ab
Instruction ID: a2eaed3103ab8fe8da3e7255a501c2c933b10a56ad2348f3c565ff1ee66c71fc
Opcode Fuzzy Hash: 84fc50802504ba0174a4939ec8c8d1c7e8f9580da0e613d2d7e3489b8fc3e2ab
Instruction Fuzzy Hash: 8A718C30615380CFC725CF18E595A267BF7FB50309B19D459E88AABB56EB38BC85CB40

Uniqueness

Uniqueness Score: -1.00%

Function 047609D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1697000528.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4760000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e853f4eb3917270a42bb8158b95e420a48fb2abd451441eb29f27d7e4e451fb0
Instruction ID: bdd3e6d66639064f484956d57399244e8c48a1cb2c1e6b0013172b9fd43ed0a7
Opcode Fuzzy Hash: e853f4eb3917270a42bb8158b95e420a48fb2abd451441eb29f27d7e4e451fb0
Instruction Fuzzy Hash: 59317C34215280DFC724CF14E285A2A7BF3FB50349B19D559E88A9BB56EB38F8C5DB40

Uniqueness

Uniqueness Score: -1.00%

Function 046FD01C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1696891105.00000000046FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 046FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_46fd000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2df9084b106b6b64a675cad5ce712cc6758ae2ec7bd515debf349c73955b727
Instruction ID: a22e6761e52b3b88379e19ca9415eba91a3e31f9a0a1a02de43dbfaa6a255fc1
Opcode Fuzzy Hash: a2df9084b106b6b64a675cad5ce712cc6758ae2ec7bd515debf349c73955b727
Instruction Fuzzy Hash: C411E9B1644344DFDB14EF24ED84B26BB94E754714F208A6DDE8A4B341E33AF447C662

Uniqueness

Uniqueness Score: -1.00%

Function 046FD006 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1696891105.00000000046FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 046FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_46fd000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a10cf668624f0130aca4c1a40757793a248c6cb9cffff635ead4703d2ef77ff5
Instruction ID: 6a3f66740434e5a69570e8f7a49788c1cf4819707347aaba3513312edc8fcc19
Opcode Fuzzy Hash: a10cf668624f0130aca4c1a40757793a248c6cb9cffff635ead4703d2ef77ff5
Instruction Fuzzy Hash: 9311E7715093C08FD712DF24D984715BF70FB52204F24C6EAC9898B293D33AA44AC762

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report INETCwsSDezirces.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exePID: 4416, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 4520, Parent PID: 4416

General

Chronological Activities

Analysis Process: cmd.exePID: 6716, Parent PID: 4416

General

Windows Analysis Report
INETCwsSDezirces.dll