Windows Analysis Report

Overview

General Information

Analysis ID: 1432352
Infos:

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Rundll32 Activity

Classification

Source: classification engine Classification label: clean2.win@6/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2588:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" SHELL32.DLL,Control_RunDLL ca400cpl.cpl,@0,1
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /C ""C:\Windows\System32\rundll32.exe" SHELL32.DLL,Control_RunDLL ca400cpl.cpl,@0,1"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" SHELL32.DLL,Control_RunDLL ca400cpl.cpl,@0,1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ca400cpl.cpl,@0,1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" SHELL32.DLL,Control_RunDLL ca400cpl.cpl,@0,1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ca400cpl.cpl,@0,1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" SHELL32.DLL,Control_RunDLL ca400cpl.cpl,@0,1 Jump to behavior

No Screenshots

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1432352 Cookbook: defaultwindowscmdlinecookbook.jbs Startdate: 26/04/2024 Architecture: WINDOWS Score: 2 6 cmd.exe 1 2->6         started        process3 8 rundll32.exe 6->8         started        10 conhost.exe 6->10         started        process4 12 rundll32.exe 8->12         started       
No contacted IP infos