Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ssowoface.dll

Overview

General Information

Sample name:ssowoface.dll
Analysis ID:1530868
MD5:030bcd5ede911a4c12bace4d0695fdf1
SHA1:5c861990cf2e07b99f37b21c4dc2d7a6fdfa8cd8
SHA256:4a302c0ed3c47231bc7c34cf2d41bc0ceb60d9c7b0023df015f75a58853f43d2
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Creates a process in suspended mode (likely to inject code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Sample execution stops while process was sleeping (likely an evasion)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 5012 cmdline: loaddll64.exe "C:\Users\user\Desktop\ssowoface.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1136 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 1720 cmdline: rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • cmd.exe (PID: 5232 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 1004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 4916 cmdline: rundll32.exe C:\Users\user\Desktop\ssowoface.dll,DoUpdateInstanceEx MD5: EF3179D498793BF4234F708D3BE28633)
      • cmd.exe (PID: 3524 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 4192 cmdline: rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",DoUpdateInstanceEx MD5: EF3179D498793BF4234F708D3BE28633)
      • cmd.exe (PID: 7104 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-10T16:15:36.016944+020020349451A Network Trojan was detected192.168.2.449731192.36.61.122443TCP

Click to jump to signature section

Show All Signature Results
Source: ssowoface.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

barindex
Source: Network trafficSuricata IDS: 2034945 - Severity 1 - ET MALWARE Win32/Suspected Reverse Shell Connection : 192.168.2.4:49731 -> 192.36.61.122:443
Source: C:\Windows\System32\rundll32.exeNetwork Connect: 192.36.61.122 443Jump to behavior
Source: Joe Sandbox ViewASN Name: EDIS-AS-EUAT EDIS-AS-EUAT
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: protectconnections.com
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
Source: ssowoface.dllStatic PE information: invalid certificate
Source: classification engineClassification label: mal56.evad.winDLL@19/0@1/1
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:916:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1004:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4960:120:WilError_03
Source: ssowoface.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ssowoface.dll,DoUpdateInstanceEx
Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\ssowoface.dll"
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ssowoface.dll,DoUpdateInstanceEx
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",DoUpdateInstanceEx
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ssowoface.dll,DoUpdateInstanceExJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",DoUpdateInstanceExJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1Jump to behavior
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"Jump to behavior
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"Jump to behavior
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"Jump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: winbrand.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dll
Source: C:\Windows\System32\cmd.exeSection loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dll
Source: ssowoface.dllStatic PE information: Image base 0x180000000 > 0x60000000
Source: ssowoface.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: ssowoface.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\loaddll64.exe TID: 1700Thread sleep time: -120000s >= -30000sJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll64.exeThread delayed: delay time: 120000Jump to behavior
Source: rundll32.exe, 00000003.00000002.1671384608.00000202CABD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1671502440.0000023352BF8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.1701057969.00000175CDD22000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\System32\rundll32.exeNetwork Connect: 192.36.61.122 443Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1Jump to behavior
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"Jump to behavior
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"Jump to behavior
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"Jump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading
111
Process Injection
1
Rundll32
OS Credential Dumping1
Security Software Discovery
Remote ServicesData from Local System2
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initializ