Click to jump to signature section
Source: ssowoface.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Source: Network traffic | Suricata IDS: 2034945 - Severity 1 - ET MALWARE Win32/Suspected Reverse Shell Connection : 192.168.2.4:49731 -> 192.36.61.122:443 |
Source: C:\Windows\System32\rundll32.exe | Network Connect: 192.36.61.122 443 | Jump to behavior |
Source: Joe Sandbox View | ASN Name: EDIS-AS-EUAT EDIS-AS-EUAT |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic | DNS traffic detected: DNS query: protectconnections.com |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730 |
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443 |
Source: ssowoface.dll | Static PE information: invalid certificate |
Source: classification engine | Classification label: mal56.evad.winDLL@19/0@1/1 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:916:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1004:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4960:120:WilError_03 |
Source: ssowoface.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ssowoface.dll,DoUpdateInstanceEx |
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\ssowoface.dll" | |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1 | |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ssowoface.dll,DoUpdateInstanceEx | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1 | |
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" | |
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",DoUpdateInstanceEx | |
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1 | Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ssowoface.dll,DoUpdateInstanceEx | Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",DoUpdateInstanceEx | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1 | Jump to behavior |
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" | Jump to behavior |
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" | Jump to behavior |
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" | Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll | |
Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll | |
Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll | |
Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll | |
Source: ssowoface.dll | Static PE information: Image base 0x180000000 > 0x60000000 |
Source: ssowoface.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Source: ssowoface.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe TID: 1700 | Thread sleep time: -120000s >= -30000s | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\System32\loaddll64.exe | Thread delayed: delay time: 120000 | Jump to behavior |
Source: rundll32.exe, 00000003.00000002.1671384608.00000202CABD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1671502440.0000023352BF8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.1701057969.00000175CDD22000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Windows\System32\rundll32.exe | Network Connect: 192.36.61.122 443 | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1 | Jump to behavior |
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" | Jump to behavior |
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" | Jump to behavior |
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" | Jump to behavior |